remove LegacyPasswd code and dependency on crypt #1153

Closed
peterbecich opened this issue Jan 3, 2023 · 2 comments · Fixed by #1165

peterbecich commented Jan 3, 2023

hackage-server has a dependency on the extra-library crypt:

if !os(darwin)
  extra-libraries: crypt

I believe that refers to this function: https://en.wikipedia.org/wiki/Crypt_(C)

It appears that crypt is deprecated:
https://www.gentoo.org/support/news-items/2021-10-18-libxcrypt-migration-stable.html

The implementation of libcrypt.so within glibc has been deprecated
for a long time and will be removed in the near future.

For this reason, we are following other distributions (where
this has been tested for years already) and switching to the
external libxcrypt implementation, now also in stable installations.

It also looks like Nix is moving away from libcrypt to a different library libxcrypt: NixOS/nixpkgs#181764


The usage of the library in hackage-server is here:

foreign import ccall unsafe "crypt" cCrypt :: CString -> CString -> CString

Can we replace libcrypt with libxcrypt, or replace this foreign import ccall with some other library like

peterbecich changed the title: Should crypt be replaced with libcrypt? → Should crypt be replaced with something else? (Jan 3, 2023)
peterbecich changed the title: Should crypt be replaced with something else? → Can libcrypt be replaced with something else? (Jan 3, 2023)

peterbecich commented

The easiest way to solve this is by deleting the "old-style crypt() auth", if possible:

-- Old-style crypt() auth
--
-- compatible with apache htpasswd files using CRYPT format:
--
-- http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
--
-- | These are the *old* crypt format password hashes (salted DES: perl crypt).
-- Not the same as the new hashes we store in 'PasswdHash'.
--
newtype HtPasswdHash = HtPasswdHash String
  deriving (Eq, Show, Typeable, MemSize)
$(deriveSafeCopy 0 'base ''HtPasswdHash)

peterbecich changed the title: Can libcrypt be replaced with something else? → Can libcrypt be replaced with something else? Or delete "old-style crypt() auth"? (Jan 3, 2023)
gbaz commented Jan 3, 2023

At this point I think just ripping out the legacypasswd stuff is acceptable -- the migration has been over for a long time now. PR welcome.

peterbecich changed the title: Can libcrypt be replaced with something else? Or delete "old-style crypt() auth"? → remove LegacyPasswd code and dependency on crypt (Jan 9, 2023)
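
An added example (not hackage-server code, and not written by either commenter): one way to check, before deleting support for the htpasswd CRYPT format, whether any accounts still hold old salted-DES hashes. The `user:hash` text export, the function names and the sample data are assumptions made for illustration.

```python
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars, all from
# [./0-9A-Za-z]. This is a shape check only: a plaintext entry that happens
# to be 13 such characters looks identical.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

# Prefixes of the other htpasswd formats in Apache's password_encryptions doc.
PREFIXES = (("$apr1$", "apr1-md5"), ("$2y$", "bcrypt"), ("{SHA}", "sha1"))


def classify(hash_field):
    """Name the scheme of one htpasswd hash field by its format."""
    for prefix, name in PREFIXES:
        if hash_field.startswith(prefix):
            return name
    if DES_CRYPT.fullmatch(hash_field):
        return "des-crypt"
    return "unknown"


def audit(text):
    """Return (legacy_users, problems) for htpasswd-style 'user:hash' text."""
    legacy, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # '#' comments: an assumption
            continue
        user, sep, hash_field = line.partition(":")
        if not (sep and user and hash_field):
            problems.append((lineno, "malformed"))
        elif classify(hash_field) == "des-crypt":
            legacy.append(user)
        elif classify(hash_field) == "unknown":
            problems.append((lineno, "unknown"))
    return legacy, problems


# Constructed sample: user names and hash strings are made up.
SAMPLE = "\n".join([
    "# constructed sample, not real credentials",
    "alice:zz" + "A" * 11,             # DES crypt shape (13 chars)
    "bob:$apr1$saltsalt$" + "B" * 22,  # Apache MD5 shape
    "carol:$2y$05$" + "C" * 53,        # bcrypt shape
    "dave",                            # no colon: malformed
    "erin:not-a-known-format",         # unrecognised
])

if __name__ == "__main__":
    legacy, problems = audit(SAMPLE)
    print("legacy DES crypt accounts:", legacy)
    print("lines needing review:", problems)
```

An empty legacy list means no account in the export would lose its only credential when the CRYPT path is removed; anything reported as `unknown` needs a manual look rather than an assumption either way.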