[wp-trac] [WordPress Trac] #45806: Add sodium_compat -- a libsodium-compatible cryptography API for PHP <7.2

WordPress Trac noreply at wordpress.org
Fri Jan 4 20:14:58 UTC 2019


#45806: Add sodium_compat -- a libsodium-compatible cryptography API for PHP <7.2
------------------------------------------+------------------------------
 Reporter:  paragoninitiativeenterprises  |       Owner:  (none)
     Type:  defect (bug)                  |      Status:  new
 Priority:  normal                        |   Milestone:  Awaiting Review
Component:  General                       |     Version:  trunk
 Severity:  normal                        |  Resolution:
 Keywords:  has-patch                     |     Focuses:
------------------------------------------+------------------------------

Comment (by ayeshrajans):

 Hi Scott,
 I'm not someone who has the rights to make a decision on this, but as
 someone who uses WordPress and contributes to it, I would like to put in
 my 2 cents.

 I can't express enough how much I appreciate you making modern security
 libraries accessible to less fortunate PHP systems that cannot use the
 libsodium extension. At a CMS Unconference event, I was talking with a
 few security team members in Joomla about including sodium_compat in core.
 Joomla is on a rapid path to drop backwards compatibility in favor of
 adopting modern cryptography. Joomla already has a crypt component, and the
 inclusion agrees with them well.

 **Maintenance overhead**

 Every dependency we _ship_ with WordPress increases the maintenance
 overhead. I just opened a ticket to upgrade the PHPMailer library.
 WordPress does not utilize cryptographic functions to the extent of Joomla,
 and from both a consumer and a WordPress developer perspective, I
 personally do not think including a library of this size (1MB patch) and
 security importance is justifiable.

 **Dependencies**

 With the support for PHP 5.2 dropped, there is more incentive to use
 Composer. Many WordPress sites already use Composer (although there is no
 support in core), and they can already _require_ sodium_compat if they
 have a need to do so.

 With the sodium_compat library in core, we are shipping one more
 dependency to _everyone_, without a use for it right away, and with only
 plans to do so in the future.

 **libsodium suitability**

 One of the biggest motivations to use `libsodium` is how dangerous the
 defaults of OpenSSL can be, and the adoption of new EC curves and ciphers.
 This does not mean OpenSSL is downright broken. If you use the right
 options, and make sure to authenticate everything, OpenSSL can still
 prove usable. Composer itself uses OpenSSL, and recent PHP package
 validation projects such as Phive use PGP for package signing.

 OpenSSL or GPG, they use the same well-tested and reviewed binaries. It
 does not matter how they are linked, but they use the same code
 nonetheless. Sodium_compat is, however, a compat library. I think the first
 question is whether we should use libsodium before jumping into the next
 step of providing compatibility for those who don't have libsodium (i.e.
 including sodium_compat).

 **sodium_compat suitability**

 Even if libsodium has received enough scrutiny, this does not mean
 sodium_compat had the same amount of review done on its code.

 https://github.com/paragonie/sodium_compat/graphs/contributors

 Looking at the real humans involved in this library, it only had 9
 non-Paragon contributors. All commits from these contributors are trivial
 changes such as typo fixes and small bug fixes.

 I see that Paragon IE is a commercial organization providing commercial
 support for this library. While I'm not sure how many people are involved
 under the `paragonie-security` GitHub handle, I can't help but notice how
 much this library is attached to ParagonIE. In my opinion, this is not a
 good flag, because in case ParagonIE loses interest in maintaining
 `sodium_compat`, there are not enough people involved to fork and maintain
 this project. While WordPress includes libraries written by a single
 author, that is because of historical reasons and how small a certain
 library is.

 In addition, `sodium_compat` has _not_ received a proper security review.
 While I'm aware of you requesting support from the WordPress Association,
 I still think it's premature to include a library at this stage in
 WordPress.

 --

 Once again I should highlight that I, and I'm sure everyone in the
 WordPress ecosystem too, appreciate your good intentions and all your work
 on this. It's not my decision at all, and while I have faith in those who
 make the decision to do the best for WordPress, I doubt they would decide
 to go with sodium_compat, at least at its current stage.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/45806#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
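The comment above makes one technical point worth seeing in code: OpenSSL stays usable only if the caller picks a safe mode and authenticates everything themselves, whereas the libsodium API that sodium_compat polyfills authenticates by construction. The following PHP is an added illustration and is not part of the ticket, of WordPress, or of either library's own code. It assumes ext/openssl is loaded, that `random_bytes` exists (PHP 7+), and that the `sodium_*` functions come either from ext/sodium (PHP 7.2+) or from the paragonie/sodium_compat Composer package; the `vendor/autoload.php` path and the `$masterKey` value are constructed for the demo.

```php
<?php
// Added example, not from the ticket. Assumes ext/openssl, random_bytes() (PHP 7+),
// and sodium_* from ext/sodium (PHP >= 7.2) or the sodium_compat Composer package.
if (!function_exists('sodium_crypto_secretbox') && is_file(__DIR__ . '/vendor/autoload.php')) {
    require_once __DIR__ . '/vendor/autoload.php'; // assumed Composer autoloader path
}

// ---- OpenSSL route: the caller must choose the mode AND add authentication. ----
// Derive independent encryption and MAC keys from one 32-byte master key.
function derive_subkeys($masterKey)
{
    return array(
        'enc' => hash_hmac('sha256', 'encryption', $masterKey, true),
        'mac' => hash_hmac('sha256', 'authentication', $masterKey, true),
    );
}

function openssl_seal_authenticated($plaintext, $masterKey)
{
    $k  = derive_subkeys($masterKey);
    $iv = random_bytes(16); // AES block size; fresh per message
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $k['enc'], OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('openssl_encrypt failed');
    }
    // Encrypt-then-MAC over IV || ciphertext; HMAC-SHA256 tag is 32 bytes.
    $tag = hash_hmac('sha256', $iv . $ct, $k['mac'], true);
    return $iv . $ct . $tag;
}

function openssl_open_authenticated($blob, $masterKey)
{
    if (strlen($blob) < 16 + 32) {
        throw new RuntimeException('message too short');
    }
    $k   = derive_subkeys($masterKey);
    $iv  = substr($blob, 0, 16);
    $tag = substr($blob, -32);
    $ct  = substr($blob, 16, strlen($blob) - 48);
    // Check the tag in constant time BEFORE decrypting, so a modified message
    // is rejected without ever running AES-CBC (no padding-error side channel).
    $expected = hash_hmac('sha256', $iv . $ct, $k['mac'], true);
    if (!hash_equals($expected, $tag)) {
        throw new RuntimeException('authentication failed');
    }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $k['enc'], OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('openssl_decrypt failed');
    }
    return $pt;
}

// ---- libsodium route: secretbox (XSalsa20-Poly1305) is authenticated as built. ----
function sodium_seal($plaintext, $key)
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $nonce . sodium_crypto_secretbox($plaintext, $nonce, $key);
}

function sodium_open($blob, $key)
{
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct    = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $pt    = sodium_crypto_secretbox_open($ct, $nonce, $key); // false on any tampering
    if ($pt === false) {
        throw new RuntimeException('authentication failed');
    }
    return $pt;
}

// ---- Demo with a constructed key: both round-trip, and both reject a flipped byte. ----
$masterKey = random_bytes(32); // constructed; also SODIUM_CRYPTO_SECRETBOX_KEYBYTES (32)
$message   = 'constructed sample plaintext';

$routes = array(
    'openssl' => array('openssl_seal_authenticated', 'openssl_open_authenticated'),
    'sodium'  => array('sodium_seal', 'sodium_open'),
);
foreach ($routes as $name => $fns) {
    $blob = $fns[0]($message, $masterKey);
    if ($fns[1]($blob, $masterKey) !== $message) {
        throw new RuntimeException("$name: round-trip failed");
    }
    $tampered = $blob;
    $last = strlen($tampered) - 1;
    $tampered[$last] = chr(ord($tampered[$last]) ^ 1); // flip one bit of the last byte
    try {
        $fns[1]($tampered, $masterKey);
        echo "$name: tampering NOT detected\n";
    } catch (RuntimeException $e) {
        echo "$name: tampering detected ({$e->getMessage()})\n";
    }
}
```

The OpenSSL half is about twice the size of the sodium half and every line of it (key separation, IV handling, tag placement, constant-time comparison, verify-before-decrypt order) is a place where a caller can go wrong; the secretbox calls have none of those decisions to make, which is the "dangerous defaults" argument in concrete form. Whether sodium_compat as a polyfill of that API has had enough review is the separate question the comment raises.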