[Gnuk-users] gnuk's use of polarssl/mbedtls
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Oct 12 16:33:59 UTC 2017
hey gnuk folks--
Thanks for working on Gnuk! I was looking into maintenance issues for
it (thinking about debian packaging, as i wrote in another thread), and
i found myself asking questions about the maintenance of its crypto
library, so i thought i'd ask here.
i notice that gnuk contains a copy of some files in a directory named
polarssl/, which appears to have been initially imported from polarssl
1.2.6 in 2013 and updated later that year to 1.2.10. However, there are
several changes on top of polarssl's base files that i'm ill-equipped to
understand -- and the commit log messages aren't verbose enough to point
me in the right direction to figure out what's going on.
polarssl is now known as mbedtls (the upstream transition was several
years ago).
debian ships mbedtls 2.4.2 in stable, and 2.6.0 in testing/unstable. It
only ships polarssl 1.3.9 in oldstable (jessie) and 1.2.9 in
oldoldstable (wheezy).
I'm assuming that mbedtls has made improvements since 1.2.10. and
several security announcements have been made post-1.2.10:
https://tls.mbed.org/security -- though i haven't reviewed how many of
them are relevant to the small parts that gnuk uses (none that i could
see from a quick skim, but i could easily have missed something).
How does the gnuk project keep up-to-date with improvements in this
library? is there a plan to switch over from "polarssl" to "mbedtls"
explictly?
Regards,
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/gnuk-users/attachments/20171012/12e65c07/attachment.sig>
More information about the gnuk-users
mailing list