OpenSSL 3.6: the Foundation perspective

On October 1, OpenSSL 3.6 was released. Since the Library operates on time-based releases, each version includes only features that have been merged when the code freeze happens. In this way, releases happen at a predictable time while allowing code improvements to be developed at the appropriate pace.

For instance, 3.5 included initial work on EVP_SKEY and that feature was fleshed out in 3.6 with support in the key derivation and key exchange provider methods.

In order to be included in an OpenSSL Library release, a pull request needs to be reviewed by at least two committers. Originally all committers were individuals who volunteered their time and expertise to the project. These days, most committers contribute as a part of their paying job. Some work for businesses that integrate OpenSSL in their own products. Some work for the OpenSSL Corporation that employs developers out of revenue from selling service contracts. Three of the committers work for the OpenSSL Foundation thanks to our supporters.

According to the contributor statistics, Foundation staff did 41% of the reviews for 3.6 changes:

Committer        Reviews  Percentage
Tomas Mraz       1353     25.8
Matt Caswell     681      13.0
Richard Levitte  133      2.5

In addition, each of these developers serves on the Foundation’s Board of Directors and has other staff duties.

Not every pull request is created equal. Some require detailed and time-consuming review while others take just a few minutes to sanity check. What’s more, some changes implement features that only reviewers with specialized knowledge can properly evaluate. One of the long-term goals of the Foundation is to nurture the next generation of OpenSSL experts. It’s one of the reasons we are bringing new developers, such as Daniel Kubec, on to the Foundation staff.
