I am surprised by the lack of corporate sponsors [1].<p>1. <a href="https://www.openssl.org/support/acks.html" rel="nofollow">https://www.openssl.org/support/acks.html</a>
This is being discussed on the systemd-devel mailing list as well @ <a href="https://lists.freedesktop.org/archives/systemd-devel/2021-September/046869.html" rel="nofollow">https://lists.freedesktop.org/archives/systemd-devel/2021-Se...</a>
Maybe this is paranoid but they tell you how to check the hash of the download using openssl itself.<p>A compromised version of openssl could detect itself and return the "correct" hash.
Since there were so many TLS security bugs due to its complexity, is there any push to replace it with something simpler and with fewer choices and attack surface?<p>Google gave us HTTP/2/3, but don't seem to care about fixing TLS.
Do you enjoy Perl-constructed header files? VMS support? Inconsistent error codes across APIs? Then OpenSSL is for you.<p>None of the problems have been fixed.