David Schwartz wrote:
> However, they generally require particular versions of OpenSSL or particular
> build environments. They impose their own requirements. If you can state and
> explain these requirements and reduce your question to one that is actually
> about OpenSSL, then I agree with you.
And yet there are folks like Thomas Hruska who are distributing
installer packages for end users (not developers) that are claimed to be
the "official OpenSSL win32 binary" and application developers who don't
want to link to crypto code because they are afraid of the legal issues
surrounding crypto in some countries.

Now when a user is told by their application documentation to go get
OpenSSL and install it and there is someone claiming to provide the
official build and there are packages specifically for non-developers,
what are you expecting the non-developer users to do when they have a
question?

The application developer doesn't know enough to realize that they need
to be careful about the OpenSSL version they use.  The application
developer wants to treat OpenSSL just like any other package that can be
installed such as Kerberos or Perl.  When they have a question they are
going to come to the folks that developed the software they have a
question about.

Now perhaps the question should have been sent to Thomas Hruska because
he distributes the builds he claims are official but when someone looks
for OpenSSL they see the OpenSSL Users mailing list as free and Thomas'
support costs money.  Where do you think the user will go first?

The best you can do is try to give end users a message to send back to
the application developer and at the same time attempt to answer their
question or point them at the "official" distributors and let Thomas
deal with the fallout.

Jeffrey Altman
