amazonlinux / amazon-linux-2023

Amazon Linux 2023
https://aws.amazon.com/linux/amazon-linux-2023/

[Package Update Request] - libsodium 1.0.19 #513

Closed GrahamCampbell closed 3 months ago

GrahamCampbell commented 9 months ago

What package is missing from Amazon Linux 2023? Please describe and include package name.

libsodium 1.0.19

Is this an update to existing package or new package request?

Update. Current version is very old.

Is this package available in Amazon Linux 2? If it is available via external sources such as EPEL, please specify.

N/A

Any additional information you'd like to include. (use-cases, etc)

Needed by bref: https://github.com/brefphp/aws-lambda-layers/pull/122/files#r1350635922.

GrahamCampbell commented 9 months ago

cc @stewartsmith

stewartsmith commented 9 months ago

Is there specific functionality or bug fixes in the updated libsodium you're looking for?

GrahamCampbell commented 9 months ago

Actually, no. I am just curious as to why we can't ship 1.0.19?

stewartsmith commented 9 months ago

We're currently shipping 1.0.18, and Fedora bumped to 1.0.19 less than a week ago, see https://src.fedoraproject.org/rpms/libsodium/c/0316dd02687facf5f4aa0b693f9ec6218f89ebc8?branch=rawhide

So we're pretty up to date :)

GrahamCampbell commented 9 months ago

Well, kinda. 1.0.18 is years old, though. ;)

ozbenh commented 9 months ago

Yes, but the whole world is built against 1.0.18; there is no telling what will break if we just "update" to the latest. This is true of almost all your other update requests. Amazon Linux isn't meant to track every latest upstream of every project out there; we need to provide some form of stability, especially ABI stability. The balance between this and "newness" is why we have a 2-year major release cadence.

GrahamCampbell commented 9 months ago

Would you consider the bump in 2023.3?

ozbenh commented 9 months ago

Probably not. Not without very very good justifications.

GrahamCampbell commented 9 months ago

These two are important reasons to upgrade:

  • New AEADs: AEGIS-128L and AEGIS-256 are now available in the crypto_aead_aegis128l_*() and crypto_aead_aegis256_*() namespaces. AEGIS is a family of authenticated ciphers for high-performance applications, leveraging hardware AES acceleration on x86_64 and aarch64. In addition to performance, AEGIS ciphers have unique properties making them easier and safer to use than AES-GCM. They can also be used as high-performance MACs.
  • The HKDF key derivation mechanism, required by many standard protocols, is now available in the crypto_kdf_hkdf_*() namespace. It is implemented for the SHA-256 and SHA-512 hash functions.

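
The second item above is the one that is easy to show without hardware AES. As an added example (not code from libsodium, and not posted by anyone in this thread), here is a standard-library-only reference implementation of the two HKDF steps from RFC 5869, extract and expand, for SHA-256 and SHA-512, checked against RFC 5869 Test Case 1 and then used for the typical job: deriving separate per-purpose subkeys from one shared secret. libsodium 1.0.19 exposes the same two steps in its crypto_kdf_hkdf_* namespace; the function names, the known-answer constants and the "constructed-shared-secret" input below are this example's own and are not from the page.

```python
import hashlib
import hmac

# Added reference implementation of HKDF (RFC 5869) using only the standard
# library. It is not libsodium's code; libsodium 1.0.19 exposes the same
# extract and expand steps, for SHA-256 and SHA-512, in its
# crypto_kdf_hkdf_* namespace.

HASHES = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM).

    RFC 5869 section 2.2: an absent salt is replaced by HashLen zero bytes.
    """
    h = HASHES[hash_name]
    if not salt:
        salt = b"\x00" * h().digest_size
    return hmac.new(salt, ikm, h).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand: OKM = first `length` bytes of T(1) || T(2) || ...

    T(0) = "", T(i) = HMAC-Hash(PRK, T(i-1) || info || byte(i)); the counter is
    a single byte, so at most 255 * HashLen bytes can be produced.
    """
    h = HASHES[hash_name]
    hash_len = h().digest_size
    if not 0 <= length <= 255 * hash_len:
        raise ValueError(f"length must be in [0, {255 * hash_len}] for {hash_name}")
    if len(prk) < hash_len:
        raise ValueError("PRK must be at least HashLen bytes")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), h).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """Extract-then-expand in one call."""
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)


def derive_subkeys(shared_secret: bytes, labels, key_len: int = 32, hash_name: str = "sha256") -> dict:
    """One independent subkey per purpose label from a single shared secret.

    Extract once, then expand with a distinct `info` per label so that, for
    example, the encryption key and the MAC key are never the same bytes.
    """
    prk = hkdf_extract(b"", shared_secret, hash_name)
    return {label: hkdf_expand(prk, label, key_len, hash_name) for label in labels}


# RFC 5869 Appendix A, Test Case 1 (SHA-256), used here as a known-answer check.
RFC5869_TC1 = {
    "ikm": bytes.fromhex("0b" * 22),
    "salt": bytes.fromhex("000102030405060708090a0b0c"),
    "info": bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"),
    "length": 42,
    "prk": "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5",
    "okm": "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865",
}


def rfc5869_tc1_passes() -> bool:
    """Known-answer check: both the PRK and the OKM must match the RFC vector."""
    tc = RFC5869_TC1
    prk = hkdf_extract(tc["salt"], tc["ikm"])
    okm = hkdf_expand(prk, tc["info"], tc["length"])
    return prk.hex() == tc["prk"] and okm.hex() == tc["okm"]


if __name__ == "__main__":
    print("RFC 5869 TC1:", "ok" if rfc5869_tc1_passes() else "FAILED")
    # Constructed secret for illustration only (think: the output of a key exchange).
    keys = derive_subkeys(b"constructed-shared-secret", [b"example/enc", b"example/mac"])
    for label, key in keys.items():
        print(label.decode(), key.hex())
```

The length and PRK checks are the two places a hand-rolled HKDF usually goes wrong: the single-byte counter caps the output at 255 * HashLen, and feeding a PRK shorter than HashLen (for instance a raw 16-byte key) into expand silently weakens the construction, so both are rejected rather than tolerated.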
jedisct1 commented 8 months ago

1.0.19 is fully backwards-compatible.

stewartsmith commented 5 months ago

There's an soname bump for the newer libsodium - so anyone building against it will need to rebuild. For the one package in AL2023 that depends on it (php8.2, specifically the sodium module), we'll do a rebuild to catch this.
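
The soname bump is the ABI point worth checking on your own hosts: a binary or extension module whose DT_NEEDED entry names the old libsodium soname keeps resolving to the old library until it is rebuilt, and fails to load once that library is gone. As an added example, not code from libsodium, AL2023 or anyone in this thread, here is a pure-Python reader for the ELF dynamic section that reports a file's DT_SONAME and DT_NEEDED entries, together with a constructed ELF64 image so it can be exercised offline. The string "libsodium.so.23" in the usage is an assumed pre-update soname for illustration only; readelf -d shows the same entries on a real host.

```python
import struct
import sys

# Added example, not code from libsodium, AL2023 or anyone in this thread:
# a minimal pure-Python reader for the ELF dynamic section. It walks the
# section header table to SHT_DYNAMIC, uses that section's sh_link to find
# .dynstr, and collects DT_SONAME (what a library calls itself) and DT_NEEDED
# (what a binary or module was linked against). Files whose section headers
# were stripped entirely are not handled; readelf -d falls back to the
# PT_DYNAMIC program header for those.

ELF_MAGIC = b"\x7fELF"
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED, DT_SONAME = 0, 1, 14


def elf_dynamic_info_bytes(data: bytes) -> dict:
    """Return {'soname': str or None, 'needed': [str, ...]} for ELF file contents."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                 # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        (e_shoff,) = struct.unpack_from(end + "Q", data, 0x28)
        e_shentsize, e_shnum = struct.unpack_from(end + "HH", data, 0x3A)
        sh_fmt, dyn_fmt = end + "IIQQQQIIQQ", end + "qQ"
    else:
        (e_shoff,) = struct.unpack_from(end + "I", data, 0x20)
        e_shentsize, e_shnum = struct.unpack_from(end + "HH", data, 0x2E)
        sh_fmt, dyn_fmt = end + "IIIIIIIIII", end + "iI"
    empty = {"soname": None, "needed": []}
    if e_shoff == 0 or e_shnum == 0:
        return empty                    # section headers stripped
    # Section header fields: name, type, flags, addr, offset, size, link, info, align, entsize
    sections = [struct.unpack_from(sh_fmt, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    dynamic = next((s for s in sections if s[1] == SHT_DYNAMIC), None)
    if dynamic is None:
        return empty                    # statically linked: nothing to rebind
    strtab = sections[dynamic[6]]       # sh_link of .dynamic is the index of .dynstr
    strs = data[strtab[4]:strtab[4] + strtab[5]]

    def cstr(off: int) -> str:
        return strs[off:strs.index(b"\0", off)].decode("ascii", "replace")

    soname, needed = None, []
    for off in range(dynamic[4], dynamic[4] + dynamic[5], struct.calcsize(dyn_fmt)):
        tag, val = struct.unpack_from(dyn_fmt, data, off)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            needed.append(cstr(val))
        elif tag == DT_SONAME:
            soname = cstr(val)
    return {"soname": soname, "needed": needed}


def elf_dynamic_info(path: str) -> dict:
    with open(path, "rb") as f:
        return elf_dynamic_info_bytes(f.read())


def needs_rebuild(info: dict, old_soname: str) -> bool:
    """True if the file is still bound to `old_soname` through DT_NEEDED."""
    return old_soname in info["needed"]


def build_minimal_elf(soname: str, needed) -> bytes:
    """Constructed test input: a bare ELF64 image with only .dynstr and .dynamic.

    It is not loadable (no program headers); it exists so the reader can be
    exercised offline without depending on which libraries the host has.
    """
    strs, offsets = b"\0", {}
    for name in [soname, *needed]:
        offsets[name] = len(strs)
        strs += name.encode() + b"\0"
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, offsets[n]) for n in needed)
    dyn += struct.pack("<qQ", DT_SONAME, offsets[soname]) + struct.pack("<qQ", DT_NULL, 0)
    strs_off, dyn_off = 64, 64 + len(strs)
    shoff = dyn_off + len(dyn)
    sh = struct.pack("<IIQQQQIIQQ", *([0] * 10))                                              # 0: null
    sh += struct.pack("<IIQQQQIIQQ", 0, SHT_STRTAB, 0, 0, strs_off, len(strs), 0, 0, 1, 0)   # 1: .dynstr
    sh += struct.pack("<IIQQQQIIQQ", 0, SHT_DYNAMIC, 0, 0, dyn_off, len(dyn), 1, 0, 8, 16)   # 2: .dynamic
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8                  # ELF64, little-endian, version 1
    header = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    return header + strs + dyn + sh


if __name__ == "__main__":
    # Usage: python3 elfdeps.py /path/to/binary_or_module ...
    # "libsodium.so.23" is an assumed pre-update soname used for illustration only.
    for target in sys.argv[1:] or [sys.executable]:
        info = elf_dynamic_info(target)
        print(target, "SONAME:", info["soname"], "NEEDED:", info["needed"])
        if needs_rebuild(info, "libsodium.so.23"):
            print("  -> still bound to the old libsodium soname; rebuild against the new one")
```

Run it over the PHP sodium extension (or any .so under a language runtime's extension directory) after the update: a DT_NEEDED entry naming the old soname means that module was not rebuilt, which is exactly the breakage the soname bump exists to surface at load time rather than silently.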

stewartsmith commented 3 months ago

As per https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240319.html - the updated libsodium is part of AL2023.4

GrahamCampbell commented 3 months ago

Thanks @stewartsmith. How do we know what version of AL2023 is used by Lambda?