fixup! Add a policy for migration of algorithms to the legacy provider
nhorman committed Apr 23, 2024
1 parent 4592ed3 commit d24a167
Showing 1 changed file with 11 additions and 8 deletions.
19 changes: 11 additions & 8 deletions policies/legacy-migration.md
@@ -1,19 +1,23 @@
# Legacy Provider Policy

## Purpose
The Legacy Provider exists to create an opt-in availability mechanism for
algorithms that, for various reasons, should have their use discouraged. These
reasons include, but are not limited to:

* Discovered security issues leaving the algorithm in question unsafe for
general use

* Lack of popular use (i.e. balancing code size vs consumption frequency)

OpenSSL recognizes that consumption of these algorithms may continue to be
required by consuming applications after the conditions above have been
recognized. The Legacy provider exists to provide a mechanism for such
applications to continue to access these algorithms while allowing applications
that don't require them to inadvertently continue to use them.
applications to continue having access to these algorithms while preventing
applications that don't require them from inadvertently using them.

## Constraints on moving an algorithm to the legacy provider

1) Migration of an algorithm to the legacy provider must occur on a semantically
versioned major release boundary. Once a major release includes a given
algorithm in a given provider, it must remain there for every minor release in
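
Review bot: The Purpose section capitalizes the provider's name two ways, "The Legacy Provider exists" in the opening sentence and "The Legacy provider exists" in the paragraph reworded here, while the Constraints heading and item 1 use "legacy provider". Pick one form and apply it throughout the file, since this document defines the term for the rest of the policies. The reworded sentence ("while preventing applications that don't require them from inadvertently using them") now reads as intended.
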
Expand All @@ -31,9 +35,8 @@ provider at any time. Removal from the Legacy provider should occur only on
semantically versioned major release boundaries.

## Migration announcement mechanism
Announcements of migrations from a source provider to the Legacy provider is
made via the ALG-DEPRECATIONS.md file in the source code root directory for
OpenSSL. This file will list the algorithm SN, NID, the date at which the
deprecation was announced, and the date at which the algorithm was removed from
the source provider

Announcements of migrations from the default provider to the Legacy provider is
made via the DEPRECATIONS.md file in the source code root directory for
OpenSSL. This file will list the algorithm SN, NID, the version in which the
deprecation was announced, and the version in which the algorithm was removed
from the source provider
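
Review bot: The rewritten first sentence names "the default provider" as the origin of a migration, but the last line of the same paragraph still says "removed from the source provider". Use the same term in both places, and keep the general wording if algorithms can also migrate from providers other than the default one. Two smaller points in the added lines: "Announcements ... is made" should be "are made", and the paragraph ends without a full stop after "from the source provider".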
