January 15, 2026 meeting minutes
Attendees:
Notes
-
We have a stand at FOSDEM. Please let your communities know.
Dmitry will attend, but his talk wasn’t accepted, so people won’t hear about EVP_PKEYs on OpenSSL.
-
New website! Have a look and let us know if you see anything we can improve.
Part of the goal is to attract a wider audience (Matt)
Blog post about the Conference videos? (Nicola)
Annual report preview.
-
Valgrind suppressions file
OpenSSL will no longer register functions to be run atexit. This solves a number of problems, but Valgrind will complain about leaks (that aren’t really memory leaks). So we will publish a Valgrind suppressions file for people who want to use Valgrind and don’t want false positives. (Matt)
Impact on providers? The destructor functions of providers don’t currently get run on Red Hat, where the atexit functions aren’t registered. (Nicola)
The application can call OPENSSL_cleanup() if needed.
If the destructor of the provider does more than trivial things, that could be a problem. (Tomas) “Don’t do more than trivial things!” (Richard)
Providers shouldn’t depend on destructors being called on exit. It’s fragile design. (Tomas)
Whatever the solution, provider developers should be made aware of the right way to handle this. (See: https://docs.openssl.org/master/man3/OPENSSL_init_crypto/#description) (Nicola)
-
Dropping legacy Windows stuff
https://openssl-communities.org/d/UkdEzIf2/change-minimal-supported-windows-version-for-openssl-4-0
It’s not clear what the benefit would be. Maybe an intermediate solution would be to not compile in the Windows XP API by default, but allow it to be optionally compiled in. (Matt)
Windows 7 is still widely used. (Richard and Dmitry)
Windows XP is still being used for critical software. It’s unlikely that the people who might be impacted are reading the thread, and they are hard to reach. (Nicola)
Too late in the development cycle to drop support. (Matt)
-
Disabling explicit EC curves by default
Committer votes: https://openssl-communities.org/d/eJfBZGV7/disabling-explicit-curves-in-openssl-4-0-by-default
Distribution votes: https://openssl-communities.org/d/WXQZAPnj/disabling-support-of-explicit-curves-in-openssl-via-compilation-options
Nicola will add a poll for the Academic community
-
Discuss the critiques from pyca and haproxy (Nicola):
can the TAC do something to engage these projects here on openssl-communities
can we get them to contribute to prioritize/mitigate/remediate the pain points, while still aligning with the project vision?
most of the pain points are of a technical nature, and at least in the latest writeup from pyca, it is apparent that some of them are particularly painful because they seem to net no real gain. This suggests that maybe the TAC needs to recommend investing resources in documenting for the public the intent behind some of the controversial items raised in the complaints.
Nothing in the critiques is a surprise to people who have been a part of developing the changes. (Matt)
The OpenSSL communities are seeing the critiques, but might not be aware of the reasons for the changes or what was gained. (Nicola)
Some critiques are valid and we should just address the problems. (Matt)
Providers have to deal with the unknown. Applications might need to communicate to a provider information that libcrypto doesn’t know anything about. We need to do a better job explaining why these sorts of things are useful to some applications/providers. (Richard)
The critiques miss the benefit of flexibility and only compare to how things worked before the provider mechanism. (Nicola)
Action items
General discussion about the critiques and invite people to chime in. (But focus on solutions rather than questions about whether the critiques are fair, etc.) (Jon)
Foundation to consider spending resources to educate people about the reasons for the design changes.