I think it is important to understand that whatever the problems of the OpenSSL development
team (and I agree there are quite a few), Roeckx did one very wrong thing.
Roeckx introduced a patch into the Debian package without first trying to get it included
upstream. Trying to include your patch upstream will expose it to the many eyes that make
bugs shallow, and will give you useful feedback; after you've gone through that, and fully
understood why your patch was rejected, you can make an informed decision whether to include
it in your package.
It is unfortunate that many distribution maintainers (and Debian is far from being the worst
in that regard) find it easier, faster, cheaper to just include random hacks into their
packages without trying to push them upstream.