From e699739f289f6009214f4e16ea53d5936615c57f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 25 Feb 2021 11:40:08 +0100 Subject: [PATCH 1/9] Add BRANCHES.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- BRANCHES.md | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 BRANCHES.md diff --git a/BRANCHES.md b/BRANCHES.md new file mode 100644 index 000000000..eb32a5263 --- /dev/null +++ b/BRANCHES.md @@ -0,0 +1,42 @@ +# Maintained branches + +At any point in time, we have a number of maintained branches consisting of: + +- the development branch: this is where new features lands, as well as bug + fixes and security fixes +- one or more LTS branches: these only get bug fixes and security fixes. + +We use [Semantic Versioning](https://semver.org/). In particular, we maintain +API compatibility in the development branch between major version changes. We +also maintain ABI compatibility within LTS branches; see the next section for +details. + +## Backwards Compatibility + +If you have code that's working and secure with Mbed TLS x.y.z, then you +should be able to re-compile it without modification with any later release +x.y'.z' with the same major version number, and your code will still build, be +secure, and work - unless it was relying on something that became insecure in +the meantime (for example, crypto that was found to be weak). In case security +comes in conflict with backwards compatibility, we will put security first, +but always attempt to provide a compatibility option. + +For the LTS branches, additionally we try very hard to also maintain ABI +compatibility (same definition as API except with re-linking instead of +re-compiling) and to avoid any increase in code size or RAM usage, or in the +minimum version of tools needed to build the code. The only exception, as +before, is in case those goals would conflict with fixing a security issue, we +will put security first but provide a compatibility option. (So far we never +had to break ABI compatibility in an LTS branch, but we occasionally had to +increase code size for a security fix.) + +## Currently maintained branches + +The following branches are currently maintained: + +- development (2.x.y releases) +- Mbed TLS 2.16, maintained until at least the end of 2021, see + +- Mbed TLS 2.7 - end of life in March 2021! + +Users are urged to always use the latest version of a maintained branch. From a21abf249cdfd12ef71fb72e69ff06372e81bbe3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 25 Feb 2021 11:41:38 +0100 Subject: [PATCH 2/9] Add SECURITY.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There was no mention of our security email address, nor of our security process, in the repo, which made them hard to discover for contributors. Also, this filename is recognized by github: https://docs.github.com/en/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository Signed-off-by: Manuel Pégourié-Gonnard --- SECURITY.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..baf4468db --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,18 @@ +## Reporting Vulneratibilities + +If you think you have found an Mbed TLS security vulnerability, then please +send an email to the security team at +. + +## Security Incident Handling Process + +Our security process is detailled in our [security +center](https://developer.trustedfirmware.org/w/mbed-tls/security-center/). + +Its primary goal is to ensure fixes are ready to be deployed when the issue +goes public. + +## Maintained branches + +Only the maintained branches, as listed in BRANCHES.md, get security fixes. +Users are urged to always use the latest version of a maintained branch. From 1b2e06124eefe99beb9904e86e60a347749f6ea9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 25 Feb 2021 11:59:03 +0100 Subject: [PATCH 3/9] Add SUPPORT.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This name is also recognized by github: https://docs.github.com/en/github/building-a-strong-community/adding-support-resources-to-your-project Signed-off-by: Manuel Pégourié-Gonnard --- SUPPORT.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 SUPPORT.md diff --git a/SUPPORT.md b/SUPPORT.md new file mode 100644 index 000000000..44e1dc698 --- /dev/null +++ b/SUPPORT.md @@ -0,0 +1,14 @@ +## Documentation + +Here are some useful sources of information about using Mbed TLS: + +- API documentation (see `make apidoc` or directly the header files); +- the `docs` directory in the source tree; +- the [Mbed TLS knowledge Base](https://tls.mbed.org/kb); +- the [Mbed TLS mailing-list + archives](https://lists.trustedfirmware.org/pipermail/mbed-tls/). + +## Asking Questions + +If you can't find your answer in the above sources, please use the [Mbed TLS +mailing list](https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls). From b6aa958f87a59749cfbe9bd72e9fe548c7c85a52 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 25 Feb 2021 11:59:49 +0100 Subject: [PATCH 4/9] Update the issue template MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - reference recently-created document - try to improve general readability Signed-off-by: Manuel Pégourié-Gonnard --- .github/issue_template.md | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/.github/issue_template.md b/.github/issue_template.md index 18b87fca8..71c41ee91 100644 --- a/.github/issue_template.md +++ b/.github/issue_template.md @@ -1,7 +1,16 @@ -Note: This is just a template, so feel free to use/remove the unnecessary things +_Note:_ this is a template, please remove the parts that are not +applicable (these initial notes, and the "Bug" section for a Feature request +and vice-versa). +**Note:** to report a security vulnerability, see `SECURITY.md`. Please do not +use github issues for vulnerabilities. + +_Note:_ To get support, see `SUPPORT.md`. Please do o't use github issues for +questions. + +--------------------------------------------------------------- ### Description -- Type: Bug | Enhancement\Feature Request +- Type: Bug | Enhancement / Feature Request - Priority: Blocker | Major | Minor --------------------------------------------------------------- @@ -28,14 +37,9 @@ Version: **Steps to reproduce** ---------------------------------------------------------------- -## Enhancement\Feature Request - -**Justification - why does the library need this feature?** +## Enhancement / Feature Request **Suggested enhancement** ------------------------------------------------------------------ +**Justification - why does the library need this feature?** -## Question - -**Please first check for answers in the [Mbed TLS knowledge Base](https://tls.mbed.org/kb). If you can't find the answer you're looking for then please use the [Mbed TLS mailing list](https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls)** From 80c02af03cd3bc8e8ea1a87c9f93e50f7e37162b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 25 Feb 2021 12:34:58 +0100 Subject: [PATCH 5/9] Add cross-doc links, avoid redundancies MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- .github/issue_template.md | 9 +++++---- BRANCHES.md | 12 ++++++++---- CONTRIBUTING.md | 10 +++++++--- README.md | 2 ++ SUPPORT.md | 3 ++- 5 files changed, 24 insertions(+), 12 deletions(-) diff --git a/.github/issue_template.md b/.github/issue_template.md index 71c41ee91..370066f48 100644 --- a/.github/issue_template.md +++ b/.github/issue_template.md @@ -2,11 +2,12 @@ _Note:_ this is a template, please remove the parts that are not applicable (these initial notes, and the "Bug" section for a Feature request and vice-versa). -**Note:** to report a security vulnerability, see `SECURITY.md`. Please do not -use github issues for vulnerabilities. +**Note:** to report a security vulnerability, see +[SECURITY.md](../SECURITY.md). Please do not use github issues for +vulnerabilities. -_Note:_ To get support, see `SUPPORT.md`. Please do o't use github issues for -questions. +_Note:_ to get support, see [SUPPORT.md](../SUPPORT.md). Please do not use +github issues for questions. --------------------------------------------------------------- ### Description diff --git a/BRANCHES.md b/BRANCHES.md index eb32a5263..bd47632d9 100644 --- a/BRANCHES.md +++ b/BRANCHES.md @@ -30,13 +30,17 @@ will put security first but provide a compatibility option. (So far we never had to break ABI compatibility in an LTS branch, but we occasionally had to increase code size for a security fix.) -## Currently maintained branches +For contributors, see the [Backwards Compatibility section of +CONTRIBUTING](CONTRIBUTING.md#cackwords-compatibility). + +## Current Branches The following branches are currently maintained: -- development (2.x.y releases) -- Mbed TLS 2.16, maintained until at least the end of 2021, see +- [development](https://github.com/ARMmbed/mbedtls/) +- [mbedtls-2.16](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.16) + maintained until at least the end of 2021, see -- Mbed TLS 2.7 - end of life in March 2021! +- [mbedtls-2.7](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.7) - end of life in March 2021! Users are urged to always use the latest version of a maintained branch. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 9b02ba56c..b3a9547a5 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -22,9 +22,10 @@ Making a Contribution 1. All new files should include the [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) standard license header where possible. 1. Ensure that each commit has at least one `Signed-off-by:` line from the committer. If anyone else contributes to the commit, they should also add their own `Signed-off-by:` line. By adding this line, contributor(s) certify that the contribution is made under the terms of the [Developer Certificate of Origin](dco.txt). The contribution licensing is described in the [License section of the README](README.md#License). -API/ABI Compatibility ---------------------- -The project aims to minimise the impact on users upgrading to newer versions of the library and it should not be necessary for a user to make any changes to their own code to work with a newer version of the library. Unless the user has made an active decision to use newer features, a newer generation of the library or a change has been necessary due to a security issue or other significant software defect, no modifications to their own code should be necessary. To achieve this, API compatibility is maintained between different versions of Mbed TLS on the main development branch and in LTS (Long Term Support) branches. +Backwards Compatibility +----------------------- + +The project aims to minimise the impact on users upgrading to newer versions of the library and it should not be necessary for a user to make any changes to their own code to work with a newer version of the library. Unless the user has made an active decision to use newer features, a newer generation of the library or a change has been necessary due to a security issue or other significant software defect, no modifications to their own code should be necessary. To achieve this, API compatibility is maintained between different versions of Mbed TLS on the main development branch and in LTS (Long Term Support) branches, as described in [BRANCHES.md](BRANCHES.md). To minimise such disruption to users, where a change to the interface is required, all changes to the ABI or API, even on the main development branch where new features are added, need to be justifiable by either being a significant enhancement, new feature or bug fix which is best resolved by an interface change. @@ -48,6 +49,9 @@ When backporting to these branches please observe the following rules: It would be highly appreciated if contributions are backported to LTS branches in addition to the [development branch](https://github.com/ARMmbed/mbedtls/tree/development) by contributors. +The list of maintained branches can be found in the [Current Branches section +of BRANCHES.md](BRANCHES.md#current-branches). + Currently maintained LTS branches are: 1. [mbedtls-2.7](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.7) 1. [mbedtls-2.16](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.16) diff --git a/README.md b/README.md index ac2a6ab44..759ffb57a 100644 --- a/README.md +++ b/README.md @@ -25,6 +25,8 @@ To generate a local copy of the library documentation in HTML format, tailored t 1. Run `make apidoc`. 1. Browse `apidoc/index.html` or `apidoc/modules.html`. +For other sources of documentation, see the [SUPPORT](SUPPORT.md) document. + Compiling --------- diff --git a/SUPPORT.md b/SUPPORT.md index 44e1dc698..1bc0695a4 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -2,7 +2,8 @@ Here are some useful sources of information about using Mbed TLS: -- API documentation (see `make apidoc` or directly the header files); +- API documentation, see the [Documentation section of the + README](README.md#License); - the `docs` directory in the source tree; - the [Mbed TLS knowledge Base](https://tls.mbed.org/kb); - the [Mbed TLS mailing-list From a23df13e52aa13afae947fad6cc2be1470d1f41c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 16 Mar 2021 12:04:44 +0100 Subject: [PATCH 6/9] Minor presentation improvements Minor wording improvement and cosmetic formatting improvements. Signed-off-by: Gilles Peskine --- BRANCHES.md | 30 ++++++++++++++++++------------ SECURITY.md | 6 ++++-- 2 files changed, 22 insertions(+), 14 deletions(-) diff --git a/BRANCHES.md b/BRANCHES.md index bd47632d9..ebb95b742 100644 --- a/BRANCHES.md +++ b/BRANCHES.md @@ -2,9 +2,11 @@ At any point in time, we have a number of maintained branches consisting of: -- the development branch: this is where new features lands, as well as bug - fixes and security fixes -- one or more LTS branches: these only get bug fixes and security fixes. +- The [`development`](https://github.com/ARMmbed/mbedtls/tree/development) branch: + this is where new features land, + as well as bug fixes and security fixes. +- One or more long-time support (LTS) branches: + these only get bug fixes and security fixes. We use [Semantic Versioning](https://semver.org/). In particular, we maintain API compatibility in the development branch between major version changes. We @@ -13,13 +15,17 @@ details. ## Backwards Compatibility -If you have code that's working and secure with Mbed TLS x.y.z, then you -should be able to re-compile it without modification with any later release -x.y'.z' with the same major version number, and your code will still build, be -secure, and work - unless it was relying on something that became insecure in -the meantime (for example, crypto that was found to be weak). In case security -comes in conflict with backwards compatibility, we will put security first, -but always attempt to provide a compatibility option. +We maintain API compatibility in released versions of Mbed TLS. If you have +code that's working and secure with Mbed TLS x.y.z and does not rely on +undocumented features, then you should be able to re-compile it without +modification with any later release x.y'.z' with the same major version +number, and your code will still build, be secure, and work. + +There are rare exceptions: code that was relying on something that became +insecure in the meantime (for example, crypto that was found to be weak) may +need to be changed. In case security comes in conflict with backwards +compatibility, we will put security first, but always attempt to provide a +compatibility option. For the LTS branches, additionally we try very hard to also maintain ABI compatibility (same definition as API except with re-linking instead of @@ -37,8 +43,8 @@ CONTRIBUTING](CONTRIBUTING.md#cackwords-compatibility). The following branches are currently maintained: -- [development](https://github.com/ARMmbed/mbedtls/) -- [mbedtls-2.16](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.16) +- [`development`](https://github.com/ARMmbed/mbedtls/) +- [`mbedtls-2.16`](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.16) maintained until at least the end of 2021, see - [mbedtls-2.7](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.7) - end of life in March 2021! diff --git a/SECURITY.md b/SECURITY.md index baf4468db..bd18f6c5d 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -6,7 +6,8 @@ send an email to the security team at ## Security Incident Handling Process -Our security process is detailled in our [security +Our security process is detailled in our +[security center](https://developer.trustedfirmware.org/w/mbed-tls/security-center/). Its primary goal is to ensure fixes are ready to be deployed when the issue @@ -14,5 +15,6 @@ goes public. ## Maintained branches -Only the maintained branches, as listed in BRANCHES.md, get security fixes. +Only the maintained branches, as listed in [`BRANCHES.md`](BRANCHES.md), +get security fixes. Users are urged to always use the latest version of a maintained branch. From 991bbe7f5e1cf13c321e3a615714ad9c4df4cd09 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 16 Mar 2021 12:05:16 +0100 Subject: [PATCH 7/9] Mention the master branch as well Signed-off-by: Gilles Peskine --- BRANCHES.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/BRANCHES.md b/BRANCHES.md index ebb95b742..a7f90764e 100644 --- a/BRANCHES.md +++ b/BRANCHES.md @@ -2,6 +2,9 @@ At any point in time, we have a number of maintained branches consisting of: +- The [`master`](https://github.com/ARMmbed/mbedtls/tree/master) branch: + this always contains the latest release, including all publicly available + security fixes. - The [`development`](https://github.com/ARMmbed/mbedtls/tree/development) branch: this is where new features land, as well as bug fixes and security fixes. @@ -9,7 +12,7 @@ At any point in time, we have a number of maintained branches consisting of: these only get bug fixes and security fixes. We use [Semantic Versioning](https://semver.org/). In particular, we maintain -API compatibility in the development branch between major version changes. We +API compatibility in the `master` branch between major version changes. We also maintain ABI compatibility within LTS branches; see the next section for details. @@ -43,6 +46,7 @@ CONTRIBUTING](CONTRIBUTING.md#cackwords-compatibility). The following branches are currently maintained: +- [master](https://github.com/ARMmbed/mbedtls/tree/master) - [`development`](https://github.com/ARMmbed/mbedtls/) - [`mbedtls-2.16`](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.16) maintained until at least the end of 2021, see From 92042d9bc462461b635986891c4c6479a6968526 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 16 Mar 2021 12:05:30 +0100 Subject: [PATCH 8/9] The 2.7 branch is retired Signed-off-by: Gilles Peskine --- BRANCHES.md | 1 - 1 file changed, 1 deletion(-) diff --git a/BRANCHES.md b/BRANCHES.md index a7f90764e..d5144188e 100644 --- a/BRANCHES.md +++ b/BRANCHES.md @@ -51,6 +51,5 @@ The following branches are currently maintained: - [`mbedtls-2.16`](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.16) maintained until at least the end of 2021, see -- [mbedtls-2.7](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.7) - end of life in March 2021! Users are urged to always use the latest version of a maintained branch. From 74a7f93c94b43e5c073c5a9aa13ed33725cb721c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 16 Mar 2021 12:05:44 +0100 Subject: [PATCH 9/9] Add BUGS.md Instructions on how to report a bug. Signed-off-by: Gilles Peskine --- BUGS.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 BUGS.md diff --git a/BUGS.md b/BUGS.md new file mode 100644 index 000000000..e8705ffbc --- /dev/null +++ b/BUGS.md @@ -0,0 +1,20 @@ +## Known issues + +Known issues in Mbed TLS are [tracked on GitHub](https://github.com/ARMmbed/mbedtls/issues). + +## Reporting a bug + +If you think you've found a bug in Mbed TLS, please follow these steps: + +1. Make sure you're using the latest version of a + [maintained branch](BRANCHES.md): `master`, `development`, + or a long-time support branch. +2. Check [GitHub](https://github.com/ARMmbed/mbedtls/issues) to see if + your issue has already been reported. If not, … +3. If the issue is a security risk (for example: buffer overflow, + data leak), please report it confidentially as described in + [`SECURITY.md`](SECURITY.md). If not, … +4. Please [create an issue on on GitHub](https://github.com/ARMmbed/mbedtls/issues). + +Please do not use GitHub for support questions. If you want to know +how to do something with Mbed TLS, please see [`SUPPORT.md`](SUPPORT.md) for available documentation and support channels.