Community Packages

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#66581 - [freerdp] remove mbedtls from depends

Attached to Project: Community Packages
Opened by tinywrkb (tinywrkb) - Thursday, 07 May 2020, 18:44 GMT
Last edited by David Runge (dvzrv) - Friday, 08 May 2020, 11:58 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Sergej Pupykin (sergej)
David Runge (dvzrv)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


freerdp already depends on openssl as a crypto lib.
mbedtls is a community package which often is out-of-date for long periods like today, 23 days and counting with an existing CVE-2020-10932.
openssl on the other hand is a core package so it's much more maintained and frequently updated.

According to freerdp's dev:
* There's no added benefit of building against mbedtls when openssl already enabled.
* mbedtls is less supported than openssl, specifically the server related parts.
* The generated executable has no command flag for selecting which crypto backend to use at runtime, so from a user perspective, it makes no sense of building against both and pulling them both as runtime depends.

Please remove mbedtls from depends.
This task depends upon

Closed by  David Runge (dvzrv)
Friday, 08 May 2020, 11:58 GMT
Reason for closing:  Fixed
Additional comments about closing:  Fixed with freerdp 2:2.1.0-1