
  > everyone smart enough to snark after the fact could and
  > should have been providing patches before all hell broke
  > loose.
Could have? Sure. Should have? Not so fast. Quite a few of those people had pointed out that the complexity and sheer ugliness of the OpenSSL code created a large unnecessary barrier to contribution, and that people's time would be better spent on alternatives. It would be very interesting to look at the use:contribution ratios over time for OpenSSL and e.g. PolarSSL, which also happens to be GPL-licensed. Sometimes the people who made a mess bear primary responsibility for cleaning up, and there's nothing wrong with others saying so. Bringing pressure to bear on the people who can actually make that kind of fundamental change might be more productive than submitting patches that have to be rejected because they're based on wrong assumptions about complex code.

Now, if someone from one of those freeloading companies that have eschewed alternatives and continue to ship millions of copies of OpenSSL without contributing anything were to offer such criticism, that would be wrong. It would be wrong not because it's kibitzing from an outsider, but because it's ingratitude from an insider. That's a different thing. If contribution was always a precondition for comment, this would be a very quiet world. Comments like these might not be allowed:

  > this is excruciating to read due to very strange page
  > layout.
Where's the patch for that?


I have nothing more to add to that except that what you just said indeed adds more nuance and I totally agree.

And touché (though I guess you noticed I merely criticized the form and thanked the author for the content) :)



