
I believe the bug was actually reported but not fixed:

http://www.openldap.org/lists/openldap-devel/200802/msg00072...

All of Howard Chu's analysis in that thread is great, but he didn't discover or report this bug. Reading that message should make it clear; he's talking about sloppy string handling and bad APIs, neither of which has anything to do with this bug, which was mixed-up return code semantics in an internal, static function. Look later in that thread for some other pretty sloppy code he tears apart, though.


The point is that the GnuTLS code quality was obviously crap, the developers were obviously incompetent, and only a fool would trust GnuTLS with their system security. I pointed out numerous problems - more in private emails to the GnuTLS authors and Debian maintainers, not just those published on the list - all related to the sloppy programming practices and inconsistent APIs. This mixed-up return code semantics is just another consequence of those sloppy programming practices. How many ways do you have to see that "this software sucks and the developers don't know WTF they're doing" before you realize you shouldn't be trusting them?
