I wonder what the “raft of complicated code changes” required by the government were, and whether any of them intentionally weakened OpenSSL.
I was really interested to see how the OpenSSL developers felt about the OpenBSD folks forking the project and making LibreSSL. The article mentions LibreSSL in passing, but there’s no further comment on the matter from either the author or the OpenSSL developers.
It also hero-worships the Steves as some kind of semi-geniuses who are simply overworked/understaffed to the point of letting things like Heartbleed slip by under the fatigue, when the LibreSSL commit log makes the OpenSSL codebase look more like an indiscriminate accretion of every test data file and utility script ever written (or begun) by anyone who went near the codebase, along with every portability hack added by anyone who ever tried to build it on any platform. In the article this morphs into something more akin to them being busy coding up feature after feature.
The article also repeatedly implicitly conflates SSL with OpenSSL over long stretches, leaving the impression that anyone doing SSL relies on the two Steves’ work.
And it presents the idea of open source as a slightly eccentric/exotic ideal that the Steves are committed to despite the fact that none of this would quite have happened under a proprietary commercial model, presumably through the miracle of the throw-enough-money-at-it principle.
I read the entire thing and came away with nothing of interest learned; and if I hadn’t known anything about the subject matter, so as to know the article worthless, I would’ve come away misinformed.
It is the worst kind of glossy-magazine fluff: it reads as though the journalist knows nothing about the subject matter (in this case, not of programming, not of networking, nor of cryptography or software development models), and the first he or she learned any of the subject matter relevant to the story was from the interviewees. The result is an article such as this which myopically elevates its protagonists and lacks the references to contextualise their experience or any of its facts.
Hrmmm, they called the vulnerability a “breach.”