i interpreted this as: this was written by security experts (cryptographers), not expert programmers. this means the algorithms are generally ok, but the implementation is wacky (and issue prone).
It was also written by cryptographers who for years asked for support, and got barely enough to keep the server running let alone live off it. Meanwhile the world and his wife joined in with feature requests and complaints about things they didn't like, but mostly without offering to help.
So it doesn't surprise me that unit testing, documentation, code review etc. weren't a top priority for spending more unpaid hours on - people literally got what they paid for.
I'll partly agree with that. Mostly even. I draw the line at expecting a security-critical library intending widespread adoption at least follow secure coding guidelines if nothing else. It really doesnt take much effort vs what was already done. Tiny fraction of it.
That plus the larger trend of developers ignoring basic, good practices is why I critique the project a bit. Plus, LibreSSL team illustrated my point nicely by doing 10x what I expected in a very short time with no pay.
So it doesn't surprise me that unit testing, documentation, code review etc. weren't a top priority for spending more unpaid hours on - people literally got what they paid for.