OpenSSL changes its development strategy: patch discussion moves to GitHub issues
The OpenSSL development team announced some changes to the project's development strategy. These include closing the openssl-dev list and discussing all patches on GitHub. In addition, a new read-only mailing list for users worldwide, openssl-project, was added.
They also said they are changing the release schedule: unless there is an emergency, security updates will be released on a Tuesday, with the pre-announcement on the previous Tuesday. The team said they did not think it necessary to sacrifice their weekend time for every single CVE leak.
On technical debt, in addition to the issues on GitHub, the code is also being refactored to make it cleaner and to contain fewer errors. They recently added the PACKET and WPACKET APIs to libssl to make the code clearer and to avoid errors in hand-written handling code, such as forgetting to check the buffer length. The development team also created a new “technical-debt” tag on GitHub to tag content about technical debt.
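The buffer-length mistake mentioned above, shown as an added C example that is not OpenSSL's code: a simplified cursor that keeps the remaining length next to the read pointer, so every read is checked. The `reader` type, its functions and the `type || len || payload` wire format are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bounds-checked cursor (not OpenSSL's PACKET code): the
 * remaining length travels with the pointer, so no read can skip it. */
typedef struct { const uint8_t *cur; size_t remaining; } reader;

/* Read n-byte big-endian int (n <= 4); returns 0, cursor unmoved, if short. */
static int get_be(reader *r, size_t n, uint32_t *out)
{
    if (n > 4 || r->remaining < n) return 0;
    *out = 0;
    for (size_t i = 0; i < n; i++) *out = (*out << 8) | r->cur[i];
    r->cur += n; r->remaining -= n;
    return 1;
}

/* Read a 2-byte length, then carve exactly that many bytes into `sub`. */
static int get_prefixed_u16(reader *r, reader *sub)
{
    reader tmp = *r;                 /* commit only if everything fits */
    uint32_t n;
    if (!get_be(&tmp, 2, &n) || tmp.remaining < n) return 0;
    sub->cur = tmp.cur; sub->remaining = n;
    tmp.cur += n; tmp.remaining -= n;
    *r = tmp;
    return 1;
}

/* Constructed format type(1) || len(2) || payload; returns payload length or -1. */
int parse_message(const uint8_t *buf, size_t len)
{
    reader r = { buf, len }, body;
    uint32_t type;
    if (!get_be(&r, 1, &type) || !get_prefixed_u16(&r, &body)) return -1;
    if (r.remaining != 0) return -1; /* trailing bytes are an error too */
    return (int)body.remaining;
}

/* Constructed samples: a valid message, and one whose length field lies. */
static const uint8_t msg_ok[]    = { 0x01, 0x00, 0x02, 0xAA, 0xBB };
static const uint8_t msg_lying[] = { 0x01, 0x00, 0x10, 0xAA, 0xBB };

int main(void)
{
    printf("%d %d\n", parse_message(msg_ok, sizeof msg_ok),
           parse_message(msg_lying, sizeof msg_lying));
    return 0;
}
```

A parser written against raw pointers would have to repeat each of these length comparisons by hand at every read; here the message whose length field claims 16 bytes while carrying 2 is rejected by the cursor itself.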
Regarding the OpenSSL roadmap, the development team said they are still committed to making TLS 1.3 a major feature of the next release. Of course, this has to wait for the IETF to finish it. In addition, they will also change the open source license in the next release. The next major feature after OpenSSL 1.1.1 will be FIPS.