On Wednesday, 30 August 2017 14:57:22 PDT Thiago Macieira wrote:
> On Wednesday, 30 August 2017 13:51:47 PDT Mats Wichmann wrote:
> > iotivity no longer "ships" mbedtls, leaving it to the developer to pull
> > it from the upstream git themselves. however, once they do, we will end
> > up doing:
> >
> > git checkout -f development && git reset --hard mbedtls-2.4.2
> >
> > before applying the iotivity patch and proceeding.
> >
> > The note below says we should upgrade to 2.6.0 to address the CVE.
> >
> > How should we react to this?
>
> We should stop telling people to reset to 2.4.2.
>
> And we need to update the patch we ask people to apply for every one of our
> releases. It should be done on top of the latest stable.

One more thing: we need to upstream our changes, or at least make the effort.
Upstream has not yet accepted some fixes that Microsoft contributed and are
probably part of the patch.

--
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center
