Proposal

Nathan Dorfman na at rtfm.net
Wed Apr 9 19:44:54 UTC 2014


First, the (unfortunately) necessary disclaimer: this is an honest
question to satisfy my curiosity, nothing more. Absolutely no
criticism of anyone is intended.

Is it implausible to suggest that before embarking on the task of
backporting, reviewing, testing and releasing the actual fix, an
announcement could have been made immediately with the much simpler
workaround of adding -DOPENSSL_NO_HEARTBEATS to the OpenSSL compiler
flags?

Given the severity of the issue, it doesn't seem that an immediate
advisory stating "here's an immediate workaround, a full fix will be
coming in the next day or two" would be terribly inappropriate.
Perhaps this workaround would have required more testing than I
imagine, but surely it'd be a tiny fraction of the time required to
release the full fix?

While I'm out here drawing fire, I might as well also ask if I'm crazy
to think that it might be a good idea for the base system OpenSSL (and
other third party imports) to just disable any and all non-essential
functionality that can be disabled at compile time? Non-essential
meaning everything not required for the base system to function --
there's always the ports version if anyone needs more.

Thanks for your thoughts, and of course, your ongoing efforts. They
are much appreciated.

-nd.

