Security Poodle

OpenSSL Community Survey

OpenSSL is seeking community feedback on their mission statement and values. You can find details in their blog post, or you can just send email feedback@openssl.org or fill out their Google form survey. Note that the survey doesn’t give you a chance to get your answers mailed to you. I took screenshots and transcribed my answers, shown in bold below. Feel free to copy 🙂

Mission statement: We believe everyone should have access to security and privacy tools, whoever they are, wherever they are or whatever their personal beliefs are, as a fundamental human right.

Do you believe this should be openssl’s mission?  No.

Please provide the reason for your answer: This is a political statement that says nothing about delivering code or code quality.

To what extent do you believe OpensSL currently meets this mission statement? 1 (doesn’t meet it)

Please let us know any other comments you have regarding the Mission Statement: See answer above.  OpenSSL’s mission should be to provide *open source code of high quality.* With the mission statement as written, you are free to stop development and spend all your time drafting statements to the EU, etc.

OpenSSL Values:

  • We believe all our communities are important.
  • We believe in the principles of open source software, not only for its inherent values but also for the transparency and accountability it provides to our security and privacy tools.
  • We believe in behaving in a manner that fosters trust and confidence.
  • We believe that our governance and output should be transparent and open.
  • We believe that no Government, Organisation or Individual should have undue influence over the delivery of our mission.

Do you agree that these should be OpenSSL’s values? 3 (midpoint)

Please provide the reason for your answer: Where is the item for “listen to the community” And/or “strive to meet their desires”?

To what extent do you believe OpenSSL currently meets these values? 2 (doesn’t meet it)

Please give us any other comments you have around the Value Statement? There is no indication on the website who is funded by the OpenSSL project.

Which Communities best describe you?  Please check all options that apply.
GitHub Sponsor of the OpenSSL Project
Major Sponsor of the OpenSSL Project
OS distribution which packages OpenSSL
OpenSSL Committer
X Contributor (Submitted code &/or PRs to the project, whether or not accepted or merged)
X Developer working on a product that uses OpenSSL directly
X Developer working on a product that uses OpenSSL indirectly
X User of the OpenSSL command line utility
X User of the OpenSSL FIPS provider
X User – directly using OpenSSL Software
X User – indirectly using OpenSSL Software (e.g. using via an App.)
Security researcher/security issue reporter (whether or not the report was accepted)
X Bug reporter (submitted a bug report to the project, whether or not accepted)
X Asked questions &/or asked for help using OpenSSL (either directly or via third party websites e.g. StackOverflow)
Interested in Open Source but not using OpenSSL
Current OpenSSL Support Services Customer
Past OpenSSL Support Services Customer
Corporate Entity (non-Customer)
Other:
(This was tricky – do I answer about current involvement, past, or all of them? I answered just current involvement.)

Are you responding on behalf of an Organisation or are you affiliated with an Organisation? No – I am an individual.

If “Yes” to the question above please tell us which Organisation you represent or are affiliated with? As you know, I work at Akamai.

How long have you been aware of OpenSSL? 10+ years

Would you be willing to be contacted by OpenSSL to discuss the Mission and Value Statements further? Yes

If “Yes” What is your preferred contact method? Video conference (I want face-to-face discussion, so I can learn what they’re thinking)

If “Yes” please provide your preferred contact details: I can do zoom, WebEx, MSFT Teams, etc.

The following section is optional however completing it will give OpenSSL an idea of what we need to improve on.  It should take around 5 minutes to complete, do you wish to continue?  Yes, I want to continue the survey.

We know we have work to do to live up to our Values Statement, your answers to the following questions will provide us with an idea of where we need to improve and by how much.

To what extent does OpenSSL value your Community? 2 (not very valued)

How can we improve our relationship with your Community? Specific answers given above and below.

To what extent does OpenSSL demonstrate a commitment to Open Source values? 5 (full commitment)

How open and transparent is OpenSSL? 2 (not very open and transparent)

How accountable is OpenSSL? 1 (not accountable)

To what extend (sic) do you trust OpenSSL the organisation? 1 (Don’t trust it)

How confident are you in OpenSSL the organisation? 1 (no confidence)

How open and transparent is OpenSSL’s governance? 2 (Not very open and transparent)

How independent do you believe OpenSSL the organisation is? 4 (very independent)

To what extent do you believe Communities can influence OpenSSL’s direction and decision making? 1 (No influence)

Please provide reasons for your answer: I’ve answered these above. You provide freely usable open source, developed in an open manner on GitHub: good. We don’t know who your paid staff is: bad. We don’t know your budget: bad. In spite of universal public commentary that implementing, rather than *enabling* QUIC is not what the community wants, you’re plowing ahead. You’ve already said that DTLS 1.3 is not being done now. What other *open IETF standards* will not be done? You only accepted HPKE, a new crypto primitive, or cert compression, because someone pushed hard. What other algorithms will you not do?

Would you like to be included in other future surveys? Yes

If “Yes” what is your preferred method to receive these? Email

If “Yes” please provide your contact details: rsalz@akamai.com

If “Yes” how often would you like to be contacted? Other: whenever you want input

If “Yes” what sort of surveys / discussions would you be interested in?
X Future direction of OpenSSL
X OpenSSL Product Features
X Process Improvement
X Customer Satisfaction
Other: _____________

admin

Leave a Reply

Your email address will not be published. Required fields are marked *