[Python-Dev] PEP 594: Removing dead batteries from the standard library
On Wed, May 22, 2019 at 10:07:31AM +0200, Christian Heimes wrote:
> On 22/05/2019 06.20, Arfrever Frehtes Taifersar Arahesis wrote:
> > It is possible to have a modern Linux desktop system with PAM not
> > installed at all, and therefore not used.
> Thanks for bringing this up. I don't think we need to care about this care.
> A PAM-free Linux system is an IMHO very special and exotic case. It's
> certainly not a setup anybody should run on a server.
I've heard of rare cases of people running Python on Linux desktops...
> There are a lot
> of good reasons to use PAM. I'll update the BPO with reasons soonish.
I don't think this PEP should become a document about "Why you should
use PAM". I appreciate that from your perspective as a Red Hat security
guy, you want everyone to use best practices as you see them, but it
isn't Python's position to convince Linux distros or users to use PAM.
To put it another way... I think that if you want to make the case for
PAM, put it on the web (a blog?) and link to it.
As far as the spwd module is concerned, on the one hand you're saying
"we should remove it because nobody should ever read from /etc/shadow",
and then on the other hand you're all "but go ahead and read /etc/shadow
if you like, it is perfectly trivial to do":
> By the way, the /etc/shadow shadow(5) format is trivial and can be
> parsed with a few lines of code. There is no need to use spwd.
so I think you're undercutting your own argument. If reading from
/etc/shadow is such a bad thing that we must remove it, why tell people
that they can parse it themselves?
Not that we could stop them, even if we wanted to.