From: rsbecker@nexbridge.com
To: 'Alejandro Colomar (man-pages)', 'Theo de Raadt'
Cc: 'Libc-alpha', 'linux-man'
Subject: RE: Is getpass(3) really obsolete?
Date: Fri, 29 Oct 2021 11:00:38 -0400
Organization: Nexbridge Inc.

On October 29, 2021 10:45 AM, Alejandro Colomar wrote:
> On 10/29/21 16:33, rsbecker@nexbridge.com wrote:
> > October 29, 2031 10:21 AM, Theo de Raadt will write:
> >> wrote:
> >>
> >>>>> getpass() is obsolete in POSIX.2. However, some platforms still are on POSIX.1,
> >>>> so replacing it instead of providing a configure detection/switch for it might
> >>>> cause issues.
> >>>>
> >>>>
> >>>> The community finally had the balls to get rid of gets(3).
> >>>>
> >>>> getpass(3) shares the same flaw, that the buffer size isn't passed.
> >>>> This has been an issue in the past, and incorrectly led to readpassphrase(3)
>
> That seems a good reason to keep the "Do not use it." note in the manual page.
> I think I'll add a recommendation for readpassphrase(3bsd) for the moment
> which is the only alternative available in Linux.
>
> >>>>
> >>>> readpassphrase(3) has a few too many features/extensions for my taste, but at
> >>>> least it is harder to abuse.
> >>>
> >>> readpassphrase is not generally supported. This will break builds on
> >>> many platforms.
>
> I found readpassphrase(3) in FreeBSD and OpenBSD.
> It is also present in libbsd(7), which is available in most Linux distributions.
> I also found it on a Mac that I have access to.
>
> NetBSD has getpass_r(3) instead. It is not in any other system I have access to.
>
>
> >>
> >> Of course moving forward takes a long time. If a better API is supplied then
> >> there is a choice in 10 years. If a better API is not supplied, then 10 years from
> >> now this conversation can get a reply.
> >
> > I checked the API 10 years from now (check the above date) and it's still not
> > there 😉 In the meantime, compatibility is important. I checked the latest
> > release (last week's) on my platform and readpassphrase() is not available. Let's
> > please put a compatibility layer in.
>
>
> libbsd(7) is probably the compatibility layer that you're looking for.
> What system are you on?

I am on two variants (x86 and ia64) of HPE NonStop with current operating systems - and I do the build/test for git and OpenSSL. getpass() is an alias to getpass2() but the other procs are not present. If this is going into git, I would suggest putting something into compat.c to abstract out the call. If it's there, we can handle it on a platform-by-platform basis.

Thanks,
Randall
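
Added example (not part of the message above, and not code from git, glibc or libbsd): one shape the compat wrapper suggested above could take, with the buffer size passed in by the caller, which is the piece getpass(3) lacks. compat_getpass(), compat_getpass_fd() and the HAVE_READPASSPHRASE build macro are hypothetical names, and the fallback path assumes POSIX termios is available.

```c
/* Added example. compat_getpass(), compat_getpass_fd() and
 * HAVE_READPASSPHRASE are hypothetical names; POSIX termios is assumed. */
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>
#ifdef HAVE_READPASSPHRASE
#include <readpassphrase.h>   /* <bsd/readpassphrase.h> when built against libbsd */
#endif

/* Read one line from fd into buf: at most bufsiz-1 bytes, NUL-terminated.
 * Input past the buffer is consumed and dropped. Returns buf, or NULL. */
char *compat_getpass_fd(int fd, const char *prompt, char *buf, size_t bufsiz)
{
    struct termios saved, noecho;
    int tty = isatty(fd) && tcgetattr(fd, &saved) == 0;
    size_t n = 0; ssize_t r; char c;
    if (buf == NULL || bufsiz == 0)
        return NULL;
    if (tty) {
        noecho = saved;
        noecho.c_lflag &= ~(tcflag_t)ECHO;   /* stop echoing typed characters */
        tcsetattr(fd, TCSAFLUSH, &noecho);
        fputs(prompt, stderr);
    }
    while ((r = read(fd, &c, 1)) == 1 && c != '\n')
        if (n < bufsiz - 1)
            buf[n++] = c;                    /* bounded by the caller's size */
    buf[n] = '\0';
    if (tty) {
        tcsetattr(fd, TCSAFLUSH, &saved);    /* restore the saved settings */
        fputc('\n', stderr);
    }
    if (r < 0 || (r == 0 && n == 0)) {       /* read error, or EOF before any input */
        memset(buf, 0, bufsiz);
        return NULL;
    }
    return buf;
}

char *compat_getpass(const char *prompt, char *buf, size_t bufsiz)
{
#ifdef HAVE_READPASSPHRASE
    return readpassphrase(prompt, buf, bufsiz, RPP_ECHO_OFF);
#else
    return compat_getpass_fd(STDIN_FILENO, prompt, buf, bufsiz);
#endif
}
```

Unlike readpassphrase(3), this fallback does not restore the terminal if a signal arrives while echo is off.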