[LEDE-DEV] Fading out PolarSSL

Toke Høiland-Jørgensen toke at toke.dk
Tue Jan 3 04:38:12 PST 2017


Jo-Philipp Wich <jo at mein.io> writes:

> Hi list,
>
> the mbed TLS project (formerly known as PolarSSL) declared the mbedTLS
> 1.3 branch (packaged as "libpolarssl" by LEDE) to be EOL with the end of
> the year 2016. [1]
>
> In order to avoid shipping an outdated and possibly vulnerable SSL
> library with the first LEDE release we began migrating core package
> dependencies and default library choices to the "mbedtls" package which
> includes the most recent 2.4.0 release of mbedTLS.
>
> There has been an ongoing discussion in IRC on how to handle the
> remaining users of the legacy PolarSSL package and whether to ship this
> library with the initial release and remove it later or whether to drop
> it now in order to catch potential fallout early.
>
> Since we didn't want to single-handedly decide this issue in IRC I took
> the topic to the list now to facilitate wider feedback.
>
> Right now there are more or less two approaches proposed:
>
> a) Keep libpolarssl available for the initial 17.01.0 release and drop
>    it with the first maintenance release 17.01.1 about 6-8 weeks later
>
> b) Drop libpolarssl now, even before branching and urge the feed package
>    maintainers to migrate users of libpolarssl to the libmbedtls
>    variant

I'd say drop it immediately unless there is a pressing reason not to
(i.e., an important package that can't be ported). Far better to deal
with the fallout during an RC phase than have a possible regression on a
point release six weeks from now. And we won't be doing anyone any
favours by shipping a known obsolete SSL library in the first release.

Dropping it also makes sure that we get a chance to weed out all
packages that are still inadvertently built against the old version
(libcurl depends on libpolarssl on my install from last night's nightly
build, for instance).

-Toke
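The check Toke describes above (finding every installed package still built against libpolarssl) done mechanically, as an added example that is not part of the thread or of LEDE itself. It parses an opkg status file, which LEDE/OpenWrt keep at /usr/lib/opkg/status (assumed path; any file in the same control format works), and lists the packages whose Depends: line names a given library, stripping version constraints such as "(>= 1.3)" so they do not hide a match. The sample status entries are constructed for the demonstration; the package names and versions in them are not taken from a real system.

```shell
#!/bin/sh
# List installed packages whose Depends: line names a given library.
# Usage: find_dependents /usr/lib/opkg/status libpolarssl
find_dependents() {
    status_file=$1
    lib=$2
    # opkg's status file is in Debian control format: one stanza per
    # package, stanzas separated by blank lines. awk's paragraph mode
    # (RS="") hands us one stanza per record, one header line per field.
    awk -v lib="$lib" '
        BEGIN { RS = ""; FS = "\n" }
        {
            pkg = ""; deps = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Package: /) pkg  = substr($i, 10)
                if ($i ~ /^Depends: /) deps = substr($i, 10)
            }
            if (pkg == "" || deps == "") next
            n = split(deps, d, ",")
            for (j = 1; j <= n; j++) {
                dep = d[j]
                sub(/\(.*$/, "", dep)             # drop "(>= 1.3)" style constraints
                gsub(/^[ \t]+|[ \t]+$/, "", dep)  # trim surrounding whitespace
                if (dep == lib) { print pkg; break }
            }
        }' "$status_file"
}

# Write a constructed sample status file (not from a real device) and
# print its path, so the check can be exercised without a LEDE box.
make_sample_status() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Package: libcurl
Version: 1.0-1
Depends: libc, libpolarssl (>= 1.3), zlib
Status: install user installed
Architecture: mips_24kc

Package: uhttpd-mod-tls
Version: 1.0-1
Depends: libc, libustream-mbedtls
Status: install user installed
Architecture: mips_24kc

Package: libpolarssl
Version: 1.0-1
Depends: libc
Status: install user installed
Architecture: mips_24kc
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: report what still pulls in the EOL library.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_status)
    echo "packages depending on libpolarssl:"
    find_dependents "$sample" libpolarssl
    rm -f "$sample"
fi
```

On a running LEDE system `opkg whatdepends libpolarssl` asks the package manager the same question directly; the script is for the case where you only have the status file (or a package index in the same format) copied out of an image and want to grep the whole set before deciding whether anything blocks dropping the library.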
