The OpenSSL Management Committee (OMC) on behalf of the OpenSSL Project would
like to formally express its thanks to the following organisations
for agreeing to sponsor the next
FIPS validation effort: Akamai Technologies, Blue Cedar, NetApp, Oracle, VMware.
Four weeks ago, the OpenSSL team gathered with many of the organisations
sponsoring the next FIPS module for a face-to-face meeting in Brisbane,
Australia.
We got a great deal accomplished during that week. Having most of
the fips-sponsor organisations in the same location helps ensure that
we are all on the same page for the decisions we need to make going forward.
After two years of work we are excited to be releasing our latest version today -
OpenSSL 1.1.1. This is also our new Long Term Support (LTS) version and so we
are committing to support it for at least five years.
OpenSSL 1.1.1 has been a huge team effort with nearly 5000 commits having been
made from over 200 individual contributors since the release of OpenSSL 1.1.0.
These statistics just illustrate the amazing vitality and diversity of the
OpenSSL community. The contributions didn’t just come in the form of commits
though. There has been a great deal of interest in this new version so thanks
needs to be extended to the large number of users who have downloaded the beta
releases to test them out and report bugs.
Back around the end of 2014 we posted our
release strategy. This
was the first time we defined support timelines for our releases, and added
the concept of an LTS (long-term support) release. At our OMC meeting
earlier this month, we picked our next LTS release. This post walks through
that announcement, and tries to explain all the implications of it.
The following is a press release that we just put out about how finishing
off our relicensing effort. For the impatient, please see
https://license.openssl.org/trying-to-find
to help us find the last people; we want to change the license with our
next release, which is currently in Alpha, and tentatively set for May.
For background, you can see all posts in the
license tag.
At the face to face
last year we discussed future funding models, and we are exploring a range of
possible options. One suggestion raised was we could sell more support
contracts and give those support contract users patches for security issues in
advance.
But before we can even discuss this as an option we would have to change
our public stance. Our security policy since 2014 has stated we would
not do this and currently reads:
The OpenSSL OMC met last month for a two-day face-to-face meeting in London,
and like previous F2F meetings, most of the team was present and we addressed
a great many issues. This blog posts talks about some of them,
and most of the others will get their own blog posts, or notices, later.
Red Hat graciously hosted us for the two days, and both Red Hat and Cryptsoft
covered the costs of their employees who attended.
One of the overall threads of the meeting was about increasing the
transparency of the project. By default, everything should be done in
public. We decided to try some major changes to email and such.
Today I have had great pleasure in attending the Real World Crypto 2018
conference in Zürich in order to receive the
Levchin prize on behalf of the OpenSSL team.
The Levchin prize for Real World Cryptography recognises up to two groups or
individuals each year who have made significant advances in the practice of
cryptography and its use in real-world systems. This year one of the two
recipients is the OpenSSL team. The other recipient is
Hugo Krawczyk.
We had been invited to spend time with the open source community in China
by one of the developers - Paul Yang - who
participates in the OpenSSL project. A number of the team members had
communicated via email over the last year and when the suggestion was made
there were enough of us willing and interested to visit China for a “tour”
to make sense. So the tour was agreed as a good thing and that started
the journey that lead to spending a week in China (last week as I write
this on the plane on the way back to Australia).
Over the past few years we’ve come to the realisation that there is a surprising
(to us) amount of interest in OpenSSL in China. That shouldn’t have been a surprise
as China is a huge technologically advanced country, but now we know better thanks
to correspondence with many new Chinese contacts and the receipt of significant
support from multiple Chinese donors (most notably from Smartisan.
We have accepted an invitation from BaishanCloud to
visit China in person and meet with interested OpenSSL users and stakeholders in September.
We’d like to thank BaishanCloud for hosting us and Paul Yang and his colleagues there
for the substantial amount of work that went into arranging this trip.