apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jeff Trawick" <traw...@gmail.com>
Subject Re: PATCH: md5 hash files not portable between EBCDIC and ASCII
Date Fri, 07 Sep 2007 10:36:46 GMT
On 9/7/07, Martin Kraemer <martin@apache.org> wrote:
> On Fri, Sep 07, 2007 at 01:12:05AM -0500, William A. Rowe, Jr. wrote:
> > But my first argument remains; if we break the expected
> > behavior, we instantly render all previous generated hashes irreconcilable.
> >
> > So it really seems like an apr-1.3 change, if that, and httpd-2.4/3.0 if
> > that was what the poster was getting at.
>
> I don't know about IBM's EBCDIC machines. For BS2000, we have no
> problem with backward compatibility, as 2.2.6 will be the 1st 2.x
> release, and as far as MD5 is concerned, compatibility with UNIX
> .htpasswd files is valued higher than compatibility with 1.3 (which
> is going to be replaced by 2.2.6). Anyway, users tended to use the
> default (crypt) passwords, not the (more exotic on unix machines)
> MD5 passwords. And a major switch in versions allows for a minor
> incompatible change that is going to be well documented too.

For the z/OS operating system, the IBM-delivered, Apache 2.0-based web
server has creation of MD5 password hashes disabled due to the lack of
portability and the expected surprise/dismay at being able to create
hashes that can't be used on more popular platforms.

I don't know how many other users of APR password hashes exist on that
platform.  There's really no way to know.

> So, from my POV, I'm leaning towards fixing it in an "ASCII compatible"
> way, rather than maintaining the incompatible format for eternity.

+1 here as well

A "--disable-portable-md5" option could probably be provided, but I
don't think there are enough (possibly *any*) theoretical users of
that to justify cluttering the code for eternity.

Mime
View raw message