I don't think CSSU is that relevant in this case. You could easily replace libssl0.9.8 with the latest 0.9.8-compatible version (0.9.8y?, we have 0.9.8n), regardless of CSSU or not. It's just libssl.so.0.9.8 and libcrypto.so.0.9.8

If you do apt-cache rdepends libssl0.9.8 (or http://maemo.org/packages/package_in...-1+maemo4+0m5/) you see a whole bunch of packages depending on this specific version. So upgrading to a non-compatible version (1.0.1x) would require recompiling all those packages, some of which we don't have the source code for.

CSSU does not magically provide the source code for closed programs. CSSU merely works around the (arbitrary, non-technical) restriction that some packages cannot be provided in the extras repository, by simply providing another repository. Huh. We own Maemo now, so maybe it's time to dump this restriction and allow safe-upgrading of core packages, without the need to buy the whole CSSU.