Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

python: migrate away from crypt library #318

Closed
link2xt opened this issue Jun 4, 2024 · 11 comments · Fixed by #475
Closed

python: migrate away from crypt library #318

link2xt opened this issue Jun 4, 2024 · 11 comments · Fixed by #475

Comments

@link2xt
Copy link
Contributor

link2xt commented Jun 4, 2024

crypt is removed in Python 3.13 which is currently in beta.
@hagenest
Copy link
Contributor

hagenest commented Jun 5, 2024

I suppose we should replace it with hashlib?

@hagenest hagenest mentioned this issue Jun 5, 2024
Closed
@link2xt
Copy link
Contributor Author

link2xt commented Jun 6, 2024

Maybe we should switch to https://pypi.org/project/legacycrypt/ instead.
This is what was proposed in #49 or we can even just revert that PR.

@hagenest
Copy link
Contributor

hagenest commented Jun 6, 2024

ah, if we already use that, sure! I was thinking that maybe passlib would be an option too, but best to keep dependencies low.

@hagenest
Copy link
Contributor

hagenest commented Jun 6, 2024

wait, we are doing our crypto with a random library with 2 github stars?
Maybe we should use passlib instead? It's recommended in the crypt docs: https://docs.python.org/3/library/crypt.html

@link2xt
Copy link
Contributor Author

link2xt commented Jun 6, 2024
edited
Loading

Yes, passlib is probably better. Or doveadm that we already have, i.e. reverting #49 Calling doveadm should be somewhat cheap because we only do this when user is created, for logging in there is no need to call a subprocess.

hagenest added a commit that referenced this issue Jun 16, 2024
@hagenest
Merge branch 'main' into hagi/#318-crypt=>hashlib
f789110
@hpk42
Copy link
Contributor

hpk42 commented Jun 18, 2024

I am not sure this whole crypt->passlib or other mechanism is really worth it.
Chatmail is based on debian 12, and that uses python 3.11.
By the time debian packages python 3.13 and we switch to debian 13 or so,
we might have ported our python code to Rust already.
So i suggest to close both this issue and the PR, and revisit it next year, or in the context of a Debian 13 upgrade of chatmail.

@hagenest hagenest closed this as not planned Won't fix, can't repro, duplicate, stale Jun 18, 2024
@missytake
Copy link
Contributor

Who knows, maybe there is a better crypt replacement then.

@hagenest
Copy link
Contributor

yeah, makes sense I guess

missytake added a commit that referenced this issue Jun 18, 2024
@missytake
Merge branch 'main' into hagi/#318-crypt=>hashlib
e5707b7
@missytake
Copy link
Contributor

So i suggest to close both this issue and the PR, and revisit it next year, or in the context of a Debian 13 upgrade of chatmail.

We're still working on it because it is basically finished and only the CI is broken. If we realize it is not actually finished we will probably close it.

@missytake missytake reopened this Jun 19, 2024
@missytake missytake closed this as not planned Won't fix, can't repro, duplicate, stale Jun 19, 2024
@link2xt link2xt reopened this Jan 25, 2025
@link2xt
Copy link
Contributor Author

link2xt commented Jan 25, 2025

Now it is finally broken.
@adbenitez made a PR #475

@link2xt link2xt mentioned this issue Jan 25, 2025
Merged
@adbenitez
Copy link
Contributor

I initially tried switching to hashlib that seems to be the recommended lib in the standard lib, but crypt does random salting while hashlib doesn't and in theory that makes it vulnerable to rainbow-something attacks so I decided to go with the smaller change

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
5 participants
@hpk42 @link2xt @adbenitez @hagenest @missytake