> Brad, sorry, I didn't mean to come across as negative. The point I was > trying to make is that once a validation starts I can't afford to delay > it to deal with problems that are discovered in the already frozen > baseline, unless those problems are critical to the requirements of the > paying sponsors. Hence we don't solicit general public input for > in-process validations. Reports of problems with already validated > versions are welcome and I think Dr. Henson in particular has been very > proactive in addressing those issues in the trunk for future > validations. Reports of problems with the submitted code for pending > validations are also welcome with the understanding that we almost > certainly won't be able to effect any change for that validation.
Yes, that is understandable. Any code going through validation at that time cannot be touched. I think what Kyle asked for was prior to the next validation starting, a 2-week window where people could provide patches. Basically a 'last-call', or at least some projected timelines for when it would be submitted so we know if the code is 'close-to-final' before we try to provide patches (at least portability patches as is my selfish concern). > I'll plead guilty to the charge of inadequate communication. For most > of the duration of the first ground-breaking validation, a five year > ordeal, I was urged to minimize unnecessary public commentary while the > CMVP community sorted out some difficult policy and process issues with > this strange new open source thing. That sorting out has largely taken > place and I now have no excuse for not being more forthcoming. I'll try > to do better. > > The best way to provide feedback on the code for future validations is > to pull and test the head of OpenSSL-fips-0_9_8-stable. Problems found > and fixed there will be included in future validations, as well as > eventually merged into the main development trunk. I didn't actually know a public CVS branch existed for 0.9.8 fips until an e-mail last night. Is the only way to grab the current branch to rsync the _entire_ openssl cvs repository then do a local checkout? Are there any shapshots of that branch being made? (Since the CVS repository isn't publically accessible for checkout). > As an OSSI member you're also welcome to contract OSSI directly with any > questions, I think we're pretty good at being responsive to those > contributors. And Steve Henson is responsive to everyone. Ok, thanks, may give that a shot in the future... -Brad ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]