Re: Reducing the security bits for MD5 and SHA1 in TLS - OTC or OMC vote?

2020-05-27 Thread Matt Caswell



On 27/05/2020 15:33, Tomas Mraz wrote:
> On Wed, 2020-05-27 at 14:16 +, Dr. Matthias St. Pierre wrote:
>>> IMO it seems appropriate to have an OMC vote on this topic (or
>>> should it
>>> be OTC?). Possible wording:
>>
>> Personally, I would prefer if technical questions would by default be
>> discussed (and voted on)
>> by the OTC, unless an OMC member explicitly puts in his veto and
>> claims that higher level
>> strategical interests of the OpenSSL project are affected.
>>
>> But according to the current wording of the bylaws, I would say it is
>> a 'feature requirement' and
>> requires an OMC vote:
> 
> I do not understand this to be a 'feature requirement' - IMO if this
> was a 'feature requirement' it would mean that OMC decides that
> something must be implemented in such and such way that the OpenSSL 3.0
> does this and that as a feature. But we do not do that for every
> feature that is being added to master. So I do not even think this
> requires any formal vote, unless someone from OTC or OMC calls for it
> explicitly.
> 
> Of course it is kind of an API break but again I do not think every API
> break in OpenSSL 3.0 was voted upon by OMC.
> 
> I mean I am definitely not against having a vote if someone feels it
> should be done but if nobody requires it, I do not think it would be a
> violation of anything if this is merged without a vote.

I think there should be a vote. IMO such a significant break should be
done as a result of a positive decision and not on the basis of a very
small number of people approving a PR.

I can see arguments both ways for it being an OTC vote or an OMC vote.
To an extent it is purely a technical decision i.e. to answer the
question: "does it technically make sense to make this change?"

It also has a business requirements aspect to it i.e. to answer the
question "would this have such a significant impact on the OpenSSL user
base that, regardless of its technical merits, we still shouldn't do it?"

On reflection though I'm not sure that the technical merits of this are
particularly controversial. So I'm thinking that the OMC is still the
right forum for this. However if someone else thinks that the
*technical* arguments are controversial there is no reason why we
couldn't have an OTC vote *as well*. I won't be proposing that though.


Matt




RE: Reducing the security bits for MD5 and SHA1 in TLS - OTC or OMC vote?

2020-05-27 Thread Dr. Matthias St. Pierre
> I mean I am definitely not against having a vote if someone feels it
> should be done but if nobody requires it, I do not think it would be a
> violation of anything if this is merged without a vote.

Tomáš, I don't mind following your viewpoint at all, and if the OMC thinks
the same, that's fine. Also, I agree that an OTC/OMC discussion does not
automatically have to be resolved by an OTC/OMC vote.

Maybe my original post was a bit misleading. The main motivation behind it
was my impression that we tend to start many technical discussions with a
general discussion about whether it should be discussed/decided by the
OMC or the OTC.

Matthias




Re: Reducing the security bits for MD5 and SHA1 in TLS - OTC or OMC vote?

2020-05-27 Thread Tomas Mraz
On Wed, 2020-05-27 at 14:16 +, Dr. Matthias St. Pierre wrote:
> > IMO it seems appropriate to have an OMC vote on this topic (or
> > should it
> > be OTC?). Possible wording:
> 
> Personally, I would prefer if technical questions would by default be
> discussed (and voted on)
> by the OTC, unless an OMC member explicitly puts in his veto and
> claims that higher level
> strategical interests of the OpenSSL project are affected.
> 
> But according to the current wording of the bylaws, I would say it is
> a 'feature requirement' and
> requires an OMC vote:

I do not understand this to be a 'feature requirement' - IMO if this
was a 'feature requirement' it would mean that OMC decides that
something must be implemented in such and such way that the OpenSSL 3.0
does this and that as a feature. But we do not do that for every
feature that is being added to master. So I do not even think this
requires any formal vote, unless someone from OTC or OMC calls for it
explicitly.

Of course it is kind of an API break but again I do not think every API
break in OpenSSL 3.0 was voted upon by OMC.

I mean I am definitely not against having a vote if someone feels it
should be done but if nobody requires it, I do not think it would be a
violation of anything if this is merged without a vote.

> > The OMC:
> > 
> > * makes all decisions regarding management and strategic direction
> > of the project; including:
> > - business requirements;
> > - feature requirements;
> > - platform requirements;
> > - roadmap requirements and priority;
> > - end-of-life decisions;
> > - release timing and requirement decisions;
> 
> Matthias
> 
-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
  Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]




RE: Reducing the security bits for MD5 and SHA1 in TLS - OTC or OMC vote?

2020-05-27 Thread Dr. Matthias St. Pierre

> IMO it seems appropriate to have an OMC vote on this topic (or should it
> be OTC?). Possible wording:

Personally, I would prefer if technical questions would by default be discussed 
(and voted on)
by the OTC, unless an OMC member explicitly puts in his veto and claims that 
higher level
strategical interests of the OpenSSL project are affected.

But according to the current wording of the bylaws, I would say it is a 
'feature requirement' and
requires an OMC vote:

> The OMC:
>
> * makes all decisions regarding management and strategic direction of the 
> project; including:
> - business requirements;
> - feature requirements;
> - platform requirements;
> - roadmap requirements and priority;
> - end-of-life decisions;
> - release timing and requirement decisions;

Matthias