On 9/7/07, Martin Kraemer <[EMAIL PROTECTED]> wrote:
> On Fri, Sep 07, 2007 at 01:12:05AM -0500, William A. Rowe, Jr. wrote:
> > But my first argument remains; if we break the expected
> > behavior, we instantly render all previous generated hashes irreconcilable.
> >
> > So it really seems like an apr-1.3 change, if that, and httpd-2.4/3.0 if
> > that was what the poster was getting at.
>
> I don't know about IBM's EBCDIC machines. For BS2000, we have no
> problem with backward compatibility, as 2.2.6 will be the 1st 2.x
> release, and as far as MD5 is concerned, compatibility with UNIX
> .htpasswd files is valued higher than compatibility with 1.3 (which
> is going to be replaced by 2.2.6). Anyway, users tended to use the
> default (crypt) passwords, not the (more exotic on unix machines)
> MD5 passwords. And a major switch in versions allows for a minor
> incompatible change that is going to be well documented too.

For the z/OS operating system, the IBM-delivered, Apache 2.0-based web server has creation of MD5 password hashes disabled due to the lack of portability and the expected surprise/dismay at being able to create hashes that can't be used on more popular platforms.

I don't know how many other users of APR password hashes exist on that platform. There's really no way to know.

> So, from my POV, I'm leaning towards fixing it in an "ASCII compatible"
> way, rather than maintaining the incompatible format for eternity.

+1 here as well

A "--disable-portable-md5" option could probably be provided, but I don't think there are enough (possibly *any*) theoretical users of that to justify cluttering the code for eternity.
