The recommended command to install argon2 is:
{{{
pip install django[argon2]
}}}
This tripped me up when upgrading to 1.10 from 1.9.x.
Should it not be:
{{{
pip install argon2_cffi
}}}
...as is recommended
[https://argon2-cffi.readthedocs.io/en/stable/installation.html here]?
--
Ticket URL: <https://code.djangoproject.com/ticket/27013>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
* needs_better_patch: => 0
* needs_tests: => 0
* needs_docs: => 0
Comment:
Hi freshquiz,
> This tripped me up when upgrading to 1.10 from 1.9.x.
I'm not sure about what you mean here. The 1.10 documentation you linked
to assumes you have Django 1.10 installed which exposes the `argon2`
[https://github.com/django/django/blob/dcebeea2703322bc53c511bf3cff9e3c2e04d802/setup.py#L52
extra requirement].
Running `pip install django[argon2]` with Django 1.10 installed should be
equivalent to `pip install "argon2-cffi>=16.1.0"`.
--
Ticket URL: <https://code.djangoproject.com/ticket/27013#comment:1>
Comment (by freshquiz):
Thanks charettes.
I hadn't used the `[]` pip syntax before and hadn't realised that
`django[argon2]` roughly translates to:
django + argon2 (extra requirement)
It makes sense now, but I still think the docs should change (as the
ticket description outlines), to separate the installation of Django
itself and argon2 (from pip), so as to prevent others not familiar with
the `[]` pip syntax, from stumbling as I did.
I tripped up by simply changing my `requirements.txt` file to include
`django[argon2]`, in addition to modifying `Django==1.9.5` -->
`Django==1.10`. So the combination of `django[argon2]` and `Django==1.10`
produced conflicts in pip.
My point being, if the docs said `argon2_cffi`, we wouldn't be having
this conversation.
If you don't think it's worth the change, please feel free to close the
ticket, otherwise I don't mind creating a PR for it.
--
Ticket URL: <https://code.djangoproject.com/ticket/27013#comment:2>
Comment (by charettes):
I see, as I'm familiar with the syntax I'll let other contributors chime in
to figure out whether or not the documentation should be adjusted.
FWIW the correct way of specifying your requirement would be
`Django[argon2]>=1.10` which should be read as `Django >= 1.10` with the
`argon2` extra requirement.
--
Ticket URL: <https://code.djangoproject.com/ticket/27013#comment:3>
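Added example, not part of the ticket and not Django or pip code: a small check for the `requirements.txt` situation described in comments 2 and 3, where one project is listed on two lines (`django[argon2]` and `Django==1.10`) instead of once with name, extra and version together. It handles only a subset of PEP 508 (name, extras, version specifier); `parse_line`, `merge_requirements` and `SAMPLE` are names made up for this illustration.

```python
import re

# Subset of PEP 508: name, optional [extras], optional version specifier.
# Environment markers, URLs and pip options (-r, -e, --hash) are not handled.
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[([^\]]*)\])?\s*(.*?)\s*$")


def normalize(name):
    """PEP 503 normalisation: 'Django' and 'django' name the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_line(line):
    """Return (normalized_name, extras_set, specifier), or None for blanks/comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = _REQ.match(line)
    if not m:
        raise ValueError("unsupported requirement line: %r" % line)
    name, extras, spec = m.groups()
    extras = {e.strip().lower() for e in (extras or "").split(",") if e.strip()}
    return normalize(name), extras, spec.replace(" ", "")


def merge_requirements(text):
    """Fold lines naming the same project into one; return (merged, duplicated)."""
    seen = {}  # normalized name -> [extras set, specifier list, line count]
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        name, extras, spec = parsed
        entry = seen.setdefault(name, [set(), [], 0])
        entry[0] |= extras
        if spec and spec not in entry[1]:
            entry[1].append(spec)  # specifiers are joined with ',' (all must hold)
        entry[2] += 1
    merged, duplicated = [], []
    for name, (extras, specs, count) in seen.items():
        bracket = "[%s]" % ",".join(sorted(extras)) if extras else ""
        merged.append(name + bracket + ",".join(specs))
        if count > 1:
            duplicated.append(name)
    return merged, duplicated


# Constructed sample: the two Django lines described in comment 2, plus one other.
SAMPLE = "django[argon2]\nDjango==1.10\npytz\n"
```

Running `merge_requirements(SAMPLE)` reports `django` as listed twice and yields the single line `django[argon2]==1.10`, the same shape as the `Django[argon2]>=1.10` form given in comment 3.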
* type: Bug => Cleanup/optimization
* stage: Unreviewed => Accepted
Comment:
I suppose a clarification wouldn't hurt, although this wording is
copy/pasted from the bcrypt steps so similar changes should be done there.
I think we could replace "downloading the library and installing it with
python setup.py install" (which I think is mostly obsolete these days --
at least, I wouldn't recommend that to anyone new who doesn't know how to
install a library) with `pip install argon2-cffi>=16.1.0`. The only
downside I see there is hardcoding the argon2-cffi version.
--
Ticket URL: <https://code.djangoproject.com/ticket/27013#comment:4>
Comment (by freshquiz):
Is hardcoding the version necessary?
Wouldn't `argon2-cffi` give the latest stable version?
--
Ticket URL: <https://code.djangoproject.com/ticket/27013#comment:5>
Comment (by timgraham):
It's possible (though probably unlikely for most users) that an older
version of the package could already be installed.
--
Ticket URL: <https://code.djangoproject.com/ticket/27013#comment:6>
Comment (by audiolion):
If you have Django <1.10 and run `pip install django[argon2]` you get a
nice error message `Django 1.9.5 does not provide the extra 'argon2'`.
`pip install argon2-cffi>=16.1.0` would give no such clarification. Are we
sure this should be in there? You shouldn't really be doing the original
install by appending to `requirements.txt` `argon2-cffi>=16.1.0`, should
you? It should be through pip and after you ensure everything works you
pin the requirement.
I do agree though that installing libraries with setup tools as part of
the recommendation is probably somewhat obsolete now.
--
Ticket URL: <https://code.djangoproject.com/ticket/27013#comment:7>
* has_patch: 0 => 1
Comment:
Does this clarification help? [https://github.com/django/django/pull/7128 PR]
--
Ticket URL: <https://code.djangoproject.com/ticket/27013#comment:8>
* status: new => closed
* resolution: => fixed
Comment:
In [changeset:"9f27735612fc775380d7801c68af0ea1c97cf5a3" 9f27735]:
{{{
#!CommitTicketReference repository=""
revision="9f27735612fc775380d7801c68af0ea1c97cf5a3"
Fixed #27013 -- Clarified commands to install argon2/bcrypt packages.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/27013#comment:9>
Comment (by Tim Graham <timograham@…>):
In [changeset:"7c0c3fb6b1d932bc33e7dcc8f16e31cd39992f9b" 7c0c3fb6]:
{{{
#!CommitTicketReference repository=""
revision="7c0c3fb6b1d932bc33e7dcc8f16e31cd39992f9b"
[1.10.x] Fixed #27013 -- Clarified commands to install argon2/bcrypt
packages.
Backport of 9f27735612fc775380d7801c68af0ea1c97cf5a3 from master
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/27013#comment:10>