[openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback
Jonathan Larmour
jifl at eCosCentric.com
Fri Nov 13 18:03:33 UTC 2015
Hi,
On 13/11/15 17:08, Stefan.Neis at t-online.de wrote:
>> We are considering removing from OpenSSL 1.1 known broken
>> or outdated cryptographic primitives.
> [...]
>> My preference would be to remove these algorithms completely
>> (as in, delete the code).
>
> From the formal[istic] point of view, I'd suggest to follow the way
> many libraries use for API changes, i.e. to only remove the
> algorithms that currently are already disabled by default and only
> disable the rest (clearly stating the intention of removing them in
> the next release), but still keep if for now. So users get a fair
> warning and a timeframe for "fixes", before things are finally
> removed.
I strongly agree with this. Not every OpenSSL user reads the openssl-dev
mailing list (nor -announce). I have been bitten by this in the past in
other FOSS projects which only solicited comments from mailing list readers.
Disabling (and deprecating) them achieves most of the desired effect
anyway as it makes it trivial to identify which bits to remove later on.
Jifl
--
eCosCentric Limited http://www.eCosCentric.com/ The eCos experts
Barnwell House, Barnwell Drive, Cambridge, UK. Tel: +44 1223 245571
Registered in England and Wales: Reg No 4422071.
------["Si fractum non sit, noli id reficere"]------ Opinions==mine
More information about the openssl-dev
mailing list