What the Brno F2F means for individual users and contributors — from someone who was in the room
Hi all — Aditya here. I was at the OpenSSL F2F in Brno this May, and this is the update I'd want as an individual user or contributor — no enterprise filter, just what changes for people like us. The short version: official Windows builds are coming, releases are easier to verify, post-quantum arrives without breaking anything, and contributing is genuinely getting friendlier.
The full write-up is running in two committee spaces, and they're worth a look separately: the BAC thread carries the business and governance discussion, while the TAC thread carries the technical conversation with the standards drafts behind it. Both are readable by anyone. Here's the cut that matters for personal and independent use.
Official Windows builds, finally. The OpenSSL Project will ship its own Windows installers — MSI and plain executable, with a lightweight option if you only want the command-line tools — so the days of hunting for a trustworthy third-party build are ending. Windows 10 and newer, latest release first. The FIPS module is in the box but off unless you turn it on in config.
Trust what you download. Releases are now signed on hardware security modules under a published process. The signing certificate, its fingerprint, and the verification steps are all on the official downloads page — checking a download takes a few minutes, not specialist knowledge.
Post-quantum, in plain terms. New post-quantum signatures (ML-DSA, FIPS 204) are on by default; post-quantum key exchange (ML-KEM, FIPS 203) is there if you opt in. For everyday use nothing breaks — the changes are additive. And the same algorithms are being made to run in much less memory, which is great news if you tinker with small or embedded devices.
Rust: provider choice, not a rewrite. You'll see headlines about OpenSSL "moving to Rust." It isn't a rewrite. The plan lets software choose its implementation underneath; nothing changes in how you use it, and announcements are being held until the code is tested rather than the other way round.
Contributing is getting friendlier — this is the part I care most about. A rotating contact will own incoming pull requests so external contributions stop going quiet, "help wanted" labels are being curated instead of left stale, smaller single-purpose PRs are encouraged, and a contributor rulebook will make the path explicit. If you use an AI tool to help with a contribution, you'll simply be asked to say so and confirm a human reviewed it. The code is where it always was: github.com/openssl/openssl.
One thing to check. Some rarely used older processor architectures (Tier 3) will be dropped in the next major release because they can't be reliably tested. The exact list is being confirmed and will be announced with notice — if you run OpenSSL on unusual hardware, keep an eye out.
A personal note from the week: I was one of the few people in that room not representing a corporation, and what struck me was how often the discussion came back to people like us anyway — who answers an outside contributor's pull request, who curates the issues a newcomer can actually pick up, who makes a Windows build a person can simply trust. The decisions above weren't made for enterprises and trickled down; several were made because individual users and contributors are the part of this ecosystem that keeps it honest.
So — over to you: What would make OpenSSL easier to use or contribute to for you personally? Which of the items above matters most, and what did the F2F miss? There's also a 6–24 month roadmap being assembled in the open, and individual voices are explicitly wanted in it. I'll carry the follow-ups from this thread into the committee discussions and the roadmap.
— Aditya
