Fix mbedtls build #209

sharkwouter · 2025-04-07T18:38:28Z

The download url no longer goes anywhere useful, so I changed the PSPBUILD to use git and pull the commit that corresponds with the release we were already building. I also did some minor consistency fixes in the PSPBUILD.

isage · 2025-04-07T18:45:19Z

Why use commit when there's https://github.com/Mbed-TLS/mbedtls/archive/refs/tags/v2.16.12.tar.gz

sharkwouter · 2025-04-07T18:58:45Z

The reason I picked the commit is that tags can be changed and GitHub does not guarantee that release source archives stay the same. So the commit sha is the only safe thing to use.

isage · 2025-04-07T19:12:34Z

Github actually (so far) guarantees that source archives are immutable
https://github.blog/open-source/git/update-on-the-future-stability-of-source-code-archives-and-hashes/

See, for example, https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.16.12 - it was released 3 years ago, yet sha sum of archives listed in release notes are still valid

bucanero · 2025-04-07T20:14:25Z

probably too late, but the Fedora project site hosts the mbedtls packages, here's the link for the v2.16.12:

https://src.fedoraproject.org/repo/pkgs/mbedtls/mbedtls-2.16.12.tar.gz/sha512/8d96d8cd906cc0999134320e4e1f550631426d166eab5da6e65469ee7286093810fcc6ac4bd5500ee55972d159f8bef7f9e53245f7f0eec72f72c35265b4313b/mbedtls-2.16.12.tar.gz

btw, this file is the exact same, and keeps the sha256 sum unmodified 294871ab1864a65d0b74325e9219d5bcd6e91c34a3c59270c357bb9ae4d5c393

mbedtls/PSPBUILD

sharkwouter · 2025-04-07T21:10:34Z

Thanks for the help @bucanero :D

Fix mbedtls build

6484992

bucanero reviewed Apr 7, 2025

View reviewed changes