Jo-Philipp Wich <j...@mein.io> writes:

> Hi list,
>
> the mbed TLS project (formerly known as PolarSSL) declared the mbedTLS
> 1.3 branch (packaged as "libpolarssl" by LEDE) to be EOL with the end of
> the year 2016. [1]
>
> In order to avoid shipping an outdated and possibly vulnerable SSL
> library with the first LEDE release we began migrating core package
> dependencies and default library choices to the "mbedtls" package which
> includes the most recent 2.4.0 release of mbedTLS.
>
> There has been an ongoing discussion in IRC on how to handle the
> remaining users of the legacy PolarSSL package and whether to ship this
> library with the initial release and remove it later or whether to drop
> it now in order to catch potential fallout early.
>
> Since we didn't want to single-handedly decide this issue in IRC I took
> the topic to the list now to facilitate wider feedback.
>
> Right now there are more or less two approaches proposed:
>
> a) Keep libpolarssl available for the initial 17.01.0 release and drop
> it with the first maintenance release 17.01.1 about 6-8 weeks later
>
> b) Drop libpolarssl now, even before branching and urge the feed package
> maintainers to migrate users of libpolarssl to the libmbedtls
> variant
I'd say drop it immediately unless there is a pressing reason not to (i.e., an important package that can't be ported). Far better to deal with the fallout during an RC phase than have a possible regression on a point release six weeks from now. And we won't be doing anyone any favours by shipping a known obsolete SSL library in the first release.

Dropping it also makes sure that we get a chance to weed out all packages that are still inadvertently built against the old version (libcurl depends on libpolarssl on my install from last night's nightly build, for instance).

-Toke