[openssl-dev] [openssl-announce] OpenSSL version 1.0.2 released

Fri Jan 23 10:00:28 UTC 2015

On 22/01/15 22:34, Steffen Nurpmeso wrote:
> Since noone else seems to say a word.
> I personally didn't understand at all why v1.0.2 when its
> end-of-life is in sight already.

>From my personal point of view I would like all our releases to have
defined up front lifetimes, so that it is clear how long you can expect
to receive support for.  With respect to 1.0.2 we're not actually quite
there as we've only said:
Version 1.0.2 will be supported until at least 2016-12-31.

Note the "at least". There is a good chance that it will be supported
for significantly longer than that. The reasons for that are discussed
in my recent blog post:
https://www.openssl.org/blog/blog/2014/12/23/the-new-release-strategy/

>  Now you have to continue to
> track three active branches.  But this is your problem of course.

Actually its four :-( - 0.9.8, 1.0.0, 1.0.1 and 1.0.2 (and of course we
have master as well). Again see my blog post for a discussion on the
thinking that went into it. As ever these decisions are a compromise
between many competing pressures.

> What i _really_ don't understand is why 1.0.2 is delivered with
> false documentation (not only "int SSL_CONF_finish(SSL_CONF_CTX
> *cctx);") etc., especially given that there are bug reports.
> Documentation is a vivid part of a software, especially when
> a completely new interface is introduced.  From only the
> documentation you won't be able to get that stuff going.
> Is ALPN, a prominent member of the NEWS entry (you find it on the
> website), at all documented?  Where can i find a word about it??

Well "false" documentation seems a bit harsh to me :-)...that kind of
makes it sound like we are deliberately setting out to mislead you!!

It is a valid criticism that the documentation is not up to scratch.
That applies to all versions...1.0.2 is nothing special there. It is on
our list of things to sort out (see
https://www.openssl.org/about/roadmap.html). That list has quite a few
things on it, many of which are quite significant. Actually looking at
it now reminds me that it could do with an update...quite a few of those
things can either be knocked off (because we have done them), or we have
some good progress to report. But documentation hasn't quite made it to
the top of the list yet. It will do though.

> So why that hastiness, now that OpenSSL gains enough money to pay
> the bread of not only one, but indeed multiple fulltime
> developers.

Well 1.0.2 was in beta for nearly a year, so I'm not sure I would
describe its release as hasty! Most of its development (including any
associated documentation) was done before the time that any additional
resources were made available.

Matt