[openssl-users] [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

[Tim Hudson]

On 24/11/2015 4:09 AM, Jakob Bohm wrote:
> But they care very much if Cisco AnyConnect (or any other
> OpenSSL using program they may need) stops working or
> becomes insecure because the OpenSSL team is breaking
> stuff just because it is not needed in their own handful
> of example uses.

The OpenSSL team (like most open source projects) is made up of
individuals that have widely varying backgrounds and experiences - and
those experiences lead to different view points on a lot of fairly
fundamental topics. This is a good thing - as frankly a project that
doesn't have a mix of view points tends to not last.

Between the OpenSSL team members our experiences cover a very wide range
of uses and many of us have been working on the code base for 17+ years
and have worked in areas that are certainly well outside the average or
common uses. However despite that experience we certainly don't think
that we know what all the users of the code base are doing.

Increasingly we are making sure any debate on project direction where
there are mixed view points within the team brings in the openssl-users
and/or openssl-dev lists so we get to have input from a wider set of
people - who may or may not represent uses that we don't already know about.

All the view points being expressed are valid and there are good reasons
why we could as a team head in either direction (dropping out code or
keeping everything or anything along that spectrum) and what is
important is to listen to the input and see the varying points of view
and add that into the decision making process.

So if you have a use of OpenSSL that you think the team might not know
about then please express that clearly on the list. View points on what
has been proposed are also welcome - but I think you'll find increasing
the awareness of the team about what our users are doing is the more
important of the two objectives in seeking feedback.

Tim.