#27013 closed Cleanup/optimization (fixed)
Docs - Using Argon2 with Django - more appropriate pip command
| Reported by: | Matt C | Owned by: | nobody |
|---|---|---|---|
| Component: | Documentation | Version: | 1.10 |
| Severity: | Normal | Keywords: | documentation password argon2 pip |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Change History (10)
comment:1 by , 8 years ago
comment:2 by , 8 years ago
Thanks charettes.
I hadn't used the [] pip syntax before and hadn't realised that django[argon2] roughly translates to:
django + argon2 (extra requirement)
It makes sense now, but I still think the docs should change (as the ticket description outlines), to separate the installation of Django itself and argon2 (from pip), so as to prevent others not familiar with the [] pip syntax, from stumbling as I did.
I tripped up by simply changing my requirements.txt file to include django[argon2], in addition to modifying Django==1.9.5 --> Django==1.10. So the combination of django[argon2] and Django==1.10 produced conflicts in pip.
My point being is if the docs said argon2_cffi, we wouldn't be having this conversation.
If you don't think it's worth the change, please feel free to close the ticket, otherwise I don't mind creating a PR for it.
comment:3 by , 8 years ago
I see, as I'm familar with the syntax I'll let other contributor chime in to figure out whether or not the documentation should be adjusted.
FWIW the correct way of specifying your requirement would be Django[argon2]>=1.10 which should be read as Django >= 1.10 with the argon2 extra requirement.
comment:4 by , 8 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|---|
| Type: | Bug → Cleanup/optimization |
I suppose a clarification wouldn't hurt, although this wording is copy/pasted from the bcrypt steps so similar changes should be done there. I think we could replace "downloading the library and installing it with python setup.py install" (which I think is mostly obsolete these days -- at least, I wouldn't recommend that to anyone new who doesn't know how to install a library) to the pip install argon2-cffi>=16.1.0. The only downside I see there is hardcoding the argon2-cffi version.
comment:5 by , 8 years ago
Is hardcoding the version necessary?
Wouldn't argon2-cffi give the latest stable version?
comment:6 by , 8 years ago
It's possible (though probably unlikely for most users) that an older version of the package could already be installed.
comment:7 by , 8 years ago
If you have Django <1.10 and run pip install django[argon2] you get a nice error message Django 1.9.5 does not provide the extra 'argon2'. pip install argon2-cffi>=16.1.0 would give no such clarification. Are we sure this should be in there? You shouldn't really be doing the original install by appending to requirements.txt argon2-cffi>-16.1.0 should you? It should be through pip and after you ensure everything works you pin the requirement.
I do agree though that installing libraries with setup tools as part of the recommendation is probably somewhat obsolete now.
Hi freshquiz,
I'm not sure about what you mean here. The 1.10 documentation you linked to assumes you have Django 1.10 installed which exposes the
argon2extra requirement.Running
pip install django[argon2]with Django 1.10 installed should be equivalent topip install "argon2-cffi>=16.1.0".