Re: Legacy provider

2020-01-15 Thread Richard Levitte
On Wed, 15 Jan 2020 21:07:54 +0100,
Benjamin Kaduk wrote:
> 
> Hi Pauli,
> 
> On Tue, Jan 14, 2020 at 09:34:40PM +1000, Dr Paul Dale wrote:
> > The OMC vote is closed.
> > 
> > The vote text being:
> > 
> > The legacy provider should be disabled by default in 3.0
> > 
> > With the clarification that "disabled" in this context means "not loaded".
> > 
> > The vote passed (two for, one against, four abstain)
> 
> It's good to have a decision here, but I'm kind of worried about the four
> abstains -- it's easy for me to leap to a conclusion that the individuals
> in question just didn't want to spend the time to come to a considered
> position, even though this issue has substantial potential impact for our
> userbase.  I'm trying to not make faulty assumptions, so some greater
> clarity on the circumstances would be helpful, if possible.

This was a vote that I found extremely difficult.  This topic has been
disputed on and off for quite a while, both on GitHub and within the
OMC, and I could never decide between the two sides.  Both have pros
and cons that outweigh each other.

Cheers,
Richard

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/


Re: Legacy provider

2020-01-15 Thread Viktor Dukhovni
My abstain vote was a carefully considered neutral stance backed
by many paragraphs of rationale.

The gist of which is that given that the decision to load or not
the provider is in the configuration file, the party ultimately
making the decision is whoever packages the software, not the
OpenSSL project.  OS distributions and users will make their own
choices, as they build packages and deploy systems.

Our "default" choice is just a "suggestion".  So the real change
is providing a mechanism to make the choice, the specific choice
we default to is IMHO not that important, and signalling that
the legacy algorithms are best left disabled when possible is
a reasonable outcome.  But, on the other hand we also want to
largely remain compatible with 3.0, and make compile and deploy
easy.  So there is some reason to take the compatible default.

I had the advantage of voting last, knowing that my abstain would
allow the vote to pass...

> On Jan 15, 2020, at 3:07 PM, Benjamin Kaduk wrote:
> 
> It's good to have a decision here, but I'm kind of worried about the four
> abstains -- it's easy for me to leap to a conclusion that the individuals
> in question just didn't want to spend the time to come to a considered
> position, even though this issue has substantial potential impact for our
> userbase.  I'm trying to not make faulty assumptions, so some greater
> clarity on the circumstances would be helpful, if possible.

-- 
Viktor.



Re: Legacy provider

2020-01-15 Thread Benjamin Kaduk
On Thu, Jan 16, 2020 at 06:57:49AM +1000, Dr Paul Dale wrote:
> I’m not sure what more I can write.
> 
> I proposed the vote text around the time I sent the notification here: no 
> comments.
> I created the vote, early in the voting period, the clarification was sought 
> and made.
> All OMC members registered their vote and the vote closed early.
> 
> The criteria for being valid as per the bylaws was met.  As votes go,
> this one was quick taking two days of the two weeks.
> 
> Abstentions are frequent in votes for a number of reasons.
> The reasons each person uses are not revealed and not asked for.

Thank you for the quick response; I understand there's not anything more to
be said.

-Ben


Re: Legacy provider

2020-01-15 Thread Dr Paul Dale
I’m not sure what more I can write.

I proposed the vote text around the time I sent the notification here: no 
comments.
I created the vote, early in the voting period, the clarification was sought 
and made.
All OMC members registered their vote and the vote closed early.

The criteria for being valid as per the bylaws was met.  As votes go,
this one was quick taking two days of the two weeks.

Abstentions are frequent in votes for a number of reasons.
The reasons each person uses are not revealed and not asked for.


Pauli
-- 
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
Phone +61 7 3031 7217
Oracle Australia




> On 16 Jan 2020, at 6:07 am, Benjamin Kaduk wrote:
> 
> Hi Pauli,
> 
> On Tue, Jan 14, 2020 at 09:34:40PM +1000, Dr Paul Dale wrote:
>> The OMC vote is closed.
>> 
>> The vote text being:
>> 
>> The legacy provider should be disabled by default in 3.0
>> 
>> With the clarification that "disabled" in this context means "not loaded".
>> 
>> The vote passed (two for, one against, four abstain)
> 
> It's good to have a decision here, but I'm kind of worried about the four
> abstains -- it's easy for me to leap to a conclusion that the individuals
> in question just didn't want to spend the time to come to a considered
> position, even though this issue has substantial potential impact for our
> userbase.  I'm trying to not make faulty assumptions, so some greater
> clarity on the circumstances would be helpful, if possible.
> 
> Thanks,
> 
> Ben



Re: Legacy provider

2020-01-15 Thread Benjamin Kaduk
Hi Pauli,

On Tue, Jan 14, 2020 at 09:34:40PM +1000, Dr Paul Dale wrote:
> The OMC vote is closed.
> 
> The vote text being:
> 
> The legacy provider should be disabled by default in 3.0
> 
> With the clarification that "disabled" in this context means "not loaded".
> 
> The vote passed (two for, one against, four abstain)

It's good to have a decision here, but I'm kind of worried about the four
abstains -- it's easy for me to leap to a conclusion that the individuals
in question just didn't want to spend the time to come to a considered
position, even though this issue has substantial potential impact for our
userbase.  I'm trying to not make faulty assumptions, so some greater
clarity on the circumstances would be helpful, if possible.

Thanks,

Ben