Hello everyone,
We are currently using the mbedTLS version 2.16.12 in our firmware and we are planning an update to a newer branch. I would like to know, how long the different 3.x branches will be supported.
Is there any fix roadmap, how long an mbedTLS branch must be supported and maintained after its first release? I could only find this information for the 2.28 branch (support until end of 2024).
Thank you for any help you can offer.
Best regards Maher Azarkan
Hilscher Gesellschaft f?r Systemautomation mbH Rheinstra?e 15 / D-65795 Hattersheim / Germany
Sitz der Gesellschaft / place of business: Hattersheim | Gesch?ftsf?hrer / managing director: Sebastian Hilscher, Hans-J?rgen Hilscher Handelsregister / commercial register: Frankfurt B 26873 | Ust. Idnr. / VAT No.: DE113852715 Registergericht / register court: Amtsgericht Frankfurt/Main
Important Information: This e-mail message including its attachments contains confidential and legally protected information solely intended for the addressee. If you are not the intended addressee of this message, please contact the addresser immediately and delete this message including its attachments. The unauthorized dissemination, copying and change of this e-mail are strictly forbidden. The addresser shall not be liable for the content of such changed e-mails.
Wichtiger Hinweis: Diese E-Mail einschlie?lich ihrer Anh?nge enth?lt vertrauliche und rechtlich gesch?tzte Informationen, die nur f?r den Adressaten bestimmt sind. Sollten Sie nicht der bezeichnete Adressat sein, so teilen Sie dies bitte dem Absender umgehend mit und l?schen Sie diese Nachricht und ihre Anh?nge. Die unbefugte Weitergabe, das Anfertigen von Kopien und jede Ver?nderung der E-Mail ist untersagt. Der Absender haftet nicht f?r Inhalte von ver?nderten E-Mails.
My take on this is that there is no value in "support", for an embedded product software module. MbedTLS is free, with no commercial obligations, so nobody is going to fix anything for you.
My plan, running V2.16.2, is to run this for ever. It runs just fine, with LWIP 2.0.3 which also runs just fine. Security fixes are not really relevant in the embedded sphere because in nearly all cases there is no mechanism for deploying new firmware (and doing so remotely would itself be a huge security risk, unless tied down with certificates etc, but certificates have zero value if there is physical access, unless one is using some tamper-proof smartcard module), and since without physical security there is no security at all... you are back to zero :)
IOT products should never be run on an open port. Most of them are clients which call up a private server, for a) this reason and b) to create a long term revenue stream.
If anyone is willing to debate this, I would be seriously interested, but on past occassions everyone stayed very quiet :)
Peter
Hello everyone,
We are currently using the mbedTLS version 2.16.12 in our firmware and we are planning an update to a newer branch. I would like to know, how long the different 3.x branches will be supported.
Is there any fix roadmap, how long an mbedTLS branch must be supported and maintained after its first release? I could only find this information for the 2.28 branch (support until end of 2024).
Thank you for any help you can offer.
Best regards Maher Azarkan
Hilscher Gesellschaft f?r Systemautomation mbH Rheinstra?e 15 / D-65795 Hattersheim / Germany
Sitz der Gesellschaft / place of business: Hattersheim | Gesch?ftsf?hrer / managing director: Sebastian Hilscher, Hans-J?rgen Hilscher Handelsregister / commercial register: Frankfurt B 26873 | Ust. Idnr. / VAT No.: DE113852715 Registergericht / register court: Amtsgericht Frankfurt/Main
Important Information: This e-mail message including its attachments contains confidential and legally protected information solely intended for the addressee. If you are not the intended addressee of this message, please contact the addresser immediately and delete this message including its attachments. The unauthorized dissemination, copying and change of this e-mail are strictly forbidden. The addresser shall not be liable for the content of such changed e-mails.
Wichtiger Hinweis: Diese E-Mail einschlie?lich ihrer Anh?nge enth?lt vertrauliche und rechtlich gesch?tzte Informationen, die nur f?r den Adressaten bestimmt sind. Sollten Sie nicht der bezeichnete Adressat sein, so teilen Sie dies bitte dem Absender umgehend mit und l?schen Sie diese Nachricht und ihre Anh?nge. Die unbefugte Weitergabe, das Anfertigen von Kopien und jede Ver?nderung der E-Mail ist untersagt. Der Absender haftet nicht f?r Inhalte von ver?nderten E-Mails.
Hi Maher,
“We use Semantic Versioninghttps://semver.org/. In particular, we maintain API compatibility in the master branch across minor version changes (e.g. the API of 3.(x+1) is backward compatible with 3.x).” There is no LTS version on any 3.x branch yet. Once we create one at some point in the future, it will be maintained for at least 3 years from that point on.
We always create a new LTS branch when a new major version comes out. That is, around the release of 4.0 there will be a new 3.x LTS. According to the roadmaphttps://mbed-tls.readthedocs.io/en/latest/roadmap/ there won’t be a 4.0 anytime soon. Based on that, there will be a 3.x compatible version with security fixes for at least 4 years from now.
Best regards, Janos
From: Maher Azarkan via mbed-tls mbed-tls@lists.trustedfirmware.org Date: Monday, 27 March 2023 at 10:50 To: mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org Subject: [mbed-tls] Question about long-time support for 3.x branch Hello everyone,
We are currently using the mbedTLS version 2.16.12 in our firmware and we are planning an update to a newer branch. I would like to know, how long the different 3.x branches will be supported.
Is there any fix roadmap, how long an mbedTLS branch must be supported and maintained after its first release? I could only find this information for the 2.28 branch (support until end of 2024).
Thank you for any help you can offer.
Best regards Maher Azarkan
Hilscher Gesellschaft für Systemautomation mbH Rheinstraße 15 / D-65795 Hattersheim / Germany
Sitz der Gesellschaft / place of business: Hattersheim | Geschäftsführer / managing director: Sebastian Hilscher, Hans-Jürgen Hilscher Handelsregister / commercial register: Frankfurt B 26873 | Ust. Idnr. / VAT No.: DE113852715 Registergericht / register court: Amtsgericht Frankfurt/Main
Important Information: This e-mail message including its attachments contains confidential and legally protected information solely intended for the addressee. If you are not the intended addressee of this message, please contact the addresser immediately and delete this message including its attachments. The unauthorized dissemination, copying and change of this e-mail are strictly forbidden. The addresser shall not be liable for the content of such changed e-mails.
Wichtiger Hinweis: Diese E-Mail einschließlich ihrer Anhänge enthält vertrauliche und rechtlich geschützte Informationen, die nur für den Adressaten bestimmt sind. Sollten Sie nicht der bezeichnete Adressat sein, so teilen Sie dies bitte dem Absender umgehend mit und löschen Sie diese Nachricht und ihre Anhänge. Die unbefugte Weitergabe, das Anfertigen von Kopien und jede Veränderung der E-Mail ist untersagt. Der Absender haftet nicht für Inhalte von veränderten E-Mails.
mbed-tls@lists.trustedfirmware.org