OpenSSL Communities

Proposed escalation policy

Jon Ericson Wed 15 Oct 2025 11:31PM

The Foundation TAC has been discussing an escalation strategy when problems arise that need broader community feedback and eventually a decision. This policy would partially replace the OMC and OTC hold process. Critically, however, this is a bottom-up, rather than top-down, process. Anyone can initiate the process.

The first step would be to start a conversation in the General Discussion forum. If the concern was prompted by an issue, pull request or GitHub discussion, cross post links so that people on GitHub know the conversation is happening here and people here can see the relevant context. Anyone with triage access on the OpenSSL repository could also apply the "community feedback requested" label so that people can tell there's an outside conversation happening without reading all the comments. When a decision has been made, the label could be removed, but leave the links and discussion so that future readers can see the historical record.

The next step depends on the nature of the problem. If the problem is specific to a subset of the communities, someone (usually a TAC or BAC representative) could start a decision process in individual communities. An advisory committee might take up the question and discuss it in their next meeting. Some questions might need to be further escalated to the Corporation and Foundation directors.

Overall the goal of this process is to gather feedback and make decisions in a way that reflects the OpenSSL Mission and Values. It's not intended to be a barrier for people who don't (yet) understand how decisions are made, so the intent is for everyone to make a good faith effort to understand other people's point of view.

Please provide feedback below.

Aditya Koranga Sun 19 Oct 2025 12:40PM

Thanks @Jon Ericson. The proposed escalation policy looks fine to me.
And I fully agree with what @Nicola Tuveri has mentioned in the above replies and we should 'avoid conflating what the OTC did with what the TAC does'.

Thanks @Anton Arapov for mentioning the scope and roles of TAC and BAC. And I think we need another thread or doc (if there isn't one) that clearly states the scope and roles of TAC and BAC (including the Foundation and Corporation) for the people to better understand the overall functioning of this system.

Jon Ericson Tue 21 Oct 2025 4:55AM

I think there are two use cases when this process will be especially useful:

  1. When a little discussion will reveal a general consensus. For instance, the discussion of how to support DTLS 1.3 helped the people interested in that feature make a plan. Sometimes it just takes someone passing around a concrete proposal to get a project moving. (I would also say that applies to this very escalation proposal!)
  2. When there isn't enough feedback to know how to proceed in a way that will be generally useful. For instance, Dmitry Belyavsky proposed a SIG for opaque symmetric keys because Red Hat contributed a feature that meets their needs and it would help the next step to have other use cases.

The problem, as @beldmit and @baentsch point out, is when there isn't an easy consensus just from discussing an issue. As @anton said, ultimately the buck stops with the Foundation and Corporation directors. I think where the escalation policy could help is that it gives the community a way to surface issues that need a decision. In particular, since we have regular meetings with the advisory committees, they can add items to the agenda so that the directors have a chance to consider them.

I don't think this is the be-all and end-all process. But I do think it's an important piece in the puzzle.

Dmitry Belyavsky Tue 21 Oct 2025 9:29AM

Speaking frankly, I'm more afraid of a lack of feedback. This is what I need an escalation procedure for the most :)