Hi, I have raised 2 PRs for the deprecation of the auth mechanism, These should be removed but these are public APIs we should first deprecate it in 3.13 and then remove it in 3.15.
If you folks don’t agree with the deprecation, I will close the PR.
That is backwards! If you remove it and there are users of it then you break compatibility with an email service that may be stuck using the old crypto.
Note also that this discussion is meant to gather support for the deprecation; I would expect to see arguments as to why the feature should be removed, and a reasonably comprehensive overview of usage. When evaluating a change, remember that the status quo (often) wins by default.
There’s precedent in the stdlib for deprecating insecure code, e.g.crypt.
It seems to me that support for something like this should be deprecated, perhaps especially if people are using it. The stdlib shouldn’t encourage or enable bad practices.
Perhaps this is a question for the Security Developer-in-Residence @sethmlarson ?
There’s plenty of precedent for deprecating and removing insecure code in Python, see SSLv3/TLSv1/1.1 in the “ssl” module. If this code isn’t recommended (judging from the linked document) and isn’t in widespread usage I think deprecating it makes sense to me.