[mSparks]

Tell that to your bank manager when they make a mistake....

It is NOT the bug itself that is at issue here.

It is the "mistake" of an ENTIRE INDUSTRY relying on a security module with haphazard, proven flawed development process, and impenetrable code.

Then trying to pretend the exact opposite.

Unfair, attract me down votes - sure. True - without doubt.

[DasIch]

So? Nobody disagrees on the fact that there is a problem. Putting blame on people won't solve the problem. It will piss people off. People you want on your side, enthusiastically solving the problem. Your attitude is actually dangerous and counterproductive to solving the problem.

This toxic culture is a big part why we are in this mess. Who in their right mind would want to try work on OpenSSL to improve it while being called an idiot? Who'd be willing to stand up for the project as a representative? Speak out for the project?

[mSparks]

It's not a case of blaming. Its a case of choosing https://www.libressl.org/ or https://www.openssl.org/

Applying best practice development processes or Pretending someone else can do it all for you, and you can "bolt it on" at the end.

The article lists: Future plans and lessons learned: At the top of the list for future development is support for TLS 1.3.

Like adding yet another protocol to the already hacked mess of protocols is a "good" thing.

[DasIch]

LibreSSL is only better because it does less and much more human attention is wasted on producing bug free C code. That's an improvement but it's quite limited.