[openssl-project] Policy update

Kurt Roeckx kurt at roeckx.be
Sat Dec 23 09:30:57 UTC 2017


On Fri, Dec 22, 2017 at 11:53:20PM -0600, Benjamin Kaduk wrote:
> On Fri, Dec 22, 2017 at 03:28:50PM +0100, Kurt Roeckx wrote:
> > 
> > I think at least the wording could be improved. For instance, it
> > says "All [new] algorithms and protocols must be disableable". I
> > assume it means cryptographic algorithms, like AES, SHA2, HMAC, ...
> > Does something like CMS and X509 fall under that? It doesn't sound
> > like an algorithm to me, and protocol also doesn't seem like the
> > correct word. The same goes for the "All algorithms and protocols
> > should be [standardised]".
> > 
> > On a related topic, I think there has been a suggestion that we
> > should work on not exposing such compile time options in the
> > public headers but that applications should do runtime detection
> > of the available features instead.
> 
> I agree with these concerns about exposing the compile-time options
> in the public headers, but I also have concerns about the number of
> compile-time options in general.  Growth of compile-time options
> brings *exponential* growth in the number of possible "supported"
> configurations, which places a huge maintenance burden on us.  Do we
> really need to take on that burden?

They currently break often, like don't compile or the test suite
doesn't skip them, because we don't test them all, but they've all
been easy to fix. Maybe we should also say that only the default
options are supported?


Kurt


