| 1 | +# Legacy Provider Policy |
| 2 | +## Purpose |
| 3 | +The Legacy Provider exists to create an opt-in availability mechanism for |
| 4 | +algorithms that, for various reasons, should have their use discouraged. These |
| 5 | +reasons include, but are not limited to: |
| 6 | +* Discovered security issues leaving the algorithm in question unsafe for |
| 7 | + general use |
| 8 | +* Lack of popular use (i.e. balancing code size vs consumption frequency) |
| 9 | + |
| 10 | +OpenSSL recognizes that consumption of these algorithms may continue to be |
| 11 | +required by consuming applications after the conditions above have been |
| 12 | +recognized. The Legacy provider exists to provide a mechanism for such |
| 13 | +applications to continue to access these algorithms while allowing applications |
| 14 | +that don't require them to inadvertently continue to use them. |
| 15 | + |
| 16 | +## Constraints on moving an algorithm to the legacy provider |
| 17 | +1) Migration of an algorithm to the legacy provider must occur on a semantically |
| 18 | +versioned major release boundary. Once a major release includes a given |
| 19 | +algorithm in a given provider, it must remain there for every minor release in |
| 20 | +that major stream |
| 21 | + |
| 22 | +2) Prior to migration, the migration must be announced for at least 1 |
| 23 | +semantically versioned patch level release (see announcement mechanism below) |
| 24 | + |
| 25 | +3) Coincidental to the announcement above, the algorithm in question may be made |
| 26 | +available in both the source provider and the legacy provider. |
| 27 | + |
| 28 | +## Promotion of algorithms in the legacy provider to the default provider |
| 29 | +Should the need arise, legacy provider algorithms may be promoted to the default |
| 30 | +provider at any time. Removal from the Legacy provider should occur only on |
| 31 | +semantically versioned major release boundaries. |
| 32 | + |
| 33 | +## Migration announcement mechanism |
| 34 | +Announcements of migrations from a source provider to the Legacy provider is |
| 35 | +made via the ALG-DEPRECATIONS.md file in the source code root directory for |
| 36 | +OpenSSL. This file will list the algorithm SN, NID, the date at which the |
| 37 | +deprecation was announced, and the date at which the algorithm was removed from |
| 38 | +the source provider |
| 39 | + |
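Review bot: The Purpose section (lines 12-14 of the new file) appears to be missing a negation, so as written it states the opposite of the intended policy: "The Legacy provider exists to provide a mechanism for such applications to continue to access these algorithms while allowing applications that don't require them to inadvertently continue to use them." The second clause should read something like "while preventing applications that don't require them from inadvertently continuing to use them", since the whole point of an opt-in provider is that the discouraged algorithms are not reachable by default. Two smaller wording points in the same hunk: "Coincidental to the announcement above" (line 25) should be "Coincident with the announcement above", and "Announcements of migrations ... is made via the ALG-DEPRECATIONS.md file" (lines 34-35) needs "are made" to agree with the plural subject; sentences at lines 20 and 38 are also missing their closing periods.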