On 02/02/2024 11:33, Wojtek Porczyk wrote:
First, let me state that I'm not a contributor to mbedtls, only a downstream user and repackager [0], so I'm not in position to propose any changes to mbedtls release process. Having said that:
You're a primary consumer for releases, so we definitely welcome your point of view.
(…)
For those two reasons, stopping providing checksums as they are currently, just pasted in the release notes, does not seem like a meaningful change.
More critically (see my other email), those checksums were never stable, for non-security reasons (e.g. compression changes). So it looks like we'll drop them before it even gets to security considerations.
But maybe you could go the other way, and use this opportunity to provide signed releases? There are many options: signed tags, detached signatures over tarballs added to GitHub releases, or even just clearsigned output of sha256sum tool (```-----BEGIN PGP SIGNED MESSAGE----- 0123abcd mbedtls-12.34.5.tar.gz```).
We're going to look into this. How likely we are to actually do it will depend on demand, so I invite you to make your voice heard on GitHub.
Yet another possibility would be to provide signed binaries: in the project I'm currently caring for, we sign just apt repo and don't provide signed sources, but AFAICT it's not an option here.
Binaries are a no-go because most users of Mbed TLS want to build it for their own embedded environment. But official source tarballs are definitely an option.
Best regards,