Meeting Minutes: Board and TAC Monthly (2026-02-09)
Below are the minutes from the recent TAC and Board of Directors meeting. Everyone is encouraged to review the minutes and actively participate in the discussion. This is an opportunity to talk directly with TAC members by replying in the thread below. Your input helps ensure the OpenSSL community remains transparent, collaborative, and responsive to your needs.
Attendees
@Anton Arapov, @Dmitry Belyavsky, @Hana Andersen, @Lenka Luklova, @Nicola Tuveri, @Tim Hudson
High-level topics covered
Community and distro engagement following FOSDEM / Boston meetings
FIPS 140 and the need for unified, documented positions for labs
Provider packaging, configuration, and multi-version coexistence
Configuration, security, and maintainability concerns
Performance notes from Java / JNI ecosystem discussions
Detailed points and discussion
1) Distros meeting report and community engagement
Dmitry summarized outcomes from the Distros session, noting that while participation was limited, the discussion surfaced several technical requirements relevant to Linux distributions and other stakeholders. Attendees included both traditional distro maintainers and non-traditional participants such as Microsoft and Chainguard.
Community follow-up materials (blog post, photos, and shared documents) were referenced. Hana will circulate links, and Dmitry shared relevant community resources for continued engagement.
2) FIPS 140 – unified positions for labs
From a business perspective, inconsistent lab interpretations create incompatible downstream requirements. From a technical perspective, the TAC must provide clear, well-justified technical documentation to support consistent guidance.
The group agreed that TAC technical write-ups are required to enable the business-facing messaging and improve alignment with validation labs.
3) Separating provider folders for major OpenSSL releases
Dmitry raised concerns about shipping multiple OpenSSL versions and providers within a single installation tree, highlighting file collisions and package relationship issues faced by distributions.
Tim requested a clearer articulation of the underlying problem and desired outcomes (e.g., shared vs separate configuration trees, runtime vs compile-time concerns). Dmitry acknowledged that current discussions mix problem statements and solution proposals and committed to producing a clearer, consolidated problem description for community review.
4) Configuration files, paths, and security
Tim emphasized that absolute paths in configuration files negatively impact portability and maintainability. Configuration should be relative to installed locations, and security-sensitive loading mechanisms should be clearly separated from non-security configuration.
It was noted that allowing redirection of configuration via environment variables can introduce security risks, and that absolute paths do not inherently mitigate those risks.
5) Packaging and cross-platform considerations
The group agreed that these challenges are not Linux-specific. Windows and other platforms also require approaches that allow multiple OpenSSL builds to coexist while managing both runtime behavior and developer expectations.
File collisions and overlapping packages were acknowledged as a long-standing packaging issue that needs deliberate design support.
6) Community visibility and follow-through
Tim stressed the importance of visible follow-up in community forums. Even decisions not to address an issue should be communicated clearly to maintain trust and transparency.
Dmitry will consolidate related discussions and ensure progress (or lack thereof) is visible to the wider community.
7) Java / JNI performance note
Nicola shared observations from benchmarking in the Java ecosystem, where the Jostle OpenSSL provider showed stronger-than-expected throughput.
Tim noted that JNI performance is highly dependent on careful implementation, including reference pinning and avoiding per-call overhead, and briefly discussed best practices.
Decisions / Agreed actions
Dmitry: Produce a clear problem statement for separating provider folders and post a consolidated discussion to community forums;
Prepare technical write-ups to support unified, lab-facing FIPS 140 guidance in coordination with BAC.
Next meeting
Planned for March 9, 2026 (UTC).