Status is that I didn't find the time to get moonshot-trust-router dealt with before buster and so I had deprioritized it. There is in fact a new upstream, and it does fix the issue. Blocking on moonshot-trust-router is silly: no one wants the version in unstable anyway. Is it possible to remove openssl and make moonshot-trust-router uninstallable? In my mind the only reason to keep moonshot-trust-router around now is to avoid needing to take a trip through new again when I do fix it post buster.
If you really need me to go deal with moonshot-trust-router now, I'll do that, but my preference for my Debian time is to focus on buster issues.