[openssl-project] Current 1.1.1 status compared to Release criteria

[Matt Caswell]

I've done a review of the 1.1.1 release criteria against the current
status. See below.

TL;DR summary: Status is generally good. There are some outstanding
issues and PRs that need input from various people. Specifically there
are actions for: @levitte, @paulidale, @dot-asm, @mspncp, @t-j-h


Criteria: All open github issues/PRs older than 2 weeks at the time of
release to be assessed for relevance to 1.1.1. Any flagged with the
1.1.1 milestone to be closed

Status:

There are currently 7 open issues flagged against 1.1.1. Of these 1 has
had a fix merged and we're awaiting confirmation that the fix has
worked. 2 have fixes available in currently open PRs. The remaining 4 are:

6490: Reuse of PSKs between TLS 1.2 and TLS 1.3 is questionable

This is the subject of current IETF TLS WG debate. One option is to
simply disable TLS1.3 if 1.2 PSKs are in use.

5944: Policy issue: TLSv1.3 makes upgrade without program modification
impossible

I think this can be closed, but I'd like @levitte to confirm

3901: pthread_atfork for android API < 21

It's unclear to me what needs to be done here.

3254: flaws in OpenSSL-1.1.1-dev builds on Windows

I'm not sure what the next step is. @levitte probably needs to take
another look.


There are 8 currently open PRs flagged against 1.1.1. 3 of these are new
(within the last couple of days). The remaining 5 older ones are:

6694: Update sm2_crypt.c

We're waiting on a CLA or confirmation of triviality. Also @paulidale
had a comment, which has been responded to. Not sure if it was a
satisfactory answer (@paulidale should probably check).

6623: Fix potential NULL pointer dereference in EVP "int_ctx_new"

It's unclear what needs to happen next.

6596: crypto/o_fopen.c: alias fopen to fopen64

@t-j-h made a comment...awaiting a response from @dot-asm

6075: Increase number of MR tests for RSA prime generation

Waiting on review comments from @mspncp

5035: Recreate OS390-Unix

Awaiting input from @t-j-h. It's not clear to me if this issue justifies
the 1.1.1 label? I think OS390 is an issue even in 1.1.0?


Criteria: Clean builds in Travis and Appveyor for two days

Status: Both Travis and Appveyor are currently clean.



Criteria: run-checker.sh to be showing as clean 2 days before release

Status: run-checker is currently clean.


Criteria: No open Coverity issues (not flagged as "False Positive" or
"Ignore")

Status: There is one currently open Coverity issue not flagged as "false
positive" or "ignore". This issue has been fixed, and should be cleared
the next time coverity is updated.


Criteria: TLSv1.3 RFC published (with at least one beta release after
the publication)

Status: The RFC number will be 8446. The RFC Editor has done the first
pass editing, and those edits are being reviewed by ekr. See
https://github.com/tlswg/tls13-rfc. From our perspective we are ready to
apply the final RFC updates as soon as it is published (see PR 6741), so
we should be able to do the final beta release shortly afterwards.


Matt