It appears that most people do not need this by default. It does represent relatively recent extra code, and thus added attack surface. It's also not enabled by default in upstream. On these grounds, I think we should not enable it by default.
not sure why you think it's not enabled by default upstream because it is. the code might be confusing because it negates the definition (OPENSSL_NO_HEARTBEATS) and it isn't explicitly *disabled* by default. hence the ebuild enables it by default.
I gave three reasons for disabling, you dismissed just one. Do you think the others are completely worthless?
well, you've provided no data to back up the first claim. that leaves the "extra code" part which isn't really enough to sway me -- upstream enabling it by default is good enough for me.
*** Bug 507322 has been marked as a duplicate of this bug. ***
Some more arguments to consider:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/ssl/Makefile?rev=1.29;content-type=text%2Fx-cvsweb-markup
https://news.ycombinator.com/item?id=7568921
*** Bug 507566 has been marked as a duplicate of this bug. ***