> It seems to me that the easiest thing to do is maintain that release of
> OpenSSL by themselves.
> Which would be another variation of such unofficial work.
You could look at things like that. I consider it to be more like "your free
FIPS ride is done, time to pay up."
> That policy page is half the problem, the other half being the decision
> not to make a FIPS module for the current 1.1.x series.
There are many problems with the current FOM. One notable example is that you
cannot have a single executable that handles both FIPS and non-FIPS TLS
connections at the same time. Another is the way the whole integrity check is
done. I could go on and on, but won't. The project spent a long time
discussing and considering alternatives and decided a new start was the best
way to move forwards. It was a carefully-considered decision. The fact that it
"left a coverage gap" in FIPS/1.0.2 was also discussed.
It's too bad not everyone is pleased. Probably those who didn't plan well,
and/or who just got "FIPS for free" and expected that to last forever seem to
be among those particularly unhappy. Speaking for myself, AND NOT THE PROJECT,
too bad.