piotrlegnica / django-trunk-patches

patch queue to django-trunk

My patches against Django trunk.

Clone this repository and patch queue (size: 23.3 KB):
$ hg qclone http://bitbucket.org/piotrlegnica/django-trunk-patches/
filename                        size     last modified  message
.hgignore                       39 B     6 months ago   Automated init.
README.rst                      2.2 KB   3 months ago   Forgot about schema change.
_internal.patch                 332 B    3 months ago   Nothing to see, move along.
auth-password-algorithms.patch  27.9 KB  4 weeks ago    Updated to apply cleanly on r7933:49954e5f1c31.
series                          132 B    3 months ago   Nothing to see, move along.
setuptools.patch                266 B    3 months ago   Added setuptools.patch and a README (*FINALLY*, yay).

README

django-trunk patches

auth-password-algorithms.patch

Enables you to use different password hashing algorithms with django.contrib.auth. Configurable via:

  • AUTH_USE_PASSWORD_ALGORITHM - algorithm to use in the project. Keep in mind that changing it won't invalidate or in any way change already stored passwords.
  • AUTH_PASSWORD_ALGORITHMS - dict of all usable algorithms. By default it includes sha1, md5 (you shouldn't use it, though), sha224/sha256/sha384/sha512 if hashlib is present, UNIX crypt if available, and pbkdf2 if the PBKDF2 module is installed.
  • AUTH_SALT_LENGTH - length of the salt, obviously. After patching, contrib.auth will try to use os.urandom with a fallback to hashing random strings (which is what vanilla contrib.auth does).

Warning: the patch changes the way passwords are stored in the database (it uses base64 instead of hexdigests, and it changes the password field size to 255). Make a backup of your auth_users table, and run manage.py upgradepasswords after applying.

I am no cryptography expert, but I believe they recommend using one of the stronger key derivation functions instead of the SHA family or MD5 for storing passwords. /me uses PBKDF2.

Comes with unit tests (and it modifies contrib.auth unit tests to be compatible with base64'd password hashes).

Tested in production, works fine. If you have any suggestions, contact me.
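
The storage scheme described above, shown as an added example (not code from the patch): a dict of algorithms, an os.urandom salt, and base64 records that verify with the algorithm named in the record, so changing AUTH_USE_PASSWORD_ALGORITHM leaves old records valid. The `algorithm$salt$hash` layout follows stock contrib.auth; the salt length, iteration count, function names and the re-hash at login (which goes beyond what the README describes) are assumptions.

```python
import base64
import hashlib
import hmac
import os

AUTH_SALT_LENGTH = 16                   # salt bytes (assumed value)
AUTH_USE_PASSWORD_ALGORITHM = "pbkdf2"  # used for newly set passwords only
PBKDF2_ITERATIONS = 100_000             # assumed work factor, not from the page

def _digest(name):
    # Single salted hash, kept only so that old records still verify.
    return lambda pw, salt: hashlib.new(name, salt + pw).digest()

# name -> callable(password_bytes, salt_bytes) -> raw hash bytes
AUTH_PASSWORD_ALGORITHMS = {
    "sha1": _digest("sha1"),
    "sha256": _digest("sha256"),
    "pbkdf2": lambda pw, salt: hashlib.pbkdf2_hmac(
        "sha256", pw, salt, PBKDF2_ITERATIONS),
}

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

def make_password(password, algorithm=None):
    """Build an 'algorithm$salt$hash' record with base64 salt and hash."""
    algorithm = algorithm or AUTH_USE_PASSWORD_ALGORITHM
    salt = os.urandom(AUTH_SALT_LENGTH)
    raw = AUTH_PASSWORD_ALGORITHMS[algorithm](password.encode("utf-8"), salt)
    return "$".join((algorithm, _b64(salt), _b64(raw)))

def check_password(password, stored):
    """Verify with the algorithm named in the record, not the current setting."""
    try:
        algorithm, salt_b64, hash_b64 = stored.split("$")
        func = AUTH_PASSWORD_ALGORITHMS[algorithm]
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except (ValueError, KeyError):
        return False  # malformed record or algorithm not enabled
    return hmac.compare_digest(func(password.encode("utf-8"), salt), expected)

def login(password, stored):
    """Return (ok, record); an old record is re-hashed once the plaintext is known."""
    if not check_password(password, stored):
        return False, stored
    if stored.split("$", 1)[0] != AUTH_USE_PASSWORD_ALGORITHM:
        stored = make_password(password)
    return True, stored
```

A record can only move to the current algorithm when the plaintext is available, which is why the upgrade happens inside `login` and not as a batch job over stored hashes.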

setuptools.patch
Very tiny patch to make Django's setup.py use setuptools instead of core distutils. Because I like setup.py develop.

Contact

Via IRC: PiotrLegnica on Freenode. Or via Bitbucket messaging. Or via mail.