Hacker News
by bborud 5758 days ago
It has been a few years since I had to work with OpenSSL and I had much of the same reactions to the code.

OpenSSL has always been bad, so it is not likely that it will improve any time soon unless someone who has a talent for API design decides to spend an immense amount of time sanitizing the library. This is a crypto library, so it is code that requires a lot of scrutiny. You can't simply make changes willy-nilly. Undoing the damage is no simple matter of programming.

I think it is important to point out badly designed APIs and make an example of them so people can learn why it is important to care about API design. It doesn't matter if it is open source or not. That is completely beside the point. Lots of open source code gets worked on by people who get paid for it or whose companies benefit from it directly or indirectly, so let's just be grown-ups and not derail the discussion.

Something being open source is not an excuse for doing a poor job. Bad code is bad code and OpenSSL does deserve harsh criticism for being unnecessarily hard to use.

I find the thought that you should not be able to criticize someone for designing bad APIs just because a project is open source offensive.