No two reviewers from same company

Tim Hudson tjh at
Thu May 23 22:27:36 UTC 2019

We have discussed this at numerous OMC meetings in terms of how to managed
potential *perceived *conflicts of interest that might arise if people
outside of the fellows come from the same company and hence can effectively
turn the OMC review control mechanism into a single control rather than a
dual control.

We discussed tooling changes to make checking this possible given that in
each instance we have had the individuals involved make a commitment to
avoid that situation (through their own actions).
Occasionally that didn't happen and the person "corrected" it when pointed

We haven't formally voted to make such a change - however it is something
that I think we should have in place and I do support.
Making a formal policy change of course will go through our usual decision
making process.

What I was expecting tooling-wise is that the scripts would detect this
situation and advise - at the very least warn - and potentially blocking

The OpenSSL fellows are in a completely different context - the company
they work for is directed by the OMC - so there isn't a separate external
third party source of influence so there is no reasonable mechanism to
*perceive* a potential conflict of interest.

Note - this is all about *perceptions* of a *potential* situation - not
about something we are actually concerned about for the individuals
However it is prudent to address even the perception of a path for
potential conflicts of interest in my view.


On Fri, May 24, 2019 at 8:16 AM Paul Dale <paul.dale at> wrote:

> There hasn't been a vote about this, however both Shane and I have
> committed to not approve each other's PRs.
> I also asked Richard if this could be mechanically enforced, which I
> expect will happen eventually.
> Pauli
> --
> Oracle
> Dr Paul Dale | Cryptographer | Network Security & Encryption
> Phone +61 7 3031 7217
> Oracle Australia
> -----Original Message-----
> From: Salz, Rich [mailto:rsalz at]
> Sent: Friday, 24 May 2019 1:01 AM
> To: openssl-project at
> Subject: Re: No two reviewers from same company
>     > I understand that OpenSSL is changing things so that, by mechanism
> (and maybe by
>     > policy although it’s not published yet), two members of the same
> company cannot
>     > approve the same PR.  That’s great.  (I never approved Akamai
> requests unless it
>     > was trivial back when I was on the OMC.)
>     No such decision has been made as far as I know although it has been
> discussed
>     at various times.
> In private email, and
> the
> implication is that this was a policy.
>     > Should this policy be extended to OpenSSL’s fellows?
>     IMO, no.
> Why not?  I understand build process is always handled by Matt and Richard
> (despite many attempts in the past to expand this), but I think if Oracle
> or Akamai can't "force a change" then it seems to me that the OMC shouldn't
> either.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-project mailing list