Hi Peter,

Since you've raised this issue of the difficulty of upgrading in the past, I wanted to ask about something you mentioned previously:

> I reckon to go from v2 to v3 will cost some 5 digits in implementation and testing cost, and this is repeated a few times a year.

The 2-to-3 transition was a big one (new major version) but releases like this should happen only once every few years or so.

Aside from these big releases, LTS versions (2.28, 3.6) are supported for 3 years and should be API-compatible. In theory upgrading between LTS minor versions should be as easy as recompiling the code.

Is this in fact not the case, and if so what causes the difficulty in upgrading? Are there things we could do to make upgrading between minor versions easier? If there are improvements we can make, it would be great to hear them.

Many thanks,
David Horstmann
Mbed TLS Developer

From: Peter <peter@peter2000.co.uk>
Sent: 06 August 2024 16:22
To: David Horstmann <David.Horstmann@arm.com>
Cc: mbed-tls@lists.trustedfirmware.org <mbed-tls@lists.trustedfirmware.org>; Kumar, Praveen <praveen.m.kumar@philips.com>
Subject: Re: [mbed-tls] Re: Requesting information for mbed-tls commercial license & support
 
This topic has without a doubt been silently visited by many MbedTLS
users :)

The biggest problem I see is that the MbedTLS devs produce a new
version roughly every 2.3 weeks :) And any customer with a brain and
internet access will google MbedTLS, discover that the current version
is about a year later than the one in your product, and ask you a very
pointed question "why aren't you using a version with the latest
security patches?".

You then end up in an impossible position of having to explain to your
customer (who, like everybody on the internet is a security expert,
and has read all about deprecated crypto suites, hash collisions, and
doesn't care that e.g. TLS 1.3 removes a bunch of hashes which are
still used on some of the CACERT.PEM certificates) that for commercial
and technical (e.g. product testing, over many months) reasons you had
to freeze your product with MbedTLS v2.8 or whatever.

You also have to explain to your "security expert" customer that most
of the mods done in the last couple of years are at best tangential to
any concept of secure comms in an embedded product which 99% of the
time is running in an environment without physical (access) security,
so "nice" stuff like zeroing malloc'd buffers before freeing them does
nothing for security because only somebody totally "inside" your box
is going to be reading RAM.

So I don't think the license is a problem :)

Peter

>Hi Praveen,
>
>Mbed TLS is distributed under both the Apache 2.0 and GPL 2.0 licenses (dual-licensed), users may use the library under the terms of whichever license they prefer.
>
>The Apache 2.0 license is a permissive license which usually allows commercial use, however you should check the terms of this license for yourself to ensure it is compatible with your usecase.
>
>We do not provide paid support for Mbed TLS. We provide some support via the mailing list (for general support queries) and GitHub (for bug reports) but it is on a best-effort basis only.
>
>I hope that helps.
>
>Kind regards,
>David Horstmann
>Mbed TLS Developer
>________________________________
>From: Kumar, Praveen via mbed-tls <mbed-tls@lists.trustedfirmware.org>
>Sent: 06 August 2024 11:59
>To: mbed-tls@lists.trustedfirmware.org <mbed-tls@lists.trustedfirmware.org>
>Subject: [mbed-tls] Requesting information for mbed-tls commercial license & support
>
>We are in the process of qualifying a suitable encryption library for our pre-hospital patient monitor and the telemedicine system. I am writing to request your guidance regarding the mbed-tls use for commercial purposes. I look forward to your response.
>
>Regards,
>
>Praveen Kumar
>R&D Project Manager
>Emergency Care Professional (EC-Pro)
>Philips
>
>Tel +44 (0) 1256 362427 Email praveen.m.kumar@philips.com
>
>Remote Diagnostic Technologies Limited. Registered office: Ascent 1, Farnborough Aerospace Centre, Aerospace Boulevard, Farnborough GU14 6XW, UK. Registered in England No. 3321782.
>