Date: Wed, 18 Oct 2023 13:57:45 -0600
From: Peter Sanchez
To: Matt Klein
Cc: ~petersanchez/public-inbox@lists.code.netlandish.com
Subject: Re: [PATCH django-impersonate] Specify usedforsecurity=False in call to hashlib.sha1 as a security best practice
Message-ID: <20231018195745.x3mnxhpvj523rqeq@thinkpad.my.domain>
X-PGP-Key: https://petersanchez.com/publickey.txt
X-Sourcehut-Patchset-Update: NEEDS_REVISION

> Doing so prevents this code from getting flagged in our toolchain, and
> it seems to be best practice, so I'd suggest integrating this into the
> main repo.

Matt, thanks for the patch!

The issue here is that the `usedforsecurity` keyword variable was added in Python 3.9 and current supported versions of Django are 3.2, 4.1 and 4.2. Unfortunately 3.2 supports Python 3.6 still (though support for 3.2 goes away in April next year) and 4.2 has support for 3.8 and is supported until April 2026.

So I think the patch needs a Python version check and if it's 3.9+, add the flag.
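As an added illustration of the version check suggested above (this is not Matt's patch and not django-impersonate's own code; the helper names are assumptions), one way to pass `usedforsecurity=False` only on interpreters that accept it, so the same call works on 3.6 through current releases, and a check that the flag leaves the digest unchanged:

```python
import hashlib
import sys

# hashlib constructors accept usedforsecurity= from Python 3.9 onwards;
# on 3.6-3.8 the unknown keyword raises TypeError, so build the keyword
# arguments once based on the interpreter version.
SHA1_KWARGS = {"usedforsecurity": False} if sys.version_info >= (3, 9) else {}


def sha1_nonsecurity(data: bytes):
    """SHA-1 for a non-security purpose (e.g. a cache or lookup key).

    On 3.9+ the flag tells the runtime and static scanners that this hash
    protects nothing; on older interpreters the plain call is the only option.
    """
    return hashlib.sha1(data, **SHA1_KWARGS)


def sha1_hex(data: bytes) -> str:
    """Hex digest via the version-gated constructor."""
    return sha1_nonsecurity(data).hexdigest()


def digest_unchanged(data: bytes) -> bool:
    """The flag only annotates intent: the digest must match the plain call."""
    return sha1_hex(data) == hashlib.sha1(data).hexdigest()


if __name__ == "__main__":
    # Constructed sample input; "abc" is the standard SHA-1 test vector.
    print(sha1_hex(b"abc"), digest_unchanged(b"abc"))
```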