Switch to sha512 in AuthTktAuthenticationPolicy #2496
Conversation
|
As I said in #2362 I don't want to do this until 2.0. |
|
Okay :-) Missed that. |
|
@mmerickel Why is something we've warned about for three major releases a 2.0-only change? |
|
@tseaver My concern is that the warnings don't actually show up for people. Python 2.7 changed the default behavior to not show DeprecationWarnings unless you explicitly set an environ variable or interpreter flag. It's ridiculous. For this reason, and that the behavior of this change is something that will affect people who upgrade by logging out every user of their website if they didn't see the warnings... It feels like a bad idea. We should do a better job with our deprecation warnings, we've never changed how it worked (the current system worked great on Python 2.6) but simply doesn't work well now. |
|
@bertjwregeer pep8 failure:
|
|
@tseaver Yeah, noticed that. But unless we agree to ship this soon, I was not planning on fixing this until 2.0. |
|
The deprecation is weird because it's changing the default. It's not removing a feature where user's code will error but rather just flipping it to something else. Super subtle. |
|
IMHO, having user logins evaporate during a "major" software upgrade (and I would count Pyramid 1.6.x -> 1.7 as such) doesn't sound like a big enough issue to warrant deferring the change until 2.0. We won't be "breaking" users software, in the sense that they will be forced to make code changes to get up and running: users who care will be able to a) change the code ahead of time such that they pass an explicit |
|
Alright, I'm satisfied since we've at least discussed the issue. 2.0 was my conservative feeling as no one had expressed interest otherwise until now. We'll have to make the release notes very clear here. |
|
@mmerickel Updated CHANGES.txt with specific text. Also, re-organised it a little (forgot that I was on a feature branch). |
|
|
This matches the TODO located at: https://github.com/Pylons/pyramid/blob/master/TODO.txt#L123