[openssl-users] OpenSSL Release Strategy and Blog

Jakob Bohm jb-openssl at wisemo.com
Wed Jan 7 09:26:33 UTC 2015


On 29/12/2014 01:37, Matt Caswell wrote:
> On 28/12/14 00:31, Jakob Bohm wrote:
>> On 24-12-2014 00:49, Matt Caswell wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> You will have noticed that the OpenSSL 1.0.0 End Of Life Announcement
>>> contained a link to the recently published OpenSSL Release Strategy that
>>> is available here:
>>> https://www.openssl.org/about/releasestrat.html
>>>
>>> I have put up a blog post on the thinking behind this strategy on the
>>> newly created OpenSSL Blog that you may (or may not!) find interesting.
>>> It can be found here:
>>> https://www.openssl.org/blog/blog/2014/12/23/the-new-release-strategy/
>> I am afraid that this is a somewhat rushed decision, with insufficient
>> consideration for the impact on others:
> Not at all. This decision has been under consideration for some
> considerable period of time with much discussion of the impacts.
Discussing this only amongst yourselves has probably blinded you
to the needs of outsiders, leading to a bad decision.

But since your minds are made mostly up, let me rephrase the key
community needs as I see them:

1. The ability, at any given day, to know which of the currently
available OpenSSL releases is going to receive back-portable
security patches with binary compatibility for at least 3 to 5
years into the future from that day.  A given community member
(such as a Linux distro or a closed source product) will use
this on one of the days near the end of their development cycle,
after which they will intend to provide only small drop-in
patches (shared libraries, small programs, binary diffs) for the
lifetime of their "product".

2. The ability to use libcrypt as the basis for non-SSL code, such
as OpenSSH or the SRP reference implementation (you should coordinate
changes in low level APIs with at least those two teams).  Also
there is the need to use subsets of libcrypt without the rest, e.g.
in bootloaders or kernels (I don't know if any of the kernel
crypto in Linux or BSD uses OpenSSL code).  And then there is all
the fun security researchers are having with the code.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded