Mon 8 Sep 2025 1:34PM
Meeting Minutes: Board and TAC Monthly (2025-09-08)

OpenSSL Corp BoD & TAC Monthly Meeting – 2025-09-08
Participants: Aditya Koranga, Anton Arapov, Dmitry Belyavskiy, Nicola Tuveri, Shane Lontis
Also Invited/Didn't Attend: Tim Hudson, Craig Lorentzen, Paul Yang
1. Meeting Opening and Agenda
- Anton Arapov opened the meeting, noting absences and late arrivals.
- Agenda derived from the TAC group thread.
2. Contributor & User Survey (Presented by Aditya Koranga)
Scope & Demographics:
- ~15–16 respondents; diverse experience (2 years to 20+ years).
- 36% with 20+ years, 36% with 5–10 years.
Reported Uses:
- Enterprise applications, MongoDB security, TLS/cert management, VPN integration, cryptographic functions, SSH keys, learning TLS/SSL concepts, API security.
Feedback Themes:
- Performance: Multi-core issues in OpenSSL 3.x; requests to leverage AVX2 and optimize PQC algorithms.
- Security: Lack of certificate revocation checks in CMS encryption.
- Documentation: Strong need for discoverable, user/admin-focused guides.
- Community Engagement: Desire for more transparency and interaction.
- Modularity & Codebase: Calls for clearer separation of primitives, TLS, key management, and out-of-process key agents.
- Official Binaries & Tooling: Demand for multiplatform binaries and GUI tools for certificate management.
- Legacy Provider: Seen as unnecessarily complex.
Positive Feedback:
- Transparency, strong community engagement, and clear release communication.
AI-Suggested Priorities:
- Immediate: Certificate revocation checks, multicore performance.
- Midterm: Documentation, official binaries, modularization, simplification of legacy provider.
- Long Term: Legacy algorithm support, improved TLS tooling, advanced state machines.
Strategic User Segmentation:
- Developers → performance & clarity.
- Security Teams → revocation & cryptographic strength.
- Enterprises → multiplatform binaries & compatibility.
- Legacy Maintainers → support for older algorithms.
- Community → transparency & collaboration.
Follow-ups:
- Nicola suggested clearer presentation (timeline-based usage graphs, respondent counts).
- Anton emphasized making findings public and actionable.
- Aditya proposed reaching out to respondents for deeper use-case clarifications.
3. Auto-Generated Files in Repository
- Debate between Dmitry and Shane:
  - Pros (commit): Prevent loss after `make clean`, simplify CI, avoid overwriting, assist navigation.
  - Cons (commit): Merge conflicts, redundancy, maintenance burden.
- Dmitry suggested polling committers; Shane stressed avoiding repeat of past "num file" merge issues.
- Consensus: conduct committer poll.
4. Committers’ Engagement & TAC Role
- Shane: low committer response rates; 2–3 replies are not representative.
- Anton: polls may improve notifications/engagement.
- Shane: TAC may lack technical depth of former OTC, suggested committers’ meetings for interactive discussion.
5. Issue Tracking, Decision-Making & Release Planning
Problems Identified:
- PRs/issues with consensus often fall off radar.
- Lack of clear process for moving issues into release backlogs.
- Ambiguity on authority/responsibility between TAC, release teams, and committers.
Proposals:
- Documented workflow for lifecycle: issue → backlog → release.
- Process for reviewing “stacked” items (e.g., deferred to 4.0/5.0).
- Consider TAC-hold model.
Next Steps:
- Group to refine process at Brno in-person meetings (with BAC/TAC).
6. Scheduling Next Meeting
- Next TAC meeting scheduled for October 13, 2025.
- To decide during/after BAC/TAC in-person gathering in Brno whether the meeting in October is needed.
Actionable Items
Responsible | Action |
---|---|
Anton & Aditya | Make survey results public; coordinate with BAC/Individuals group. |
Aditya | Reach out to respondents for detailed clarifications. |
Dmitry | Raise committer poll on auto-generated files. |
TAC/BAC Members | Develop formal workflow for issue lifecycle, prioritization, and decision-making. |
TAC Members | Decide next call timing. |

Paul Yang Tue 23 Sep 2025 6:41AM
The invitation was missed. I thought it will be on Oct 13...
Craig Lorentzen · Mon 8 Sep 2025 1:56PM
Providers are a topic I have in mind; the complexity of both build and runtime configuration is something my customers encounter, especially when using the FIPS provider. I'm wondering if a method to enable at build time and not require runtime configuration is something other customers would like, e.g. keep the flexibility of providers to bring new features, but make it so runtime does not affect what is enabled.
I realize this would require a change in how openssl finds modules...
I also agree with Shane about technical depth compared to OTC. I think this was the idea of having PRs in github be tagged as TAC review instead of the former OTC review, is that correct?