The OpenSSL development team typically don't comment on a request until
they've fixed it.  (I believe this is "poor customer service", but I
also believe that I'm not entitled to "good customer service" until I've
paid for it.)

What appears to happen is this:

1) bug submitter sends an email to r...@openssl.org
2) rt records it, along with any attached patches, and mails openssl-dev
and the core committers
3) One of the core committers (eventually) looks at it
4) One of the core committers (eventually) integrates it
5) The core committer comments on the bug about when the patch was
checked in, or other pertinent details
6) Eventually, the next release of OpenSSL comes out, with the patch
included.

OpenSSL isn't "open" open-source software, in that the core
committers appear to maintain a separate mailing list where they
coordinate how they're working on new pieces and how they're supposed to
interact.  (If I had to guess, I'd think that this was primarily done
for the FIPS validation effort [since the CMVP is used to
non-open-source development strategies], but it might have been that too
many people without any knowledge of security were trying to suggest
things that were completely and inexplicably just not getting the
concepts of "security is a chain of components, which is only as strong
as its weakest link".  I am not a member of the core committing team,
and in fact I have no direct correspondence with them, so these are
guesses.)

It would be nice to interview the developers, and ask them what's
different in 1.0.0 over 0.9.8, as well as to get an idea of their plans
for the future and some of the flavors of their personalities.  However,
I'm also not a journalist, so I'm not the appropriate person to do that,
either.

However: the best way to add comments (including comments on how long
it's taking to process your patch) to your bug report is not to complain
on the openssl-users list, it's to reply to r...@openssl.org with your bug
number in the Subject line.  That will cause it to add your
correspondence to its record, and bounce it to openssl-dev and all the
developers.

I wish there were a customer service organization for it as good as
Debian's... but there are other issues there.

-Kyle H

On 7/27/10 1:31 PM, Jake Goulding wrote:
> Thanks for the information about the rt address. We sent the
> explanation and patch as you suggested, and can now see the issue on
> the tracker list. However, no one has commented on it. Are there
> additional steps we can take to further the process of accepting the
> patch?
>
> Thanks!
>
> Jake Goulding | Software Engineer
> gould...@vivisimo.com | Connect: www.vivisimo.com
> Vivisimo - Information Optimized
>
> ----- "Ger Hobbelt" <g...@hobbelt.com> wrote:
>
>> Don't be sorry, this is great work!! I'm glad the culprit has been
>> found (and fixed)!
>>
>> BTW: To help the OpenSSL core team help track and fix this, it would
>> be good to submit your message + patch to r...@openssl.org so it ends up
>> as an issue ticket in the tracker and this material does not disappear
>> off the horizon of an ever progressing discussion list. A reference to
>> this email thread in the RT would be handy, e.g.:
>> http://www.bluequartz.us/phpBB2/viewtopic.php?t=131309 (the entire
>> thread is easily viewable as a set of forum messages there, so one
>> page carries all)
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org

