I agree, it seems like a lot of work for individual developers to be
patching Django themselves for secure auth. I'd be extremely grateful
to see this merged into the core.

On Feb 11, 10:20 am, "Clemens-O. Hoppe"
<clemens.o.ho...@googlemail.com> wrote:
> To quote the issue 5600:
>   So I think the only thing we can do here is increase the salt size.
>   I think anyone who feels they need more security will have to implement a
>   custom authentication backend; building this into Django is just too
>   fraught with danger.
>
> Yet the patch for the salt-size-only increase, which was added not 24
> hours after that, still didn't make its way into any release as far as
> I'm aware.
>
> Given the current 20-bit length (5 hex chars), salt-collisions will happen.
>
> On 02/11/2011 04:04 PM, Russell Keith-Magee wrote:
>
> > If an idea is important enough, we will include compatibility options
> > for older Python versions.
> >> In a nutshell, if something requires python >= 2.5 or a lib for older
> >> versions of Python, forget about adding it.
> > That's not true at all.
> > ... but to say that we won't do
> > this at all is patently and demonstrably incorrect.
>
> Sorry if it came across as too harsh --
>
> > I apologize if I sound a bit grumpy, but I've spent the last 5 days
> > monkey-patching a local branch of the auth lib...
>
> Once again, I didn't mean to insult any dev (running a few projects
> myself, so I know how much work it is) and I appreciate the work that is
> done.
>
> > Yours,
> > Russell Keith-Magee
>
> Cheers,
>
> coh

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
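The 20-bit salt length (5 hex chars) mentioned in the quoted message can be checked against the birthday bound. The following is an added example, not code from this thread or from Django; it assumes salts are drawn uniformly and independently, and the 12-hex-char width is a constructed comparison value.

```python
import math
import secrets


def salt_space(hex_chars):
    """Number of distinct salts that fit in `hex_chars` hex digits."""
    return 16 ** hex_chars


def collision_probability(n_users, hex_chars):
    """P(at least two of n_users share a salt), for uniform independent salts."""
    space = salt_space(hex_chars)
    if n_users > space:
        return 1.0  # pigeonhole: more users than salts
    # Sum logs of (1 - i/space) so the product stays accurate for large spaces.
    log_unique = sum(math.log1p(-i / space) for i in range(n_users))
    return -math.expm1(log_unique)


def users_for_probability(p, hex_chars):
    """Smallest user count whose collision probability reaches p (0 < p < 1)."""
    space = salt_space(hex_chars)
    log_unique, n = 0.0, 1
    while -math.expm1(log_unique) < p:
        log_unique += math.log1p(-n / space)
        n += 1
    return n


def count_shared_salts(n_users, hex_chars):
    """Draw one random salt per user; count users whose salt was already in use."""
    seen, shared = set(), 0
    for _ in range(n_users):
        salt = secrets.token_hex((hex_chars + 1) // 2)[:hex_chars]
        if salt in seen:
            shared += 1
        seen.add(salt)
    return shared


if __name__ == "__main__":
    # 5 hex chars is the length quoted in the thread; 12 is a constructed comparison.
    for width in (5, 12):
        for users in (1_000, 10_000, 100_000):
            print(width, users, f"{collision_probability(users, width):.6f}")
    print("users for 50% at 5 hex chars:", users_for_probability(0.5, 5))
    print("shared salts among 100000 users:", count_shared_salts(100_000, 5))
```

Users who share a salt and a password end up with identical stored hashes, which is why the collision rate matters for a user table of realistic size.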