OpenSSL Communities
Mon 29 Sep 2025 6:44AM

Priorities for upcoming 12 months - distributions

Dmitry Belyavsky

There will be a combined BAC/TAC Corporation meeting on October 2-3, before the OpenSSL Conference. The corporation requests the priorities/issues for the next 12 months.

Please provide some feedback about your priorities.


Dmitry Belyavsky Mon 29 Sep 2025 8:34AM

I would like to see some coordinated efforts to reduce the amount of downstream patches in various distros


Dmitry Belyavsky Tue 30 Sep 2025 4:32PM

On behalf of RHEL

1. Make the code less obfuscated (and therefore debugging easier).

Examples: It's nearly impossible to follow the exact functions used, for example, for a cipher implementation on a particular platform, because of heavy macro usage and an extremely high level of indirection. While macros are useful as a coding artifact, I think they should generally be expanded and the expansion stored in git, so that the code can actually be read most of the time, and so that gdb can show you the actual code when debugging.

The recent changes in OSSL_PARAM processing also have their downside, making code unreadable (at least until we autogenerate the files from the templates).

2. Dropping ENGINE support (and as much of the other deprecated stuff as doesn't break our scenarios :) )

3. https://github.com/openssl/openssl/pull/19084 - we would like to revive this work

4. FIPS self-test should run on demand, especially for SLH-DSA

5. Expanding support of opaque symmetric keys (mostly for TLS)


Alexander Bokovoy Mon 6 Oct 2025 8:00AM

From the Fedora side, and from FreeIPA as an upstream project, we would like to see some movement on upstreaming the support for crypto policies. These patches have existed for quite some time (a decade?) and are very useful for unifying crypto requirements for all applications on the same platform. While the existing code in OpenSSL enables per-application policy definition with a custom configuration, the crypto-policies project makes it significantly easier for system administrators to create that configuration.

The actual support basically consists of treating `PROFILE=SYSTEM` as an indication that a pre-defined configuration snippet should be loaded from a known path, instead of a pre-defined cipher list.

Here is the Fedora patch: https://src.fedoraproject.org/rpms/openssl/blob/main/f/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch
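To make the mechanism described in this post concrete, the following is an added illustration written for this thread; it is not the Fedora patch and not OpenSSL code. It models the idea in plain Python: a cipher rule string is split into its `:`-separated tokens, and every `PROFILE=SYSTEM` token is replaced by the rules read from a system-wide policy file, while any other tokens the application appended (for example a trailing `!kRSA`) are kept, so an application can still tighten the system default. The policy file path `/etc/crypto-policies/back-ends/openssl.config`, the built-in fallback rules used when that file is unreadable, and the exact expansion semantics are assumptions for this example, not statements taken from the patch.

```python
import os
import tempfile

# Assumed location of the crypto-policies back-end file; the page does not
# state the path, so treat this as a placeholder for the real deployment.
POLICY_PATH = "/etc/crypto-policies/back-ends/openssl.config"
# Assumed built-in fallback when the policy file cannot be read.
DEFAULT_RULES = "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
PROFILE_TOKEN = "PROFILE=SYSTEM"


def read_policy(path=POLICY_PATH):
    """Return the cipher rule string stored in the policy file, or None.

    The file is treated as one rule string, possibly split over several
    lines; blank lines and '#' comments are ignored.
    """
    try:
        with open(path, encoding="utf-8") as fh:
            lines = [ln.strip() for ln in fh]
    except OSError:
        return None
    rules = [ln for ln in lines if ln and not ln.startswith("#")]
    return ":".join(rules) if rules else None


def expand_cipher_string(rules, policy_path=POLICY_PATH):
    """Expand every PROFILE=SYSTEM token into the system policy rules.

    Returns (expanded_rule_string, used_fallback). Tokens other than
    PROFILE=SYSTEM are passed through unchanged and in order, so an
    application-specific suffix such as '!kRSA' still applies after the
    system rules.
    """
    policy = read_policy(policy_path)
    used_fallback = policy is None
    if used_fallback:
        policy = DEFAULT_RULES
    out = []
    for token in rules.split(":"):
        if token == PROFILE_TOKEN:
            out.extend(policy.split(":"))
        elif token:  # drop empty tokens produced by '::' or a trailing ':'
            out.append(token)
    return ":".join(out), used_fallback


def demo():
    """Write a constructed policy file into a temp dir and exercise the
    expansion, including the missing-file case. Returns a dict of results."""
    tmpdir = tempfile.mkdtemp()
    policy_file = os.path.join(tmpdir, "openssl.config")
    with open(policy_file, "w", encoding="utf-8") as fh:
        # Constructed sample policy, not a real distribution's file.
        fh.write("# constructed sample policy\n")
        fh.write("@SECLEVEL=2:kEECDH:kRSA:!eNULL:!aNULL\n")
    missing = os.path.join(tmpdir, "does-not-exist.config")
    return {
        "system_only": expand_cipher_string("PROFILE=SYSTEM", policy_file),
        "system_tightened": expand_cipher_string("PROFILE=SYSTEM:!kRSA", policy_file),
        "app_custom": expand_cipher_string("HIGH:!aNULL", policy_file),
        "no_policy_file": expand_cipher_string("PROFILE=SYSTEM", missing),
    }


if __name__ == "__main__":
    for name, (expanded, fallback) in demo().items():
        print(f"{name:16s} fallback={fallback!s:5s} {expanded}")
```

The `used_fallback` flag is the part a defender cares about: if a host silently falls back to built-in defaults because the policy file is missing or unreadable, the system-wide policy is not actually in force, and that condition should be logged and alerted on rather than hidden.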