Foundation BAC meeting (July 29, 2025)

Attendees:
-
Removal of SSLv3 (Matt)
Off by default for about a decade
3.6 or 4.0?
Paul says yes for 3.6
Tomas wants to do it in 4.0 to avoid breaking semantic versioning. (Matt: +1)
Nicola says it’s not controversial to remove in the academic community
Dmitry mentioned distributions don’t have a problem
Corporation BAC has an action item to warn the communities (Paul)
PR is actually really straightforward (Matt)
SSLv2 Client Hello accepted by default (because of Windows XP, which is still in use) (Matt)
The SSLv2 Client Hello can get you TLS 1.0, if it’s available. (Tomas)
If the SSLv2 Client Hello is disabled, you won’t be able to accept connections from IE 6.0 on XP.
https://gs.statcounter.com/ (Dmitry)
-
BIGNUM update (Matt)
We have some potential funding, but we can’t actually discuss it just yet. You will see some announcements in a week or so, if all goes to plan. (Matt)
[Editor's note: we can now say the funding comes from the Sovereign Tech Fund. The agreement needed to be finalized before we could give this detail.]
Is there a problem statement for the update? (Dmitry)
BIGNUM constant time. Making BIGNUMs a fixed width as a solution. (Matt)
Will not be optimization of the sort of testing Red Hat is doing. (Matt)
We are not planning on doing a general BIGNUM library. We can make it constant time for the sizes of numbers needed for the algorithm. (Tomas)
Design and backward compatibility are part of the proposal. (Matt)
Could take up to a year to deliver, so not likely for 4.0. (Matt)
Could this go in a minor release? (Nicola)
Might require removing deprecated functions from 4.0 anyway. (Tomas)
We should be writing the design early on, so we will have time to deprecate things in time for 4.0. (Matt)
-
Conference/f2f update (Matt)
Join F2F with the TAC the day before the conference (Monday the 6th). (Matt)
Thank everyone for reviewing all the talks! (Matt)
Hana is putting together the agenda to put on the website soon as well as registration. (Matt)
[Editor's note: the agenda is now available and registration is open.]
Nicola says people at ITF are asking when the registration will open.
Will the portal for submitting talks close when registration opens? (Nicola)
Hana hasn’t said one way or another, but Matt will ask. Also check if we can take last submissions whether or not the portal is open.
Jon plans to moderate a panel at the conference with all TAC and BAC representatives for Q&A
-
Release strategy: more prominence to cut-off dates (even if estimates subject to change) (Nicola)
Even in this call the feature freeze date wasn’t exactly known. (Nicola)
The exact date isn’t definitely known. (Matt)
Shifting a little later isn’t usually a problem. (Matt)
If we give the dates, we will get many PRs just before the freeze date and they won’t get merged. (Tomas)
PRs are waiting to get reviews, so it’s not just getting them in before the release. (Paul)
Expected week doesn’t mean a feature will be accepted, but it can still help with planning. (Nicola)
Dates would need a lot of caveats, etc. (Matt)
Nicola pointed out the feedback wasn’t from his constituents, but that feedback can still be valuable. Might be useful to raise the issue in the Corporation BAC.
-
AOB
None
Action items
Reach out to your communities to let them know SSLv3 will be removed and get feedback on timing
BAC comes back with a decision before August 12 (Nicola)
Investigate whether we can publish projected dates for feature freeze, alphas, etc. (Matt)