On Thu, Apr 24, 2014 at 04:56:09PM -0700, Quanah Gibson-Mount wrote:

> 
> The problem with this approach is significant requests that have languished
> for years.  One such example would be
> <http://rt.openssl.org/Ticket/Display.html?id=1365>, which is 8 years old
> now.  The best place to get the fix these days is probably directly from
> Debian (<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589520>).

Perhaps patches that are added in major O/S platforms and are not
fundamentally specific to the platform in question should get a
higher priority.

    * They are in most cases proposed by relatively experienced users
      (the Debian PRNG fiasco aside :-).

    * They have been widely tested by users of said platforms.

So the easiest approach may be for Debian, RedHat, ... to look
through the various patches they apply and decide which are generally
applicable, and, perhaps not today, but once new processes are more
clearly established, open new tickets clearly re-stating the status
and motivation of the patch, the origin platform and patch maturity.

Then I would recommend that the OpenSSL team and volunteers look
at these before most other requests.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
