While I agree that the OpenSSL code and procedures should have been
documented better, I don't think enough attention is being given to the
statement that Ben Laurie emphasizes:
** Never fix a bug you don’t understand. **
I would add that this especially applies to crypto code, and even more
especially to crypto code in a widely-used crypto library -- a library
that is widely used because people trust that library to get crypto right.
As a longtime Debian user I'm embarrassed and saddened that Debian screwed
this up so badly.