Hacker News
by alrs 4340 days ago
If you're upset about the OpenSSL screwup, you're mad at the OpenSSL project for telling the Debian maintainer that commenting out some code would be OK.

Your beef is with ulf@openssl.org, not the Debian project.

http://marc.info/?l=openssl-dev&m=114652287210110&w=2

2 comments

He didn't say that he was a Debian maintainer or planning to comment out the two lines and ship it in a distro, misdescribed what he was commenting out, and didn't provide enough context to make it clear that he'd misdescribed it. (Even knowing what functions the lines he was commenting out were in would probably have been enough to ring alarm bells.)

There's a limit to how much effort the OpenSSL developers should have to put into stopping people from shooting themselves in the foot, and tracking down lines of code identified only by their line number in an unspecified version of OpenSSL to make sure they do what some random guy on the mailing list thinks they do is way over that limit.

I'm upset that in the year 2014 we still think that having the package maintainers patch ancient software instead of providing latest upstream versions is a good idea. I'm a big fan of the *BSD package management model - they give you a stable core, you pick your own (upstream, possibly bleeding-edge) versions of everything else.