> -----Original Message-----
> From: Matthias Andree [mailto:matthias.and...@gmx.de]
> Sent: Sunday 20 January 2013 14:09
> To: openvpn-devel@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] [PATCH 3/3] PolarSSL-1.2 support
>
> Is there any important system where requiring PolarSSL >= 1.2.3 is not
> an option, besides "admin is too lazy or can't convince his manager
> that he needs to upgrade"?
>
> This #ifdef stuff makes the whole story a bit inconcise. It might be
> suitable for 2.3.X, but not to base 2.4 or newer releases on.
>
> Barring that, I'd suggest to add stuff to fail the build with older
> PolarSSL versions and kill the PolarSSL < 1.2.3 code. It would seem
> from the changelogs that PolarSSL 1.2.N (with N highest available) does
> away with certain design issues in earlier versions, so there is a
> compelling reason to upgrade.
>
I agree that it's annoying, but I wouldn't remove support for an existing, still secure version of PolarSSL in a dot-release. We could mark 1.1 as deprecated, and remove it in 2.4? For the moment, recent versions of Debian (sid/wheezy) and Ubuntu (precise+) still contain 1.1, meaning that it's a nice service for them to keep support for a while.

> (I was irritated anyways that the newest released OpenVPN version would
> not work with the newest stable PolarSSL version, and am foregoing the
> PolarSSL option on the FreeBSD port - we do have an up-to-date
> PolarSSL, so it wouldn't build.)
>

Unfortunately getting PolarSSL to work wasn't trivial due to some (necessary) PolarSSL changes. We're still working on getting support patches for a number of the new features ready. Adding these patches to 2.3 during the RC phase would have caused too large a disruption for an RC.

PolarSSL targets a clean API, sometimes sacrificing the stability of the API in the process. While that is annoying in the short term, in the long term it helps to keep me sane as a developer.

Regards,
Adriaan