OpenSSL Communities

Meeting Minutes: Board and TAC Monthly (2025-12-09)

Anton Arapov, Tue 9 Dec 2025 7:52AM

Below are the minutes from the recent TAC and Board of Directors meeting. Everyone is encouraged to review the minutes and actively participate in the discussion. This is an opportunity to talk directly with TAC members by replying in the thread below. Your input helps ensure the OpenSSL community remains transparent, collaborative, and responsive to your needs.

Attendees

@Anton Arapov, @Dmitry Belyavsky, @Aditya Koranga, @Craig Lorentzen, @Shane Lontis

High-level topics covered

  • Committers/community onboarding and process gaps

  • Pull request (PR) review workflow, backlog, and automation

  • Ownership and maintenance concerns for CMP (Certificate Management Protocol) and x509-related code

  • c-style rollover and tooling to update PRs

  • Supply chain and SBOM-related proposal

  • Administrative updates: TAC fund assignments and policy cleanup

  • Next meeting scheduling

Detailed points and discussion

1) Committers onboarding

  • Dmitry raised the need to add new committers to the committers community and to streamline the process so the committers community can serve its purpose.

  • Anton acknowledged it had been forgotten and committed to adding the new people to the committers community. Action: Anton to add new committers.

  • It was noted that there is no straightforward written process describing how committers should perform reviews or what thresholds/expectations exist for staying a committer. Creating such policies would be helpful for the TAC.

2) Pull request (PR) backlog, review process, and automation

  • Dmitry described the PR review process as “completely broken” in practice: many PRs remain open for extended periods (90+ days); labels like “waiting for committers” often do not reflect the real status (some PRs labeled as waiting for committers actually have unresolved comments awaiting contributor action).

  • He proposed writing a concrete proposal (targeting January) that defines a process and resource requirements (from both the corporation and the foundation), including throughput goals (e.g., reviewing N PRs per week) to prevent PR abandonment.

  • Anton and others discussed available data and tooling: GitHub provides metadata (last updated, activity timestamps) that can identify neglected PRs. Advanced search filters can be used to slice the backlog by update time.

  • Discussion on automation and notifications: Anton noted that once a process and its timeframes are defined, automation can be implemented (e.g., notifying responsible committers). Dmitry warned about notification noise; Anton suggested filtering by quality and responsibilities.

  • Ownership/triage contacts: Anton pointed to the "marshal" role (@Tomas Mraz) responsible for code coming through GitHub — Dmitry will schedule discussions with Tomas to explore triage improvements.

3) c-style / repository formatting rollover

  • Aditya asked about the c-style (coding style) rollover and whether there will be an automated way to inform PR authors to update their changes to the new style.

  • Anton confirmed there is interest and that @Tomas Vavra is working on tooling to explain how to update PRs, and that the team produces transformations and checks across build platforms (Windows/Linux) and compares outputs.

  • Shane suggested performing automated updates as part of the merge process (scripted mass update) if the project is confident in the scripts; Anton said the current practice includes multiple machines running the change and comparing results for correctness.

  • The style change tooling can also help identify very old/inactive PRs, supporting Dmitry’s backlog-cleanup proposal.

4) CMP (Certificate Management Protocol) codebase concerns and possible separation

  • Dmitry presented concerns about the CMP implementation being niche, primarily developed by Siemens (David), and that activity on its issues is neglected.

  • He proposed separating CMP into a separate subcomponent/library (initially built into OpenSSL) so it can evolve at its own pace without slowing the main tree.

  • Points raised:

    • Separation is appropriate for modules with different development speeds or requirements, similar to earlier separations (example discussed verbally in the meeting).

    • Practical limitations include internal API usage by CMP and x509 interactions — separation must handle these dependencies with agreement from maintainers (notably David) and allocated resources.

    • Dmitry also expressed concern that knowledge ownership is thin (Victor apparently being the main person understanding some code paths), implying a risk and a need to improve code ownership and maintenance.

  • Action: Dmitry will draft the proposal and bring it to the TAC/committer community for feedback (planned for after the holidays, in the January timeframe). Anton encouraged community consultation and the publication of the proposal for comments.

5) x509 code and ownership concerns

  • Dmitry observed changes in the X509 code and multiple maintenance areas; he expressed concern about single-person knowledge and low ownership across some areas.

  • Shane and others agreed that this is a complex area with many small pieces and potential bitrot.

  • Suggested action: improve code ownership and resource allocation for critical areas.

6) Supply chain and SBOM-related proposal

  • Anton reported on supply chain interest from companies, including AWS, and referenced a proposed SBOM implementation. This proposal exists and was reviewed internally; TAC technical reviewers are requested to review it. Action: @Tomas Vavra to check whether the proposal has reached a shareable state and, if so, share it.

7) TAC/admin updates

  • The TAC held its first vote to assign funds, to Aditya (who was congratulated); the Business Advisory Committee also assigned funds to Jaroslav for a meeting room at FOSDEM for distribution representatives.

  • Jaroslav is drafting a document to formalize the process of assigning funds; this will be reused when ready.

  • Shane noted that the Technical Policies pages had been cleaned; Anton and Shane checked the policy locations (links provided during the meeting) and confirmed that the platform policy still exists under the general policy.

8) Miscellaneous

  • Aditya attended events representing OpenSSL and reported positive community interactions: multiple people approached him, saying they use OpenSSL for authentication/authorization.

  • Anton asked Aditya to pass on the contacts so that the OpenSSL team can follow up.

  • Anton confirmed that the next TAC meeting is scheduled for 12 January (the second week of January).

Decisions / Agreed actions

  • Anton: Add new committers to the committers community (task accepted).

  • Dmitry: Draft a formal proposal (January) for PR review workflow, processes, triage, throughput targets, and resource requirements; bring to the committers community and TAC for feedback.

  • Dmitry: Engage with Tomas Mraz to discuss incoming issues and PRs triage.

  • Dmitry: Draft a proposal to split CMP into a distinct subcomponent/library and circulate it to the TAC/committer community for feedback (planned after the holidays).

  • Tomas Vavra: Check the SBOM proposal state and share to collect technical feedback.

Risks / Concerns Highlighted

  • PR abandonment and poor signaling of PR status impede community contributions and slow development.

  • Over-notification and notification fatigue could reduce the effectiveness of automation if not carefully scoped.

  • CMP and some x509 areas appear to have low knowledge redundancy and limited ownership, risking maintainability.

  • Policy/process gaps (committers’ expectations and thresholds for performing reviews) need explicit documentation to avoid misunderstandings and abuse.

Follow-ups / Next steps

  • Anton is to complete the committers' onboarding task.

  • Dmitry to produce PR review process proposal and CMP separation proposal (January timeframe); solicit community feedback.

  • Dmitry to schedule conversations with Tomas to discuss triage responsibilities.

  • Craig to prepare the arm64/Graviton CI donation proposal.

  • Anton to verify and report back on the c-style update tooling and whether automated PR updates on merge are feasible.

Next meeting

  • Planned for the second week of January — 12 January 2026.