It's amazing that the OpenSSL Foundation seems to do so little work on their actual code base give that they actually seem to take donations and have developers.

OpenBSD by comparison gets things done with 10% of the OpenSSL budget?

The current maintainers of OpenSSL have been doing a shitty job. It's not that heartbleed itself was the problem.

OpenSSL scares people away, the code is such a mess. I've looked at it for 5 minutes years ago. You hope to compile it, let alone understand it.

Finally people had to take a look at it, and what they found was a scary unmaintained mess vs other open source projects.

Specifically considering the importance of OpenSSL the maintainers seem to do a terrible job.

As people have mentioned. OpenSSL is basically a "FIPS" consultancy.

http://en.wikipedia.org/wiki/Federal_Information_Processing_...

FIPS is real world useless to 99% of the population that doesn;t live in the US and do business with the US govt.

They are worried more about maintaining the FIPS then patching or improving the code base for something that has become so universal.

That's fine for them, but a couple million a year in consulting fee's is messing with a much larger audience.

OpenSSL will be able to keep its outdated code base and FIPS, while the rest of the world moves on.

Key takeaway from Bob, is they need to raise money to pay some super knowledgable developers to get some of the more lengthly parts done.