Backports to 1.1.1 and what is allowed

Matt Caswell matt at openssl.org
Tue Jun 16 13:03:58 UTC 2020


PR 11188 proposes to backport a series of s390x patches to the 1.1.1
branch. IIUC it includes performance improvements as well as support for
new hardware instructions.

I think we need to have a much clearer and more explicit policy about
exactly what is allowed to be backported to a stable branch. For example
PR #11968 was a significant recent PR that backported AES CTR-DRBG
performance improvements to the 1.1.1 branch and was allowed (should it
have been?).

We have always said that the stable releases should only receive bug and
security fixes. Performance improvements have been a bit of a grey area,
e.g. a few lines of code that significantly improves the performance of
a particular algorithm or codepath could reasonably be justified as
"fixing a performance bug". OTOH bringing in whole new files of
assembler seems to go way beyond that definition.

However, when I tried to find a reference to the policy which says
exactly what we are allowed to backport I could find one. Do we have
such a thing?

In any case I think we should develop a much more explicit policy that
will enable us to decide whether PRs such as 11188 are reasonable or
not. See for example Ubuntu's Stable Release Updates policy:

https://wiki.ubuntu.com/StableReleaseUpdates


Matt


More information about the openssl-project mailing list