
Should we document that this project is abandoned? #164

Closed
bneradt opened this issue Aug 11, 2024 · 7 comments

Comments

bneradt commented Aug 11, 2024

It seems like this project has been abandoned. My application cannot use an OpenSSL 3.1-based QUIC solution due to its locking performance issues, which are resolved in OpenSSL 3.2. I was hopeful with this PR by @wbl that progress would be made in supporting a later OpenSSL version for QUIC:

#159

But that has gone months without landing due to what appear to me to be trivial issues (some docs and fuzzing CI tests are not running). Maybe I'm wrong about the issues being trivial? Regardless, the PR was opened May 8th, and three months later it has not landed and there is hardly any progress on it at all. Just silence now for three weeks.

If the project is abandoned, then we should document it as such on the website to alert people not to use this project anymore.

I do not say this bitterly. The project has been helpful to many. But it has been 7 months since a commit landed in this repo. It would be helpful to be upfront and transparent with others about the situation and steer people away from this project if later OpenSSL versions will not be supported, so that they do not maintain a false hope for it.

Thank you.

Brian

wbl (Collaborator) commented Aug 11, 2024

Hi,

This project is actively used at Akamai, Microsoft, and others. I understand your frustrations about 3.3 not getting landed; however, it requires significantly more review than most PRs given the complexity of the underlying changes and potential other impacts. We also have tests in dependent projects such as MsQUIC that have been run against it, and we had to solve issues there.

If you depend on it, it would be useful to run your tests on 3.3 and report to us that it works. We are actively trying to land the PR you mentioned.

wbl closed this as completed Aug 11, 2024
xl32 commented Aug 28, 2024

@wbl, I would add here that pull request #162 (with just a rebased branch) stayed without any review or comments from the team for more than two months. At the same time, OpenSSL 3.0.14 included fixes for a bunch of CVEs that were very important for users, and some of them used unreviewed code. I made this PR after 3 days of no activity on releasing the minor update version (June 3).
Review came 2 months and 9 days after the CVEs were published and fixes provided.

Furthermore, no other branches received updates, neither 3.1 nor 3.2, before August 12.

Thank you for your work on the project, we really need it, but I agree with @bneradt, we need to understand its status.

wbl (Collaborator) commented Aug 28, 2024

I'm sorry we dropped the ball on the review of that PR. There's a bunch of internal work and things like vacations that got in the way, and internally Akamai has moved to 3.1, so we've been less active on 3.0.x than we should have been. Changes are in the works to give the community more of a voice, but I don't want to get ahead of our readiness to announce them. I understand this is unsatisfying, but in the next weeks I expect you will be a lot happier.

xl32 commented Aug 29, 2024

@wbl thanks for the good news!

Regarding 3.1: do I understand correctly that Akamai stood with vulnerable 3.1 for more than two months also?
I am asking because, as I said, not only 3.0 had a lack of activity: just check the 3.1 branches and you will see there was no activity, then PR #165 appeared from the community.

CVEs were fixed in April-May and a new OpenSSL version was released on June 3 as 3.1.6.
Quictls 3.1.6 was released on August 12.

Again, thanks for your efforts, just pointing out that none of the supported versions (3.0, 3.1, 3.2) had vulnerability fixes from the project.

wbl (Collaborator) commented Aug 29, 2024

We had deployed the fix internally, in fact that was where it was developed. I agree that the delay was suboptimal, and we very much appreciate the community's interest and contributions.

xl32 commented Aug 29, 2024

Lastly, can I ask you to navigate to the releases page https://github.com/quictls/openssl/releases and observe that there are no releases for the 3.1 and 3.2 branches (3.1.6+quic, 3.2.2+quic)? As a result, people who package such releases fail at supporting their CI/CD, trying to find ways to understand how to get/select the correct branch, tag or something else, and have to change their CD code.

Perhaps the team can release 3.1.6 and 3.2.2, so the community is able to see that the download paths are still the same?

@wbl thanks for all your patience and work!
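The packaging problem raised in the comment above (a CI/CD pipeline that expects a release tag for each OpenSSL series it tracks, and breaks when a series has none) as an added shell example; this is not code from the quictls project or from anyone in this thread. The function name `pick_quictls_tag`, the constructed `SAMPLE_TAGS` list standing in for `git ls-remote --tags` output, and the `openssl-X.Y.Z+quic` tag naming are assumptions made for the example, not claims about which tags actually exist.

```shell
#!/bin/sh
# Added example, not quictls project code. A packaging pipeline that builds
# quictls from a release tag should pick the newest tag for the OpenSSL series
# it tracks and stop, rather than silently build something else, when that
# series has no release at all.
#
# Assumptions for this example: release tags are named openssl-X.Y.Z+quic, and
# SAMPLE_TAGS is a constructed stand-in for `git ls-remote --tags` output.

SAMPLE_TAGS='openssl-3.0.13+quic
openssl-3.0.14+quic
openssl-3.1.4+quic
openssl-3.1.5+quic
openssl-3.3.0-alpha1+quic
OpenSSL_1_1_1w+quic'

# pick_quictls_tag SERIES TAGS
#   Prints the highest-patch release tag for SERIES (e.g. 3.1) found in the
#   newline-separated TAGS, or prints an error and returns 1 when none exists.
#   Only tags whose patch level is a plain integer are accepted, so a
#   pre-release tag such as ...-alpha1 is never selected by accident.
pick_quictls_tag() {
  series="$1"
  tags="$2"
  major="${series%%.*}"
  minor="${series#*.}"
  best=""
  best_patch=-1

  for t in $tags; do
    # Keep only openssl-MAJOR.MINOR.<patch>+quic (major/minor are digits, so
    # the expanded values contain no glob characters).
    case "$t" in
      openssl-${major}.${minor}.*+quic) ;;
      *) continue ;;
    esac
    patch="${t#openssl-${major}.${minor}.}"
    patch="${patch%+quic}"
    case "$patch" in
      ''|*[!0-9]*) continue ;;   # not a plain integer: pre-release or malformed
    esac
    if [ "$patch" -gt "$best_patch" ]; then
      best="$t"
      best_patch="$patch"
    fi
  done

  if [ -z "$best" ]; then
    echo "error: no quictls release tag for OpenSSL series $series" >&2
    return 1
  fi
  printf '%s\n' "$best"
}

# Pipeline-style usage: a series without a release is a hard failure, not a
# silent fallback to some other branch.
pick_quictls_tag 3.1 "$SAMPLE_TAGS"
pick_quictls_tag 3.2 "$SAMPLE_TAGS" || echo "build aborted: pin a series that has a release" >&2
```

In a real pipeline the tag list would come from `git ls-remote --tags` against the repository, and the resolved tag's commit hash should be recorded and compared on later runs so that a moved or re-created tag is noticed rather than built blindly.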

wbl (Collaborator) commented Aug 30, 2024

We do have a release for 3.1.5+quic. 3.2 is getting skipped, 3.3 isn't quite ready to approve yet.

We will be doing releases for 3.1.7 and 3.0.17 next week with the new announcement, so that should clear things up.


3 participants