OpenSSL Communities

Meeting Minutes: Board and TAC Monthly (2025-09-08)

Anton Arapov

OpenSSL Corp BoD & TAC Monthly Meeting – 2025-09-08

Participants: Aditya Koranga, Anton Arapov, Dmitry Belyavskiy, Nicola Tuveri, Shane Lontis

Also Invited/Didn't Attend: Tim Hudson, Craig Lorentzen, Paul Yang


1. Meeting Opening and Agenda

  • Anton Arapov opened the meeting, noting absences and late arrivals.
  • Agenda derived from the TAC group thread.

2. Contributor & User Survey (Presented by Aditya Koranga)

Scope & Demographics:

  • ~15–16 respondents; diverse experience (2 years to 20+ years).
  • 36% with 20+ years, 36% with 5–10 years.

Reported Uses:

  • Enterprise applications, MongoDB security, TLS/cert management, VPN integration, cryptographic functions, SSH keys, learning TLS/SSL concepts, API security.

Feedback Themes:

  • Performance: Multi-core issues in OpenSSL 3.x; requests to leverage AVX2 and optimize PQC algorithms.
  • Security: Lack of certificate revocation checks in CMS encryption.
  • Documentation: Strong need for discoverable, user/admin-focused guides.
  • Community Engagement: Desire for more transparency and interaction.
  • Modularity & Codebase: Calls for clearer separation of primitives, TLS, key management, and out-of-process key agents.
  • Official Binaries & Tooling: Demand for multiplatform binaries and GUI tools for certificate management.
  • Legacy Provider: Seen as unnecessarily complex.

Positive Feedback:

  • Transparency, strong community engagement, and clear release communication.

AI-Suggested Priorities:

  • Immediate: Certificate revocation checks, multicore performance.
  • Midterm: Documentation, official binaries, modularization, simplification of legacy provider.
  • Long Term: Legacy algorithm support, improved TLS tooling, advanced state machines.

Strategic User Segmentation:

  • Developers → performance & clarity.
  • Security Teams → revocation & cryptographic strength.
  • Enterprises → multiplatform binaries & compatibility.
  • Legacy Maintainers → support for older algorithms.
  • Community → transparency & collaboration.

Follow-ups:

  • Nicola suggested clearer presentation (timeline-based usage graphs, respondent counts).
  • Anton emphasized making findings public and actionable.
  • Aditya proposed reaching out to respondents for deeper use-case clarifications.

3. Auto-Generated Files in Repository

  • Debate between Dmitry and Shane:
    • Pros (commit): Prevent loss after make clean, simplify CI, avoid overwriting, assist navigation.
    • Cons (commit): Merge conflicts, redundancy, maintenance burden.
  • Dmitry suggested polling committers; Shane stressed avoiding a repeat of past "num file" merge issues.
  • Consensus: conduct committer poll.

4. Committers’ Engagement & TAC Role

  • Shane: low committer response rates; 2–3 replies are not representative.
  • Anton: polls may improve notifications/engagement.
  • Shane: TAC may lack the technical depth of the former OTC; suggested committers’ meetings for interactive discussion.

5. Issue Tracking, Decision-Making & Release Planning

Problems Identified:

  • PRs/issues with consensus often fall off radar.
  • Lack of clear process for moving issues into release backlogs.
  • Ambiguity on authority/responsibility between TAC, release teams, and committers.

Proposals:

  • Documented workflow for lifecycle: issue → backlog → release.
  • Process for reviewing “stacked” items (e.g., deferred to 4.0/5.0).
  • Consider TAC-hold model.

Next Steps:

  • Group to refine process at Brno in-person meetings (with BAC/TAC).

6. Scheduling Next Meeting

  • Next TAC meeting scheduled for October 13, 2025.
  • To decide during/after the BAC/TAC in-person gathering in Brno whether the October meeting is needed.

Actionable Items

Responsible: Action

  • Anton & Aditya: Make survey results public; coordinate with BAC/Individuals group.
  • Aditya: Reach out to respondents for detailed clarifications.
  • Dmitry: Raise committer poll on auto-generated files.
  • TAC/BAC Members: Develop formal workflow for issue lifecycle, prioritization, and decision-making.
  • TAC Members: Decide next call timing.

Craig Lorentzen Mon 8 Sep 2025 1:56PM

Providers are a topic I have in mind; the complexity of both build and runtime configuration is something my customers encounter, especially when using the FIPS provider. I'm wondering if a method to enable at build time and not require runtime configuration is something other customers would like, e.g. keep the flexibility of providers to bring new features, but make it so runtime does not affect what is enabled.

  • I realize this would require a change in how openssl finds modules...

I also agree with Shane about technical depth compared to OTC. I think this was the idea of having PRs in GitHub be tagged as TAC review instead of the former OTC review, is that correct?

Paul Yang Tue 23 Sep 2025 6:41AM

The invitation was missed. I thought it would be on Oct 13...