Hi,
Currently php-libsodium 1.x (no longer maintained upstream) is packaged for EPEL and all releases of Fedora. This version makes the libsodium calls available with the \Sodium namespace. This will be changed when PHP 7.2 is released and the calls will use sodium_ instead of the namespace.
A php-libsodium 2.x library is available (maintained), only available for PHP >= 7.0 that also uses the sodium_ convention.
Ideally we'd have a polyfill that takes care of these cases. There is one, but not sufficient for the EPEL/Fedora case [1]. It rewrites the \Sodium calls to the PHP 7.2 calls, which only works with php-libsodium-2.x which is not packaged.
I'm thinking of writing my own polyfill that will expose \Sodium and try to fallback to sodium_ if available or just "forward" to \Sodium calls if not.
What do you guys think? Is there any path to update to php-libsodium 2.x in Fedora or is the plan to wait it out for PHP 7.2? I assume PHP 7.2 will be part of RHEL 8, so that would take care of that problem as well ;)
Cheers, François
Howdy guys
On 17/09/2017 at 20:15, François Kooman wrote:
> Hi,
> Currently php-libsodium 1.x (no longer maintained upstream) is packaged for EPEL and all releases of Fedora. This version makes the libsodium calls available with the \Sodium namespace. This will be changed when PHP 7.2 is released and the calls will use sodium_ instead of the namespace.
> A php-libsodium 2.x library is available (maintained), only available for PHP >= 7.0 that also uses the sodium_ convention.
This extension is only for PHP 7.0 / 7.1.
> Ideally we'd have a polyfill that takes care of these cases. There is one, but not sufficient for the EPEL/Fedora case [1]. It rewrites the \Sodium calls to the PHP 7.2 calls, which only works with php-libsodium-2.x which is not packaged.
> I'm thinking of writing my own polyfill that will expose \Sodium and try to fallback to sodium_ if available or just "forward" to \Sodium calls if not.
> What do you guys think? Is there any path to update to php-libsodium 2.x in Fedora or is the plan to wait it out for PHP 7.2? I assume PHP 7.2 will be part of RHEL 8, so that would take care of that problem as well ;)
The package is already ready in my repository https://git.remirepo.net/cgit/rpms/php/pecl/php-pecl-libsodium2.git/tree/
If you think it can help, I can submit it for Fedora (25-27), BTW, I will have to retire it in F28 with PHP 7.2 (which has the php-sodium package, bug from main php-src)
Reminder, PHP 7.2 packages are already available (so testable) in my repository [1]
Remi
[1] https://blog.remirepo.net/post/2017/08/31/PHP-on-the-road-to-the-7.2.0-relea...
> Cheers, François
> [1] https://github.com/mollie/polyfill-libsodium
_______________________________________________
php-devel mailing list -- php-devel@lists.fedoraproject.org
To unsubscribe send an email to php-devel-leave@lists.fedoraproject.org
On 09/18/2017 07:03 AM, Remi Collet wrote:
>> A php-libsodium 2.x library is available (maintained), only available for PHP >= 7.0 that also uses the sodium_ convention.
> This extension is only for PHP 7.0 / 7.1.
Yeah I know, so it seems not really important to make this available, assuming there are no (security) issues in php-pecl-libsodium 1.x... it is no longer maintained, so it is a risk... but it is worse in EPEL, and there it is more important to be secure :)
> The package is already ready in my repository https://git.remirepo.net/cgit/rpms/php/pecl/php-pecl-libsodium2.git/tree/
> If you think it can help, I can submit it for Fedora (25-27), BTW, I will have to retire it in F28 with PHP 7.2 (which has the php-sodium package, bug from main php-src)
Indeed not really... it would only help for EPEL, but there it is not possible...
> Reminder, PHP 7.2 packages are already available (so testable) in my repository [1]
Yeah I tested with it, and it works perfectly fine! I'm now using this in spec files:
    %if 0%{?fedora} >= 28
    Requires: php-sodium
    %else
    Requires: php-libsodium
    %endif
This is not ideal, as you'd want to depend on the PHP version, not the OS as it is very well possible to install PHP 7.2 on EL7, e.g. using SCL or your Remi repo. Is there a way to check for this in spec? I guess that is a bad idea and becomes ugly fast to do this. The only nice way is to do conditional builds which would require multiple "builds".
I'm using a small SodiumCompat class that works in all situations [1].
I think packaging paragonie/sodium_compat may also work, but I am not sure supporting the user space sodium is the way to go, so a very simple wrapper would make more sense that depends on php-sodium or php-libsodium depending on the version of Fedora/EPEL, or better the PHP version.
https://blog.remirepo.net/post/2017/08/31/PHP-on-the-road-to-the-7.2.0-relea...
Thanks!
Cheers, François
[1] https://github.com/fkooman/php-oauth2-server/blob/585410072f3921ac2122098ec5...
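Added example, not part of the thread and not the SodiumCompat class linked above: a minimal wrapper of the kind discussed here, forwarding to sodium_* when it exists and to \Sodium\* otherwise. The class name SodiumShim and the choice of forwarded functions are assumptions; the code avoids PHP 7 syntax so it also parses on older PHP.

```php
<?php
// Added example: SodiumShim is a hypothetical name, not a packaged polyfill.
final class SodiumShim
{
    // Subset whose names differ only by prefix between the two APIs.
    private static $forwarded = array(
        'crypto_sign_keypair',
        'crypto_sign_secretkey',
        'crypto_sign_publickey',
        'crypto_sign_detached',
        'crypto_sign_verify_detached',
    );

    // Map a short name to the implementation that is actually loaded.
    public static function resolve($name)
    {
        if (!in_array($name, self::$forwarded, true)) {
            throw new InvalidArgumentException('not forwarded: ' . $name);
        }
        // sodium_* first, so the newer API wins when both extensions are loaded.
        foreach (array('sodium_' . $name, 'Sodium\\' . $name) as $candidate) {
            if (function_exists($candidate)) {
                return $candidate;
            }
        }
        throw new RuntimeException('no libsodium extension is loaded');
    }

    public static function __callStatic($name, $args)
    {
        return call_user_func_array(self::resolve($name), $args);
    }
}

// Sign and verify a constructed message through the shim.
try {
    $msg = 'constructed sample message';
    $kp  = SodiumShim::crypto_sign_keypair();
    $sig = SodiumShim::crypto_sign_detached($msg, SodiumShim::crypto_sign_secretkey($kp));
    $ok  = SodiumShim::crypto_sign_verify_detached($sig, $msg, SodiumShim::crypto_sign_publickey($kp));
    echo $ok ? "signature verified\n" : "verification failed\n";
} catch (RuntimeException $e) {
    echo 'cannot run: ', $e->getMessage(), "\n";
}
```

The explicit list keeps the shim from forwarding a name that does not exist under both prefixes; a call outside the list fails with InvalidArgumentException instead of reaching an undefined function.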
Hi,
Sorry, being late..
On 18/09/2017 at 14:29, François Kooman wrote:
> in spec files:
>
>     %if 0%{?fedora} >= 28
>     Requires: php-sodium
>     %else
>     Requires: php-libsodium
>     %endif
I think this only makes sense if you accept both versions, as sodium (v2 or PHP 7.2) and libsodium (v1) have different APIs.
If you need v2
    Requires: php-sodium
    Requires: php-pecl(libsodium) >= 2
If you need v1
    Requires: php-libsodium
or
    Requires: php-pecl(libsodium) < 2
Notice: I've just fixed a small issue in the old v1 extension, which allows loading both extensions simultaneously, so I will keep the php-pecl-libsodium package for a few more Fedora versions.
Remi.
P.S. IMHO, "Requires: php-foo" should always be preferred, rather than the php-pecl(xxx) virtual provides.