If you followed the history of security problems of the non-portable OpenSSH/OpenSSL series of the past few years, you will notice that a lot of the problems unleashed were actual oracles and not typical programming errors like buffer overflows or the likes, but a lot of timing attacks or similar information disclosure vulnerabilities. In some case adding what people are looking for would make for a perfect oracle (e.g. "The key hash was invalid!" or other reasons why a cryptographic operation failed), or in some cases the developers simply got too much used to this non-disclosing programming style. Either way it's not really easy to find the correct balance.
Again, I think you're confusing security with a lazy programming practice. We're talking open source here. The perfect oracle is already there, just not in plain English.
-- Maurice Volaski, mvolaski@xxxxxxxxxxxx Computing Support, Rose F. Kennedy Center Albert Einstein College of Medicine of Yeshiva University
