> Integrity of validated source code when other parts of the tarball get regular changes? The design doc, just recently published, talks about this a bit. Not all details are known yet. > Building the validated source code in a controlled environment separate from the full tarball? I do not believe this has been discussed within the FIPS sponsors. > (If there are answers in the FIPS 3.0.0 draft spec, they need repeating). Or a more careful reading. :) > So right now, FIPS-validated users are left hanging, with no date to get a 3.0.0 code drop to start porting and a looming deadline for the 1.0.x API. You get what you pay for. I can be harsh because I am not a member of the OpenSSL project. You can start by porting to 1.1.x now. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users