Ben Laurie,
"It seems that the Debian maintainer did, indeed, mention his plan on openssl-dev. Openssl-dev is a list for people developing OpenSSL based software, not a list for discussing the development of OpenSSL itself. I don’t have the bandwidth to read it myself. If you want to communicate with the OpenSSL developers you need to use openssl-team@openssl.org."
Publishing contact information for the OpenSSL developers responsible for actually vetting patches to the OpenSSL source sounds like a great idea.
Of course, this address is prominently placed in the source archive so downstream people, and just plain interested users (such as professional cryptographers) will be aware of it, right?
$ wget http://openssl.org/source/openssl-0.9.8g.tar.gz --2008-05-14 01:56:41-- http://openssl.org/source/openssl-0.9.8g.tar.gz Resolving openssl.org... 195.30.6.166 Connecting to openssl.org|195.30.6.166|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 3354792 (3.2M) [application/x-tar] Saving to: `openssl-0.9.8g.tar.gz'100%[===================================================================================================================>] 3,354,792 161K/s in 16s
2008-05-14 01:56:58 (200 KB/s) - `openssl-0.9.8g.tar.gz' saved [3354792/3354792]
$ tar xfz openssl-0.9.8g.tar.gz $ cd openssl-0.9.8g/ $ ls -1 CHANGES CHANGES.SSLeay ChangeLog.0_9_7-stable_not-in-head ChangeLog.0_9_7-stable_not-in-head_FIPS Configure FAQ INSTALL INSTALL.DJGPP INSTALL.MacOS INSTALL.NW INSTALL.OS2 INSTALL.VMS INSTALL.W32 INSTALL.W64 INSTALL.WCE LICENSE MacOS Makefile Makefile.org Makefile.shared NEWS Netware PROBLEMS README README.ASN1 README.ENGINE VMS apps bugs certs config crypto demos doc e_os.h e_os2.h engines include install.com makevms.com ms openssl.doxy openssl.spec os2 perl shlib ssl test times tools util $ grep -Fr openssl-team@openssl.org . $ grep -Fr openssl-team . $ grep team README $ grep -i team README $ grep -i team FAQ You can check authenticity using pgp or gpg. You need the OpenSSL team property rights, please consult a lawyer. The OpenSSL team does not $
Well, at least we'll be able to find this contact address in some reasonably conspicuous location on the OpenSSL website, right?
Let's try the front page. Hmm, nope.
How about the "Support" page, prominently placed on the site's navigation bar? Success! Er, kind of. We have openssl-announce, openssl-dev, openssl-cvs, and openssl-users. A pretty typical and idiomatic way of setting up mailing lists in Free and Open Source software projects. Kudos! Except, as you noted, none of these is actually the right list to contact the developers of OpenSSL. Well, I'm sure I'm the only person on earth whose intuition is challenged by that, so let's check some other places on the OpenSSL website wherein my howlingly erroneous assumption is put right.
Well, this is a patch we're talking about, so how about the Contribution page?
Hmm, perhaps:
Welcome to the User Contribution Area of OpenSSL. This area contains files maintained by the OpenSSL users and placed here by the OpenSSL team. They are provided AS IS without any kind of support or guaranty.
THIS AREA IS PROVIDED BY THE OPENSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
No, perhaps not.
The Source page is another dead-end; it shows me a lot of source I can retrieve, but does not inform me whom I can speak with about it. Undaunted, I press on.
Well, heck, how about the About page? Hey, this looks promising!
The OpenSSL Core and Development Team
The OpenSSL project is volunteer-driven. We do not have any specific requirement for volunteers other than a strong willingness to really contribute while following the projects goal. The OpenSSL project is formed by a development team, which consists of the current active developers and other major contributors. Additionally a subset of the developers form the OpenSSL core team which globally manages the OpenSSL project. Anyone wanting to join the development effort should subscribe to the developers mailing list openssl-dev@openssl.org, where all development efforts are coordinated.
But, silly me, of course I should utterly disregard the exclusive mention of openssl-dev@openssl.org in a section entitled "The OpenSSL Core and Development Team".
Several individual members are listed, yourself under "core team", and Ulf Möller under "development team". If Mr. Möller was a member of the "development team" at the time Debian developer Kurt Roeckx contacted the openssl-dev list, then I'm sure he should have known to disregard the advice he was given, right? (I'm sure you can correct me with appropriate fist-shaking indignation if your and Mr. Möller's status in the dev team was sufficiently different two years ago. You may, or may not, want to consult The Internet Archive's copy of the page as it existed on 1 and 2 May, 2006, before doing so.)
Well, I have one trick left up my sleeve—I can consult that device which has applied cluebats to addled heads for generations, the mighty FAQ! And do I find an answer?
Hallelujah!
3. How can I contact the OpenSSL developers? The README file describes how to submit bug reports and patches to OpenSSL. Information on the OpenSSL mailing lists is available from http://www.openssl.org.
(emphasis added)
By God, you've got me! Just read the README, for which a case-insensitive grep for "team" returns no matches! But never mind that, I can just go to www.openssl.org, find the...er...nonexistent...mention of mailing lists on the front page, stumble around until I find the aforementioned list of mailing lists, and, uh...don't find any mention of "openssl-team@openssl.org".
Hey, but you stand vindicated, because you shouted the correct contact address to the whole world in the 43rd comment to the 327th post on your blog (which must surely compare favorably to being posted on the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'.).
Your certificate of induction into the Good Communication Hall of Fame is forthcoming.
Which mailing list should I send it to?