# Maintained branches

At any point in time, we have a number of maintained branches, currently consisting of:

- The [`main`](https://github.com/Mbed-TLS/mbedtls/tree/main) branch:
  this always contains the latest release, including all publicly available
  security fixes.
- The [`development`](https://github.com/Mbed-TLS/mbedtls/tree/development) branch:
  this is where the next minor version of Mbed TLS 4 is prepared. It contains
  new features, bug fixes, and security fixes.
- One or more long-time support (LTS) branches: these only get bug fixes and
  security fixes. Currently, the supported LTS branches are:
  - [`mbedtls-3.6`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-3.6).

We retain a number of historical branches, whose names are prefixed by `archive/`,
such as [`archive/mbedtls-2.7`](https://github.com/Mbed-TLS/mbedtls/tree/archive/mbedtls-2.7).
These branches will not receive any changes or updates.

We use [Semantic Versioning](https://semver.org/). In particular, we maintain
API compatibility in the `main` branch across minor version changes (e.g.
the API of 4.(x+1) is backward compatible with 4.x). We only break API
compatibility on major version changes (e.g. from 3.x to 4.0). We also maintain
ABI compatibility within LTS branches; see the next section for details.

We will make regular LTS releases on an 18-month cycle, each of which will have
a 3 year support lifetime. On this basis, 3.6 LTS (released March 2024) will be
supported until March 2027. The next LTS release will be a 4.x release. Due to
the size and scope of the 4.0 release, the release date of the first 4.x LTS is
yet to be determined.

## Backwards Compatibility for application code

We maintain API compatibility in released versions of Mbed TLS. If you have
code that's working and secure with Mbed TLS x.y.z and does not rely on
undocumented features, then you should be able to re-compile it without
modification with any later release x.y'.z' with the same major version
number, and your code will still build, be secure, and work.

Note that this guarantee only applies if you either use the default
compile-time configuration (`mbedtls/mbedtls_config.h`) or the same modified
compile-time configuration. Changing compile-time configuration options can
result in an incompatible API or ABI, although features will generally not
affect unrelated features (for example, enabling or disabling a
cryptographic algorithm does not break code that does not use that
algorithm).

Note that new releases of Mbed TLS may extend the API. Here are some
examples of changes that are common in minor releases of Mbed TLS, and are
not considered API compatibility breaks:

* Adding or reordering fields in a structure or union.
* Removing a field from a structure, unless the field is documented as public.
* Adding items to an enum.
* Returning an error code that was not previously documented for a function
  when a new error condition arises.
* Changing which error code is returned in a case where multiple error
  conditions apply.
* Changing the behavior of a function from failing to succeeding, when the
  change is a reasonable extension of the current behavior, i.e. the
  addition of a new feature.

There are rare exceptions where we break API compatibility: code that was
relying on something that became insecure in the meantime (for example,
crypto that was found to be weak) may need to be changed. In case security
comes in conflict with backwards compatibility, we will put security first,
but always attempt to provide a compatibility option.

## Long-time support branches

For the LTS branches, additionally we try very hard to also maintain ABI
compatibility (same definition as API except with re-linking instead of
re-compiling) and to avoid any increase in code size or RAM usage, or in the
minimum version of tools needed to build the code. The only exception, as
before, is in case those goals would conflict with fixing a security issue, we
will put security first but provide a compatibility option. (So far we never
had to break ABI compatibility in an LTS branch, but we occasionally had to
increase code size for a security fix.)

For contributors, see the [Backwards Compatibility section of
CONTRIBUTING](CONTRIBUTING.md#backwards-compatibility).

## Current Branches

The following branches are currently maintained:

- [main](https://github.com/Mbed-TLS/mbedtls/tree/main)
- [`development`](https://github.com/Mbed-TLS/mbedtls/)
- [`mbedtls-3.6`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-3.6)
  maintained until March 2027, see
  <https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.6.4>.

Users are urged to always use the latest version of a maintained branch.