Re: [LEDE-DEV] Fading out PolarSSL
On Tue, 2017-01-03 at 17:32 +0100, Steven Barth wrote: > Hey everyone, > > > > > Currently known remaining users of polarssl are: > > > > * bmx7 > > * pianod > > * shadowsocks-libev-polarssl > > * shairport-sync-mini > > * shairport-sync-polarssl > > * transmission-cli-polarssl > > * transmission-daemon-polarssl > > * transmission-remote-polarssl > > * umurmur-polarssl > > > > > > Please provide feedback on which approach you'd prefer and if you'd be > > affected by the PolarSSL deprecation or not. > I think for all but the first two from this list, there is a > non-polarssl version already packaged. > Which would mainly leave bmx7 and pianod as main concerns. I think the > former used to work with cyassl > at some point in time and the latter should work with gnutls. Both of > which we have, so it might just > be a minor change to the packaging Makefiles. > > So from my point of view dropping libpolarssl now (with a bit of upfront > notice to the maintainers) > makes more sense than trying to drop a package later which is a bit of > unexpected and am not sure if > it can be effectively announced in a service release and just delays the > inevitable. > > > Cheers, > > Steven > > ___ > lede-adm mailing list > lede-...@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/lede-adm Drop it now. Speaking for pianod and shairport-sync... I have already updated pianod (which I still develop) to use mbed TLS and I am currently working with the shairport- sync developer to replace PolarSSL with mbed TLS this weekend. /ted ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
Re: [LEDE-DEV] Fading out PolarSSL
Hi, I'm in favor of dropping it, don't see anything good in keeping outdated and unsupported libraries. As far as package status goes... shadowsocks-libev --> https://github.com/openwrt/packages/pull/3729 + https://github.com/lede-project/source/pull/657 pianod + shairport-sync* --> https://github.com/openwrt/packages/issues/3733 transmission* --> https://github.com/openwrt/packages/issues/3731 umurmur --> doesn't compile, pr submitted upstream Best regards, Daniel ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
Re: [LEDE-DEV] Fading out PolarSSL
Jo-Philipp Wichwrites: > Hi list, > > the mbed TLS project (formerly known as PolarSSL) declared the mbedTLS > 1.3 branch (packaged as "libpolarssl" by LEDE) to be EOL with the end of > the year 2016. [1] > > In order to avoid shipping an outdated and possibly vulnerable SSL > library with the first LEDE release we begun migrating core package > dependencies and default library choices to the "mbedtls" package which > includes the most recent 2.4.0 release of mbedTLS. > > There has been an ongoing discussion in IRC on how to handle the > remaining users of the legacy PolarSSL package and whether to ship this > library with the initial release and remove it later or whether to drop > it now in order to catch potential fallout early. > > Since we didn't want to single-handedly decide this issue in IRC I took > the topic to the list now to facilitate wider feedback. > > Right now there are more or less two approaches proposed: > > a) Keep libpolarssl available for the initial 17.01.0 release and drop >it with the first maintenance release 17.01.1 about 6-8 weeks later > > b) Drop libpolarssl now, even before branching and urge the feed package >maintainers to migrate users of libpolarssl to the libmbedtls >variant I'd say drop it immediately unless there is a pressing reason not to (i.e., an important package that can't be ported). Far better to deal with the fallout during an RC phase than have a possible regression on a point release six weeks from now. And we won't be doing anyone any favours by shipping a known obsolete SSL library in the first release. Dropping it also makes sure that we get a chance to weed out all packages that are still inadvertently built against the old version (libcurl depends on libpolarssl on my install from last night's nightly build, for instance). -Toke ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
[LEDE-DEV] Fading out PolarSSL
Hi list, the mbed TLS project (formerly known as PolarSSL) declared the mbedTLS 1.3 branch (packaged as "libpolarssl" by LEDE) to be EOL with the end of the year 2016. [1] In order to avoid shipping an outdated and possibly vulnerable SSL library with the first LEDE release we begun migrating core package dependencies and default library choices to the "mbedtls" package which includes the most recent 2.4.0 release of mbedTLS. There has been an ongoing discussion in IRC on how to handle the remaining users of the legacy PolarSSL package and whether to ship this library with the initial release and remove it later or whether to drop it now in order to catch potential fallout early. Since we didn't want to single-handedly decide this issue in IRC I took the topic to the list now to facilitate wider feedback. Right now there are more or less two approaches proposed: a) Keep libpolarssl available for the initial 17.01.0 release and drop it with the first maintenance release 17.01.1 about 6-8 weeks later b) Drop libpolarssl now, even before branching and urge the feed package maintainers to migrate users of libpolarssl to the libmbedtls variant Currently known remaining users of polarssl are: * bmx7 * pianod * shadowsocks-libev-polarssl * shairport-sync-mini * shairport-sync-polarssl * transmission-cli-polarssl * transmission-daemon-polarssl * transmission-remote-polarssl * umurmur-polarssl Please provide feedback on which approach you'd prefer and if you'd be affected by the PolarSSL deprecation or not. Regards, Jo 1: https://tls.mbed.org/tech-updates/releases/mbedtls-2.0.0-released ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev