Pierre, >> Even if we axe mcrypt and in with a net-gain of 0 extensions, you'd >> see it as a risk? > > Except that we already refused to kill mcrypt, and it is not like I > did not try to convince us to kill it.
We decided not to kill it for 7.0. That doesn't mean it got a permanent buy... >> Let me state this clearly: I'm personally not going to bother pushing >> for a pluggable crypto API if the only option is to use OpenSSL and >> all its legacy cruft. I especially don't have lukewarm feelings >> towards RSA or ECDSA, which are your only real options with it. >> >> I feel that it simply would not be a worthwhile use of my time to do >> so. If Internals decides "no libsodium" but "yes pluggable crypto >> API", you'll have to find someone else to spearhead it. > > Sorry, my point was not clear. > > I do like the concept of a pluggable crypto API. Very much. I said it > before and I say it again. I love the concept and will do what I can > to support it :) > > What I do not like too much is the addition of an extension with > (relatively) low level functions for one specific library. It does not > really matter how good is this specific library, I simply do not see > such addition as a good strategic move. I agree with you in principle, but in this particular case I think that there's enough justification considering how measurably bad mcrypt is, and how little some people trust openssl. That leaves no room in core. So in this case I think it *may* be worth it to add it. Anthony -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php