
Comment Re:How is that the security industry's fault? (Score 1) 205

[...] we refuse to accept old, working stuff.

To me the situation has been exactly the opposite. I had a job where I had to fight to get old crapware rewritten because "it provably works" (although it has e.g. access after "free"). I have never seen old software that would work with the new requirements in the new environment. Quite the contrary, old software slowly but surely deteriorates with #ifdefs, code nobody dares to remove, hacks that just happen to work as they change timing, you name it. Just like good old OpenSSL.

Same with bridges btw, a 20th century bridge would hardly suffice today (price, time to build, etc.).

Comment Re:What's the solution? (Score 1) 205

But the companies exist solely to make profit for their owners. Which means "time to market", which means "security is not an option - until it is really needed".

For example, I am certain that 99% of Facebook/Twitter/... users don't give a shit how secure it is - especially as they know NSA has unlimited and unaccountable access into it.

Comment Re:This is awesome (Score 1) 217

So what you are effectively saying is "we (foss) did a great job, let's pat each other on the back! Then let's continue our marvellous path of joy and glory".

(translation: we, the cowboy coders, are totally ignoring fatal problems in processes and attitude and won't fix them 'cause we "are better". if the sarcasm was lost in translation, your bad).

Comment Re:This is awesome (Score 1) 217

First, I detest the excuse "some one is worse - or at least you cannot prove it is not, therefore we are actually quite good!"
Then, I call bullshit. Closed source does get "CVE'd" and the companies can be held liable. Foss developers cannot be sued (and get as much money as from G/M/A/...).

But do continue with the same attitude. After the next exploit, and 10 more later, just say "yes, someone out there is worse, especially now as we have fixed ALL known vulnerabilities". Although the new version out next month will probably introduce more new holes than were fixed.

Comment Re:Neat (Score 1) 217

Speed limits are overly conservative, and it is entirely possible to drive fast and drive safely. [...]
I don't pay much attention to speed limits. [...] slowing down when there is additional risk. Additional risk includes [...]

You are a dangerous idiot. Quite often the speed limit is not to protect you, but others. Quite often the (low) speed limit is due to "additional risk", a risk that might be difficult or impossible for the driver to see. Which you have decided to neglect, because you think you are a "better driver". Hint: your reaction time is most likely not significantly smaller than others'.

Comment Re:Style over substance (Score 1) 188

I have never understood, and never will understand, the Coke-phenomenon.
To me all colas are "too strong", they kill the taste of food - so they cannot be drunk with food. But still people do. For thirst - no, again, too much sugar or other sweeteners, it does not take the thirst away. But still people do.

By far the best drink is tap water, for thirst and with most foods (unless you fancy a nice beer or wine, but that is a different story entirely).

Apparently there are even cola connoisseurs like you (not that there's anything wrong with it).

Don't get me wrong, I occasionally do drink a soft drink, but that is mostly to get some sugar into the blood stream.

Comment Re:The Problem Isn't "Free Speech vs Privacy" (Score 1) 278

Newspapers have editors who can be held responsible for the content in the newspaper, search engines do not.
Then the EU does have "government", "police", "judicial system" and "newspapers" as separate entities unaffectable by others (government cannot directly control police, judicial system or newspapers, neither can police control any of the other entities, and so on).

Comment Re:need to get over the "cult of macho programming (Score 1) 231

The allocator was never "100% necessary". It might have been advantageous in some systems, but in the vast majority of systems it has never been more than a hassle. Then when they made OpenSSL unworkable without their allocator - or rather without the undocumented behaviour their allocator happened to have, they should have removed it immediately. But no, they were macho, they thought "we know better".

Comment Re:need to get over the "cult of macho programming (Score 2, Informative) 231

This problem was caused by a simple missed parameter check, nothing more. Stop acting like the cultural problem is with the developers when it is with the leeches who consume their work.

I do not believe you. If this were an isolated case, then you'd be right. But no, this kind of "oops, well now it is fixed" thing happens all the time, over and over again. The culture of the programming never improves due to the error - no matter how simple, no matter that it should have been noticed earlier, no matter what.

I am willing to bet that after the next hole the excuses will be the same: "it was simple, now it is fixed, shut up" and "why don't you make better, shut up" or just "you don't understand, shut up". And still the cowboy-coding continues.

This was caused partially by an unchecked parameter (this should have never happened, there is no excuse for it), partially because the idiots used their own allocator which created the covert channel and prohibited the use of malloc-debug libraries. Libraries which would have found the error - again this should not have happened.

But then, maybe I just should shut up ...
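
An added illustration, not part of the comment above and not OpenSSL code: a simplified model of the two factors the comment names, a length parameter that is not checked and a private freelist that recycles buffers so the stale read stays inside a live allocation. All names (`pool_get`, `pool_put`, `echo`, `leaks_previous`) and the sample data are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64

/* Hypothetical one-slot freelist: a released buffer is recycled as-is and
   never handed back to free(), so a debugging malloc never sees it again. */
static unsigned char *freelist = NULL;

static unsigned char *pool_get(void) {
    unsigned char *b = freelist;
    if (b) { freelist = NULL; return b; }      /* stale contents intact */
    return calloc(1, BUF_SIZE);
}

static void pool_put(unsigned char *b) {
    if (freelist) free(b); else freelist = b;
}

/* Echo `claimed` bytes of a record. check_len == 0 trusts the claimed
   length (the missed parameter check); check_len == 1 validates it. */
static int echo(const unsigned char *rec, size_t rec_len, size_t claimed,
                int check_len, unsigned char *out) {
    if (rec_len > BUF_SIZE || claimed > BUF_SIZE) return -1;
    if (check_len && claimed > rec_len) return -1;
    unsigned char *buf = pool_get();
    if (!buf) return -1;
    memcpy(buf, rec, rec_len);
    memcpy(out, buf, claimed);   /* inside the allocation: tools stay silent */
    pool_put(buf);
    return (int)claimed;
}

/* 1 if a 2-byte record claiming 16 bytes gets bytes of the previous record. */
static int leaks_previous(int check_len) {
    const unsigned char prev[] = "pw=constructed-secret"; /* constructed sample */
    unsigned char out[BUF_SIZE];
    if (echo(prev, sizeof prev - 1, sizeof prev - 1, 1, out) < 0) return -1;
    int n = echo((const unsigned char *)"hi", 2, 16, check_len, out);
    if (n < 0) return 0;                       /* request rejected */
    return memcmp(out + 2, prev + 2, (size_t)n - 2) == 0;
}

int main(void) {
    printf("unchecked: leak=%d\n", leaks_previous(0));
    printf("checked:   leak=%d\n", leaks_previous(1));
    return 0;
}
```

Because every read stays within a buffer the pool still owns, a heap checker has nothing to flag; only the length validation stops the stale bytes from being returned.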
