On 29/12/2014 01:37, Matt Caswell wrote:
> On 28/12/14 00:31, Jakob Bohm wrote:
>> On 24-12-2014 00:49, Matt Caswell wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> You will have noticed that the OpenSSL 1.0.0 End Of Life Announcement
>>> contained a link to the recently published OpenSSL Release Strategy that
>>> is available here:
>>> https://www.openssl.org/about/releasestrat.html
>>>
>>> I have put up a blog post on the thinking behind this strategy on the
>>> newly created OpenSSL Blog that you may (or may not!) find interesting.
>>> It can be found here:
>>> https://www.openssl.org/blog/blog/2014/12/23/the-new-release-strategy/
>> I am afraid that this is a somewhat rushed decision, with insufficient
>> consideration for the impact on others:
> Not at all. This decision has been under consideration for some
> considerable period of time with much discussion of the impacts.

Discussing this only amongst yourselves has probably blinded you to the
needs of outsiders, leading to a bad decision.

But since your minds are mostly made up, let me rephrase the key
community needs as I see them:

1. The ability, at any given day, to know which of the currently
available OpenSSL releases is going to receive back-portable security
patches with binary compatibility for at least 3 to 5 years into the
future from that day. A given community member (such as a Linux distro
or a closed source product) will use this on one of the days near the
end of their development cycle, after which they will intend to provide
only small drop-in patches (shared libraries, small programs, binary
diffs) for the lifetime of their "product".

2. The ability to use libcrypt as the basis for non-SSL code, such as
OpenSSH or the SRP reference implementation (you should coordinate
changes in low level APIs with at least those two teams). Also there is
the need to use subsets of libcrypt without the rest, e.g. in
bootloaders or kernels (I don't know if any of the kernel crypto in
Linux or BSD uses OpenSSL code). And then there is all the fun security
researchers are having with the code.

Enjoy

Jakob

-- 
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded