Hi Scott,

On 10/01/2016 22:22, Scott Arciszewski wrote:
> And I'm of the opinion that most users need a library that does
> everything for them, and power users need a toolkit, and we shouldn't
> try to solve both use cases with the same library.

I don't think anyone is arguing against that, they just see a different pair of tools: a toolkit which is abstracted slightly away from libsodium but still has all its flexibility, and a crypto-for-dummies interface on top of that.


> If libsodium gets obsoleted (unlikely), it will be because of the
> availability of practical quantum computers, which also obsoletes
> openssl and all existing public-key cryptography. Mcrypt is unique in
> that it was completely abandoned (and poorly designed, to boot) after
> adoption. I don't think this is a meaningful discussion to have right
> now, given how widespread it is.

OpenSSL was incredibly widespread when Heartbleed was uncovered; it still is, and from your other mails you're still not a fan. Without a crystal ball, we can't know that Sodium is going to last forever, so we are looking for a way to integrate its functionality into PHP in such a way that if an alternative comes along later, it is relatively easy to port code from one to the other, rather than tying PHP code directly to Sodium's API.

It may even turn out - I honestly don't know - that the only thing we need to change in Sodium's API is the word "Sodium", and we could simply present the functions as "a toolbox of encryption primitives, currently implemented using libsodium".

Regards,

--
Rowan Collins
[IMSoP]


--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
