Yes, there could be a fake openssl-dev package. But this also needs a plan for how to undo this for users who upgrade, which is hard once a fake package with a higher version number is installed. More and more hacks piling up until I cannot see through anymore.
Unknown.
Depending on the bug, it doesn’t just need reporting. Depending on the gravity of the bug, it would require either fixing (which I could not do) or reverting to openssl.
Debian doesn’t just need suggestions, they need contributions.
I haven’t seen anyone trying to contribute this to Debian and hitting a wall yet.
LibreSSL might have APIs similar to OpenSSL's, but simply replacing the OpenSSL libraries with LibreSSL libraries and preserving the old names of the libraries on the system, without changing the code and recompiling the user program, might not work as expected. It depends on implementation and compilation details and needs to be actually tested.
It would also help to ask LibreSSL developers explicitly if replacing the OpenSSL files which previously were provided by OpenSSL such as /usr/lib/x86_64-linux-gnu/libssl.so.1.1 is supported / sane / expected or if recompilation is advised.
LibreSSL was forked from OpenSSL in 2014. In the 6 years since, has one project had a better track record than the other?
This would need some more citations. Also major distributions switching to LibreSSL or at least discussing this would help.