Author christian.heimes
Recipients christian.heimes, gregory.p.smith, mbussonn, miss-islington, rhettinger
Date 2019-10-15.16:37:23
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1571157444.17.0.415165713597.issue33604@roundup.psfhosted.org>
In-reply-to
Content
The weird argument style of a required digestmod with None as default is an unfortunate outcome of the old API. The msg and digestmod argument can be passed in as keyword and as positional argument. I studied existing code and have considered to make digestmod a required keyword-only argument, but that would have broken too much code. The current style is backwards compatible with all code except for code that must be changed any way.

Only code that depends on implicit default digestmod="md5" breaks. The code must adjusted for the deprecation no matter the argument style. The required change is fully backwards compatible with Python 2.7 to 3.7. Bottle is such a case that got broken by the deprecation.

It does not make sense to default to another hashing algorithm:
* This would also break software. Applications would suddenly get a different MAC for the same function call and arguments.
* In cryptography the HMAC algorithm is an operation on a key, message, and PRF. Defaulting to MD5 didn't make sense in the first place.
* Cryptographic primitives have a 'best before' date. SHA256 might become broken in a decade -- maybe 9 years and 364 days earlier, maybe 20 years later. I don't want to do another deprecation cycle.
History
Date User Action Args
2019-10-15 16:37:24christian.heimessetrecipients: + christian.heimes, rhettinger, gregory.p.smith, mbussonn, miss-islington
2019-10-15 16:37:24christian.heimessetmessageid: <1571157444.17.0.415165713597.issue33604@roundup.psfhosted.org>
2019-10-15 16:37:24christian.heimeslinkissue33604 messages
2019-10-15 16:37:23christian.heimescreate