[Buildroot] [PATCH] polarssl: remove on security grounds
Gustavo Zacarias
gustavo at zacarias.com.ar
Tue Nov 1 23:27:04 UTC 2016
On 29/10/16 10:50, Thomas Petazzoni wrote:
> Hello,
>
> On Fri, 28 Oct 2016 10:36:51 -0300, Gustavo Zacarias wrote:
>> The 1.2.x branch is no longer maintained and the latest release from the
>> maintained branches (2.3, 2.1, 1.3) were security releases, so more
>> likely than not 1.2 is affected.
>> In consequence switch shairport-sync to the openssl backend.
>
> The question that immediately comes to mind is: if 1.2 is no longer
> security-maintained, why don't we package the newer versions such as
> 2.3 ?
>
> I guess it's because polarssl 2.3 doesn't exist, and it's called
> mbedtls instead. But it would be good to get your confirmation, and
> have this written clearly in the commit log, and Config.in.legacy help
> text.
Hi.
I think we've already talked about this in the past.
The problem is that mbedtls is not a replacement for polarssl - they're
not compatible except for a small transitional period during the 1.3.x
series, so it has little merit mentioning "switch to mbedtls" since
nothing will work as-is.
Regards.
More information about the buildroot
mailing list