> It seems to me that the easiest thing to do is maintain that release of OpenSSL by themselves.
> Which would be another variation of such unofficial work.

You could look at things like that. I consider it to be more like "your free FIPS ride is done, time to pay up."

> That policy page is half the problem, the other half being the decision not to make a FIPS module for the current 1.1.x series.

There are many problems with the current FOM. One notable example is that you cannot have a single executable that handles both FIPS and non-FIPS TLS connections at the same time. Another is the way the whole integrity check is done. I could go on and on, but won't.

The project spent a long time discussing and considering alternatives and decided a new start was the best way to move forwards. It was a carefully-considered decision. The fact that it "left a coverage gap" in FIPS/1.0.2 was also discussed.

It's too bad not everyone is pleased. Probably those who didn't plan well, and/or who just got "FIPS for free" and expected that to last forever, seem to be among those particularly unhappy. Speaking for myself, AND NOT THE PROJECT, too bad.