OpenSSL Library Bylaws

This document defines the bylaws under which the OpenSSL Library Project operates. It defines the different project roles, how they contribute to the project, and how project decisions are made.

Roles and Responsibilities

Users

Users include any individual or organization that downloads, installs, compiles, or uses the OpenSSL Library via the libraries or the applications produced by the project. This includes OpenSSL-library-based derivatives such as patched versions of the OpenSSL Library provided through OS distributions, often known as “downstream” versions.

Users may request help and assistance from the project through any appropriate forum as designated by either the OpenSSL Foundation or the OpenSSL Corporation. Users may also report bugs, issues, or feature requests; or make pull requests through any designated channel.

Committers

Committers have the ability to push new commits to the main OpenSSL Library Project repository. Collectively, they have the responsibility for maintaining the contents of that repository. They must ensure that any committed contributions are consistent with all appropriate OpenSSL Library policies and procedures as defined by the Foundation or the Corporation.

Committers also have a responsibility to review code submissions in accordance with OpenSSL Library Project policies and procedures.

Commit access is granted by invitation from the OTC and requires a prior acceptance by either the Foundation or the Corporation. It may be withdrawn at any time by a decision from the Foundation or Corporation.

A condition of commit access is that the committer has signed an Individual Contributor License Agreement (ICLA). If contributions may also come from the employer of an individual with commit access, then a Corporate Contributor License Agreement (CCLA) must also be signed and must include the name of the committer.

In order to retain commit access a committer must have authored or reviewed at least ten commits that were merged within the previous two calendar quarters. This will be checked at the beginning of each calendar quarter. This rule does not apply if the committer first received their commit access during the previous calendar quarter.

The Foundation and the Corporation

The OpenSSL Software Foundation (the Foundation) and OpenSSL Software Services (the Corporation) represent the official voice of the project.

The Foundation primarily focuses on non-commercial communities.

The Corporation primarily focuses on commercial communities.

The Foundation and the Corporation are run by a board of directors for each company. Directors are elected by the members of each company. Membership of each company is determined by votes of the existing members of each company.

The Foundation and the Corporation co-equally:

  • make all decisions regarding management and strategic direction of the project, including:
    • business requirements,
    • feature requirements,
    • platform requirements,
    • roadmap requirements and priority,
    • end-of-life decisions,
    • release timing and requirement decisions,
  • maintain the project infrastructure,
  • maintain the project website,
  • maintain the project code of conduct,
  • set and maintain all project Bylaws,
  • set and maintain all non-technical policies and non-technical procedures,
  • approve or reject OTC nominations for committers,
  • add or remove OTC members or committers as required,
  • adjudicate any objections to OTC decisions,
  • adjudicate any objections to any commits to project repositories,
  • ensure security issues are dealt with in an appropriate manner,
  • schedule releases and determine future release plans and the development roadmap and priorities,
  • maintain all other repositories according to the policies and procedures they define.

The boards of the Foundation and the Corporation share all responsibilities and authorities co-equally. Co-equally means that the Foundation and the Corporation can operate independently and make decisions autonomously.

The Foundation and the Corporation will be advised about technical decisions by Technical Advisory Committees. Until such time as these are established, the Foundation and the Corporation will generally leave technical decisions to the OpenSSL Technical Committee (OTC) and not participate in discussions related to technical aspects of the OpenSSL Library. In exceptional cases, however, an OTC vote can be overruled by the Foundation or the Corporation. Such an exceptional case would be, for example, an OTC decision that stands contrary to the policies or decisions of the Foundation or the Corporation.

OpenSSL Technical Committee (OTC)

The OTC represents the official technical voice of the project. All OTC decisions are taken on the basis of a vote.

The OTC:

  • makes all technical decisions of the code and documentation for OpenSSL including:
    • design,
    • architecture,
    • implementation,
    • testing,
    • documentation,
    • code review,
    • quality assurance,
    • classification of security issues in accordance with the security policy,
  • establishes and maintains technical policies and technical procedures such as:
    • GitHub labels and milestone usage,
    • coding style,
  • nominates to the Foundation or the Corporation the addition or removal of committers,
  • ensures technical aspects of security issues are dealt with in an appropriate manner.

The OTC will be replaced in the future by elected technical advisory committees. Until that time membership of the OTC is frozen. OTC members must be committers and hence all rules that apply to committers also apply.

The OTC makes technical decisions on behalf of the project based on requirements specified by either the Foundation or the Corporation. In order to have a valid voice on the OTC, members must be actively contributing to the technical aspects of the project. Note that there are many ways to contribute to the project but the ones that count in order to participate in the OTC decision-making process are the ones listed below.

OTC members may become inactive. In order to remain active a member must, in any calendar quarter, contribute by:

  • a) having authored, or been recorded as a reviewer of, at least one commit made to any OpenSSL repository (including non-code based ones), and
  • b) voting in at least two-thirds of the OTC votes closed in the first two months of the quarter and the last month of the preceding quarter, and
  • c) maintaining committer status.

The above rules will be applied at the beginning of each calendar quarter. They do not apply if the OTC member was first appointed, or became active again, during the previous calendar quarter. The voting requirement only includes those votes held after the time the member joined or was made active again.

If an OTC member remains inactive for one calendar quarter then they will no longer be considered an OTC member.

An OTC member can declare themselves inactive, leave the OTC, or leave the project entirely. This does not require a vote.

An inactive OTC member can propose a vote that the OTC declare them active again. Inactive OTC members cannot vote but can propose issues to vote on and participate in discussions. They retain access to OTC internal resources.

OTC Voting Procedures

A vote will pass if it has had a vote registered from a majority of active OTC members and has had more votes registered in favor than votes registered against.

Only active OTC members may vote. A registered vote is a vote in favor, a vote against, or an abstention.

Any OTC member (active or inactive) can propose a vote. Each vote must include a closing date which must be between seven and fourteen calendar days after the start of the vote.

In exceptional cases, the closing date could be less than seven calendar days; for example, a critical issue that needs rapid action. A critical issue is hard to define precisely but would include cases where a security fix is needed and the details will soon be made public. At least one other active OTC member besides the proposer needs to agree to the shorter timescale.

A vote closes on its specified date. In addition, any active OTC member can declare a vote closed once the number of uncast votes could not affect the outcome. Any active OTC member may change their vote up until the vote is closed. No vote already cast can be changed after the vote is closed. Votes may continue to be cast and recorded after a vote is closed up until fourteen days after the start of the vote. These votes will count for the purposes of determining OTC member activity, but will otherwise not affect the outcome of the vote.

All votes and their outcomes should be recorded and made available to all OTC members and to members of the Foundation or Corporation.

OTC Transparency

The majority of the activity of the OTC will take place in public. Non-public discussions or votes shall only occur for issues such as:

  • pre-disclosure security problems,
  • pre-agreement discussions with third parties that require confidentiality,
  • nominees for committer roles,
  • personal conflicts among project personnel.

Full details (topic, dates, voting members, specific votes cast, vote result) of all public votes shall be made available in a public repository.

Leave of absence

An active OTC member or committer may request a leave of absence from the project. A leave of absence from the OTC or committer role shall suspend inactivity determination for the specified role.

All access to OTC or committer resources shall be suspended (disabled) and the OTC member shall be excluded from voting and the committer shall be excluded from reviewing or approving source changes. On return from a leave of absence, the OTC member or committer will be deemed to have become active as of the date of return.

All of the following criteria must be met in order to qualify as a leave of absence:

  • a) the member must request via email to the Foundation or the Corporation a leave of absence at least one week in advance of the requested period of leave,
  • b) only one leave of absence is permitted per calendar year,
  • c) the leave of absence must specify the date of return from the leave of absence,
  • d) the length of the leave of absence shall be a minimum of one calendar month and shall not exceed three calendar months (one quarter), and
  • e) the leave of absence applies to all the roles within the project (i.e. OTC and committer if both roles apply).

Bylaws Update History

The following changes have been made since the bylaws were first issued on 13-February-2017.

  • 16-September-2024. Major update for the new governance structure. Raised minimum number of commits/reviews for committers to 10 in two quarters.
  • 17-July-2022. Added a clause on minor edits of these bylaws.
  • 21-November-2019. Added OTC and other related changes.
  • 20-December-2017. Added Leave of absence section.