On 5/14/2014 8:24 PM, Weijun Wang wrote: >>> How is this unsafe, especially compared to if we don't fix it? The only >>> bad thing is that if someone wants to set the timeout to be less than >>> 120 ms, now there will be no way to do it. But that should never happen, >>> right? >>> >> My concerns is that it might happen. 120ms is not a small number, and >> 120s is not a big number in some circumstances. > > 120ms and 120s are possible values, So it is really confusing to me that 119 will be treated as seconds, and 121 will be treated as milliseconds.
> but I doubt people will set them in > krb5.conf. > I did not get your idea. People won't use kdc_timeout option at all? >> >> Alternatively, for better inerop, we can suggest to use explicit spec in >> the configure instead of guess the what the spec is. Support two >> default specs is really confusing. >> > > Unless we drop kdc_timeout and invent a new key name, we will have to > deal with the correctness (sec) and compatibility (msec) at the same > time. Yes, we can suggest people always adding a unit, but it looks most > people simply put a bare number there. IMHO, just declare it as a known issue of Java is an alternative approach I may prefer. Is Java the only implementation to use milliseconds in the configuration? Do we have public specification for the kdc_timeout option? Or we just declare we follow the industry conversions? If Java is the only vendor to use milliseconds wrongly, it may be OK to make the correction in a major release (JDK 9?). Xuelei
