[openssl-dev] [openssl-users] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Thu Nov 19 16:56:51 UTC 2015


> Heh. I actually tested building all releases of openssl after 0.9.7 a few
> months back - several refuse to build with the default options on 64 bit. In
> addition my experience shows that compilers get stricter over time, so old
> code will generally need changes to work with newer compilers (even when you're
> only talking over a relatively short period such as 5 years). Now if this code
> were included in openssl but disabled by default then these problems would
> exist but simply be hidden until someone tried to use it. Given the user would
> then have to fix them (since no one else cares about their favourite dead
> algorithm) I don't really see what advantage having the code in the main tree
> offers.

I did not say “no maintenance costs”. I said that I concur that the
maintenance costs for such code would be minimal, which usually it is.

I’m against “disabling by default”. Removing access to such code from libssl
is OK, and the correct thing to do from the security point of view. Removing
from libcrypto is bad, and enough people here explained why well enough to
avoid repeating the reasons.

