[openssl-dev] [openssl-users] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

Richard Moore richmoore44 at gmail.com
Thu Nov 19 17:07:38 UTC 2015


On 19 November 2015 at 16:56, Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu> wrote:

> Heh. I actually tested building all releases of openssl after 0.9.7 a few
> months back - several refuse to build with the default options on 64 bit.
> In addition my experience shows that compilers get stricter over time, so
> old code will generally need changes to work with newer compilers (even when
> you're only talking over a relatively short period such as 5 years). Now if
> this code were included in openssl but disabled by default then these
> problems would exist but simply be hidden until someone tried to use it.
> Given the user would then have to fix them (since no one else cares about
> their favourite dead algorithm) I don't really see what advantage having
> the code in the main tree offers.
>
>
> I did not say “no maintenance costs”. I said that I concur that the
> maintenance costs for such code would be *minimal*, which usually it is.
>
> I’m against “disabling by default”. Removing access to such code from
> libssl is OK, and the correct thing to do from the security point of view.
> Removing from libcrypto is bad, and enough people here explained why well
> enough to avoid repeating the reasons.
>

Yes, but several people (including me) disagree with you. And one of the
options that has been suggested is to keep the code but have it disabled by
default.

Rich.