Hi all
Before we get further into the debate, perhaps someone on the OpenSSL
team, Mark Cox, Ralf Engelschall or Paul Sutton could clarify the
following:
1. Who will take decisions on release objectives, code inclusion,
feature sets, architecture, release timing and so forth? In the case of
Linux we have Linus, in the case of Apache we have a broad group with no
immediate commercial incentives. All three of you are effectively
responsible for Stronghold, which is C2Net's primary product, so there
could potentially be a conflict of interest.
2. Will all code, discussions, technical debates and patches be
public, or only actual releases?
3. If other well-established individuals joined the team would they
get equal say and access? For example, Ben Laurie and Stephen Henson
have both done a lot of work with SSLeay.
4. What effort is being made to ensure that "OpenSSL" does not turn
into "C2Net SSL"?
Also, I think it is very important to get some input from Tim Hudson and
Eric Young. They created SSLeay, they worked for C2Net recently, and
they have now left C2Net and started working for RSA Data Security.
Perhaps they should clarify:
- whether or not their RSA contracts explicitly affect SSLeay
development
- whether they intend to continue SSLeay development
- what they think would be the optimal structure for an "Open SSL
Effort"
Personally, I think we need a strong established person to act as the
"Linus", deciding what goes in and what does not. We also need people
like Mark Cox and Ralf, who use the SSL toolkit heavily, submitting
regular patches and ideas. The coordinator needs to be independent and
fair, and well-known. I think Ben qualifies perfectly. Mark, Paul and
Ralf are certainly capable of doing it, but I would be concerned that
the project would struggle to keep its credibility as an "open" effort
given their close links to C2Net and Stronghold, and given the tone of
the recent announcement.
--
Mark Shuttleworth
Thawte
S/MIME Cryptographic Signature
