https://www.openssl.org/policies/releasestrat.html
- Version 1.1.0 will be supported until 2018-08-31.
- Version 1.0.2 will be supported until 2019-12-31 (LTS).
We may designate a release as a Long Term Support (LTS) release. LTS releases will be supported for at least five years and we will specify one at least every four years. Non-LTS releases will be supported for at least two years.
In addition, during discussion about our OpenSSL version planning in Node.js, @kroeckx helpfully expanded on this with the following:
We currently don't know yet when to announce the next LTS release, and which version it's going to be. According to our release strategy we should announce a new LTS this year, and so it'll be a release we make this year. This could be the upcoming 1.1.1, or even a higher number (1.2.0, 1.1.2). We at least want to make this API compatible to 1.1.0, not sure if it's going to be ABI compatible.
We are now less than a year away from EOL for 1.1.0; it's clear that it's not the version to use for anything meaningful. But we're also now less than 2 years away from 1.0.2 EOL, which makes it difficult for those of us looking at longer time horizons to plan.
To give you some insight into the Node.js dilemma:
- All versions of Node.js are pinned to 1.0.2, although Node.js 8.x and above now have the ability to compile against 1.1.0 and we test this support as part of our CI, but this is not something we recommend for users.
- Node.js designates a new LTS release line every 12 months. Prior to becoming LTS, a release line exists as what we call "Current" for 6 months then gets an LTS lifetime of 30 months beyond that—a total of 3 years of support where we attempt to guarantee no "breaking changes", either API or ABI. (more info about the schedule here)
- Node.js' latest LTS release line, version 8, started its LTS life in October 2017 and under normal circumstances, should be supported until April 2020. However, because it uses OpenSSL 1.0.2, we have artificially contracted its support timeframe by 4 months to coincide with 1.0.2 EOL (we've communicated this from the beginning).
- Node.js is due to cut a new major version, 10, for release this April. It will become our next LTS in October and will then get support until April 2021 (that's the plan anyway).
So, the dilemma is what to do about OpenSSL support?
- Sticking with 1.0.2 would extend us beyond OpenSSL's support timeframe by 16 months, a burden we can't shoulder.
- Upgrading to 1.1.0 would give us only ~4 months of support.
- Waiting for 1.1.1 means we (a) have to cross our fingers that it'll be released before April, (b) need to ensure we can integrate it in time and (c) that it actually gives us a path to OpenSSL LTS and we have no indication that 1.1.1 will be LTS or that there is a clear path from 1.1.1 to an LTS.
- Having a hybrid approach where we switch versions of OpenSSL part-way through the lifetime of Node 10 leaves us in the position of potentially having to break ABI and/or API, which would be a nasty break to the stability that we've worked so hard to ensure since Node 4 (and have gained a lot of trust because of). We may be able to make this palatable if we had a plan to work with and could communicate that plan ahead of time, but we don't have timeframes, versions or much else to work with.
- FIPS is another dilemma. Node.js supports FIPS today, but my reading of the policies and comments about FIPS is that we may not see new FIPS support for some time. This is not necessarily a big deal; it's a matter of communication, as we could just be explicit that Node 10 doesn't support FIPS and if you want FIPS you'll have to use an earlier, supported version or wait for perhaps Node 12, which may have new FIPS support.
I'm acutely aware of the difficulty of roadmaps in open source software, and I hope this doesn't come off as entitled or rude. I'm genuinely grateful for the current team's work on OpenSSL and think you've done an amazing job at modernising both the code and the policies surrounding the project. Even the fact that the project has got to a place where we can have such a conversation as this is awesome.
Perhaps someone could provide additional insight into the thinking behind OpenSSL LTS planning, or whether there's even been much discussion about this? If not, I'd like to suggest that accelerating such a discussion would be of benefit to downstream users that are looking at a rapidly closing support window and need to do planning beyond that window.