Re: Is getpass(3) really obsolete?

Hi Randall, Theo,

On 10/29/21 16:33, rsbecker@xxxxxxxxxxxxx wrote:
October 29, 2031 10:21 AM, Theo de Raadt will write:
<rsbecker@xxxxxxxxxxxxx> wrote:

getpass() is obsolete in POSIX.2. However, some platforms still are on POSIX.1,
so replacing it instead of providing a configure detection/switch for it might
cause issues.


The community finally had the balls to get rid of gets(3).

getpass(3) shares the same flaw, that the buffer size isn't passed.
This has been an issue in the past, and incorrectly led to readpassphrase(3)

That seems a good reason to keep the "Do not use it." note in the manual page. I think I'll add a recommendation for readpassphrase(3bsd) for the moment which is the only alternative available in Linux.


readpassphrase(3) has a few too many features/extensions for my taste, but at
least it is harder to abuse.

readpassphrase is not generally supported. This will break builds on
many platforms.
I found readpassphrase(3) in FreeBSD and OpenBSD.
It is also present in libbsd(7), which is available in most Linux distributions.
I also found it on a Mac that I have access to.

NetBSD has getpass_r(3) instead. It is not in any other system I have access to.



Of course moving forward takes a long time.  If a better API is supplied then
there is a choice in 10 years.  If a better API is not supplied, then 10 years from
now this conversation can get a reply.

I checked the API 10 years from now (check the above date) and it's still not there 😉 In the meantime, compatibility is important. I checked the latest release (last week's) on my platform and readpassphrase() is not available. Let's please put a compatibility layer in.

libbsd(7) is probably the compatibility layer that you're looking for. What system are you on?

<https://libbsd.freedesktop.org/wiki/>

Cheers,

Alex


--
Alejandro Colomar
Linux man-pages comaintainer; https://www.kernel.org/doc/man-pages/
http://www.alejandro-colomar.es/
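
Added example, not part of the original message and not code from libbsd or any project named in the thread: a bounded line reader in which the caller passes the buffer size, the parameter the thread notes getpass(3) never receives. `read_secret` and `wipe` are hypothetical names, and rejecting and wiping an over-long line instead of truncating it is a choice made for this example.

```c
#include <stddef.h>
#include <termios.h>
#include <unistd.h>

/* Overwrite a buffer through a volatile pointer so the stores are kept. */
static void wipe(char *p, size_t n)
{
    volatile char *v = p;
    while (n--)
        *v++ = 0;
}

/* read_secret() is a hypothetical helper, not an API named in the thread.
 * Reads one line from fd into buf[bufsiz], echo off if fd is a terminal.
 * Returns the length stored, or -1 on error, EOF, or a line that does not
 * fit. Not handled: a fatal signal during the read leaves echo disabled. */
ssize_t read_secret(int fd, char *buf, size_t bufsiz)
{
    struct termios saved, noecho;
    size_t len = 0;
    int is_tty, overflow = 0;
    ssize_t n;
    char c;

    if (buf == NULL || bufsiz == 0)
        return -1;
    is_tty = (tcgetattr(fd, &saved) == 0);   /* fails on pipes and files */
    if (is_tty) {
        noecho = saved;
        noecho.c_lflag &= ~(tcflag_t)ECHO;
        noecho.c_lflag |= ECHONL;            /* still echo the final newline */
        if (tcsetattr(fd, TCSAFLUSH, &noecho) != 0)
            return -1;
    }
    /* Drain the whole line even when it is too long, so the excess is not
     * picked up by the next read, but never write past bufsiz - 1. */
    while ((n = read(fd, &c, 1)) == 1 && c != '\n') {
        if (len + 1 < bufsiz)
            buf[len++] = c;
        else
            overflow = 1;
    }
    buf[len] = '\0';
    if (is_tty)
        tcsetattr(fd, TCSAFLUSH, &saved);
    if (n < 0 || overflow || (n == 0 && len == 0)) {
        wipe(buf, bufsiz);
        return -1;
    }
    return (ssize_t)len;
}
```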


