[Package Request] - libsodium #377
Comments
What packages are depending on The tl;dr here is that cryptographic libraries are "fun" due to FIPS.
I am the primary developer/maintainer of https://github.com/PowerDNS/weakforced, which uses libsodium for encrypting data that is then sent around in UDP packets. It's not TLS, I'm just using the data encryption/decryption functions. However I don't really understand the comment about FIPS. I don't care about FIPS.
Rewriting to use e.g. libcrypto primitives to get FIPS support when this has never come up before is unlikely at this stage.
While we work on getting some more public documentation on all the FIPS related implications, I'll attempt to summarise a bit here:
Ignoring FIPS, there's a few thoughts we have as distro maintainers:
That being said, we don't like having things that are blockers for migrating from AL2 to AL2023, and I get that this particular thing has to be frustrating. Can you point me to the bits of code calling libsodium? I'd like to get an idea of how complex a port to something we already ship is.
The libsodium code is here:
AL 2023 currently includes PHP, both v8.1 and v8.2, and that is "supposed" to include the sodium extension by default: Lots of software, including PHP packages we depend on, require the sodium PHP extension. It was straightforward to download both libsodium and the PHP sodium extension and build them, but I feel they really should be part of AL 2023. The sodium PHP extension was included in all Amazon Linux 2 PHP releases.
I just want to weigh in, though not planning to use Amazon Linux 2023 myself. I do understand the concerns regarding maintaining additional libraries, and compliance with some standards. But regarding PHP, I can confirm that lib-sodium is somewhat expected to be present (or installable) within a PHP installation.
Another argument would be that the sodium extension is used by both Laravel and Symfony, two of the most used PHP Frameworks around the world ( https://symfony.com/doc/current/security/passwords.html#the-sodium-password-hasher : "It uses the Argon2 key derivation function. Argon2 support was introduced in PHP 7.2 by bundling the libsodium extension." ). As said above it's expected to come bundled with PHP.
We are evaluating inclusion of this package in our next quarterly release
libsodium has now been released as part of AL2023.2
What package is missing from Amazon Linux 2023? Please describe and include package name.
libsodium
The encryption library.
Is this an update to existing package or new package request?
New package request
Is this package available in Amazon Linux 2? If it is available via external sources such as EPEL, please specify.
It is available in Amazon Linux 2, as part of the core OS.
Any additional information you'd like to include. (use-cases, etc)
I am an Open-Source software developer, and I'd like to build packages for Amazon Linux 2023 for users who are currently using Amazon Linux 2, but I need libsodium to do so.