httpd-dev mailing list archives

From "William A. Rowe, Jr." <>
Subject Re: [REWRITE] htpasswd.c
Date Thu, 11 Oct 2001 17:40:13 GMT
From: "Mladen Turk" <>
Sent: Thursday, October 11, 2001 12:27 PM

> I like the sound of htdbm.
> There is another thing that was discussed earlier, and that is to drop the
> crypt() from htpasswd.
> As has been said, crypt() is preserved for compatibility reasons only,
> and the preferred hashing scheme is MD5.

That's my understanding, yes.  Please make that a second patch to htpasswd,
and a first patch on top of your htdbm.  If folks disagree later, it's easy
to segregate.

> So IMO the htpasswd util doesn't need that option implemented. I'll put it
> as #if 0...#endif.

No, it needs to be implemented (with some APR_HAS_CRYPT test) but it may be
set off as not-the-default.

> I don't think that htdigest would be so hard to integrate with htpasswd,
> I'll check that :)

Please don't :-?  This will become rapidly confusing.  It's better to posit
the idea first, write the patch second.  It's much less disheartening when
folks tell you up front it's not desired.

First clean up htpasswd, doing what it already did, then in a second patch
adopt the MD5 default.

Then offer up your htdbm, with an MD5 default scheme if you like.

And toss out the idea of merging htpasswd+htdigest.  I suspect a lot of us
might find that overly confusing.

The bigger issue is one lots of submitters get caught in (including me.)
Try to make each patch do one thing, so that it's easy to follow the history.

[I don't care about a mass update to a never-released entity like your new
ApacheMonitor.  A module or utility that's been released, e.g. the htpasswd
and htdigest utilities, needs careful tracking to be able to spot bugs if they
are introduced in later releases.]

