[LEDE-DEV] Fading out PolarSSL

Toke Høiland-Jørgensen toke at toke.dk
Tue Jan 3 04:38:12 PST 2017

Jo-Philipp Wich <jo at mein.io> writes:

> Hi list,
> the mbed TLS project (formerly known as PolarSSL) declared the mbedTLS
> 1.3 branch (packaged as "libpolarssl" by LEDE) to be EOL with the end of
> the year 2016. [1]
> In order to avoid shipping an outdated and possibly vulnerable SSL
> library with the first LEDE release we began migrating core package
> dependencies and default library choices to the "mbedtls" package which
> includes the most recent 2.4.0 release of mbedTLS.
> There has been an ongoing discussion in IRC on how to handle the
> remaining users of the legacy PolarSSL package and whether to ship this
> library with the initial release and remove it later or whether to drop
> it now in order to catch potential fallout early.
> Since we didn't want to single-handedly decide this issue in IRC I took
> the topic to the list now to facilitate wider feedback.
> Right now there are more or less two approaches proposed:
> a) Keep libpolarssl available for the initial 17.01.0 release and drop
>    it with the first maintenance release 17.01.1 about 6-8 weeks later
> b) Drop libpolarssl now, even before branching and urge the feed package
>    maintainers to migrate users of libpolarssl to the libmbedtls
>    variant

I'd say drop it immediately unless there is a pressing reason not to
(i.e., an important package that can't be ported). Far better to deal
with the fallout during an RC phase than have a possible regression on a
point release six weeks from now. And we won't be doing anyone any
favours by shipping a known obsolete SSL library in the first release.

Dropping it also makes sure that we get a chance to weed out all
packages that are still inadvertently built against the old version
(libcurl depends on libpolarssl on my install from last night's nightly
build, for instance).
