PHP extension for libsodium

Hello!
Is it possible to get the php-extension for libsodium installed?

Or alternatively get PHP 7.2? It includes this extension out of the box.

Would be great - thanks :slight_smile:

PHP 7.2 has not been released yet. There are development builds available for testing right now, but we are not going to run testing versions of software on our servers. We want to provide a reliable service, and we need stable and reliable software to do that.

Similarly, the PHP extension for libsodium I could find seems to be an obscure, custom implementation. That software is just a bit too esoteric to install on millions of websites at once.

When PHP 7.2 gets its first stable release, we’re going to add it to the PHP switcher as well. And with libsodium being available in the core PHP distribution, we will investigate adding it as well.

Not sure what extension you are referring to, but GitHub - jedisct1/libsodium-php: The PHP extension for libsodium. is neither “obscure”, “custom” nor “esoteric”. This is not what it’s supposed to be anyway :slight_smile:

It’s actively maintained, by the creepy guy who also maintains the code in PHP 7.2, and who also happens to be the author of libsodium. This extension can be installed via PECL and offers the same API as what will be in PHP 7.2. The code is virtually the same.

@jedisct1 said:
Not sure what extension you are referring to, but GitHub - jedisct1/libsodium-php: The PHP extension for libsodium. is neither “obscure”, “custom” nor “esoteric”. This is not what it’s supposed to be anyway :slight_smile:

It has only 300 stars on GitHub. That’s not a popular project.

It’s actively maintained, by the creepy guy who also maintains the code in PHP 7.2, and who also happens to be the author of libsodium. This extension can be installed via PECL and offers the same API as what will be in PHP 7.2. The code is virtually the same.

Like I said, we’ll consider including it with PHP 7.2.

Please understand that our PHP installations are used on millions of websites; we can’t install software on a whim.

@Admin said:
It has only 300 stars on GitHub. That’s not a popular project.

I’m not sure you fully understand what just happened in this conversation.

You referred to the libsodium-php extension, created by the same person who created the libsodium library itself (the same “gold standard” crypto library that PHP itself intends to use), as “obscure” and “esoteric”…

…and then the actual author of libsodium and libsodium-php took time out of their personal day to come here and set the record straight…

…and you then dismissed their hard work (which is, by the way, the very same hard work that’s about to make its way into PHP) as worthless due to a lack of stars on GitHub.

If you’re looking for GitHub-indicated popularity, I would refer you to https://github.com/jedisct1/libsodium. 4700 stars and counting. Note the username there. It’s the same person.

Were I in your position, I would’ve never written that second post, and instead would’ve offered some profuse apologies to the person doing more to push security and crypto forward (not just in PHP, but for the web at large) than almost any other software developer I know.

Given the huge breadth of installed clients on your service, it would unquestionably be in your best interests to take steps to improve the security options available to those clients. I would highly recommend taking this post into consideration instead of flatly rejecting it.

You’re right @SilverEagle, I missed some important points.

I COMPLETELY missed the similarity with the username @jedisct1 (both on the forum and on the official project). The details check out, I’m happy to see the author of libsodium (and many other great projects) here! I’m sorry I didn’t recognize you before.

As far as cryptography libraries go, libsodium is quite a popular one. And definitely not worthless. For those with specific and high cryptography needs, libsodium is very useful.

However, the key phrase here is “as far as cryptography libraries go”. Note that this is the first post on this forum ever requesting this particular extension. Not a single other person has ever requested this extension or expressed interest in using it. I don’t mean that as criticism regarding the library itself; I have no doubts about the quality of it. However, the majority of the InfinityFree user base apparently don’t have any need for this extension.

Please understand that we’re dealing with a website hosting service. A large part of InfinityFree users use off-the-shelf software, like WordPress, Joomla, MyBB or even a drag-and-drop builder. I don’t know of any popular CMS which requires the libsodium extension. For the sake of compatibility, many scripts don’t rely on extensions that are not available with a typical PHP installation. To ensure as many people as possible can use the software, CMS developers generally rely on extensions available on virtually all PHP installations (like openssl for cryptography).

So the only scripts that would need libsodium have some specific purpose related to cryptography, which cannot be fulfilled with openssl or other more widely available plugins. But (again, judging by the general interest), that’s a rare edge case here.

When libsodium is shipped with PHP 7.2, we should see libsodium-php usage increase on the web and probably see more scripts adopting it as well. When that happens, we’ll make sure the extension is available on our servers too.