On Wed, Jun 04, 2014 at 09:14:18AM +1000, Peter Waltenberg wrote:
>
> This is NOT the Linux kernel, the Linux kernel is directly funded by
> several of the larger companies, they have employees contributing directly
> on the kernel, with access to internal hardware resources.

Yes, and I'm saying people aren't thinking big enough. OpenSSL is critical infrastructure. There's a reason why the Linux Foundation's Critical Infrastructure Initiative is funding two people to work full time on making OpenSSL better. (ObDisclosure: I'm on the CII technical advisory board.)

If there are resources you need, people should *ask*. There may be solutions you haven't thought of. For example, one mechanism that has been used before is to have the hardware donated to the Oregon State University's Open Source Lab. IBM has used this to make Power systems available to open source developers, for example. So there are ways to get access to machines without requiring that you pay for the power and hosting fees.

Don't assume that the answer is that it can't be done, so we need to keep horrible macros and #ifdef's and be really hesitant making changes lest we break some dead architecture that might not be maintained, or for some router company that might not take an updated OpenSSL to support some hardware which is ten years old. There may very well be solutions you haven't thought of yet.

> I think the best you'd manage is insisting that larger companies wanting
> support run some sort of continuous build system internally and feed
> results back to the OpenSSL team.

And this is also not hard. Now that OpenSSL is using git, it's really trivially easy to have companies do this and feed results back. Intel has a team in China doing this for pretty much every single major kernel developer's git tree. I can push an ext4 to a test git branch, and if I've forgotten to run sparse (a static code analyzer) and fix any problems, within *minutes* I'll get back an e-mail indicating that my pushed test code has introduced new code warnings. And this is done *before* my code hits linux-next, or Linus's mainline tree.

You don't think OpenSSL isn't similarly important? And that companies won't provide similar continuous testing if you ask? Especially after all of the notice that was raised after the Heartbeat scare (which admittedly wasn't even the worst SSL bug in the last couple of months), this is really a good time to ask companies for this kind of support.

Cheers,

- Ted
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org