by ggm 679 days ago
There's going to be a lot more of this, as people in gov work out how tenuous their links to supply chain logistics behind software systems are. When shit hits the fan and you trace it back to libcurl, as a government employee you want to be able to show you at least tried to acknowledge the risk existed, no?

I love open source, I love free software. I do actually want my government to front up and acknowledge the risks in building systems to depend on it, and not understanding its precarious nature.

An example from nearly 20 years ago is the CMU SNMP library which was embedded in Cisco routers. Maaaaasive worldwide CVE risk which had to be ameliorated, all because of a rational free s/w inclusion. The code was already 10 years old at that point. I doubt anyone from CMU was in the loop.

I've also seen the other side: I wrote a 2 line patch to some free s/w and I had to invoke lawyers for a sign-off requested by the s/w org. We were happy, but it's not exactly zero-risk to accept inputs now, if you're in the business of giving code away.

1 comments

It's a beautiful response:

    Hello Department of Energy,

    I cannot find that you are an existing customer of ours, so we cannot fulfill this request.

    libcurl is a product we work on. It is open source and licensed under an MIT-like license in which the distribution and use conditions are clearly stated.

    If you contact support@wolfssl.com we can remedy this oversight and can then arrange for all the paperwork and attestations you need.
cut to: Support and Maintenance

    24x7 & Long Term Support (1 year): $50,000
https://www.wolfssl.com/products/support-and-maintenance/

I imagine for the DoE to get the guarantees they want it might expand somewhat.