[Package Request] PHP Sodium

[nwtben]

What package is missing from Amazon Linux 2022? Please describe and include package name.
php-sodium

Is this an update to existing package or new package request?
new package request

Is this package available in Amazon Linux 2?
yes

[patricksebastien]

Useful to make an API with Laravel framework using laravel/passport

[ozbenh]

I assume it replies on libsodium ? We have actually removed that one purposefully as nothing good comes from yet-another-crypto-library especially when it comes to security, compliance, and things like FIPS. We'll keep track of the requests nonetheless, thanks for the feedback.

[kpsoaren]

Laravel is a widely-used framework. Not including php-sodium and libsodium will keep us and many many other businesses from adopting AL2023.

[ozbenh]

libsodium is also absent from other enterprise distros. As far as I know it isn't in any shape to be FIPS certified. Note that you always have the option of building the required dependencies from sources.

[ArronKing]

I had this problem too, if it helps any other PHP users here's how to get sodium installed on AL2023:

sudo yum install php8.1-devel php-pear gcc
wget https://download.libsodium.org/libsodium/releases/LATEST.tar.gz
// verify the file integrity https://libsodium.gitbook.io/doc/installation#integrity-checking
tar -xvzf LATEST.tar.gz
cd libsodium-stable
./configure
make && make check
sudo make install
sudo pecl install -f libsodium
//add extension=sodium.so to php.ini

[rajjanorkar]

This is something we really need! Thank you

[neilcook]

I assume it replies on libsodium ? We have actually removed that one purposefully as nothing good comes from yet-another-crypto-library especially when it comes to security, compliance, and things like FIPS. We'll keep track of the requests nonetheless, thanks for the feedback.

"Nothing good". Except being able to run all the software that makes use of it. Heaven forfend that AL2023 should give developers a choice of crypto algorithms and implementations. And FIPS compliance is of course a requirement for every use-case for every application around the world. Oh wait.

[BernardRobbins]

As an addon to @ArronKing excellent instructions
echo extension=sodium.so | sudo tee /etc/php.d/20-sodium.ini
​# clean up
sudo dnf autoremove php8.1-devel gcc
cd ..
rm -rf libsodium-stable LATEST.tar.gz

[ozbenh]

We are evaluating inclusion of this package in our next quarterly release

[stewartsmith]

FYI: I've deleted a comment on this issue that wasn't being respectful.

A reminder from CONTRIBUTING.md:

This project has adopted the Amazon Open Source Code of Conduct.
For more information see the Code of Conduct FAQ or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.

[faizanakram99]

FYI: I've deleted a comment on this issue that wasn't being respectful.

A reminder from CONTRIBUTING.md:

This project has adopted the Amazon Open Source Code of Conduct.
For more information see the Code of Conduct FAQ or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.

What exactly was disrespectful and towards whom in that comment? And which rule from coc did it break?

Something which is part of core PHP since version 7.2 is missing from the latest images of Amazon, the ones shipping PHP 8.2, how is calling it out disrespectful?

[faizanakram99]

I had this problem too, if it helps any other PHP users here's how to get sodium installed on AL2023:

sudo yum install php8.1-devel php-pear gcc
wget https://download.libsodium.org/libsodium/releases/LATEST.tar.gz
// verify the file integrity https://libsodium.gitbook.io/doc/installation#integrity-checking
tar -xvzf LATEST.tar.gz
cd libsodium-stable
./configure
make && make check
sudo make install
sudo pecl install -f libsodium
//add extension=sodium.so to php.ini

Thank you @ArronKing for making al2023 useable.

[BernardRobbins]

What exactly was disrespectful

Calling the team stupid. And the rest of your comment was vapid.

[faizanakram99]

What exactly was disrespectful

Calling the team stupid. And the rest of your comment was vapid.

I called the action as stupid, not the team. The action of not shipping core extensions.

As far the rest of comment goes, it was about switching to a different cloud provider after PHP 8.1 is EOL if the images didn't include the core extensions. It shows the importance of extensions like sodium, deleting the comment and calling it vapid doesn't look respectful either.

[faizanakram99]

Okay, I have come to realize that I might have overreacted a bit, and if I hurt someone in the process, I apologize.

[ozbenh]

The problem isn't the extension, the problem is libsodium which we don't currently ship. This is being looked at and considered for an upcoming quarterly release

[Frtrillo]

The problem isn't the extension, the problem is libsodium which we don't currently ship. This is being looked at and considered for an upcoming quarterly release

Thanks, waiting for it, laravel passport is a complete package and laravel is widely used even if it uses that library for crypto

[timsinakiran]

al2023 is pretty useless and older version don't have php8.2. . Probably time to switch all projects elsewhere. sigh.

[ozbenh]

You might want to consider waiting for the upcoming quarterly release....

[victorPetrescuZonk]

This is a core package... pls. add it. Many major frameworks are impacted (ex Symfony, Laravel).

[ozbenh]

php-sodium has now been released as part of AL2023.2 for php 8.2 as a separate subpackage php8.2-sodium

[MrTschi]

@ozbenh any chance that it will also be published for 8.1? Magento2 has this as a dependency..

[limmike]

for php 8.1, you can build it

              dnf install -y php-devel php-pear gcc
              pear update-channels
              pecl update-channels

                dnf install -y libsodium-devel
                yes 'no' | pecl install -f libsodium
                echo 'extension=sodium.so' > /etc/php.d/20-sodium.ini

run the above comments as root