Newsgroups: php.internals
Date: Sun, 20 Mar 2016 12:55:04 -0400
From: scott@paragonie.com (Scott Arciszewski)
To: PHP Internals
Subject: Re: [PHP-DEV] [RFC] Libsodium (bump)

On Sat, Mar 19, 2016 at 4:30 AM, Fleshgrinder wrote:

> On 3/18/2016 9:56 PM, Levi Morrison wrote:
> >> At least that's not what it says in the docs.
> >
> > I meant: at least according to the docs:
> > http://php.net/manual/en/language.namespaces.rationale.php
> >
> >> Namespace names PHP and php, and compound names starting with these
> >> names (like PHP\Classes) are reserved for internal language use and
> >> should not be used in the userspace code.
> >
>
> Okay, I did not know that. However, right now all internal classes and
> functions are in *\* and that is also what the coding standards
> prescribe. My point being (and was) that this system works well, so why
> change it now shortly after a new major version. Changing all old code
> would result in an unbelievable breaking change, even with a new major
> version, without any real value. Yes, I am saying that although I am
> usually totally in favor of changing things for the better. I simply do
> not see *any* benefit here.
>
> --
> Richard "Fleshgrinder" Fussenegger
>

I'm 99% sure that the plan is to go with sodium_* since the change isn't /that/ painful. (Creating a polyfill for code written against the PHP extension is trivial.)

While I'd love to break new ground with this (the first extension to actually use the reserved namespace), I'm concerned this would just create a lot of pointless bikeshedding arguments.

The goal here isn't to be totally avant garde and break exciting new ground (even if the plot is already allocated for "future development"). The goal here (for me, anyway) is to make cryptography in PHP boring: It should be simply secure (with a security level >= 2^100 bits for all meaningful metrics), as side-channel resistant as possible, and intuitive for non-cryptographers to use properly.

I want to see PHP get to where it's easier to do the secure thing than to do the insecure thing. The password hashing API in 5.5 was the first great leap towards this goal. Adding CSPRNG functions in PHP 7 that throw an Exception when PHP can't access the kernel's CSPRNG moved us further in the right direction. Deprecating libmcrypt and introducing libsodium is, to me, the next logical step towards that goal.

Until that happens, PHP developers will be given more than enough rope to hang themselves (and the company they work for) with their fumbled cryptography engineering. Let's take away the noose and give everyone a safety net.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises