How Heartbleed Happened →
By now the drama of the Heartbleed bug has mostly come and gone — though if you haven’t yet changed the passwords you’d be heartbroken to see compromised, you still need to — but this little piece about how the open source software that allowed it was actually being built is a pleasant little yarn.
The come-and-go, casual nature of the group means that hierarchies aren’t formalized. Marquess can’t say exactly how many people help out with its development at any one time, but directs me to a list on the foundation’s website naming seven active contributors. He points out that until April 23 the list was out of date — and included at least one person who is deceased.
As a result, OpenSSL’s code is a slurry of cobbled-together snippets that work — but only just. It’s strewn with developers’ comments to one another, sandwiched between slashes. Some of them are aesthetic, like, “BIG UGLY WARNING! This is so damn ugly I wanna puke … ARGH! ARGH! ARGH! Let’s get rid of this macro package. Please?” Some are outright petrifying, like the comment that reads, “EEK! Experimental code starts.” They’re unflinchingly honest, yes, but they give an insight into the chaotic nature of the code that makes the program.