Ian Jackson writes ("Re: OpenSSL 1.1.0"): > Lots of people have posted in this thread that they see problems with > our current approach to the openssl transition. > > Do the openssl maintainers have an response ?
I count the following people who expressed concern[1] about this some time before the 11th of November (last activity from an openssl maintainer): Lisandro Damin Nicanor Prez Meyer Ian Jackson Pau Garcia i Quiles Colin Tuckley Jan Niehusmann On the 11th Kurt replied, but only to a specific technical aspect of Jan Niehusmann's message. (On the 10th there was a second openssl revision upload.) It seems to me that there has been no real answer to most of those comments, and ample time to do so. Since then I additionally count the following people who have expressed concern[1]: Jan Wagner Ondřej Surý Adam Borowski Russ Allbery Dimitri John Ledkov Jan Niehusmann Adrian Bunk Scott Leggett I appreciate that not everyone can be available all of the time, but a maintainer has a choice of when to initiate a transition and should arrange to do so at a time when they can be available in a timely manner to help steward their transition. A maintainer should be ready to explain, and if necessary change, decisions they have taken. (Ideally wider consultation before taking such a decision would be better.) In the absence of input from the openssl maintainers, I would like to ask the Release Team's opinion. If we are going to wind back on this change we should do it ASAP. We should not allow ourselves to make the decision to press on, simply by failing to decide otherwise. If we decide to wind back the transition and the openssl maintainers continue not to be available (within the short timeframes required), we have a lot of people who could competently prepare an NMU. Thanks, Ian. [1] I have had to make some judgements about the implications in people's mails. "Expresse concern" for me includes suggestions that the current situation would need a substantial slip to the release. -- Ian Jackson <ijack...@chiark.greenend.org.uk> These opinions are my own. If I emailed you from an address @fyvzl.net or @evade.org.uk, that is a private address which bypasses my fierce spamfilter.