It seems that adding a DEFAULT_HASHING_ALGORITHM setting is an acceptable solution; we have one remaining question: do we keep the setting around?
1. We can treat DEFAULT_HASHING_ALGORITHM as a transitional setting, limit its values to `sha1` and `sha256`, and deprecate it immediately. Florian said: *"From a security perspective I wonder if we should limit this to the existing sha1 and the new sha256 algos. We really don't ever want anyone to put md5 there and it is really just a transitional setting."*, *"...setting this to sha256, running with it and then changing it to sha512 will be a hard cut. There will be no migration path like there would be for sha1. Imo that limits the usefulness of such a setting for long term usage and makes it questionable if we want to support such usage."*

2. We can treat DEFAULT_HASHING_ALGORITHM as a new feature and allow any secure hash algorithm supported by hashlib. Simon said: *"It does add one more setting but it feels like having this configurable project wide will be a plus as it will allow the ecosystem to rely on it and hopefully make audit of large Django application a bit easier when having specific hashing requirements."*

Personally I think we should choose the first option because it's safer.

*We're delaying the 3.1 release until tomorrow.*

Best,
Mariusz
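As an added illustration of what the first option means in practice (example code written for this page, not Django's implementation of the setting): a signer that only accepts `sha1` or `sha256` as its configured algorithm, always signs with the configured one, and, when configured for `sha256`, still verifies older `sha1` signatures, which is the sha1-to-sha256 migration path Florian contrasts with a sha256-to-sha512 "hard cut". Class and function names are assumed.

```python
import hashlib
import hmac

# Transitional setting: only the existing sha1 and the new sha256 are
# accepted; md5 or anything else is rejected at configuration time.
ALLOWED_ALGORITHMS = ("sha1", "sha256")
# A migration path exists only for sha1 -> sha256: a sha256 signer still
# verifies sha1 signatures. No such fallback exists for e.g. sha512.
LEGACY_FALLBACK = {"sha256": "sha1"}


class BadSignature(Exception):
    """Raised when no accepted algorithm verifies the signature."""


def validate_hashing_algorithm(name: str) -> str:
    """Reject any value outside the transitional allow-list."""
    if name not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported DEFAULT_HASHING_ALGORITHM: {name!r}")
    return name


class TransitionalSigner:
    """HMAC signer whose output algorithm follows the setting (assumed API)."""

    def __init__(self, key: bytes, default_hashing_algorithm: str = "sha256"):
        self.key = key
        self.algorithm = validate_hashing_algorithm(default_hashing_algorithm)

    def _mac(self, value: str, algorithm: str) -> str:
        digestmod = getattr(hashlib, algorithm)
        return hmac.new(self.key, value.encode(), digestmod).hexdigest()

    def sign(self, value: str) -> str:
        # New signatures always use the configured algorithm.
        return f"{value}:{self._mac(value, self.algorithm)}"

    def unsign(self, signed: str) -> str:
        value, sep, mac = signed.rpartition(":")
        if not sep:
            raise BadSignature("no signature present")
        # Try the configured algorithm first, then the legacy one if any.
        candidates = [self.algorithm]
        if self.algorithm in LEGACY_FALLBACK:
            candidates.append(LEGACY_FALLBACK[self.algorithm])
        for algorithm in candidates:
            if hmac.compare_digest(mac, self._mac(value, algorithm)):
                return value
        raise BadSignature("signature does not match any accepted algorithm")


def is_valid(signer: TransitionalSigner, signed: str) -> bool:
    """Convenience wrapper: True if unsign() succeeds, False otherwise."""
    try:
        signer.unsign(signed)
        return True
    except BadSignature:
        return False
```

Note that the fallback is one-directional: code still configured for `sha1` cannot verify values produced after the switch to `sha256`.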