| Message ID | 1437080329-96500-1-git-send-email-eswierk@skyportsystems.com |
|---|---|
| State | Changes Requested |
| Headers | show |
On 16/07/15 17:58, Ed Swierk wrote: > This patch updates the polarssl package to build the current mbed 1.3.x > release. > > It also prefixes the generated binaries with mbed_, to avoid names that > overlap with other packages (like sha1sum) or that are generic and > confusing (like selftest or hello). And breaks at least openvpn in the process since 1.2.x and 1.3.x are API incompatible (also Hiawatha but a bump would fix that). I didn't test rtmpdump or shairport-sync for breakage. So there's more to do than just bump (there's no openvpn release compatible with 1.3.x, that's scheduled for the 2.4.x branch). Regards.
Dear Ed Swierk, On Thu, 16 Jul 2015 13:58:49 -0700, Ed Swierk wrote: > This patch updates the polarssl package to build the current mbed 1.3.x > release. > > It also prefixes the generated binaries with mbed_, to avoid names that > overlap with other packages (like sha1sum) or that are generic and > confusing (like selftest or hello). > > Signed-off-by: Ed Swierk <eswierk@skyportsystems.com> > --- > package/polarssl/0001-no-test-suite.patch | 27 ---------------------- > ...he-standard-CMake-flag-to-drive-the-share.patch | 18 +++++++-------- > package/polarssl/polarssl.hash | 4 ++-- > package/polarssl/polarssl.mk | 17 +++++++++++--- > 4 files changed, 25 insertions(+), 41 deletions(-) > delete mode 100644 package/polarssl/0001-no-test-suite.patch Thanks for your patch. However, following Gustavo's comment, I've marked your patch as "Changes Requested" in our patch tracking system. Can you resubmit a new version that takes into account Gustavo's comments? Thanks! Thomas
On 07/16/15 23:11, Thomas Petazzoni wrote: > Dear Ed Swierk, > > On Thu, 16 Jul 2015 13:58:49 -0700, Ed Swierk wrote: >> This patch updates the polarssl package to build the current mbed 1.3.x >> release. >> >> It also prefixes the generated binaries with mbed_, to avoid names that >> overlap with other packages (like sha1sum) or that are generic and >> confusing (like selftest or hello). >> >> Signed-off-by: Ed Swierk <eswierk@skyportsystems.com> >> --- >> package/polarssl/0001-no-test-suite.patch | 27 ---------------------- >> ...he-standard-CMake-flag-to-drive-the-share.patch | 18 +++++++-------- >> package/polarssl/polarssl.hash | 4 ++-- >> package/polarssl/polarssl.mk | 17 +++++++++++--- >> 4 files changed, 25 insertions(+), 41 deletions(-) >> delete mode 100644 package/polarssl/0001-no-test-suite.patch > > Thanks for your patch. However, following Gustavo's comment, I've > marked your patch as "Changes Requested" in our patch tracking system. > Can you resubmit a new version that takes into account Gustavo's > comments? Since it anyway is not compatible and upstream changed name, perhaps it's better just to create a new package called mbedtls? When we remove polarssl we can make a legacy entry to point to mbedtls. Regards, Arnout
Arnout, Ed, On Fri, 17 Jul 2015 00:32:59 +0200, Arnout Vandecappelle wrote: > > Thanks for your patch. However, following Gustavo's comment, I've > > marked your patch as "Changes Requested" in our patch tracking system. > > Can you resubmit a new version that takes into account Gustavo's > > comments? > > Since it anyway is not compatible and upstream changed name, perhaps it's > better just to create a new package called mbedtls? When we remove polarssl we > can make a legacy entry to point to mbedtls. Why would we remove polarssl? Is the project dead? Or is mbedtls its replacement? Other than that, yes: if mbedtls is like a new library that is incompatible with polarssl, then a separate package is the best option. Thanks, Thomas
On 17/07/15 04:52, Thomas Petazzoni wrote: > Arnout, Ed, > > On Fri, 17 Jul 2015 00:32:59 +0200, Arnout Vandecappelle wrote: > >>> Thanks for your patch. However, following Gustavo's comment, I've >>> marked your patch as "Changes Requested" in our patch tracking system. >>> Can you resubmit a new version that takes into account Gustavo's >>> comments? >> >> Since it anyway is not compatible and upstream changed name, perhaps it's >> better just to create a new package called mbedtls? When we remove polarssl we >> can make a legacy entry to point to mbedtls. > > Why would we remove polarssl? Is the project dead? Or is mbedtls its > replacement? > > Other than that, yes: if mbedtls is like a new library that is > incompatible with polarssl, then a separate package is the best option. mbedtls is polarssl, it just got renamed when they got bought by ARM. Adding to confusion this was done with the 1.3+ branches but not with 1.2 (which is in security maintenance). It was to reflect that polarssl (now mbedtls) is the crypto library for the mbed operating system, even though it still works with linux (likely they enabled this with 1.3+ but never backported to 1.2- hence keeping the old name). Last time i've checked the 1.2 and 1.3 series couldn't coexist sanely on the same system, and since programs checks for polarssl rather than mbedtls for now it's probably still the case. rtmpdump can use any of the three optionally (gnutls, openssl, polarssl), dunno if it can handle 1.3+ curl needs 1.3+ (we never enabled polarssl support). Newer hiawatha needs 1.3+ (or can use bundled). shairport-sync can use either polarssl or openssl (mandatory one of them), dunno if it can handle 1.3+ openvpn can use openssl or polarssl (not 1.3+). So it basically narrows down the choices, though it doesn't necessarily take down other packages. Question is, keep 1.2 and some small targets small or go 1.3+ ? Also there's mbedtls 2.0.0 now, which, again, breaks API. And this has a better chance of living side by side with polarssl 1.2 since they've renamed everything it seems. Regards.
On 07/17/15 12:30, Gustavo Zacarias wrote: > On 17/07/15 04:52, Thomas Petazzoni wrote: > >> Arnout, Ed, >> >> On Fri, 17 Jul 2015 00:32:59 +0200, Arnout Vandecappelle wrote: >> >>>> Thanks for your patch. However, following Gustavo's comment, I've >>>> marked your patch as "Changes Requested" in our patch tracking system. >>>> Can you resubmit a new version that takes into account Gustavo's >>>> comments? >>> >>> Since it anyway is not compatible and upstream changed name, perhaps it's >>> better just to create a new package called mbedtls? When we remove polarssl we >>> can make a legacy entry to point to mbedtls. >> >> Why would we remove polarssl? Is the project dead? Or is mbedtls its >> replacement? >> >> Other than that, yes: if mbedtls is like a new library that is >> incompatible with polarssl, then a separate package is the best option. > > mbedtls is polarssl, it just got renamed when they got bought by ARM. > Adding to confusion this was done with the 1.3+ branches but not with 1.2 (which > is in security maintenance). > It was to reflect that polarssl (now mbedtls) is the crypto library for the mbed > operating system, even though it still works with linux (likely they enabled > this with 1.3+ but never backported to 1.2- hence keeping the old name). > Last time i've checked the 1.2 and 1.3 series couldn't coexist sanely on the > same system, and since programs checks for polarssl rather than mbedtls for now > it's probably still the case. > rtmpdump can use any of the three optionally (gnutls, openssl, polarssl), dunno > if it can handle 1.3+ > curl needs 1.3+ (we never enabled polarssl support). > Newer hiawatha needs 1.3+ (or can use bundled). > shairport-sync can use either polarssl or openssl (mandatory one of them), dunno > if it can handle 1.3+ > openvpn can use openssl or polarssl (not 1.3+). > So it basically narrows down the choices, though it doesn't necessarily take > down other packages. > Question is, keep 1.2 and some small targets small or go 1.3+ ? > Also there's mbedtls 2.0.0 now, which, again, breaks API. And this has a better > chance of living side by side with polarssl 1.2 since they've renamed everything > it seems. So the tarball called mbedtls installs a library called polarssl? Or does it install a library called mbedtls with a symlink from polarssl? Either way, since there's an API change, I still think it makes sense to make it a new package - that's what we do with webkitgtk24 as well. If side-by-side is not possible, we can just make it depend on !polarssl or vice versa. It's a bit of a pain while we have both polarssl and mbedtls because of the extra select/depends stuff in the packages using it, but anyway most packages only have automatic dependencies in the .mk file. With the API breakage in mbedtls 2.0 in mind, it's probably best to call the new package mbedtls13 so we can eventually (when everything has migrated to 2.0 API) end up with just a single package mbedtls. All this for a TLS library that has simplicity as its USP :-) Regards, Arnout
On 17/07/15 08:11, Arnout Vandecappelle wrote: > So the tarball called mbedtls installs a library called polarssl? Or does it > install a library called mbedtls with a symlink from polarssl? The 1.3 series installs as polarssl for compatbility purposes. I haven't looked at the 2.0 tarball but according to the release notes it should install as mbedtls since they broke API anyway (unless they're too shortsighted). > Either way, since there's an API change, I still think it makes sense to make > it a new package - that's what we do with webkitgtk24 as well. If side-by-side > is not possible, we can just make it depend on !polarssl or vice versa. It's a > bit of a pain while we have both polarssl and mbedtls because of the extra > select/depends stuff in the packages using it, but anyway most packages only > have automatic dependencies in the .mk file. > > With the API breakage in mbedtls 2.0 in mind, it's probably best to call the > new package mbedtls13 so we can eventually (when everything has migrated to 2.0 > API) end up with just a single package mbedtls. Question is, Ed, are you using mbedtls for your project? Because that would make 2.0 more reasonable, in general we prefer the latest versions unless there's a special need in the form of BR packages that can't work with the latest version. Regarding openvpn killing 1.2 would leave it in just-openssl ground, which isn't too ideal since openvpn+polarssl is probably smaller than openssl alone. The openvpn 2.4 milestone/branch contains 1.3 support but it's no easy backport, in general we tend to avoid that and there's no release date set either. It also remains to be seen if that works with 2.0. > All this for a TLS library that has simplicity as its USP :-) Heh, don't mention it, even openssl kept the API compatible (not ABI though, arguably that's it's main bloat problem). Regards.
diff --git a/package/polarssl/0001-no-test-suite.patch b/package/polarssl/0001-no-test-suite.patch deleted file mode 100644 index 4c8552a..0000000 --- a/package/polarssl/0001-no-test-suite.patch +++ /dev/null @@ -1,27 +0,0 @@ -Add BUILD_TESTS option to disable test suite - -By default, PolarSSL builds a fairly extensive test suite to validate -the library. In the context of Buildroot, building this test suite is -not really useful, so we add a BUILD_TESTS to disable its build. - -[Gustavo: update for 1.2.11] -Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> -Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> - -diff -Nura polarssl-1.2.11.orig/CMakeLists.txt polarssl-1.2.11/CMakeLists.txt ---- polarssl-1.2.11.orig/CMakeLists.txt 2014-07-11 17:14:43.414651327 -0300 -+++ polarssl-1.2.11/CMakeLists.txt 2014-07-11 17:23:00.573498626 -0300 -@@ -49,9 +49,11 @@ - add_subdirectory(library) - add_subdirectory(include) - --if(CMAKE_COMPILER_IS_GNUCC) -+option(BUILD_TESTS "Build tests." ON) -+ -+if(CMAKE_COMPILER_IS_GNUCC AND BUILD_TESTS) - add_subdirectory(tests) --endif(CMAKE_COMPILER_IS_GNUCC) -+endif(CMAKE_COMPILER_IS_GNUCC AND BUILD_TESTS) - if(CMAKE_COMPILER_IS_CLANG) - add_subdirectory(tests) - endif(CMAKE_COMPILER_IS_CLANG) diff --git a/package/polarssl/0002-cmake-use-the-standard-CMake-flag-to-drive-the-share.patch b/package/polarssl/0002-cmake-use-the-standard-CMake-flag-to-drive-the-share.patch index d241ae2..2ab80a5 100644 --- a/package/polarssl/0002-cmake-use-the-standard-CMake-flag-to-drive-the-share.patch +++ b/package/polarssl/0002-cmake-use-the-standard-CMake-flag-to-drive-the-share.patch @@ -17,23 +17,23 @@ index 27bd2e0..2ae0aba 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -1,5 +1,15 @@ --option(USE_STATIC_POLARSSL_LIBRARY "Build PolarSSL static library." ON) --option(USE_SHARED_POLARSSL_LIBRARY "Build PolarSSL shared library." OFF) +-option(USE_STATIC_MBEDTLS_LIBRARY "Build mbed TLS static library." ON) +-option(USE_SHARED_MBEDTLS_LIBRARY "Build mbed TLS shared library." OFF) +# Use the standard CMake flag to drive the shared object build. -+if(DEFINED BUILD_SHARED_LIBS AND NOT DEFINED USE_STATIC_POLARSSL_LIBRARY AND NOT DEFINED USE_SHARED_POLARSSL_LIBRARY) -+ set(USE_STATIC_POLARSSL_LIBRARY ON) ++if(DEFINED BUILD_SHARED_LIBS AND NOT DEFINED USE_STATIC_MBEDTLS_LIBRARY AND NOT DEFINED USE_SHARED_MBEDTLS_LIBRARY) ++ set(USE_STATIC_MBEDTLS_LIBRARY ON) + if(BUILD_SHARED_LIBS) -+ set(USE_SHARED_POLARSSL_LIBRARY ON) ++ set(USE_SHARED_MBEDTLS_LIBRARY ON) + else() -+ set(USE_SHARED_POLARSSL_LIBRARY OFF) ++ set(USE_SHARED_MBEDTLS_LIBRARY OFF) + endif() +else() -+ option(USE_STATIC_POLARSSL_LIBRARY "Build PolarSSL static library." ON) -+ option(USE_SHARED_POLARSSL_LIBRARY "Build PolarSSL shared library." OFF) ++ option(USE_STATIC_MBEDTLS_LIBRARY "Build mbed TLS static library." ON) ++ option(USE_SHARED_MBEDTLS_LIBRARY "Build mbed TLS shared library." OFF) +endif() + option(LINK_WITH_PTHREAD "Explicitly link mbed TLS library to pthread." OFF) set(src - aes.c -- 2.1.0 diff --git a/package/polarssl/polarssl.hash b/package/polarssl/polarssl.hash index e7883fd..23ed577 100644 --- a/package/polarssl/polarssl.hash +++ b/package/polarssl/polarssl.hash @@ -1,2 +1,2 @@ -# From https://polarssl.org/tech-updates/releases/polarssl-1.2.14-released -sha256 d7cbd8314aa3a5441f6282d13d07df610f49b4bc678088b04188adf093d17d37 polarssl-1.2.14-gpl.tgz +# From https://tls.mbed.org/code/releases/mbedtls-1.3.11-gpl.tgz +sha256 67a593027b6a442a4fa5b6c224c4ac8cdae5be721f5a28a11d34f10dcda441cb mbedtls-1.3.11-gpl.tgz diff --git a/package/polarssl/polarssl.mk b/package/polarssl/polarssl.mk index 289a28d..9462253 100644 --- a/package/polarssl/polarssl.mk +++ b/package/polarssl/polarssl.mk @@ -5,10 +5,12 @@ ################################################################################ POLARSSL_SITE = https://tls.mbed.org/code/releases -POLARSSL_VERSION = 1.2.14 -POLARSSL_SOURCE = polarssl-$(POLARSSL_VERSION)-gpl.tgz +POLARSSL_VERSION = 1.3.11 +POLARSSL_SOURCE = mbedtls-$(POLARSSL_VERSION)-gpl.tgz POLARSSL_CONF_OPTS = \ - -DENABLE_PROGRAMS=$(if $(BR2_PACKAGE_POLARSSL_PROGRAMS),ON,OFF) + -DENABLE_PROGRAMS=$(if $(BR2_PACKAGE_POLARSSL_PROGRAMS),ON,OFF) \ + -DENABLE_TESTING=OFF \ + -DCMAKE_EXECUTABLE_SUFFIX_C=_mbed \ POLARSSL_INSTALL_STAGING = YES POLARSSL_LICENSE = GPLv2 @@ -26,4 +28,13 @@ else ifeq ($(BR2_microblaze),y) POLARSSL_POST_CONFIGURE_HOOKS += POLARSSL_DISABLE_ASM endif +# Prefix installed executables with mbed_ to avoid conflicting with +# other tools like sha1sum +define POLARSSL_PREFIX_EXECUTABLES + cd $(TARGET_DIR)/usr/bin; for f in *_mbed; do [ ! -f $$f ] || mv $$f mbed_$${f%_mbed}; done + rm -f $(TARGET_DIR)/usr/lib/libmbedtls.a +endef + +POLARSSL_POST_INSTALL_TARGET_HOOKS += POLARSSL_PREFIX_EXECUTABLES + $(eval $(cmake-package))
This patch updates the polarssl package to build the current mbed 1.3.x release. It also prefixes the generated binaries with mbed_, to avoid names that overlap with other packages (like sha1sum) or that are generic and confusing (like selftest or hello). Signed-off-by: Ed Swierk <eswierk@skyportsystems.com> --- package/polarssl/0001-no-test-suite.patch | 27 ---------------------- ...he-standard-CMake-flag-to-drive-the-share.patch | 18 +++++++-------- package/polarssl/polarssl.hash | 4 ++-- package/polarssl/polarssl.mk | 17 +++++++++++--- 4 files changed, 25 insertions(+), 41 deletions(-) delete mode 100644 package/polarssl/0001-no-test-suite.patch