If your IDE is automatically coloring them out, you might as well actually throw them out. They do not help.
The code does not help me but it does help other people. Throwing it out just because I don't care is selfish and counterproductive.
They only take up space. They won't be tested. They will bit rot as the surrounding code changes.
See above.
It's a lot of mental work to remember all the subtle differences, and why bother if you can just use the standard functions that are everywhere and have been there for 15 years?
Back in the real world we often have to deal with decades old crap including ancient platforms with broken or missing implementations of basic functionality. Closing your eyes, pretending otherwise or not understanding this reality out of ignorance solves nothing.
Okay, I get it. You're a genius superhuman elite hero. You are better than the OpenSSL developers; you wouldn't make a mistake they made with one of these crazy functions that looks standard but isn't.
I'm a superhuman idiot zero who has been contributing to open source projects for decades. What crazy functions specifically are you referencing?
You are better than the OpenBSD developers who need to restyle the code and remove wrappers and layers to make it less confusing to work with.
It does not take a rocket scientist to see the hubris billowing out of unprofessional commit comments. Been around enough to see the difference between making a difference and scratching obsessive compulsive itch. See also hasty deletes subsequently being reversed.. "oops".
Why don't you make your own fork and show the world how much better you are? You could probably do it. The most secure SSL/crypto library. Or would you rather run upstream OpenSSL
I'm happy with OpenSSL project especially now they recently added crypto features I have been waiting the better part of a decade to become field deployable.
If I find any problem in the code I have no reason to believe a vigorous patch would not be happily accepted by the OpenSSL team. OpenSSL is also heavily used by tiny companies like Google. They have made a great number of important contributions.
Or would you rather run upstream OpenSSL since you seem to have disregarded all the bugfixes the OpenBSD developers did, and claim they have no security value?
I made no such claim. I have never said OpenBSD devs have done nothing of value. I simply question the aggregate value of the changes commensurate with the hype used to describe them and think most of the commits I have checked with my own eyes are counterproductive or worthless. Most of them by volume are nothing more than adjustments to spacing between variable names and equal signs.
Of course you know better. You probably audited all the code already...
I will say the absence of anyone publically announcing discovery of any new bugs of substance post heartbleed is telling in and of itself. While I assume OpenSSL is full of undiscovered (or at least undisclosed) security critical bugs if all the code "sucks" as bad as heartbleed did I would expect to see quite a different outcome.
Compared with other security critical system that is as widely deployed I don't know that OpenSSL 's vulnerability track record is out of line from what can be expected.
People talk about OpenBSD developers as if they are gods yet a few seconds of googling shows plenty of dangerous CVE's for OpenSSH flaws disclosed during OpenBSD ownership of the project.
I think more eyes are good. I think anyone who wants to contribute bug fixes or make the project better is good. My objection is in unnecessary removal of functionality others still need and the characterization of OpenBSD commits as substantive when they are mostly shallow format/delete/function swaps. I welcome any and all serious attempts at re-architecting OpenSSL to reduce complexity, chance of error and structures which promote systematic verification of correct behavior. I don't see OpenBSD team doing any of these things as of yet. If they do I am more than happy to cheer them on.
security critical bugs but look at OpenSSH they have had severe problems
important bugs in OpenSSL
headlines of all the shallow bugs in OpenSSL found thanks to increase in number of eyes is itself quite telling.
new eyes finding zillions of shallow actionable bugs