Let's cut the bullshit and spell out a few things. The IT security industry is about as trustworthy as the food supplement and vitamin industry, but somehow they escaped the same reputation. Their products are overwhelmingly based on flawed ideas, and the quality of their software is exceptionally bad. And while not everyone will agree with the harshness of my words, I'll say this: Essentially everyone in IT security who knows anything in principle knows this.

Today, 16 years ago, Debian published a security advisory announcing CVE-2008-0166, a severe bug in their OpenSSL package that effectively broke the random number generator and limited the key space to a few ten thousand keys. The vulnerability affected Debian+Ubuntu between 2006 and 2008. In 2007, an email signature system called DKIM was introduced. Is it possible that people configured DKIM in 2007, never changed their key, and are still vulnerable to CVE-2008-0166? https://16years.secvuln.info/

Given that I see calls for better support for those random opensource devs that happen to maintain some of the most important pieces of software on the planet: a good friend of mine is maintaining expat - possibly the most important+popular xml library out there - and he has a message in his latest changelog that you may want to read: https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes