OpenSSL Communities
Wed 8 Oct 2025 3:30PM

Getting rid of any published references to "OTC"

Michael Baentsch

Various publicly accessible web pages (even top search engine results) exist at openssl-library.org that are still referencing the OTC as a decision-making body -- while it no longer exists, e.g., https://openssl-library.org/policies/general/security-policy/index.html. Some do state that without offering an answer to the questions "who's deciding now" or "how long will the review of this state take", e.g., https://www.openssl-library.org/policies/technical/index.html.

This issue is to ask whether anyone agrees this is a problem both from a public perception/understanding perspective as well as an internal decision making perspective ("who's taking up the [various] OTC gavels -- and by when?").

A maybe even more concrete question: Who is working on purging all web pages containing the term "OTC" replacing those references with a description valid now in the world of BACs and TACs?

Shane Lontis Wed 8 Oct 2025 10:48PM

I would like to know the answer to this also, (BAC + TAC != OTC).

Paul Dale Thu 9 Oct 2025 2:31AM

I think this is a problem too.

Nicola Tuveri Thu 9 Oct 2025 4:15AM

I agree as well: those policies are overdue for an update since OTC is no more, and the project is doing a disservice to its users by being unclear or misleading about how those matters, that were important enough to become written policies, are being resolved now.

I would definitely raise this as an issue and advise to address it as soon as possible in my representative capacity, as this was part of the feedback as well that I got at the conference from those who engaged with me.

James Bourne Fri 10 Oct 2025 8:12AM

A formal combined recommendation should be made by C-BAC + F-BAC + C-TAC + F-TAC to respective boards to implement a regular review process of all website content and policies, where that cadence is at least annual. The key drivers for this are:

  • Legal compliance

  • Business evolution

  • Risk management

  • Industry standards

  • Employee and stakeholder clarity

  • Liability protection

The need for this is embodied in well-known cybersecurity frameworks, including ISO 27001, NIST 800-53, SOC2, etc. For example:

ISO 27001:2022 Annex A 5.1 - Policies for information security
Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.

I took a quick look at the CCLA, and while it doesn't contain a reference to OTC, it is versioned but undated. The same applies to all public-facing policies.

I don't believe any "vote" is required on this, as this is normal business practice. How do we proceed to a formal recommendation?

Michael Baentsch Fri 10 Oct 2025 12:00PM

I don't think either that a "vote" is required as it seems common sense to update documents that are outdated. But it has happened despite a long "cutover time" between announcement & formation of *-B|TACs and dissolution of OTC. My very personal guess is that it's because no-one was in the "driver's seat", i.e., everyone could easily point to someone else.

In sum what I'm a bit concerned about is that there's 6 decision bodies (F|B-B|TACs+F|B-directors) involved and each may wait for another one to take action.

Looking at other such "distributed decision taking" organizations, say the UN, a (1!) "secretary general" could help move such things, e.g., by formulating a "common sense" policy that goes into effect by a given deadline if no dissenting bodies counter by then with alternative proposals (that then could be voted on).

Or, anyone participating in the discussion can make a proposal that, if not rejected by some time, automatically gets adopted by all 6 entities (or, any, or all decision bodies create separate issues in their communities to develop an alternative proposal).

Following the latter logic, what about this:

"All documents published on an OpenSSL web site are held in a public github-based repository that is regularly updated as any other OpenSSL GH repo to follow and document the evolution of the project by way of PRs reviewed by the Documentation Review Committee (e.g., 1 rep of each *-BAC, or any other folks they appoint, e.g., marketing team members). All documents describing policies affecting the project are particularly marked as such and get reviewed in October of each calendar year by the Review Committee. Each document found to be in need of update is labelled as such in an issue raised in the documentation GH repo. It shall be the joint responsibility of all BAC and TAC members to provide suitable PRs with a reformulation proposal within 10 days of issue creation. All issues not receiving a PR within this time are then open to the community to provide a re-formulation PR that then is subject to usual GH remediation procedures using Reviewer approval, possibly in combination with discussion and votes in B|TACs. All documents with "update-required" issues not receiving any PR within 30 days are deleted."

-> This would define process, responsibilities, split the work load, define a timeline, cull no longer relevant material and allow the community to help as/if B|TAC members are busy doing more important things.

Nicola Tuveri Fri 10 Oct 2025 12:20PM

I think that technically only the 2 boards of directors count as decision bodies.

The 4 BAC/TACs only advise: in more controversial things as BAC/TACs we might need to tally votes or in some way evaluate if we reach consensus, but on this very matter I don’t expect any representative to object to proceed with the recommendation as outlined by James.

After we issue our recommendation, it is up to the boards to decide whether they want to act on it and how to do so, including assigning the people responsible for updating the user-facing pages across the various websites as necessary.

Independently of the boards' decisions, nothing prevents BAC/TACs from autonomously reviewing, with whatever cadence we prefer, the outstanding policies and routinely nagging the Corporation and Foundation for clarifications, improvements, changes, etc., or consulting our communities for feedback on the ways these policies fit or don’t fit our users.

Michael Baentsch Fri 10 Oct 2025 3:09PM

The "...routinely nag the Corporation and Foundation..." part I like :-).

More seriously, I'd like to support the work beyond nagging, e.g., by way of PRs -- and if it's only to say in which places changes appear due (but maybe also already propose new text such as to relieve of such tasks the people doing more relevant things, like real code or PR reviews). Right now, I cannot, though (e.g., where are all the WWW pages to scour them in a more "ready-to-act" manner for next steps)?

Tim Hudson Mon 13 Oct 2025 3:38AM

The top-level policy page for both general and technical have a note of "Note that the policies listed on this page are out of date and are in the process of review. They refer to governance structures that have been replaced and no longer exist (e.g. OMC and OTC). They are provided for guidance purposes only and are not definitive." which was put in place when things changed. All the responsibilities of the OMC and OTC were delegated co-equally to the Foundation and the Corporation (boards of directors).

See the note at https://openssl-library.org/policies/general/ and https://openssl-library.org/policies/technical/

This was discussed at the last joint meeting of the foundation and corporation and two individuals were tasked with drafting a set of updates for review and approval. This hasn't yet been completed. There was a clear consensus on what to do with most of the policies.

I will follow up and get a status update provided.