On Wed, 1 Dec 2004 19:30:43 +0000, Joe Orton <[EMAIL PROTECTED]> wrote: > On Wed, Dec 01, 2004 at 09:36:32AM -0500, Jeff Trawick wrote: > > > > HP-UX apparently has no other function than getpass(), and it silently > > truncates after 8 characters. There are Apache httpd and Subversion > > users grappling with this limit. (It caused a some puzzlement for me > > with cvs too, but APR won't help that ;) ) > > > > The hint from Joe is to set ac_cv_func_getpass=no before running > > configure. A nicer way would be to add a configure option such as > > --enable-apr-getpass. But why not avoid the system getpass() by > > default? Is maintaining compatibility with limitations of other > > applications on the same system preferable to breaking compatibility > > with the same application used on different systems with different > > native capabilities? > > Using the getpass replacement iff PASS_MAX is defined and "small" would > sound sensible? The terminal handling of the APR getpass doesn't look > as good as my nearest libc w.r.t. handling control characters though if > that were fixed I guess it would be fine to use it on all platforms with > POSIX termios support. > > But the trade-off is also against backwards-compatibility of APR, right? > Use of long passwords could "break" when upgrading to a new version of > APR with this fixed, since they would stop being truncated, although the > workaround is obviously simple.
is this an accurate understanding? the migration problem comes with the subversion-type usage scenario; user thinks password is 10 characters; actual stored password on server (HP-UX) was truncated at 8 characters; user upgrades APR on HP-UX client and now the passwords don't match when user continues to enter 10 characters; if server wasn't HP-UX or client wasn't HP-UX, it never would have worked to begin with; when both are HP-UX, client has to now be aware that they only thought their password was 10 characters, and it was really 8 with the Apache httpd (htpasswd) testcase, the discrepancy would already have been noted since the long password entered on the web browser dialog would never have matched; so no migration concern
