  1. SX Spring Python
  2. SESPRINGPYTHONPY-56

Assess impact of python's deprecation of md5 and sha modules to spring python's security segment

    Details

    • Type: Task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.0.0.GA
    • Component/s: Security
    • Labels:
      None
    • Environment:
      python 2.5+

      Description

      According to http://www.python.org/dev/peps/pep-0004/, md5 and sha modules are deprecated in python 2.5, and require switching over to hashlib. Todd spotted this issue when trying to configure bamboo. I realized that the security module has an encode/decode process to encrypt passwords, so we need to make spring python able to handle multiple python versions and deal with this deprecation. See http://docs.python.org/lib/module-hashlib.html for information on how to migrate to hashlib.

      You can either do hashlib.md5(), or hashlib.new("md5"), to get an md5 hasher. The first version is cited as faster and preferred, but the second version is more consistent with the old API, and is probably easier to migrate to. PEP-247 documents a standard API for hashing algorithms, and the second version seems to be more in compliance with that.

        Activity

        gregturn Greg Turnquist added a comment -

        Todd updated build.py to use hashlib, not realizing that it broke python2.4 compatibility. Fixed that file to use sha directly. Need to also consider build process when making this change.

        gregturn Greg Turnquist added a comment -

        Tony
        =======
        I would probably try to future-proof the sha implementation along the lines shown here: http://www.gossamer-threads.com/lists/zope/dev/217294 – sha and md5 are gone in python 3.0

        gregturn Greg Turnquist added a comment -

        The thread suggests:
        On 14.10.2008 19:03 Uhr, Tres Seaver wrote:
        > ----BEGIN PGP SIGNED MESSAGE----
        > Hash: SHA1
        >
        > Andreas Jung wrote:
        >> Log message for revision 92197:
        >> sha -> hashlib
        >
        > That needs to be a conditional import, with a fallback to the old sha
        > module: hashlib is not present in python 2.4. E.g.:
        >
        > try:
        >     import hashlib
        > except ImportError:  # Python < 2.5
        >     import sha
        >     _sha = sha.new
        > else:
        >     _sha = hashlib.sha1
        >
        > and then use '_sha' in the code.

        Depends on which Python versions we want/must support for the future.
        One option would be to jump on Python 2.6 for the next releases (skipping
        Python 2.5 and dropping Python 2.4 support).
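
The conditional-import fallback quoted above, combined with the `hashlib.new("md5")` form from the issue description, as one version-independent helper. This is an added example, not Spring Python's or Zope's code; `new_hasher`, `encode_password`, `is_password_valid` and the optional salt argument are hypothetical names and assumptions.

```python
import hmac

try:
    import hashlib                  # Python 2.5+ and every Python 3
except ImportError:                 # Python < 2.5: only the legacy modules exist
    hashlib = None
    import md5 as _md5_mod
    import sha as _sha_mod


def new_hasher(name):
    """Return a fresh PEP 247-style hash object for 'md5' or 'sha1'."""
    if name not in ("md5", "sha1"):
        raise ValueError("unsupported algorithm: %r" % (name,))
    if hashlib is not None:
        # hashlib.new(name) keeps the call shape of the old md5.new()/sha.new()
        return hashlib.new(name)
    return {"md5": _md5_mod, "sha1": _sha_mod}[name].new()


def encode_password(raw, salt=None, name="sha1"):
    """Hex digest of (salt +) password. Inputs are byte strings.

    The salt parameter is an assumption; the issue does not describe
    the encoder's format.
    """
    hasher = new_hasher(name)
    if salt is not None:
        hasher.update(salt)
    hasher.update(raw)
    return hasher.hexdigest()


def is_password_valid(encoded, raw, salt=None, name="sha1"):
    """Recompute the digest and compare it with the stored value."""
    candidate = encode_password(raw, salt, name)
    compare = getattr(hmac, "compare_digest", None)
    if compare is None:             # older interpreters lack compare_digest
        return candidate == encoded
    return compare(candidate, encoded)
```

Because both branches produce the same digests, password hashes stored under one interpreter version still verify under another.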

        gregturn Greg Turnquist added a comment -

        This issue was already being addressed by SESPRINGPYTHONPY-96, so the changes are being delivered on that branch.

        gregturn Greg Turnquist added a comment -

        The specific changes concerning sha/md5 have been resolved.


          People

          • Assignee:
            Unassigned
            Reporter:
            gregturn Greg Turnquist