On 10/01/2016 21:41, Scott Arciszewski wrote:
Hi Rowan,
>I think what people are suggesting is not that libsodium shouldn't be
>supported under-the-hood, just that the fact you're using it shouldn't be
>exposed to userland.
These are separate concerns. Let's call them Sodium and SimpleSodium.
With Sodium, power users gain the ability to write software that
directly uses low-level primitives in PHP without requiring their
users to install dependencies (i.e. from PECL). [
SimpleSodium is a driver for the simple cryptography wrapper.
As noted on the other thread, I think what people are looking for is
actually somewhere between the two - something for power users to use
*without tying their code to libsodium*. Code written using mcrypt_*
functions is now facing an annoying upgrade path; code written with
sodium_* functions now may face the same some years in the future, who
knows?
PHP should not be maintaining its own low-level implementations of
crypto, but it should seem to the user as though it does - they should
be asking PHP for a particular cipher / mode / etc, not asking libsodium
for one via a thin PHP wrapper.
You can have SimpleSodium without Sodium, but if we don't get Sodium into core
I will, personally, not be putting forth one more ounce of time or
effort into helping the PHP core so who knows maybe not?
Obviously, this is entirely your prerogative, but it seems quite a
black-and-white stance - maybe leave a bit of leeway for understanding
other people's concerns before threatening to abandon work which would
be very much appreciated.
Regards,
--
Rowan Collins
[IMSoP]
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
