On 30/05/13 06:38, Daniel Friesen wrote:
The current documentation on the setting is also
complete and totally
false. It says "For compatibility with old installations set to
false.", but at this point this has absolutely nothing to do with
I'm pretty sure it is still true, with the code as it stands. There's
a difference between "completely and totally false" and "should
probably be false in the future".
Frankly even if we do have any sort of remaining
bet it would be fairly trivial to actually solve (eg: For ancient
password hashes just try both ancient algorithms instead of just one).
Feel free to change User::comparePasswords() to do that, and then
deprecate $wgPasswordSalt. If there are authentication plugins that
depend on it, it would be polite to allow for a deprecation period
rather than just removing it.
-- Tim Starling