Re: [LEDE-DEV] Fading out PolarSSL

[Ted Hess]

On Tue, 2017-01-03 at 17:32 +0100, Steven Barth wrote:
> Hey everyone,
> 
> > 
> > Currently known remaining users of polarssl are:
> > 
> >  * bmx7
> >  * pianod
> >  * shadowsocks-libev-polarssl
> >  * shairport-sync-mini
> >  * shairport-sync-polarssl
> >  * transmission-cli-polarssl
> >  * transmission-daemon-polarssl
> >  * transmission-remote-polarssl
> >  * umurmur-polarssl
> > 
> > 
> > Please provide feedback on which approach you'd prefer and if you'd be
> > affected by the PolarSSL deprecation or not.
> I think for all but the first two from this list, there is a 
> non-polarssl version already packaged.
> Which would mainly leave bmx7 and pianod as main concerns. I think the 
> former used to work with cyassl
> at some point in time and the latter should work with gnutls. Both of 
> which we have, so it might just
> be a minor change to the packaging Makefiles.
> 
> So from my point of view dropping libpolarssl now (with a bit of upfront 
> notice to the maintainers)
> makes more sense than trying to drop a package later which is a bit of 
> unexpected and am not sure if
> it can be effectively announced in a service release and just delays the 
> inevitable.
> 
> 
> Cheers,
> 
> Steven
> 
> ___
> lede-adm mailing list
> lede-...@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/lede-adm

Drop it now.

Speaking for pianod and shairport-sync... I have already updated pianod (which I
still develop) to use mbed TLS and I am currently working with the shairport-
sync developer to replace PolarSSL with mbed TLS this weekend.

/ted

___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

Re: [LEDE-DEV] Fading out PolarSSL

[Daniel Engberg]

Hi,

I'm in favor of dropping it, don't see anything good in keeping outdated 
and unsupported libraries.


As far as package status goes...

shadowsocks-libev --> https://github.com/openwrt/packages/pull/3729 + 
https://github.com/lede-project/source/pull/657
pianod + shairport-sync* --> 
https://github.com/openwrt/packages/issues/3733

transmission* --> https://github.com/openwrt/packages/issues/3731
umurmur --> doesn't compile, pr submitted upstream

Best regards,
Daniel

___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

Re: [LEDE-DEV] Fading out PolarSSL

[Toke Høiland-Jørgensen]

Jo-Philipp Wich  writes:

> Hi list,
>
> the mbed TLS project (formerly known as PolarSSL) declared the mbedTLS
> 1.3 branch (packaged as "libpolarssl" by LEDE) to be EOL with the end of
> the year 2016. [1]
>
> In order to avoid shipping an outdated and possibly vulnerable SSL
> library with the first LEDE release we begun migrating core package
> dependencies and default library choices to the "mbedtls" package which
> includes the most recent 2.4.0 release of mbedTLS.
>
> There has been an ongoing discussion in IRC on how to handle the
> remaining users of the legacy PolarSSL package and whether to ship this
> library with the initial release and remove it later or whether to drop
> it now in order to catch potential fallout early.
>
> Since we didn't want to single-handedly decide this issue in IRC I took
> the topic to the list now to facilitate wider feedback.
>
> Right now there are more or less two approaches proposed:
>
> a) Keep libpolarssl available for the initial 17.01.0 release and drop
>it with the first maintenance release 17.01.1 about 6-8 weeks later
>
> b) Drop libpolarssl now, even before branching and urge the feed package
>maintainers to migrate users of libpolarssl to the libmbedtls
>variant

I'd say drop it immediately unless there is a pressing reason not to
(i.e., an important package that can't be ported). Far better to deal
with the fallout during an RC phase than have a possible regression on a
point release six weeks from now. And we won't be doing anyone any
favours by shipping a known obsolete SSL library in the first release.

Dropping it also makes sure that we get a chance to weed out all
packages that are still inadvertently built against the old version
(libcurl depends on libpolarssl on my install from last night's nightly
build, for instance).

-Toke

___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev