
It sounds to me like the way to solve this problem is to turn OpenSSL into a benevolent for-profit company with an actual business model.

Why not give the software away as is current practice but then charge top-dollar to MSFT, Google, et al. for professional consulting? This way they could actually devote real resources to the project and implement some of the obvious process reforms that OP and others are suggesting.

The OpenSSL mission could & would be executed better if it was pursued as a business rather than a hobby. Capitalism doesn't cure all ills, but it might be able to cure this one.

Thoughts? Am I missing something?



Not sure why you're getting downvoted; it's a legitimate question.

I'm not sure OpenSSL is really a good match for that. I've never really studied this, but my impression is that open-source companies fall into two categories:

1) Very small consulting companies built around one or a few passionate people that scrape by rounding up contracts for specific features that businesses want, and

2) Larger companies that provide a substantial set of services around an open-source product (e.g., Chef, Puppet, RedHat, Ubuntu).

OpenSSL definitely doesn't match the latter, and I don't think it's great for the former. Having done consulting for years at a time, it's a giant pain in the ass. There's no reason to think people who are good at this sort of coding really want to spend half their time on sales, or would be good at it if they did. And adding features to OpenSSL is exactly what got us into this trouble.

This strikes me as the classic case for a tax: benefits are modest but spread widely. If you could painlessly charge each user $0.01/year, you could fund this work no problem. That leads you into all the issues you get with taxes, of course, but in this case I don't think they're obviously larger than the issues you get with capitalism.

It's a shame that the US Government has totally burned their reputation with security-minded techies, or they'd be an obvious way to collect and distribute, say, $100m/year for valuable internet infrastructure. Maybe this is a chance for Europe to step up.


The mission of the intelligence agencies of the EU and most of its member states is to secure national infrastructure. Oh, like the internet.

They already have tons of money thrown at them from taxes.

It's just that surveillance and monitoring of citizens and industrial espionage have higher priority than... their stated goal? They're too busy analysing malware and making their own, exploiting OpenSSL for their benefit while keeping and hoping no other agency knows their exploits.



