On 04/10/2014 05:36 PM, Kurt Roeckx wrote:
> ...
>>
>> While I'm not one of the OpenSSL committers, I've had the honor and
>> privilege of being close enough to some of the action to have an
>> appreciation for the heavy burden of responsibility they carry.
>>
>> IMHO user community contributions, and the care and effort that went
>> into them and the desire and need for them, are not being callously
>> disregarded. It's just that after all the urgently necessary activities
>> are covered there isn't a lot of discretionary time left over. OpenSSL
>> hangs by a thinner thread than most people realize.
>
> So my question is basically what we can do so that more of the
> patches get applied in a reasonable time?
>
> For instance, would it help to use "Signed-off-by" or
> "Reviewed-by" patches in some git tree? If I'm going to put time
> in this, will someone take the time to get them applied?

With the very, very important caveat that I'm not one of the people who
directly carry this burden:

There is certainly room for improvement in the process by which patches
are reviewed and merged into OpenSSL.

For the more straightforward bug fixes and minor changes it might be
useful to have a mechanism where a patch could be approved by multiple
people and then committed to OpenSSL almost automatically. Obviously
this wouldn't work for significant changes like whole new APIs and
infrastructure mods. The "multiple people" could be a sufficiently
large and diverse group of serious and committed stakeholders, both
OpenSSL team members and others. Volunteers?

Of course, a process like that wouldn't necessarily prevent future
vulnerabilities like the Debian PRNG issue or the heartbeat bug. Even
gross bugs are only truly obvious in hindsight.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc