OpenSSL 3.0 LTS

2022-03-04 Thread Matt Caswell
OpenSSL 3.0 has recently been designated as a Long Term Support (LTS) 
release. This means that it will now be supported until 7th September 
2026 (5 years after its initial release).


Our previous LTS release (1.1.1) will continue to be supported until 
11th September 2023.


We encourage all users to upgrade to 3.0.

Yours,
The OpenSSL Project Team




OMC VOTE: The next LTS release

2022-02-16 Thread Matt Caswell

The OMC vote for the following proposal has now started:

"We should announce that the next LTS release will be 3.0"

OMC members please cast your votes here:

https://github.com/openssl/general-policies/issues/9

Matt


Re: [OMC VOTE PROPOSAL] macOS ARM64 Support in OpenSSL 1.1.1 LTS

2020-11-30 Thread Matt Caswell



On 27/11/2020 17:24, Matt Caswell wrote:
> 
> 
> On 27/11/2020 17:15, Matt Caswell wrote:
>>
>>
>> On 25/11/2020 20:17, Felix Bünemann wrote:
>>> Regarding inclusion of macOS ARM64 Support in OpenSSL 1.1.1 LTS:
>>>
>>> The OMC accepts the required configuration change, making an exception to the
>>> LTS rule that prevents adding new platforms.
>>
>> I'm about to raise this vote, but I plan to tweak this wording to
>> instead say:
>>
>> Regarding inclusion of macOS ARM64 Support in OpenSSL 1.1.1 LTS:
>> The OMC accepts the required configuration change, making an exception
>> to the rule that prevents adding new platforms to stable releases.
>>
>>
>> This is just to make it a little more accurate. New platforms are
>> counted as new features, and the rule is that we do not add new features
>> to stable releases. The rule is not specific to an LTS release - it's any
>> stable release.
> 
> I've started the vote. I'll report back once we have an answer.

This vote has now closed. It passed:

accepted:  yes  (for: 6, against: 1, abstained: 0, not voted: 0)


Matt



Re: [OMC VOTE PROPOSAL] macOS ARM64 Support in OpenSSL 1.1.1 LTS

2020-11-27 Thread Matt Caswell



On 27/11/2020 17:15, Matt Caswell wrote:
> 
> 
> On 25/11/2020 20:17, Felix Bünemann wrote:
>> Regarding inclusion of macOS ARM64 Support in OpenSSL 1.1.1 LTS:
>>
>> The OMC accepts the required configuration change, making an exception to the
>> LTS rule that prevents adding new platforms.
> 
> I'm about to raise this vote, but I plan to tweak this wording to
> instead say:
> 
> Regarding inclusion of macOS ARM64 Support in OpenSSL 1.1.1 LTS:
> The OMC accepts the required configuration change, making an exception
> to the rule that prevents adding new platforms to stable releases.
> 
> 
> This is just to make it a little more accurate. New platforms are
> counted as new features, and the rule is that we do not add new features
> to stable releases. The rule is not specific to an LTS release - it's any
> stable release.

I've started the vote. I'll report back once we have an answer.

Matt


Re: [OMC VOTE PROPOSAL] macOS ARM64 Support in OpenSSL 1.1.1 LTS

2020-11-27 Thread Matt Caswell



On 25/11/2020 20:17, Felix Bünemann wrote:
> Regarding inclusion of macOS ARM64 Support in OpenSSL 1.1.1 LTS:
> 
> The OMC accepts the required configuration change, making an exception to the
> LTS rule that prevents adding new platforms.

I'm about to raise this vote, but I plan to tweak this wording to
instead say:

Regarding inclusion of macOS ARM64 Support in OpenSSL 1.1.1 LTS:
The OMC accepts the required configuration change, making an exception
to the rule that prevents adding new platforms to stable releases.


This is just to make it a little more accurate. New platforms are
counted as new features, and the rule is that we do not add new features
to stable releases. The rule is not specific to an LTS release - it's any
stable release.

Matt


Re: [OMC VOTE PROPOSAL] macOS ARM64 Support in OpenSSL 1.1.1 LTS

2020-11-27 Thread Kurt Roeckx
On Fri, Nov 27, 2020 at 12:42:44PM +0100, Felix Bünemann wrote:
> Hi Kurt,
> 
> > Am 26.11.2020 um 18:57 schrieb Kurt Roeckx :
> > 
> > On Wed, Nov 25, 2020 at 09:17:13PM +0100, Felix Bünemann wrote:
> >> 
> >> It is also unique cause it requires no code changes to support a new 
> >> platform.
> > 
> > In a previous discussion we have talked about when a platform can
> > be added in an LTS release. I think that in general if it's only
> > configuration changes and there is a very low risk that it's going
> > to have issues requiring other changes, we should allow it.
> 
> Do you have a link to that discussion?

It was in one of our online meetings, that resulted in the LTS+
proposal.

> If there is a prior example where this has happened I should also remove the
> statement that it is a unique case and mention the prior incident instead.

As far as I know, there are no examples where we have allowed
adding a platform in the stable release branch.


Kurt



Re: [OMC VOTE PROPOSAL] macOS ARM64 Support in OpenSSL 1.1.1 LTS

2020-11-27 Thread Felix Bünemann
Hi Kurt,

> Am 26.11.2020 um 18:57 schrieb Kurt Roeckx :
> 
> On Wed, Nov 25, 2020 at 09:17:13PM +0100, Felix Bünemann wrote:
>> 
>> It is also unique cause it requires no code changes to support a new 
>> platform.
> 
> In a previous discussion we have talked about when a platform can
> be added in an LTS release. I think that in general if it's only
> configuration changes and there is a very low risk that it's going
> to have issues requiring other changes, we should allow it.

Do you have a link to that discussion?

If there is a prior example where this has happened I should also remove the
statement that it is a unique case and mention the prior incident instead.

> Kurt

Regards, Felix Buenemann





Re: [OMC VOTE PROPOSAL] macOS ARM64 Support in OpenSSL 1.1.1 LTS

2020-11-26 Thread Kurt Roeckx
On Wed, Nov 25, 2020 at 09:17:13PM +0100, Felix Bünemann wrote:
> 
> It is also unique cause it requires no code changes to support a new platform.

In a previous discussion we have talked about when a platform can
be added in an LTS release. I think that in general if it's only
configuration changes and there is a very low risk that it's going
to have issues requiring other changes, we should allow it.


Kurt



[OMC VOTE PROPOSAL] macOS ARM64 Support in OpenSSL 1.1.1 LTS

2020-11-25 Thread Felix Bünemann
This proposal is a result of the discussion on GitHub PR #12369:

https://github.com/openssl/openssl/pull/12369

Matt Caswell has agreed to raise the vote with the OMC.

Please provide any feedback you have on the wording, so it can be
integrated into the original at:

https://gist.github.com/ee30b5c8f52e030629dc2de95f81d8b1

--

OMC VOTE: macOS ARM64 Support in OpenSSL 1.1.1 LTS

Background to the vote:

Apple has recently released new Mac computers that are powered by their own
ARMv8 compatible SoC called the Apple Silicon M1, or M1 for short.

This chip is an evolution of their previous ARM chips in the A series, most
similar to the A14 used in the latest generations of iPhones and iPads, but
with a chip configuration like the iPad Pro.

Since this is a CPU architecture that was previously used by iOS devices, it
is already well supported by OpenSSL including various assembly optimizations.

In order to support it on macOS on the current stable version OpenSSL 1.1.1,
a new build target needs to be added to the build configuration script, which
has been proposed and discussed in PR #12369 [1].

This is a problem, because the OpenSSL LTS rules state that only bug fixes and
security fixes are accepted into the stable codebase.

It is also unique cause it requires no code changes to support a new platform.

Since OpenSSL 3.0 is still in alpha and because the code is very low impact,
with only eight lines of configuration, I would like to ask the OMC to make
an exception to the rule in this case.

It is important that this patch is accepted upstream, because there is a good
amount of uncertainty for maintainers in downstream projects like Homebrew,
the most popular package manager for macOS, about keeping out of tree patches
for security sensitive software like OpenSSL.

Accepting the patch gives these maintainers the certainty that it is safe to
use and removes the need for various downstream projects to maintain the patch.

This is also important since I've seen multiple variations of the patch in the
wild that didn't actually work as intended, due to being incorrectly ported
from the master branch - leading to working, but fully unoptimized builds.

I would also ask to make this decision independent of the ongoing proposal
for LTS+ releases by Matt Caswell, that would allow for adding new platforms
with greater changes to the codebase. I think it has a much bigger scope and
is likely going to take some time to get right.

This should be seen as a one-time exception and is not intended as a precedent
for future cases, which should be covered by the LTS+ proposal.

[1] https://github.com/openssl/openssl/pull/12369

The vote text is as follows:

topic: Regarding inclusion of macOS ARM64 Support in OpenSSL 1.1.1 LTS:

The OMC accepts the required configuration change, making an exception to the
LTS rule that prevents adding new platforms.

Proposed by Felix Buenemann

-- 
Regards, Felix Buenemann

Re: LTS+

2020-10-19 Thread Dr Paul Dale
Unless the change can be argued to be security hardening — an improved entropy 
source would be IMO.

Pauli
-- 
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
Phone +61 7 3031 7217
Oracle Australia




> On 20 Oct 2020, at 9:10 am, Dr Paul Dale  wrote:
> 
> Not with the wording used.  The feature exists even if it’s rubbish.
> 
> 
> Pauli
> -- 
> Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
> Phone +61 7 3031 7217
> Oracle Australia
> 
> 
> 
> 
>> On 20 Oct 2020, at 5:07 am, Tomas Mraz <mailto:t...@t8m.info> wrote:
>> 
>> I wonder if something like adding a new entropy source on an existing 
>> platform especially on some that currently don't have adequate ones would be 
>> covered by this.
>> 
>> Tomáš
>> 
>> 19. 10. 2020 18:29, 18:29, Matt Caswell <mailto:m...@openssl.org> napsal/a:
>>> 
>>> 
>>> On 19/10/2020 15:14, Matt Caswell wrote:
>>>> LTS+ releases may contain the following new features:
>>>> - Support for additional platforms
>>>> - Performance improvements
>>> 
>>> Based on the discussion in PR #13176, I'd like to add to this list:
>>> 
>>> - Extending existing features to existing platforms where that feature
>>> does not yet exist
>>> 
>>> Thoughts?
>>> 
>>> Matt
>> 
> 



Re: LTS+

2020-10-19 Thread Dr Paul Dale
Not with the wording used.  The feature exists even if it’s rubbish.


Pauli
-- 
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
Phone +61 7 3031 7217
Oracle Australia




> On 20 Oct 2020, at 5:07 am, Tomas Mraz  wrote:
> 
> I wonder if something like adding a new entropy source on an existing 
> platform especially on some that currently don't have adequate ones would be 
> covered by this.
> 
> Tomáš
> 
> 19. 10. 2020 18:29, 18:29, Matt Caswell  napsal/a:
>> 
>> 
>> On 19/10/2020 15:14, Matt Caswell wrote:
>>> LTS+ releases may contain the following new features:
>>> - Support for additional platforms
>>> - Performance improvements
>> 
>> Based on the discussion in PR #13176, I'd like to add to this list:
>> 
>> - Extending existing features to existing platforms where that feature
>> does not yet exist
>> 
>> Thoughts?
>> 
>> Matt
> 



Re: LTS+

2020-10-19 Thread Tomas Mraz
I wonder if something like adding a new entropy source on an existing platform 
especially on some that currently don't have adequate ones would be covered by 
this.

Tomáš

19. 10. 2020 18:29, 18:29, Matt Caswell  napsal/a:
>
>
>On 19/10/2020 15:14, Matt Caswell wrote:
>> LTS+ releases may contain the following new features:
>> - Support for additional platforms
>> - Performance improvements
>
>Based on the discussion in PR #13176, I'd like to add to this list:
>
>- Extending existing features to existing platforms where that feature
>does not yet exist
>
>Thoughts?
>
>Matt



Re: LTS+

2020-10-19 Thread Matt Caswell



On 19/10/2020 15:14, Matt Caswell wrote:
> LTS+ releases may contain the following new features:
> - Support for additional platforms
> - Performance improvements

Based on the discussion in PR #13176, I'd like to add to this list:

- Extending existing features to existing platforms where that feature
does not yet exist

Thoughts?

Matt



LTS+

2020-10-19 Thread Matt Caswell
At the recent Committer and OTC meetings a proposal was discussed to add
further clarity to what is allowed in stable releases, and to introduce
a new "LTS+" type of release to go alongside the existing LTS release.

The idea is that an LTS release is restricted to bug fixes and security
fixes only (as now). However an LTS+ release would additionally be able
to accept additional platforms as well as performance improvements. LTS
and LTS+ releases would be issued simultaneously, have the same support
period, and would have the same minor and patch version numbers. The
LTS+ designation would be separate to the version number (e.g. in a text
label).

In order for this to happen an OMC vote would be required. My proposed
vote text (which incorporates the proposal text discussed in the
meeting) is as follows:

"The OMC should include the following text in its release strategy:

In order to maximise stability, Long Term Support (LTS) Releases are
eligible to receive bug and security fixes only.

Bug fixes are:
- Fixes for defects that impact behaviour that do not impact the API or
the ABI
- Minor fixes to existing code to correct major performance regressions
(e.g. larger than 10% performance regression compared to the previous
release)
- Inclusion of new API functions to correct missing accessor functions

Security fixes are:
- Fixes and changes as necessary as a result of a CVE
- Minor amendments for security hardening purposes

Security fixes should not change the API/ABI, although functional
behaviour may be changed if strictly necessary (e.g. changing defaults).

Following an LTS release additional releases may also occur in an LTS+
release. The LTS+ release support time will be aligned with the LTS
release.  Releases of the LTS+ version will be done at the same time as
the LTS release.

LTS+ releases may contain the following new features:
- Support for additional platforms
- Performance improvements

The LTS+ release major and minor and patch version numbers will be the
same as the LTS release. The designation of the LTS+ release will be
separate from the version number."


Feedback is appreciated on both the proposal, and the vote text.


Matt