[romanovic]

I also do not see much basis for the opening statements, as written. Which individuals or communities are pushing the dogma that you shouldn’t write anything yourself? I’d be interested to know where Erik has met resistance when writing software specialised for his set of problems. Anecdotally, this is the opposite of my experience as a programmer.

OpenSSL and other cryptography libraries are a special case - implementing your own crypto library is almost universally accepted to be a very bad idea for what should be obvious reasons. OpenSSL is used widely because it solves a problem that is best served by a universal solution - the need for standardised protocols to secure internet communications. Of course there are alternative crypto libraries out there, but it is not a bad thing that most of us rely on a single library that really is well-suited to solve this need for crypto. We benefit much more by focusing developer resources and eyeballs on OpenSSL rather than trying to diversify for the sake of diversification.

Heartbleed is a very poor example that doesn’t support the premise of this post. It was discovered, publicly disclosed, and immediately fixed because it is open source, widely used, and has so many developer eyeballs on it. This was a positive outcome to a severe vulnerability, not a consequence of failing to diversify. Closed-source crypto libraries (or any that do not undergo the scrutiny of many developers and crypto specialists) are the domain of persistent, equally severe vulnerabilities that go undiscovered and/or undisclosed, increasing our exposure to malicious actors.