On 02/02/2024 11:33, Wojtek Porczyk wrote:
> First, let me state that I'm not a contributor to mbedtls, only a downstream
> user and repackager [0], so I'm not in a position to propose any changes to
> mbedtls release process. Having said that:

You're a primary consumer for releases, so we definitely welcome your point of view.

> (…)
>
> For those two reasons, stopping providing checksums as they are currently,
> just pasted in the release notes, does not seem like a meaningful change.

More critically (see my other email), those checksums were never stable, for non-security reasons (e.g. compression changes). So it looks like we'll drop them before it even gets to security considerations.

> But maybe you could go the other way, and use this opportunity to provide
> signed releases? There are many options: signed tags, detached signatures
> over tarballs added to GitHub releases, or even just clearsigned output of
> sha256sum tool (`-----BEGIN PGP SIGNED MESSAGE-----`
> `0123abcd  mbedtls-12.34.5.tar.gz`).

We're going to look into this. How likely we are to actually do it will depend on demand, so I invite you to make your voice heard on GitHub.

> Yet another possibility would be to
> provide signed binaries: in the project I'm currently caring for, we sign just
> the apt repo and don't provide signed sources, but AFAICT it's not an option here.

Binaries are a no-go because most users of Mbed TLS want to build it for their own embedded environment. But official source tarballs are definitely an option.

Best regards,

--
Gilles Peskine
Mbed TLS developer
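
The instability mentioned in the thread (checksums changing because of compression changes) can be reproduced offline. The following is an added example, not code from the thread or from the Mbed TLS project; the file names and contents are constructed placeholders. It compresses one tar stream at two gzip levels and compares the SHA-256 of the compressed bytes with the SHA-256 of the decompressed tar stream.

```python
import gzip
import hashlib
import io
import tarfile


def build_tar(files):
    """Build an in-memory tar from {name: bytes} with fixed metadata."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = 0  # fixed timestamp so the tar bytes are reproducible
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def compare_archives(a_gz, b_gz):
    """Return (same_compressed_bytes, same_tar_stream) for two .tar.gz blobs."""
    same_compressed = sha256_hex(a_gz) == sha256_hex(b_gz)
    same_stream = (sha256_hex(gzip.decompress(a_gz))
                   == sha256_hex(gzip.decompress(b_gz)))
    return same_compressed, same_stream


# Constructed sample tree: placeholder names, not the real Mbed TLS layout.
SAMPLE = {
    "mbedtls-12.34.5/README.md": b"placeholder readme\n" * 200,
    "mbedtls-12.34.5/library/example.c": b"int example(void) { return 0; }\n" * 200,
}
TAR = build_tar(SAMPLE)
# Same content, two compression settings, as after a change of compressor.
FAST = gzip.compress(TAR, compresslevel=1, mtime=0)
BEST = gzip.compress(TAR, compresslevel=9, mtime=0)

if __name__ == "__main__":
    same_gz, same_tar = compare_archives(FAST, BEST)
    print("level 1 .tar.gz:", sha256_hex(FAST))
    print("level 9 .tar.gz:", sha256_hex(BEST))
    print("compressed bytes identical:", same_gz)
    print("tar stream identical:      ", same_tar)
```
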