Hi list,

the mbed TLS project (formerly known as PolarSSL) declared the mbedTLS 1.3 branch (packaged as "libpolarssl" by LEDE) to be EOL with the end of the year 2016. [1]

In order to avoid shipping an outdated and possibly vulnerable SSL library with the first LEDE release, we began migrating core package dependencies and default library choices to the "mbedtls" package, which includes the most recent 2.4.0 release of mbedTLS.

There has been an ongoing discussion in IRC on how to handle the remaining users of the legacy PolarSSL package and whether to ship this library with the initial release and remove it later or whether to drop it now in order to catch potential fallout early.

Since we didn't want to single-handedly decide this issue in IRC, I took the topic to the list now to facilitate wider feedback.

Right now there are more or less two approaches proposed:

a) Keep libpolarssl available for the initial 17.01.0 release and drop it with the first maintenance release 17.01.1 about 6-8 weeks later

b) Drop libpolarssl now, even before branching, and urge the feed package maintainers to migrate users of libpolarssl to the libmbedtls variant

Currently known remaining users of polarssl are:

* bmx7
* pianod
* shadowsocks-libev-polarssl
* shairport-sync-mini
* shairport-sync-polarssl
* transmission-cli-polarssl
* transmission-daemon-polarssl
* transmission-remote-polarssl
* umurmur-polarssl

Please provide feedback on which approach you'd prefer and if you'd be affected by the PolarSSL deprecation or not.

Regards,
Jo

1: https://tls.mbed.org/tech-updates/releases/mbedtls-2.0.0-released

_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev