I used a question mark for a reason. But in a way OpenSSL exactly proves my point. Since there are no paid maintainers, no one had the time, understanding, or incentive to look for bugs like heartbleed. OpenSSL is generally useful to everyone, but specifically useful to no one. So, it is resistant to getting a full time, paid maintainer. There are dozens of other core OSS infrastructure out there that have the same problem. Last year there was a post about NTP and failing internet infrastructure. It’s all related.
8 Likes
