[Python-Dev] PEP 594: Removing dead batteries from the standard library
Nathaniel Smith njs at pobox.com
Wed May 22 15:42:04 EDT 2019
On Wed, May 22, 2019, 04:32 Christian Heimes <christian at python.org> wrote:
> On 22/05/2019 12.19, Steven D'Aprano wrote:
> > I don't think this PEP should become a document about "Why you should
> > use PAM". I appreciate that from your perspective as a Red Hat security
> > guy, you want everyone to use best practices as you see them, but it
> > isn't Python's position to convince Linux distros or users to use PAM.
>
> I think the PEP should make clear why spwd is bad and pining for The Fjords. The document should point users to correct alternatives. There is no correct and secure way to use the spwd module to verify user accounts. Any use of spwd for logins introduces critical security bugs. By the way, all relevant BSD, Linux, and Darwin (macOS) distributions come with PAM support. Almost all use PAM by default. AFAIK only the minimal Alpine container does not have PAM installed by default. This is not Red Hat trying to evangelize the world. PAM is the industry standard on Unix-like OS.
The removal of spwd seems reasonable to me, and I don't think you need to write 20 separate PEPs for each module, but I do think you should split the spwd/crypt modules off into their own PEP. The discussion about these modules is qualitatively different than some of the others (the security implications etc.), and trying to mix qualitatively different discussions always makes people frustrated.
-n