Uli Fouquet wrote:
Ok. I'll put something into the zope.app.authentication branches for review.
Great!
Two remaining questions: I would like to use `os.urandom` instead of `random.randint` to create the salt, because this is recommended in cryptographic contexts. There was, however, a problem with this module in former times: sometimes it stopped until enough entropy was available, which could make threads and processes hang. Is this still an issue?
Well, the Linux man page for "urandom" says that /dev/urandom never blocks, while /dev/random can block if the entropy pool runs out. I assume os.urandom uses /dev/urandom.
Last question: How should we handle lack of SHA-2 hashes in the Python standard lib of 2.4? Self-implementing sounds too error-prone to me, while existing Python ports of the reference implementation in PyCrypto etc. are implemented in C, which would make `zope.app.authentication` a binary package. Something I would like to avoid. Or is support for Python 2.4 running out anyway?
Let's not implement the SHA-2 version yet. SSHA, based on SHA-1, is sufficient for now.

Shane
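
The scheme discussed in this thread, as an added example that is not part of the original message or of `zope.app.authentication`: salted SHA-1 with the salt drawn from `os.urandom`, then verified in constant time. The `{SSHA}` prefix and the `base64(digest + salt)` layout follow the common LDAP convention and are assumptions here, as are the function names and the 8-byte default salt.

```python
import base64
import binascii
import hashlib
import hmac
import os

SHA1_LEN = hashlib.sha1().digest_size  # 20 bytes
PREFIX = "{SSHA}"  # assumed LDAP-style scheme tag


def ssha_encode(password, salt=None, salt_len=8):
    """Return '{SSHA}' + base64(SHA1(password + salt) + salt)."""
    if salt is None:
        # os.urandom draws from the operating system's CSPRNG, unlike
        # random.randint, whose output is predictable from its state.
        salt = os.urandom(salt_len)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, encoded):
    """Check a password against a stored value; False on malformed input."""
    if not encoded.startswith(PREFIX):
        return False
    try:
        raw = base64.b64decode(encoded[len(PREFIX):], validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(raw) <= SHA1_LEN:
        # No salt bytes after the digest: reject instead of silently
        # accepting an unsalted SHA-1 value under the SSHA tag.
        return False
    stored, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison does not reveal how many bytes matched.
    return hmac.compare_digest(stored, candidate)


if __name__ == "__main__":
    stored = ssha_encode("secret")  # constructed sample password
    print(stored, ssha_verify("secret", stored), ssha_verify("guess", stored))
```

Because the salt is stored alongside the digest, two users with the same password get different stored values, and a verifier needs nothing beyond the stored string.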