On Sun, Jun 5, 2016 at 9:35 AM, Scott Arciszewski <sc...@paragonie.com> wrote:
> On Sun, Jun 5, 2016 at 4:31 AM, Fleshgrinder <p...@fleshgrinder.com> wrote:
> > On 6/5/2016 10:23 AM, Scott Arciszewski wrote:
> >> I'm trying to keep concerns separate. I do want to make the pluggable
> >> crypto API happen, but I barely have time for this libsodium RFC and I
> >> don't want to conflate the two. (Even worse: I wouldn't want the mere
> >> thought of an abstract high-level API to block libsodium from getting
> >> accepted.)
> >>
> >> Instead of /completely redesigning/ the libsodium API, what are some
> >> changes that need to be made to alleviate the majority of concerns
> >> ("it's not the pluggable crypto API" notwithstanding)?
> >>
> >> Two things to keep in mind:
> >>
> >> 1. If it breaks existing code that uses libsodium-php in a nontrivial
> >> way, I'm going to resist the change unless it can be proven necessary
> >> for the sake of everyone's sanity.
> >> 2. If it greatly deviates from the experience of using libsodium in
> >> other programming languages (e.g. renaming crypto_box), you no longer
> >> have libsodium and thus I will resist it.
> >>
> >> Getting rid of redundant features (by improving existing ones, not
> >> just cutting them!) is fine. Dropping scrypt, etc. is fine.
> >>
> >
> > Keeping sodium as an extension solves all your problems. You can keep
> > evolving it in any way you like without having to argue with others. No
> > breaking changes, nothing. It can even be used after another API is
> > introduced in core.
>
> All my problems? How do I get non-root users to install it?
>

I don't really get this point. All main distros have separate packages for the core extensions as well as for PECL extensions. You still need root access to install the extension and it doesn't matter if it's a core ext or PECL ext. There are lots of extensions that do really well outside the core (e.g. mongo). So why do we really need it in the core?

Personally I find libsodium a nice extension that provides some cool stuff. However I don't see a big benefit of adding that to the core. We already struggle to maintain the current extensions and even if you said that you would maintain it, we should also take into account the fact that it can change and we might end up with another unmaintained ext.

Cheers

Jakub