[openssl-project] Policy update

Kurt Roeckx kurt at roeckx.be
Fri Jan 5 22:53:11 UTC 2018


On Fri, Dec 22, 2017 at 03:28:50PM +0100, Kurt Roeckx wrote:
> Hi,
> 
> During our face 2 face meeting last week we talked about the
> direction we want to move in, and the policy we'll use to get
> there. These are the current proposals:
> - Insecure configuration options shall not be enabled by default;
>   they must be enabled by a compile-time switch. This applies to all
>   new contributions and existing code should be addressed at the
>   next major (1.2.0) release.
> - All new algorithms must be disableable at compile-time. With the
>   exception of known not-to-work when disabled RSA SHA1 MD5 AES,
>   existing code should be addressed at the next major (1.2.0)
>   release. (PRs to fix those welcome).
> - All algorithms and protocols should be recognized by a national or
>   international standards body. This applies to all new
>   contributions and existing code should be addressed at the next
>   major (1.2.0) release.

Maybe we should also add wording that we might have other reasons
to not add something and that those are just minimum requirements.

We might also want to add that we see a clear need for (some of) our
users to have it.


Kurt


