What are you talking about? You argued that merely withholding any information is “security through obscurity”. I gave you an example where that’s obviously not the case. Also, it actually is pretty directly comparable? Curl devs are announcing they will be away from home and their valuables will be up for grabs, because they won’t be around to stop you.
Yes. Obviously.
Perhaps. That’s not really the point though, is it? Also, usually I would pay for a burglar alarm with the expectation it doesn’t just stop working for weeks at a time while the company announces to the world it won’t be working, obviously. As has been discussed, curl is an open source project, and not something I’ve paid for. That distinction is kind of the entire topic at hand. In your effort to obfuscate you’ve created an objectively prima facie worse analogy than the one I presented, especially for the purposes of the argument you think you’re making.
So you are arguing people concerned about security should stop using curl then???
Don’t get me wrong, it absolutely sucks that if there is a 0 day while they are off, it’s gonna suck. But I think the answer of applying pressure and heat to maintainers is also not the answer. Burnout is very real in FOSS, and they are humans doing literal volunteer work.
If this piece of software is so critical for the world, then it’s clear the system is broken in these cases. The world is propped up by FOSS, and it’s clear the gift aspect of said software is taken advantage of.
Last point, they will process security vulnerabilities. But that’s under wolfSSL. So anyone relying on the paid version will be OK. If curl is critical for your infra, consider paying for wolfSSL. So yes you can still get support in this period but ya gotta pay for it.
But what if there is an emergency
Then we get to read about it in August. Or you get a support contract and we get to read about it earlier.
Contracts excluded
Everyone with a paid support contract will of course still get full and appropriate service even during this period.
It’s good they told everyone that they are taking a break because it allows mission critical systems to have all the information so they can choose the best course of action.