I am not totally sure how many people would be working on this project, but is seems to me like it would make sense to split up into 3 groups.
One would do what Viktor suggested, and hunt down patches added in major OS platforms. Another would do what Matt suggested, and simply go from the newest submissions to the oldest ones. To resolve the issue Quanah was talking about with old issues remaining unpatched, the final group would do the exact same thing as the group that goes from newest to oldest, except they would go from oldest to newest. As far as I can tell this would resolve many of the issues that we are facing, as the group that looks at major OS stuff would hopefully find many of the "big" issues while the other two groups would prevent anything from falling through cracks. Just my 2 cents. On Thu, Apr 24, 2014 at 8:14 PM, Viktor Dukhovni <openssl-us...@dukhovni.org > wrote: > On Thu, Apr 24, 2014 at 04:56:09PM -0700, Quanah Gibson-Mount wrote: > > > > > The problem with this approach are significant requests that have > languished > > for years. One such example would be > > <http://rt.openssl.org/Ticket/Display.html?id=1365>, which is 8 years > old > > now. The best place to get the fix these days is probably directly from > > Debian (<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589520>). > > Perhaps patches that are added in major O/S platforms and are not > fundamentally specific to the platform in question should get a > higher priority. > > * They are in most cases proposed by relatively experienced users, > (the Debian PRNG fiasco aside :-). > > * They have been widely tested by users of said platforms. > > So the easiest approach may be for Debian, RedHat, ... to look > through the various patches they apply and decide which are generally > applicable, and, perhaps not today, but once new processes are more > clearly established, open new tickets clearly re-stating the status > and motivation of the patch, the origin platform and patch maturity. > > Then I would recommend that the OpenSSL team and volunteers look > at these before most other requests. > > -- > Viktor. > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > Development Mailing List openssl-dev@openssl.org > Automated List Manager majord...@openssl.org >
