[LEDE-DEV] Fading out PolarSSL

[Jo-Philipp Wich]

Hi list,

the mbed TLS project (formerly known as PolarSSL) declared the mbedTLS
1.3 branch (packaged as "libpolarssl" by LEDE) to be EOL with the end of
the year 2016. [1]

In order to avoid shipping an outdated and possibly vulnerable SSL
library with the first LEDE release we begun migrating core package
dependencies and default library choices to the "mbedtls" package which
includes the most recent 2.4.0 release of mbedTLS.

There has been an ongoing discussion in IRC on how to handle the
remaining users of the legacy PolarSSL package and whether to ship this
library with the initial release and remove it later or whether to drop
it now in order to catch potential fallout early.

Since we didn't want to single-handedly decide this issue in IRC I took
the topic to the list now to facilitate wider feedback.

Right now there are more or less two approaches proposed:

a) Keep libpolarssl available for the initial 17.01.0 release and drop
   it with the first maintenance release 17.01.1 about 6-8 weeks later

b) Drop libpolarssl now, even before branching and urge the feed package
   maintainers to migrate users of libpolarssl to the libmbedtls variant

Currently known remaining users of polarssl are:

 * bmx7
 * pianod
 * shadowsocks-libev-polarssl
 * shairport-sync-mini
 * shairport-sync-polarssl
 * transmission-cli-polarssl
 * transmission-daemon-polarssl
 * transmission-remote-polarssl
 * umurmur-polarssl


Please provide feedback on which approach you'd prefer and if you'd be
affected by the PolarSSL deprecation or not.

Regards,
Jo


1: https://tls.mbed.org/tech-updates/releases/mbedtls-2.0.0-released