Basic question on version number..


Basic question on version number..

by R B-7

Hi,
  We're thinking of using openssl in our company but wondering about the version number.
Why is the latest version still 0.9.x? Why hasn't it been bumped up to 1.x in the last 8 years? Generally 1.x defines a stable version.

Any insight would be helpful in making a decision.

Thanks,
Rach

RE: Basic question on version number..

by David Schwartz


> Hi,
>  We're thinking of using openssl in our company but wondering
> about the version number.
> Why is the latest version still 0.9.x? Why hasn't it been bumped up
> to 1.x in the last 8 years? Generally 1.x defines a stable version.

> Any insight would be helpful in making a decision.

> Thanks,
> Rach

http://thedailywtf.com/Articles/One_Version_to_Rule_Them_All.aspx

The decision in the case of OpenSSL was that 1.x would have a stable API,
permitting shared libraries to be used interchangeably. OpenSSL does not
have a stable API yet, officially.

"Shared library is currently an experimental feature.  The only reason to
 have them would be to conserve memory on systems where several program
 are using OpenSSL.  Binary backward compatibility can't be guaranteed
 before OpenSSL version 1.0."

OpenSSL, however, is very solid and probably the best-tested SSL
implementation in existence. I, personally, would be much more concerned
about the risk of *security* problems. OpenSSL's software is openly
available and has stood the test of time.

DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@...
Automated List Manager                           majordomo@...

Re: Basic question on version number..

by A.L.M.Buxey

Hi,

> Why is the latest version still 0.9.x? Why hasn't it been bumped up to 1.x in
> the last 8 years? Generally 1.x defines a stable version.

hmm, I personally would not get hung up on '1.x is stable' -
having used dozens of platforms and software versions
to run network delivery solutions I can tell you that NOTHING
means that stuff is 'stable' - certainly there are more
BETA releases with > 1.x numbers than there are sub
1.x releases  :-)

anyhow, the reasoning for the OpenSSL never going above 1.0
right now has been given in another post - but rest assured,
they'll have a dilemma with defining what is 2.0 once
they have finally breached the 'over 1.x the libraries
are more flexible' mantra

alan

Re: Basic question on version number..

by Joe Flowers-3

>   We're thinking of using openssl in our company but wondering about the version number.

Rach,

OpenSSL is a great product. It is very widely used and adopted throughout the world. If you ripped it off the face of the planet right now, it would be catastrophic because so many people and systems and programs and etc. depend on it. Care none what version numbering scheme they use.

Joe
--------------


RE: Basic question on version number..

by Kenneth Goldman

> The decision in the case of OpenSSL was that 1.x would have a stable API,
> permitting shared libraries to be used interchangeably. OpenSSL does not
> have a stable API yet, officially.


If that's the rationale, I eagerly await 1.0.  The lack of a stable
API has hurt me far too many times.  I encourage the developers
to freeze the existing API.

> "Shared library is currently an experimental feature.  The only reason to
>  have them would be to conserve memory on systems where several program
>  are using OpenSSL.  Binary backward compatibility can't be guaranteed
>  before OpenSSL version 1.0."


I think this was the original idea.  For me, the more important reason
to use a shared library is the ability to upgrade the library when I
don't have access to the source/object code that uses the library.


Re: Basic question on version number..

by Goetz Babin-Ebell

Kenneth Goldman wrote:
| > The decision in the case of OpenSSL was that 1.x would have a stable API,
| > permitting shared libraries to be used interchangeably. OpenSSL does not
| > have a stable API yet, officially.
|
| If that's the rationale, I eagerly await 1.0.

Be prepared to wait a long time...
I don't think we will see an OpenSSL 1.0 anytime soon.

If you think that a 0.9.9 indicates a pending 1.0, you are wrong.
The OpenSSL version numbering allows something like a version
0.255.255 ...
So I expect that the release after 0.9.9 will be a 0.9.10...


Goetz

--
DMCA: The greed of the few outweighs the freedom of the many

Re: Basic question on version number..

by Ger Hobbelt-2

On Fri, Aug 22, 2008 at 3:57 PM, Kenneth Goldman <kgoldman@...> wrote:
> If that's the rationale, I eagerly await 1.0.  The lack of a stable
> API has hurt me far too many times.  I encourage the developers
> to freeze the existing API.

The core OpenSSL developers have already stuck to that particular goal for
a long time.

I've been using OpenSSL since at least 1999 (0.9.4 / 0.9.5) and the
crypto and SSL API has been amazingly stable all those years. The only
changes that I have met are in rather 'obscure' areas, such as when
you want to custom process ASN.1 encoded data and particular custom
certificate extensions.

I don't recall the last time when I had to recompile my software which
was using OpenSSL for the reason that OpenSSL changed an API function.
However, I *do* remember twice in that same decade that (1 time) a
commercial supplier was merged with another company and our crypto lib
was 'phased out/replaced' on merger, so I had to convert the whole
bloody lot to a new API. Luck had it I switched to the OpenSSL crypto
code, because that was cheaper than buying the upgrade PLUS the extra
work, but that did not help me with another bit of software (1 time),
which was using (another) commercial, 'stable', crypto lib, which
suffered from a bug 'nobody' suffered from but me (according to their
extremely helpful helpdesk) and that little issue was resolved when
the company went bust or burst its bubble some other way two years
after. Good riddance.
?? ... Ah, yes. Both _their_ version numbers were way beyond v1.0
very stable indeed.


> I think this was the original idea.  For me, the more important reason
> to use a shared library is the ability to upgrade the library when I
> don't have access to the source/object code that uses the library.

With crypto, I'd rather have access to the source code so I can have
it reviewed when the project/customer requires such. Far better than
buying for several grand into faith and a glossy sheet. Because
OpenSSL doesn't come with a source code NDA so I can contract out
crypto analysis/review without any legal hassles, which invariably
take a lot of time to settle and are bad for your deadlines.
I use my own MSVC project files to create OpenSSL Windows DLLs and
it's worked flawlessly for several years. (OpenSSL also offers Windows
makefiles to do the same, BTW)


--
Met vriendelijke groeten / Best regards,

Ger Hobbelt
