On 16/07/2019 19:19, Kurt Roeckx wrote:
> On Mon, Jul 15, 2019 at 02:58:42PM +0200, Tomas Mraz wrote:
>> Wouldn't it be better to make the legacy provider opt-out? I.E. require
>> explicit configuration or explicit API call to not load the legacy
> I'm not even sure why they need to move to a different provider
> (at this time). Instead I think we should have a mechanism to
> enable/disable the individual algorithms, and still have
> everything in the default provider, possibly disabled by default.
>
> At some point in the future we could remove the code from OpenSSL,
> and move it to a different repository that only contains such legacy
> code that we no longer ship as part of OpenSSL.

I think the reasoning behind having the legacy provider was as a first step to
doing just that, i.e. we move the legacy stuff to a legacy provider and then at
some later point we could choose to separate out the legacy provider as a
separate thing which we don't release with mainline OpenSSL - but if people want
to add it back in then they download and build the legacy provider separately
and just drop it back in and it automatically becomes available again.