[PATCH] getpass.3: SYNOPSIS: Mark getpass() as [[deprecated]]

[Alejandro Colomar <alx.manpages@gmail.com>]

Suggest readpassphrase(3bsd) as an alternative.

See the long discussion in the mailing list for more details (link
at the bottom of this commit message).  I'll quote some relevant
parts here:

Eugene Syromyatnikov <evgsyr@gmail.com>:
{
	And the only mention of getpass() in POSIX (at least,
	since the 2001's edition) indeed seems to be [1], in the
	list of functions that have not been carried forward from
	XSH5, the 1997 revision of “System Interfaces and Headers”
	(that is, SUSv2)[2], where it is inherited from SUSv1[4]
	from XPG[5] and, as Alejandro already mentioned, marked as
	obsolete, per XPG3 to XPG4 migration guide[6]; the
	previous, 1988, version of POSIX[3] does not mention
	getpass() at all.

	[1] https://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap01.html
	[2] https://pubs.opengroup.org/onlinepubs/7908799/xsh/getpass.html
	[3] https://mirror.math.princeton.edu/pub/oldlinux/download/c953.pdf
	[4] https://pubs.opengroup.org/onlinepubs/9695969499/toc.pdf
	[5] https://bitsavers.computerhistory.org/pdf/xOpen/X_Open_Portability_Guide_1985/xpg_2_xopen_system_v_specification_2.pdf
	[6] http://archive.opengroup.org/publications/archive/CDROM/g501.pdf
}

Theo de Raadt <deraadt@openbsd.org>:
{
	The community finally had the balls to get rid of gets(3).

	getpass(3) shares the same flaw, that the buffer size
	isn't passed.  This has been an issue in the past, and
	incorrectly led to readpassphrase(3).

	readpassphrase(3) has a few too many features/extensions
	for my taste, but at least it is harder to abuse.
}

Alejandro Colomar <alx.manpages@gmail.com>:
{
	I found readpassphrase(3) in FreeBSD and OpenBSD.  It is
	also present in libbsd(7), which is available in most
	Linux distributions.  I also found it on a Mac that I have
	access.

	NetBSD has getpass_r(3) instead.  It is not in any other
	system I have access.
}

Zack Weinberg <zack@owlfolio.org>:
{
	I was about to post exactly the same thing.  getpass(3)
	is not deprecated because there's a better replacement,
	it's deprecated because it's _unsafe_.  The glibc
	implementation wraps getline(3) and therefore  doesn't
	truncate the passphrase or overflow a fixed-size buffer,
	no matter how long the input is, but portable code cannot
	rely on that.  And come to think of it, using getline(3)
	means that prefixes of the passphrase may be left lying
	around in malloc's free lists.

	(getpass also cannot be made thread safe, due to recycling
	of a static buffer, but a program in which multiple
	threads are racing to prompt the user for passwords would
	be a UX disaster anyway, so I don't think that's a
	critical flaw the way it is for e.g. strtok(3).)

	The Linux manpage project's documentation is, as I
	understand it, for Linux with glibc _first_, but not
	_only_; it should not describe this function as
	not-deprecated just because glibc has patched its worst
	problems and doesn't offer any better API.
}

List: linux-man <https://lore.kernel.org/linux-man/6d8642e9-71f7-4a83-9791-880d04f67d17@www.fastmail.com/T/#t>
Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
Cc: Git <git@vger.kernel.org>
Cc: Glibc <libc-alpha@sourceware.org>
Cc: OpenBSD <tech@openbsd.org>
Cc: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
Cc: Benoit Lecocq <benoit@openbsd.org>
Cc: Klemens Nanni <kn@openbsd.org>
Cc: Randall <rsbecker@nexbridge.com>
Cc: Eugene Syromyatnikov <evgsyr@gmail.com>
Cc: Theo de Raadt <deraadt@openbsd.org>
Cc: Zack Weinberg <zack@owlfolio.org>
Cc: Florian Weimer <libc-alpha@sourceware.org>
---
 man3/getpass.3 | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/man3/getpass.3 b/man3/getpass.3
index fa2031544..7d6da07fa 100644
--- a/man3/getpass.3
+++ b/man3/getpass.3
@@ -28,7 +28,7 @@ getpass \- get a password
 .nf
 .B #include <unistd.h>
 .PP
-.BI "char *getpass(const char *" prompt );
+.BI "[[deprecated]] char *getpass(const char *" prompt );
 .fi
 .PP
 .RS -4
@@ -48,6 +48,7 @@ Feature Test Macro Requirements for glibc (see
 .SH DESCRIPTION
 This function is obsolete.
 Do not use it.
+See NOTES.
 If you want to read input without terminal echoing enabled,
 see the description of the
 .I ECHO
@@ -126,7 +127,11 @@ Removed in POSIX.1-2001.
 .\" are transmitted as part of the password.
 .\" Since libc 5.4.19 also line editing is disabled, so that also
 .\" backspace and the like will be seen as part of the password.
-.
+You should use instead
+.BR readpassphrase (3bsd),
+provided by
+.IR libbsd .
+.PP
 In the GNU C library implementation, if
 .I /dev/tty
 cannot be opened, the prompt is written to
-- 
2.33.1