Understanding glibc malloc

I agree with you that there's a complicated problem to be solved, but I'm not sure I agree with your perspective on a few points.

If the OS is only providing insecure primitives, it should not be each portable program and library's job to fix or work around the security issues individually. Someone's going to get it wrong and do worse.

Using the OS primitives forces them to improve, working around them only promotes the status quo.

Considering these two statements together, I think I understand your position - don't build an intermediate-layer, portable library whose only job is to implement a secure pool allocator; force every operating system to do so instead. But why? Why should that be true for a secure pool allocator, and yet in the same breath not apply to SSL implementations? By your position, OpenSSL and LibreSSL should not exist.

Furthermore, it's easy to have the position that "the operating system should do it, and if they don't, well, fuck 'em until they do" when you happen to work for an organization that both owns an SSL implementation and an OS - OpenBSD in your case.

In the end someone has to write the code. And while a secure pool allocator is a much simpler task than an SSL implementation, I don't see why the concept should be any different:

  • Take the time to build a common foundation that works across a reasonable set of targets.
  • Have that common foundation use the OS where it can and do it itself where the OS can't.
  • Use that common foundation and build upon it to make new and more specific things (secure pool allocators are used in more places than just SSL implementations: hypervisors, red-black implementations, etc).
  • Standardize the interface of such a common foundation so that competing implementations can easily exist, hoping that competition will raise the standard of quality.

The above is true for both a secure pool allocator and an SSL implementation. And if such a software culture existed, Heartbleed might have been better mitigated.

In the end, I feel like your opinion boils down to "OpenBSD's got theirs, screw everybody else". If that's what you want, if you want to use this situation to give OpenBSD an advantage, that's your right (it's your work, you get to decide how it gets used), but I feel like it's poor form if you're going to participate in the open source community. But I want to engage you because I value your opinion and discussion, especially as someone who is an insider.

It might boil down to our difference of perspectives. I'm of the opinion that software should not be used to push agendas; I dislike the GPL for this reason. I'm more of a problem solver - let's make good software, let's try to make our software as universal as reasonable, and let's try to raise the tide for everybody around us. You on the other hand seem to be in favor of using software to effect change in culture/push an agenda, much like those that support and use the GPLs do.

/r/netsec Thread Parent Link - sploitfun.wordpress.com