ruby-core@ruby-lang.org archive (unofficial mirror)
* [ruby-core:122502] [Ruby Feature#14915] Deprecate String#crypt
       [not found] <redmine.issue-14915.20180716175313.1604@ruby-lang.org>
@ 2025-06-10  1:03 ` jhawthorn (John Hawthorn) via ruby-core
  0 siblings, 0 replies; only message in thread
From: jhawthorn (John Hawthorn) via ruby-core @ 2025-06-10  1:03 UTC (permalink / raw)
  To: ruby-core; +Cc: jhawthorn (John Hawthorn)

Issue #14915 has been updated by jhawthorn (John Hawthorn).


> even if that removal doesn't happen until Ruby 4.

👀

It's been 6 years, is it worth considering `String#crypt`'s removal again? I'd be happy to update Jeremy's patch and gem (which the docs have recommended using since Ruby 2.6).

We ran into it today as @luke-gru found a deadlock when it was used with Ractors (PR is open to fix). I also noticed it does not release the GVL despite it being possible for it to take a long time to run (minutes!) with certain arguments. I think it would be best for Ruby not to provide such a badly behaved method.

----------------------------------------
Feature #14915: Deprecate String#crypt
https://bugs.ruby-lang.org/issues/14915#change-113694

* Author: jeremyevans0 (Jeremy Evans)
* Status: Rejected
----------------------------------------
This method is system and implementation dependent, and the
portable usage mentioned in the documentation is not truly
portable (doesn't work on OpenBSD) and insecure as it uses DES.
For systems that lack a crypt(3) implementation, Ruby will
happily substitute a version that only supports DES.  It's 2018,
using DES should be avoided if at all possible.

The only internal usage of String#crypt in Ruby is in Webrick,
where it uses DES for basic authentication with an htpasswd file.
That could and should be changed to use a more secure hash by
default (bcrypt since that's the most secure htpasswd format),
or at least allow the user to customize Webrick's authentication.
I expect there are few if any users actively using Webrick's
htpasswd support.

This moves the String#crypt implementation to the string/crypt
extension, but leaves the String#crypt core method.  The core
method prints a deprecation warning, then loads the string/crypt
extension. The string/crypt extension undefines the String#crypt
core method, then defines the previous implementation.

Because extensions use extconf.rb instead of configure for their
configuration, this ports the related configure.ac code to
extconf.rb.  I'm not sure that is done correctly and works on
all platforms, it will need testing.

For systems that lack a crypt(3) implementation, this modifies the
fallback code to only define crypt_r, since that is the only
function that String#crypt will call in that case.

While the patch just deprecates String#crypt, I think
we should plan to remove support from ruby:

2.6: core method deprecated
2.7: core method removed, string/crypt extension ships with ruby
2.8: string/crypt extension moves to external gem, not shipped

---Files--------------------------------
0001-Deprecate-String-crypt-move-implementation-to-string.patch (20.5 KB)
0001-Deprecate-String-crypt.patch (7.48 KB)
0001-Deprecate-String-crypt.patch (7.35 KB)
0001-Deprecate-String-crypt.patch (7.43 KB)
deprecate-string-crypt.patch (6.7 KB)


-- 
https://bugs.ruby-lang.org/
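The issue description above notes that WEBrick's htpasswd support relies on DES via `String#crypt` and calls bcrypt the most secure htpasswd format. As an added example (not code from this thread, from Ruby or from WEBrick), the following Ruby sketch classifies htpasswd entries by hash format so that DES-crypt entries can be found before migrating; it goes slightly beyond the DES case by also recognizing the other common htpasswd formats. The function names, the default policy and the sample file are constructed for illustration.

```ruby
# Added example: classify htpasswd entries by hash format to locate
# DES-crypt entries. All names and the sample data are constructed here.

# Checked in order; the 13-character DES form is the least distinctive, so it
# goes last. A 13-character plaintext entry would also match it.
SCHEMES = [
  [:bcrypt,    /\A\$2[abxy]\$\d{2}\$[.\/A-Za-z0-9]{53}\z/],
  [:apr1_md5,  /\A\$apr1\$[.\/A-Za-z0-9]{1,8}\$[.\/A-Za-z0-9]{22}\z/],
  [:sha1,      /\A\{SHA\}[A-Za-z0-9+\/]{27}=\z/],
  [:des_crypt, /\A[.\/A-Za-z0-9]{13}\z/]
].freeze

def classify_hash(hash)
  SCHEMES.each { |name, pattern| return name if pattern.match?(hash) }
  :unrecognized
end

# Returns one record per credential line; blank and '#' lines are skipped.
def parse_htpasswd(text)
  text.each_line.with_index(1).filter_map do |line, lineno|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    user, hash = line.split(":", 2)
    { line: lineno, user: user, scheme: classify_hash(hash.to_s) }
  end
end

# Entries whose format is not in the allowed set (assumed policy: bcrypt only).
def entries_outside_policy(text, allowed: [:bcrypt])
  parse_htpasswd(text).reject { |e| allowed.include?(e[:scheme]) }
end

# Constructed sample file; the hash bodies are filler, not real credentials.
SAMPLE = <<~HTPASSWD
  # constructed sample
  alice:$2y$10$#{'A' * 53}
  bob:$apr1$saltsalt$#{'B' * 22}
  carol:{SHA}#{'C' * 27}=
  dave:abCDEFGHIJKLM
HTPASSWD

entries_outside_policy(SAMPLE).each do |e|
  puts "line #{e[:line]}: #{e[:user]} uses #{e[:scheme]}"
end
```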