Meeting Minutes: Board and BAC Monthly (2025-10-27)
Below are the minutes from the recent BAC and Board of Directors meeting. All members receiving this notification are encouraged to review the minutes and participate in the discussion. That’s one of the opportunities to engage directly with BAC members by replying in the thread below. Your input helps us ensure the OpenSSL community remains transparent, collaborative, and responsive to your needs.
Attendees
@Anton Arapov, @James Bourne, @Jeff Johnson, @Lenka Luklová, @Paul Dale, @Randall Becker, @Tim Hudson
Absent: @Billy Brumley, @Jaroslav Reznik
Agenda
Process for forming and submitting recommendations (BAC/TAC/Corporation/Foundation)
Community feedback and polling on API deprecation, engine removal, and SSLv3
Engine API strategy (removal vs stubs)
Deprecation policy and communications planning
Customer support, migration assistance, and education
Contractual/business considerations and market positioning
Forks and alternative implementations—impact of deprecations
Next steps, follow-ups, and scheduling
Key Points
Recommendation process: James led a discussion on how BAC recommendations should be developed, reaching community consensus first and then submitted formally to the appropriate body. A private, invite-only community thread exists to refine this process; a few members noted access or context issues which will be resolved.
Community polling on deprecations: Mixed results across audiences. Community contributors and smaller organizations generally support removing long-deprecated APIs (including SSLv3 and engines), while large customers favor stability and minimal breaking changes. The group acknowledged the need to balance modernization with long-term support expectations.
Engine APIs: Options considered included full removal, full stubbing, or partial stubbing. The emerging preference is removal with a minimal, compile-time stub option to ease transitions. Jeff noted ongoing outreach to major consumers to migrate from engines to providers.
Deprecation policy: Agreement to publish a clearer written policy that documents phased deprecation and removal timelines. Paul reiterated the minimum multi-year deprecation expectations before removal; Randall emphasized advance warning for planning in larger organizations.
Customer support and migration: BAC discussed strengthening migration assistance (hands-on help, webinars, potential training offerings). Jeff offered team support for educational sessions; Tim highlighted an opportunity to formalize commercial training materials.
Contractual/business context: Randall outlined how support agreements could more explicitly cover API and version support expectations. OpenSSL’s position: compatibility with credible long-term support remains a market differentiator, even as the project pursues necessary cleanup.
Forks/alternatives: The group noted that forks should track upstream changes; some maintainers lag. OpenSSL will continue executing its roadmap with clear notices to minimize disruption.
Community and Technical Engagement
Formalize the recommendation workflow with open community discussion prior to BAC submission.
Use targeted polls and broad feedback channels to surface differing needs (community vs. enterprise).
Pair deprecation decisions with migration guidance, office hours, and webinars to reduce risk for adopters.
Future Releases and Transition Planning
Proceed toward removing long-deprecated APIs, including engine-related items, with a minimal stub path as a transitional aid.
Publish a concise deprecation policy that sets expectations for timelines, notices, and support horizons.
Continue coordinated outreach to large customers to align on migration timelines and support options.
Upcoming Actions
Circulate a short note describing the recommendation formation and approval flow (including how to participate in the invite-only thread).
Draft and socialize a written deprecation policy update with phased timelines and communication milestones.
Prepare a migration assistance plan (FAQs, webinars, sample portability guides) for engine-to-provider transitions.
Refine and publish a summary of polling results, calling out differences between community and enterprise perspectives.
Schedule a focused follow-up within one week to confirm the engine strategy and deprecation policy wording before broader publication.
Future Meetings and Events
Within one week: Follow-up BAC session on engine strategy and deprecation policy text.
November 18, 2025: “Friends of OpenSSL” Community Event (North Carolina).
Regular BAC monthly calls will continue; calendar coordination and access issues to be reviewed.
Action Items
Jeff, Anton → Refine the agenda and documentation for API deprecation and engine removal; prepare materials for the follow-up session.
Tim, Anton → Draft a proposal on BAC member term extensions and election timing for BAC review and consensus.
James → Share the recommendation-process thread access details; collect input and propose a concise workflow description for publication.
Paul → Validate deprecation policy timelines and confirm the minimum deprecation period language for the updated policy.
Randall → Propose communication lead-times and enterprise-friendly warning periods; advise on contract language considerations.
Anton Arapov Wed 5 Nov 2025 10:22AM
@ppzgs1 We had to prepare the minutes as soon as possible while remembering what actually happened during the call. Thank you for pointing out the inconsistencies.
Anton Arapov Thu 6 Nov 2025 1:18PM
Tim, Anton → Draft a proposal on BAC member term extensions and election timing for BAC review and consensus.
Anton Arapov Thu 6 Nov 2025 1:20PM
Jeff, Anton → Refine the agenda and documentation for API deprecation and engine removal; prepare materials for the follow-up session.
OpenSSL Engineering is preparing materials for the BAC members to circulate, enabling them to engage with their respective communities and communicate the changes, as well as identify any potential feedback.
cc: @Tomas Vavra
Paul Dale · Wed 5 Nov 2025 9:49AM
What does office hours mean here?
Could someone explain this one to me? I don't remember agreeing to anything along these lines.
Would it be possible for someone to proof check these AI generated minutes a little better?