From: "Lydia Sobot" <chilledfrogs@disroot.org>
Subject: Re: radicale broken in 7.8 due to py3-bcrypt changes
To: "Vincent Lee" <vincent@vincent-lee.net>, <ports@openbsd.org>
Date: Thu, 23 Oct 2025 01:22:31 +0200

> Just upgraded to 7.8 to find that Radicale 2.1.12p9 is broken due to
> upstream changes in py3-bcrypt 5.0.0, which causes it to throw
> exceptions when the password is too long instead of silently
> truncating[1]. I'm using the bcrypt authentication backend, the only one
> deemed "secure" in the config file, and an exception gets thrown on
> startup, appended below.
>
> This change has caused quite a few breakages around the Python
> ecosystem, for example here[2].
>
> Just sending this as an FYI. I'm not sure what I'll do going forward,
> probably an attempt to locally patch the program to not go through
> passlib, directly call bcrypt (ignoring the configuration option),
> manually truncating the password before doing so.
libpass 1.9.3, released 2 weeks ago, seems to specifically address this
issue, so I think it would be best to update the py-passlib port first:
https://github.com/notypecheck/passlib/releases/tag/1.9.3
https://github.com/notypecheck/passlib/pull/21