3 <!--#include virtual="/inc/head.shtml" -->
6 <!--#include virtual="/inc/banner.shtml" -->
10 <div class="blog-index">
13 <h2>OpenSSL Bylaws</h2>
15 First issued 13th February 2017<br/>
16 Last modified 10th December 2019
20 <div class="entry-content">
22 <p>This document defines the bylaws under which the OpenSSL Project
23 operates. It defines the different project roles, how they contribute
24 to the project, and how project decisions are made.</p>
26 <h2>Roles and Responsibilities</h2>
30 <p>Users include any individual or organisation that downloads,
31 installs, compiles, or uses the OpenSSL command line applications or
32 the OpenSSL libraries or the OpenSSL documentation. This includes
33 OpenSSL-based derivatives such as patched versions of OpenSSL provided
34 through OS distributions, often known as "downstream" versions.</p>
36 <p>Users may request help and assistance from the project through any
37 appropriate forum as designated by the OpenSSL Management Committee
38 (OMC). Users may also report bugs, issues, or feature requests; or
39 make pull requests through any OMC designated channel.</p>
41 <h3><a name="committers">Committers</a></h3>
43 <p>Committers have the ability to make new commits to the main OpenSSL
44 Project repository. Collectively, they have the responsibility for
45 maintaining the contents of that repository. They must ensure that any
46 committed contributions are consistent with all appropriate OpenSSL
47 policies and procedures as defined by the OMC.</p>
49 <p>Committers also have a responsibility to review code submissions in
50 accordance with OpenSSL project policies and procedures.</p>
52 <p>Commit access is granted by invitation from the OTC and requires
53 a prior OMC vote of acceptance. It may be withdrawn at any time by
54 a vote of the OMC.</p>
56 <p>A condition of commit access is that the committer has signed an
57 Individual Contributor Licence Agreement (ICLA). If contributions may
58 also be from the employer of an individual with commit access then a
59 Corporate Contributor Licence Agreement (CCLA) must also be signed and
60 include the name of the committer.</p>
62 <p>In order to retain commit access a committer must have authored or
63 reviewed at least one commit within the previous two calendar
64 quarters. This will be checked at the beginning of each calendar
65 quarter. This rule does not apply if the committer first received
66 their commit access during the previous calendar quarter.</p>
68 <h3><a name="OMC">OpenSSL Management Committee (OMC)</a></h3>
70 <p>The OMC represents the official voice of the project. All official
71 OMC decisions are taken on the basis of a vote.</p>
75 <li>makes all decisions regarding management and strategic direction
76 of the project; including:
78 <li>business requirements;</li>
79 <li>feature requirements;</li>
80 <li>platform requirements;</li>
81 <li>roadmap requirements and priority;</li>
82 <li>end-of-life decisions;</li>
83 <li>release timing and requirement decisions;</li>
86 <li>maintains the project infrastructure;</li>
87 <li>maintains the project website;</li>
88 <li>maintains the project code of conduct;</li>
89 <li>sets and maintains all project Bylaws;</li>
90 <li>sets and maintains all non-technical policies and non-technical procedures;</li>
91 <li>nominates and elects OMC members as required;</li>
92 <li>approves or rejects OTC nominations for committers and OTC members;</li>
93 <li>adds or removes OMC, OTC, or committers as required;</li>
94 <li>adjudicates any objections to OTC decisions;</li>
95 <li>adjudicates any objections to any commits to project repositories;</li>
96 <li>ensures security issues are dealt with in an appropriate
98 <li>schedules releases and determines future release plans and the
99 development roadmap and priorities;</li>
100 <li>maintains all other repositories according to the policies and
101 procedures they define.</li>
104 <p>Membership of the OMC is by invitation only from the existing OMC
105 following a passing vote. OMC members may or may not be committers as
106 well. If an OMC member is also a committer then all rules that apply
107 to committers still apply.</p>
109 <p>The OMC makes decisions on behalf of the project. In order to have
110 a valid voice on the OMC, members must be actively contributing to the
111 project. Note that there are many ways to contribute to the project
112 but the ones that count in order to participate in the OMC
113 decision-making process are the ones listed below.</p>
115 <p>In general, the OMC will leave technical decisions to the OpenSSL
116 Technical Committee (OTC, see below) and not participate in
117 discussions related to development and documention of the OpenSSL
118 Toolkit. In exceptional cases however an OTC vote can be overruled
119 by an OMC vote. Such an exceptional case would be for example if an
120 OTC decision stands contrary to OMC policies or decisions.</p>
122 <p>OMC members may become inactive. In order to remain active a member
123 must, in any calendar quarter, contribute by:</p>
125 <li>a) Having authored, or been recorded as a reviewer of, at least
126 one commit made to any OpenSSL repository (including non-code based
128 <li>b) vote in at least two-thirds of the OMC votes closed in the
129 first two months of the quarter and the last month of the preceding
133 <p>The above rules will be applied at the beginning of each calender
134 quarter. It does not apply if the OMC member was first appointed, or
135 became active again during the previous calendar quarter. The voting
136 requirement only includes those votes after the time the member joined
137 or was made active again.</p>
139 <p>If an OMC member remains inactive for one calendar quarter then
140 they will no longer be considered an OMC member, but will be listed as
141 an OMC Alumni. OMC Alumni have no access to OMC internal resources
142 (including email lists) but may request a vote at any time to
143 reinstate their membership in the OMC.</p>
145 <p>Any OMC member can propose a vote to declare another member
146 inactive or remove them from OMC membership entirely.</p>
148 <p>An OMC member can declare themselves inactive, leave the OMC, or
149 leave the project entirely. This does not require a vote.</p>
151 <p>An inactive OMC member can propose a vote that the OMC declare them
152 active again. Inactive OMC members cannot vote but can propose issues
153 to vote on and participate in discussions. They retain access to OMC
154 internal resources.</p>
156 <h4><a name="omc-voting">OMC Voting Procedures</a></h4>
158 <p>A vote to change these bylaws will pass if it obtains an in favour
159 vote by more than two thirds of the active OMC members and less than
160 one quarter votes against by the active OMC members. A vote that does
161 not change these bylaws will pass if it has had a vote registered from
162 a majority of active OMC members and has had more votes registered in
163 favour than votes registered against.</p>
165 <p>Only active OMC members may vote. A registered vote is a vote in
166 favour, a vote against, or an abstention.</p>
168 <p>Any OMC member (active or inactive) can propose a vote. OMC Alumni
169 may only propose a vote to reinstate themselves to the OMC. Each vote
170 must include a closing date which must be between seven and fourteen
171 calendar days after the start of the vote. Votes to change these
172 bylaws must be fourteen calendar days in duration.</p>
174 <p>In exceptional cases, the closing date for non-bylaw changing votes
175 could be less than seven calendar days; for example, a critical issue
176 that needs rapid action. A critical issue is hard to define precisely
177 but would include cases where a security fix is needed and the details
178 will soon be made public. At least one other active OMC member besides
179 the proposer needs to agree to the shorter timescale.</p>
181 <p>A vote closes on its specified date. In addition, any active OMC
182 member can declare a vote closed once the number of uncast votes could
183 not affect the outcome. Any active OMC member may change their vote up
184 until the vote is closed. No vote already cast can be changed after
185 the vote is closed. Votes may continue to be cast and recorded after a
186 vote is closed up until fourteen days after the start of the vote.
187 These votes will count for the purposes of determining OMC member
188 activity, but will otherwise not affect the outcome of the vote.</p>
190 <p>All votes and their outcomes should be recorded and available to
193 <h3><a name="OTC">OpenSSL Technical Committee (OTC)</a></h3>
195 <p>The OTC represents the official technical voice of the project. All
196 OTC decisions are taken on the basis of a vote.</p>
200 <li>makes all technical decisions of the code and documentation for OpenSSL including:
203 <li>architecture;</li>
204 <li>implementation;</li>
206 <li>documentation;</li>
207 <li>code review;</li>
208 <li>quality assurance;</li>
209 <li>classification of security issues in accordance with the security policy;</li>
213 <li>produces releases according to OMC requirements;</li>
214 <li>establishes and maintains technical policies and technical procedures such as:
216 <li>GitHub labels and milestone usage;</li>
217 <li>coding style;</li>
220 <li>nominates to the OMC, addition or removal of OTC members and committers;</li>
221 <li>ensures technical aspects of security issues are dealt with in an appropriate
225 <p>Membership of the OTC is by invitation from the OTC and requires
226 a prior OMC vote of acceptance. OTC members must be committers and
227 hence all rules that apply to committers also apply.
228 OTC members may be OMC members and in which case all rules that apply
229 to OMC members also apply.</p>
231 <p>The OTC makes technical decisions on behalf of the project based on
232 requirements specified by the OMC. In order to have
233 a valid voice on the OTC, members must be actively contributing to the
234 technical aspects of the project. Note that there are many ways to contribute to the project
235 but the ones that count in order to participate in the OTC
236 decision-making process are the ones listed below.</p>
238 <p>OTC members may become inactive. In order to remain active a member
239 must, in any calendar quarter, contribute by:</p>
241 <li>a) Having authored, or been recorded as a reviewer of, at least
242 one commit made to any OpenSSL repository (including non-code based
244 <li>b) vote in at least two-thirds of the OTC votes closed in the
245 first two months of the quarter and the last month of the preceding
247 <li>c) maintain committer status.</li>
250 <p>The above rules will be applied at the beginning of each calender
251 quarter. It does not apply if the OTC member was first appointed, or
252 became active again during the previous calendar quarter. The voting
253 requirement only includes those votes after the time the member joined
254 or was made active again.</p>
256 <p>If an OTC member remains inactive for one calendar quarter then
257 they will no longer be considered an OTC member.</p>
259 <p>An OTC member can declare themselves inactive, leave the OTC, or
260 leave the project entirely. This does not require a vote.</p>
262 <p>An inactive OTC member can propose a vote that the OTC declare them
263 active again. Inactive OTC members cannot vote but can propose issues
264 to vote on and participate in discussions. They retain access to OTC
265 internal resources.</p>
267 <h4><a name="otc-voting">OTC Voting Procedures</a></h4>
269 <p>A vote will pass if it has had a vote registered from
270 a majority of active OTC members and has had more votes registered in
271 favour than votes registered against.</p>
273 <p>Only active OTC members may vote. A registered vote is a vote in
274 favour, a vote against, or an abstention.</p>
276 <p>Any OTC member (active or inactive) can propose a vote.
277 Each vote must include a closing date which must be between seven and fourteen
278 calendar days after the start of the vote. </p>
280 <p>In exceptional cases, the closing date
281 could be less than seven calendar days; for example, a critical issue
282 that needs rapid action. A critical issue is hard to define precisely
283 but would include cases where a security fix is needed and the details
284 will soon be made public. At least one other active OTC member besides
285 the proposer needs to agree to the shorter timescale.</p>
287 <p>A vote closes on its specified date. In addition, any active OTC
288 member can declare a vote closed once the number of uncast votes could
289 not affect the outcome. Any active OTC member may change their vote up
290 until the vote is closed. No vote already cast can be changed after
291 the vote is closed. Votes may continue to be cast and recorded after a
292 vote is closed up until fourteen days after the start of the vote.
293 These votes will count for the purposes of determining OTC member
294 activity, but will otherwise not affect the outcome of the vote.</p>
296 <p>All votes and their outcomes should be recorded and available to
297 all OTC and OMC members.</p>
299 <h4><a name="otc-transparency">OTC Transparency</a></h4>
301 The majority of the activity of the OTC will take place in public.
302 Non-public discussions or votes shall only occur for issues such as:
304 <li>pre-disclosure security problems</li>
305 <li>pre-agreement discussions with third parties that require confidentiality</li>
306 <li>nominees for OTC or committer roles</li>
307 <li>personal conflicts among project personnel</li>
311 <p>Full details (topic, dates, voting members, specific votes cast, vote result) of
312 all public votes shall be made available in a public repository.</p>
314 <h3>OpenSSL Software Foundation (OSF)</h3>
316 <p>The OpenSSL Software Foundation represents the OpenSSL project in
317 legal and most official formal capacities in relation to external
318 entities and individuals. This includes, but is not limited to,
319 managing contributor license agreements, managing donations,
320 registering and holding trademarks, registering and holding domain
321 names, obtaining external legal advice, and so on.</p>
323 <p>Any OMC member may serve as a director of OSF if they wish. To do
324 so they should send a request to any existing OSF director.</p>
326 <h3>OpenSSL Software Services (OSS)</h3>
328 <p>OpenSSL Software Services represents the OpenSSL project for most
329 commercial and quasi-commercial contexts, such as providing formal
330 support contracts and brokering consulting contracts for OpenSSL
333 <p>Any OMC member may serve as a director of OSS if they wish, subject
334 to certain contractual requirements. To do so they should send a
335 request to any existing OSS director.</p>
338 <h2><a name="leave">Leave of absence</a></h2>
340 <p>An active OMC member, OTC member, or committer may request a leave of absence
341 from the project. A leave of absence from the OMC, OTC or committer shall
342 suspend inactivity determination for the specified role. All access to
343 OMC, OTC or committer resources shall be suspended (disabled) and the OMC
344 or OTC member shall be excluded from voting and the committer shall be excluded
345 from reviewing or approving source changes. On return from a leave of
346 absence, the OMC or OTC member or committer will be deemed to have become active
347 as of the date of return.</p>
349 <p>All of the following criteria must be met in order to qualify as a
350 leave of absence:</p>
352 <li>a) the member must request via email to the OMC a leave of
353 absence at least one week in advance of the requested
354 period of leave;</li>
355 <li>b) only one leave of absence is permitted per calendar year;</li>
356 <li>c) the leave of absence must specify the date of return from
357 the leave of absence; </li>
358 <li>d) the length of the leave of absence shall be a minimum of one calendar
359 month and shall not exceed three calendar months (one quarter); and </li>
360 <li>e) the leave of absence applies to all the roles within the
361 project (i.e. OMC, OTC and committer if all three roles apply).</li>
364 <h2><a name="update">Bylaws Update History</a></h2>
366 The following changes have been made since the bylaws were first
367 issued 13-February-2017.
370 <li>21-November-2019.
371 Added <i>OTC</i>. and other related changes.</li>
372 <li>20-December-2017.
373 Added <i>Leave of absence</i> section.</li>
378 You are here: <a href="/">Home</a>
379 : <a href="/policies">Policies</a>
380 : <a href="">Bylaws</a>
381 <br/><a href="/sitemap.txt">Sitemap</a>
385 <!--#include virtual="sidebar.shtml" -->
389 <!--#include virtual="/inc/footer.shtml" -->