[OTC VOTE PROPOSAL] Don't merge PR#14759 (blinding=yes and similar properties)

Tomas Mraz tomas at openssl.org
Fri Apr 9 14:32:18 UTC 2021 

I do not think we should retriage this. There needs to be just a policy
vote. Depending on the policy vote outcome the PR will have to be
either:
- merged if the policy vote does not pass or passes and the PR does
  not conflict with it
- dropped if the policy vote passes and says that we do not want any
information on blinding in form of a property
- adjusted and merged if the policy vote passes and says that we want
some information on blinding in form of a property but it needs to be
done differently (such as having no-blinding property or whatever)

The policy vote should happen before beta1. The eventual rework should
not take much time so I do not worry about that.

Implicitly, if the vote passes and says we do not want blinding
property in any form, the original issue as triaged by OTC will be
closed. There is no need for extra decision making process on that.

Tomas

On Fri, 2021-04-09 at 14:27 +0300, Nicola Tuveri wrote:
> But I am not opposed to separate the 2 votes if that is perceived as
> better and we are ready to deal with the possible delays introduced
> in the development.
> 
> I am not entirely sure if this PR can be retriaged by OTC as not-
> blocking for the beta release, but that could also be an option to
> buy more time while we define a policy and then vote to accept or
> reject based on that.
> 
> Nicola
> 
> On Fri, Apr 9, 2021, 14:24 Nicola Tuveri <nic.tuv at gmail.com> wrote:
> > I agree with what Tomàš said, and that is the reason why I
> > convoluted them in a single vote: we need to merge or reject the PR
> > based on a policy, but if we do 2 separate votes we risk to create
> > delays in the already quite loaded development cycles left!
> > 
> > Nicola
> > 
> > On Fri, Apr 9, 2021, 10:53 Tomas Mraz <tomas at openssl.org> wrote:
> > > On Fri, 2021-04-09 at 08:44 +0100, Matt Caswell wrote:
> > > > 
> > > > On 08/04/2021 18:02, Nicola Tuveri wrote:
> > > > > Proposed vote text
> > > > > ==================
> > > > > 
> > > > >      Do not merge PR#14759, prevent declaring properties
> > > similar to
> > > > >      `blinding=yes` or `consttime=yes` in our implementations
> > > and
> > > > >      discourage 3rd parties from adopting similar designs.
> > > > 
> > > > I think this vote tries to cover too much ground in a single
> > > vote. I 
> > > > would prefer to see a simple vote of "Do not merge PR#14759"
> > > > *possibly* 
> > > > followed up by separate votes on what our own policies should
> > > be for 
> > > > provider implementations, and what we should or should not
> > > encourage
> > > > 3rd 
> > > > parties to do.
> > > 
> > > I disagree partially. IMO we should primarily have a policy vote
> > > and
> > > the closing or merging of PR#14759 should come out of it
> > > naturally.
> > > 
-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]

More information about the openssl-project mailing list