Closed xmclark closed 5 years ago
Thanks for your suggestion.
My original thought was that libsodium is the critical dependency of zbox, so users should have full control of it. Thus, they don't need to trust zbox to manage the cryptography library for them. But from a usability perspective this is indeed not convenient for end users.
The optional feature might make the build script more complicated, but it seems worth it. I will add it as an optional feature in the next release.
We forked and made a change to the build script to pre-bundle libsodium. So far we are really enjoying zbox! Having it pre-bundled is super nice.
Our build script change is rough, but it has served our needs. Feel free to snag it if you like, or I can open a PR too.
https://github.com/wasmerio/zbox/blob/bundle-libsodium/build.rs
Thank you @xmclark, you can open a PR and I am happy to merge it.
The libsodium gpg signature verification is also added in f1630f42f1f20b50b984f0bee20f3d65a4633505.
Using zbox could be a little easier if libsodium was downloaded and built during `cargo build`. Although simple, libsodium is an extra configuration step, and it introduces complexity for local development and automated CI builds. The `rust_sodium` project does this in a custom build script. Zbox could offer an optional pre-bundled version with a feature flag, e.g. `cargo build --features libsodium-bundled`, which would download and build a recent stable build of libsodium.