Deprecation of stuff

Tomas Mraz tmraz at redhat.com
Wed Sep 4 12:43:34 UTC 2019


On Mon, 2019-09-02 at 08:38 +0200, Richard Levitte wrote:
> The dispute in PR https://github.com/openssl/openssl/pull/7853 has
> made it quite obvious that we have some very different ideas on when
> and why we should or shouldn't deprecate stuff.
> 
> What does deprecation mean?  Essentially, it's a warning that at some
> point in the future, the deprecated functionality will be removed.  I
> believe that part of the issue surrounding this is uncertainty about
> when that removal will happen, so let me just remind you what's
> written in our release strategy document:
> 
>   * No existing public interface can be removed until its replacement
>     has been in place in an LTS stable release. The original interface
>     must also have been documented as deprecated for at least 5 years.
>     A public interface is any function, structure or macro declared in
>     a public header file.
> 
> Ref: https://www.openssl.org/policies/releasestrat.html
> 
> I'd like to get this thread started with the following four questions,
> for as many of us to answer as possible:
> 
> 1. Why should we deprecate stuff

Because keeping every legacy API/feature/option/... increases the
maintenance burden and attack surface, confuses users/developers, and in
general hinders development.

> 2. Why should we not deprecate stuff

If something does not really have an adequate replacement, it does not
really increase the maintenance burden, does not significantly increase
the attack surface, and is still used widely in applications, it should
not be deprecated.

> 3. When should we deprecate stuff

As soon as possible when there is a better replacement for the stuff. I
believe it is better to give the warning about future removal as soon
as possible rather than to plan deprecating and later removing
something anyway but delay the deprecation "to not scare someone
early".

> 4. When should we not deprecate stuff


-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]