On Mon, Dec 04, 2000 at 03:11:54PM -0800, [EMAIL PROTECTED] wrote: > > > I would really prefer that we keep some way to encode passwords in > > > APR. This is a portability issue, so -1 (vote, not veto) for removing > > > md5 from APR. > > > > I'm +1 on moving them to apr-util ... MD5 hashing is entirely portable. That > > is also where SHA-1 hashing is located. > > > > (the standard crypt() is generally non-portable and would remain in APR; > > that should solve Ryan's request for a way to hash [not encode] passwords) > > We don't have a crypt routine, and there has been no discussion of putting > crypt into APR so far.
htpasswd uses crypt(), but that is quite platform specific. It probably should use an APR cover for it. > Plus, for backwards compatability with 1.3, APR > will need to understand how to check for MD5 passwords. APR doesn't do this. Apache does. Since MD5 will be available in apr-util, there shouldn't be any problem. >... > Otherwise, andbody who chose to create MD5 password files will need to > re-create their password files for 2.0. I am -1 for forcing them to do > that, and that is a veto. I would agree with that veto, except it isn't needed :-) The MD5 password files are managed by Apache... not APR. The only thing that uses MD5 in APR is the UUID generation on non-Windows platforms. However, it has no real requirement to do so. The MD5 hashing was simply used as a way to create random data. Cheers, -g -- Greg Stein, http://www.lyra.org/
