My abstain vote was a carefully considered neutral stance backed by many paragraphs of rationale.
The gist of which is that given that the decision to load or not the provider is in the configuration file, the party ultimately making the decision is whoever packages the software, not the OpenSSL project. OS distributions and users will make their own choices, as they build packages and deploy systems. Our "default" choice is just a "suggestion". So the real change is providing a mechanism to make the choice; the specific choice we default to is IMHO not that important, and signalling that the legacy algorithms are best left disabled when possible is a reasonable outcome.

But, on the other hand, we also want to largely remain compatible with 3.0, and make compile and deploy easy. So there is some reason to take the compatible default.

I had the advantage of voting last, knowing that my abstain would allow the vote to pass...

> On Jan 15, 2020, at 3:07 PM, Benjamin Kaduk <ka...@mit.edu> wrote:
>
> It's good to have a decision here, but I'm kind of worried about the four
> abstains -- it's easy for me to leap to a conclusion that the individuals
> in question just didn't want to spend the time to come to a considered
> position, even though this issue has substantial potential impact for our
> userbase. I'm trying to not make faulty assumptions, so some greater
> clarity on the circumstances would be helpful, if possible.

--
Viktor.