[clarry]

Did OpenSSL ever work right? If it were that simple, then it'd be easy to take that back into LibreSSL and fix the problem. Alas, the problem is not so simple.

I don't think anyone so far has been able to demonstrate a way to get entropy and reseed the rng after forks, in a manner that always works no matter what, on Linux. Everyone's got criticism, some people have suggestions, and when these suggestions are followed, more pitfalls are discovered. This is a problem with Linux -- Linux simply does not provide the right APIs and the right guarantees. Right now, it might very well be impossible to abstract the rng away on Linux like they do on OpenBSD.

So is Linux broken? Well, it sure likes to make things difficult. It is possible to work around the problem, but you cannot solve it in a library. No, OpenSSL could not solve it either. What did OpenSSL then do? It pushed the responsibility on to the applications, out of the library. Someone else's problem. Not solved! This might be a viable workaround as long as the problem is properly documented and all applications implement the workaround correctly (which apparently isn't the case).

OpenBSD isn't about workarounds. Much of what they do is about eliminating pitfalls that do not need to be there. This translates to less headaches for users & admins as well as developers. It's been demonstrated too many times that developers get things wrong. The OpenBSD people want to provide simple APIs that just work; ones you cannot use wrong. If there's a function that should provide randomness and the system is capable of providing randomness at all, then that function must work. Period. The programmer doesn't need to dance around it until it starts working. And the programmer shouldn't need to dance around it every once in a while again to keep it working. This is how we can get more secure software.

EDIT: Feel free to correct me if I am wrong. Can you show the world how to implement this right?