On 24/11/2015 4:09 AM, Jakob Bohm wrote: > But they care very much if Cisco AnyConnect (or any other > OpenSSL using program they may need) stops working or > becomes insecure because the OpenSSL team is breaking > stuff just because it is not needed in their own handful > of example uses. The OpenSSL team (like most open source projects) is made up of individuals that have widely varying backgrounds and experiences - and those experiences lead to different view points on a lot of fairly fundamental topics. This is a good thing - as frankly a project that doesn't have a mix of view points tends to not last. Between the OpenSSL team members our experiences cover a very wide range of uses and many of us have been working on the code base for 17+ years and have worked in areas that are certainly well outside the average or common uses. However despite that experience we certainly don't think that we know what all the users of the code base are doing. Increasingly we are making sure any debate on project direction where there are mixed view points within the team brings in the openssl-users and/or openssl-dev lists so we get to have input from a wider set of people - who may or may not represent uses that we don't already know about. All the view points being expressed are valid and there are good reasons why we could as a team head in either direction (dropping out code or keeping everything or anything along that spectrum) and what is important is to listen to the input and see the varying points of view and add that into the decision making process. So if you have a use of OpenSSL that you think the team might not know about then please express that clearly on the list. View points on what has been proposed are also welcome - but I think you'll find increasing the awareness of the team about what our users are doing is the more important of the two objectives in seeking feedback. Tim.
