sodium_compat
What would a hypothetical sodium_compat v2 look like?
As PHP 8.1's release draws nearer, we're looking at the long tail of backwards compatibility (5.2.4+) and wondering if we should ever create a new major version of sodium_compat that uses features from newer versions of PHP. If we ever did that, what would the new minimum version be, and what would motivate such a divergence?
The most attractive candidate for a hypothetical sodium_compat 2.x is to set the minimum to 7.0 and use strict typing everywhere.
Another attractive candidate is 7.4 with ext-FFI, which would allow us to polyfill scrypt/argon2 effectively. (But, alas, that also requires writing C code.)
If we ever did split the codebase, we'd have to commit to maintaining the 1.x branch until WordPress completely drops support for PHP 5.6. (They consider 7.2 the minimum acceptable version today, but I don't foresee any immediate changes that actually break older versions landing in core without a long discussion leading up to it.)
Is it even worth doing?
That depends entirely on whether or not ext-sodium uptake becomes ubiquitous. From the direction large PHP projects (i.e. Symfony) are taking, this seems likely. If there's a significant lapse between Sodium adoption and PHP 7.2+ adoption, that can be interpreted as a signal that we should consider a newer major version in the first place. If there isn't, we're probably better off focusing on more impactful work.