by hhh 861 days ago
Why should they cut back on their offerings because of a third party plugin?

They can do what they want of course, for me it just sounds like hyperbole. People seem to be unable to give a realistic description of their software, everything always has to be the fastest, most scalable, most secure. Personally it's a red flag especially in regards to security as it shows a cavalier attitude. Using e.g. math/rand instead of crypto/rand is a really basic mistake and something that any decent security reviewer would flag immediately. Trusting headers that can be spoofed is also one of the most basic attack vectors that e.g. a penetration tester will try out when seeing that a server makes use of header information for a security-critical code path. I mean people use this stuff in production to secure personal and other sensitive data, and they do so because the website literally tells them "it's the most secure solution out there". I don't think most people get that the plugins are not part of the official distribution or have a different, much lower standard in terms of engineering security. That's the core issue for me, it's fine if your contributors are burnt out and don't have time to fix security issues, it's not their day job, but then stop telling people your solution is the best, most secure solution out there.

And if they want to support people then pay them, Caddy is owned by a large company so they should be able to pay maintainers for their most security-critical plugins. I really don't want to be too harsh, it's a great piece of software, but I'm tired of this marketing tendency to wildly exaggerate capabilities and properties of software systems.
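The two mistakes named in the comment above (a deterministic PRNG where a secret is needed, and trusting a client-controllable header for an access decision) are easy to show side by side. The Go below is an added example written for this thread; it is not code from Caddy, from caddy-security, or from the commenter. The function names, the trusted-proxy CIDR and the sample addresses are all constructed for the illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	mathrand "math/rand"
	"net"
	"net/http"
	"strings"
)

// predictableToken reproduces the math/rand mistake: the generator is a
// deterministic PRNG, so anyone who can guess the seed can regenerate the
// "secret". Two calls with the same seed return identical output.
func predictableToken(seed int64, n int) string {
	r := mathrand.New(mathrand.NewSource(seed))
	b := make([]byte, n)
	r.Read(b) // deterministic stream, unsuitable for tokens or keys
	return hex.EncodeToString(b)
}

// secureToken is the corrected form: crypto/rand reads from the operating
// system's CSPRNG, and a read failure is surfaced instead of ignored.
func secureToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// clientIP returns the address a security-critical code path should use.
// X-Forwarded-For is honoured only when the direct peer (RemoteAddr) is one
// of the configured trusted proxies; otherwise the socket address wins and
// any client-supplied header is ignored. When the header is honoured, the
// rightmost entry is used because that is the one the trusted proxy
// appended; anything further left was supplied by the client.
func clientIP(r *http.Request, trustedProxies []*net.IPNet) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	peer := net.ParseIP(host)
	trusted := false
	for _, n := range trustedProxies {
		if peer != nil && n.Contains(peer) {
			trusted = true
			break
		}
	}
	if !trusted {
		return host
	}
	xff := r.Header.Get("X-Forwarded-For")
	if xff == "" {
		return host
	}
	parts := strings.Split(xff, ",")
	last := strings.TrimSpace(parts[len(parts)-1])
	if net.ParseIP(last) == nil {
		return host // malformed header value: fall back to the socket peer
	}
	return last
}

func main() {
	fmt.Println("math/rand, seed 1:", predictableToken(1, 8))
	fmt.Println("math/rand, seed 1:", predictableToken(1, 8)) // same value again
	t, err := secureToken(8)
	fmt.Println("crypto/rand:", t, err)

	// Constructed sample: a trusted reverse proxy on 10.0.0.0/8.
	_, proxyNet, _ := net.ParseCIDR("10.0.0.0/8")
	trusted := []*net.IPNet{proxyNet}

	direct := &http.Request{RemoteAddr: "203.0.113.5:4321",
		Header: http.Header{"X-Forwarded-For": {"198.51.100.9"}}}
	fmt.Println("direct client, spoofed header ignored:", clientIP(direct, trusted))

	viaProxy := &http.Request{RemoteAddr: "10.0.0.7:4321",
		Header: http.Header{"X-Forwarded-For": {"198.51.100.9, 203.0.113.5"}}}
	fmt.Println("via trusted proxy, rightmost entry used:", clientIP(viaProxy, trusted))
}
```

The trusted-proxy list is the key piece: without it, any client can set X-Forwarded-For and pick whatever address the access check sees.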

Caddy isn’t owned by a large company. They can barely pay me to work on it full time. I’m striving to up our sponsorships to be able to pay others but right now our team is volunteers.

And this plugin isn’t built or maintained by our core team. It’s third party.

I stand by our marketing.

Thank you for the context! I should have verified this information before aligning.

I went and sponsored a small monthly pledge as a happy Caddy user, and submitted it to my work's sponsorship team.

Thank you for your support! We'll make sure it gets put to good use.

I appreciate the context.

> Caddy is owned by a large company so they should be able to pay maintainers for their most security-critical plugins.

This is the most critical part to me, onboarding your highest-used plugins is probably a good idea.

We definitely don't have the resources to do that. Matt receives some funding from ZeroSSL which helps cover his expenses, and the rest is from sponsorships https://github.com/sponsors/mholt. It's not yet enough to hire any help. That's something Matt would like to do though, as soon as enough companies sponsor.

In fact, while I'm a top contributor, I don't receive anything for my work. I do it as a volunteer. Matt has told me repeatedly he'd like to pay me for my efforts, but I have a full time job already and Caddy is a hobby for me, so I'm not looking to get paid.

But either way, we wouldn't onboard a plugin with such a wide scope as caddy-security. It would take way too much effort for us, and it would bloat the standard distribution with features only a small part of the userbase would need. We're already spread thin as it is, our time is best spent improving and maintaining the existing core feature set.