Hi!
I'm looking into packaging the TF-PSA-Crypto library in Debian for the upcoming MbedTLS 4.0.0 release.
I've noticed that there are two (identical?) tags for version 1.0.0-beta: tf-psa-crypto-1.0.0-beta and v1.0.0-beta.
Maybe it is a dumb question, but: which of the two tags am I supposed to use? Which of the two forms should I "watch" for updates?
Also: why are there two identical tags in the first place? This also happens with MbedTLS!
Curious to know, bye :)
Hi Andrea,
The vVERSION tags are automatically created by GitHub when we create a release. The mbedtls-VERSION and now tf-psa-crypto-VERSION tags follow the historical pattern that the project has been using, and have the benefit of reflecting the project name. I believe that they're equivalent: I don't think we've ever had a reason to make them point to different commits.
The thing to watch is a new release on GitHub.
Thank you for maintaining these packages!
Best regards,
On Tue Jul 29, 2025 at 5:19 PM CEST, Gilles Peskine wrote:
> The vVERSION tags are automatically created by GitHub when we create a release. The mbedtls-VERSION and now tf-psa-crypto-VERSION tags follow the historical pattern that the project has been using, and have the benefit of reflecting the project name. I believe that they're equivalent: I don't think we've ever had a reason to make them point to different commits.
> The thing to watch is a new release on GitHub.
Hi Gilles! The thing is: tf-psa-crypto has no GitHub releases (yet), just tags. So these must have been created manually, right?
> Thank you for maintaining these packages!
Thank you for maintaining LTS branches :)
Bye!
There is one release in https://github.com/Mbed-TLS/TF-PSA-Crypto/releases (manual tag tf-psa-crypto-1.0.0-beta, GitHub automatic tag v1.0.0-beta). There will be another one when 1.0.0 comes out (we aren't planning a second beta).
For packaging purposes, note that it's likely that during the early days of 1.x/4.x we'll make simultaneous releases where Mbed TLS 4.x includes TF-PSA-Crypto 1.x and does not work with another version. But our objective at some point during the 4.x series is to make the projects independent, where Mbed TLS 4.x could work with TF-PSA-Crypto 1.y, and eventually (but don't hold your breath) could work with an independent implementation of the PSA Crypto API.
-- Gilles
On Fri Aug 1, 2025 at 9:50 AM CEST, Gilles Peskine wrote:
> There is one release in https://github.com/Mbed-TLS/TF-PSA-Crypto/releases (manual tag tf-psa-crypto-1.0.0-beta, GitHub automatic tag v1.0.0-beta). There will be another one when 1.0.0 comes out (we aren't planning a second beta).
Oops, sorry! GitHub didn't show the release in the main program page since it is a pre-release, and I simply missed it.
> For packaging purposes, note that it's likely that during the early days of 1.x/4.x we'll make simultaneous releases where Mbed TLS 4.x includes TF-PSA-Crypto 1.x and does not work with another version. But our objective at some point during the 4.x series is to make the projects independent, where Mbed TLS 4.x could work with TF-PSA-Crypto 1.y, and eventually (but don't hold your breath) could work with an independent implementation of the PSA Crypto API.
Sounds great! I'm just trying to get familiar with this new library to be able to package it promptly after the release.
Since we are talking about Git tags and releases: is it acceptable to start packaging from Git tags exclusively (i.e., not using the provided .tar.bz2)? In my packaging, I want to generate the auto-generated files from scratch (which, given the wide range of software which can be used during Debian package builds, is not an issue).
Thanks again for your answers, bye :)
On 01/08/2025 14:15, Andrea Pappacoda wrote:
> Since we are talking about Git tags and releases: is it acceptable to start packaging from Git tags exclusively (i.e., not using the provided .tar.bz2)? In my packaging, I want to generate the auto-generated files from scratch (which, given the wide range of software which can be used during Debian package builds, is not an issue).
It's better to use the git tags, in fact. They're inherently fairly protected against tampering, unlike archives. GitHub doesn't track the history of releases or their attachments.
-- Gilles
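
For a packager following the advice in this thread, a check that the project-named tag and the GitHub-created tag resolve to the same commit, and that neither has moved since its commit id was recorded, could look like this. It is an added example, not part of the thread or of the project's tooling; the function names, the optional pinned-commit argument and the sample hashes are constructed for illustration, and the input format is that of `git ls-remote --tags`.

```shell
#!/bin/sh
# Added example: compare two release tags using `git ls-remote --tags` output.
# Annotated tags appear twice: "<tag-object-id> refs/tags/NAME" and
# "<commit-id> refs/tags/NAME^{}" (the peeled commit). Lightweight tags
# appear once, pointing straight at the commit.

# tag_commit NAME: read a listing on stdin, print the commit NAME resolves to.
tag_commit() {
    awk -v ref="refs/tags/$1" '
        $2 == ref          { direct = $1 }
        $2 == (ref "^{}")  { peeled = $1 }
        END {
            if (peeled != "")      print peeled
            else if (direct != "") print direct
            else                   exit 1
        }'
}

# same_commit LISTING TAG_A TAG_B [PINNED]: succeed only if both tags exist,
# resolve to one commit, and (if given) that commit equals the PINNED id
# (PINNED is a hypothetical value the packager recorded earlier).
same_commit() {
    a=$(printf '%s\n' "$1" | tag_commit "$2") || { echo "missing tag: $2" >&2; return 2; }
    b=$(printf '%s\n' "$1" | tag_commit "$3") || { echo "missing tag: $3" >&2; return 2; }
    [ "$a" = "$b" ] || { echo "tags differ: $a vs $b" >&2; return 1; }
    [ -z "${4:-}" ] || [ "$a" = "$4" ] || { echo "tag moved: expected $4, got $a" >&2; return 3; }
    printf '%s\n' "$a"
}

# Constructed sample listing: hashes are made up, and which tag is annotated
# is an assumption for the sake of showing both cases.
SAMPLE=$(printf '%s\t%s\n' \
    1111111111111111111111111111111111111111 'refs/tags/tf-psa-crypto-1.0.0-beta' \
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 'refs/tags/tf-psa-crypto-1.0.0-beta^{}' \
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 'refs/tags/v1.0.0-beta')

# Prints the shared commit id when the two tags agree.
same_commit "$SAMPLE" tf-psa-crypto-1.0.0-beta v1.0.0-beta
```

Against the real repository, the listing would come from `git ls-remote --tags https://github.com/Mbed-TLS/TF-PSA-Crypto`.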
psa-crypto@lists.trustedfirmware.org