Message 415863 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	lemburg
Recipients	Zooko.Wilcox-O'Hearn, christian.heimes, corona10, gregory.p.smith, jstasiak, kmaork, larry, lemburg, mgorny, oconnor663, xtreak
Date	2022-03-23.10:23:53
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<38de1359-74e2-e69e-dc4d-292f81240512@egenix.com>
In-reply-to	<1647997938.81.0.617572467556.issue39298@roundup.psfhosted.org>

Content
On 23.03.2022 02:12, Gregory P. Smith wrote: > > I view the NIST standard hashes as important enough to attempt to guarantee as present (all the SHAs and MD5) as built-in. Others should really demonstrate practical application popularity to gain included battery status rather than just using PyPI. +1 on this. I also think the topic deserves a wider discussion. IMO, Python's stdlib should only provide a basic set of hash algorithms and not try to add every single new algorithm out there. PyPI is a much better way to add support for new hash algorithms, can move much faster than the stdlib, provide specialized builds for added performance and also add exotic features, which are not always needed. Here's the list of Python 3.10 algos on a typical Linux system: >>> hashlib.algorithms_available {'sha512_256', 'mdc2', 'md5-sha1', 'md4', 'ripemd160', 'shake_128', 'sha3_384', 'blake2s', 'sha3_512', 'sha3_256', 'sha256', 'sha1', 'sm3', 'sha512_224', 'whirlpool', 'sha384', 'shake_256', 'sha224', 'sha512', 'sha3_224', 'md5', 'blake2b'} This already is more than enough. Since we're using OpenSSL in Python anyway, exposing some of the often used algos from OpenSSL is fine, since it doesn't add much extra bloat. The above list already goes way beyond this, IMO. The longer the list gets, the more confusion it causes among users, since Python's stdlib doesn't provide any guidance on basic questions such as "Which hash algo should I use for my application". Most applications today will only need these basic hash algos: {'ripemd160', 'sha3_512', 'sha3_256', 'sha256', 'sha1', 'sha512', 'md5'}

On 23.03.2022 02:12, Gregory P. Smith wrote:
> 
> I view the NIST standard hashes as important enough to attempt to guarantee as present (all the SHAs and MD5) as built-in. Others should really demonstrate practical application popularity to gain included battery status rather than just using PyPI.

+1 on this. I also think the topic deserves a wider discussion.

IMO, Python's stdlib should only provide a basic set of hash algorithms
and not try to add every single new algorithm out there.

PyPI is a much better way to add support for new hash algorithms,
can move much faster than the stdlib, provide specialized builds for
added performance and also add exotic features, which are not always
needed.

Here's the list of Python 3.10 algos on a typical Linux system:

>>> hashlib.algorithms_available
{'sha512_256', 'mdc2', 'md5-sha1', 'md4', 'ripemd160', 'shake_128', 'sha3_384',
'blake2s', 'sha3_512', 'sha3_256', 'sha256', 'sha1', 'sm3', 'sha512_224',
'whirlpool', 'sha384', 'shake_256', 'sha224', 'sha512', 'sha3_224', 'md5',
'blake2b'}

This already is more than enough. Since we're using OpenSSL in Python
anyway, exposing some of the often used algos from OpenSSL is fine,
since it doesn't add much extra bloat. The above list already goes
way beyond this, IMO.

The longer the list gets, the more confusion it causes among users,
since Python's stdlib doesn't provide any guidance on
basic questions such as "Which hash algo should I use for my
application".

Most applications today will only need these basic hash algos:

{'ripemd160', 'sha3_512', 'sha3_256', 'sha256', 'sha1', 'sha512', 'md5'}

History
Date	User	Action	Args
2022-03-23 10:23:53	lemburg	set	recipients: + lemburg, gregory.p.smith, larry, christian.heimes, mgorny, Zooko.Wilcox-O'Hearn, jstasiak, oconnor663, corona10, xtreak, kmaork
2022-03-23 10:23:53	lemburg	link	issue39298 messages
2022-03-23 10:23:53	lemburg	create