Hacker News
by pwg 678 days ago
Indeed. However, this is also the result of "checkbox security". Someone at the DOE has a security compliance form with a list of checkboxes they must check, one of which reads something like: "dependencies are developed in accordance with M-26-34 procedures". They have some custom project created by some contractor (who may or may not be around anymore) that links to libcurl. Therefore, in order to "check the box" on their compliance form about their custom project, they have to find out if libcurl is developed in accordance with M-26-34, and an email such as this one is created and sent.

I’d also bet that this was handed off to a contractor with minimal room for discretion, like when you have an absurd discussion on the phone with someone at a large company and have to remember that they were given rules and are choosing the “don’t get fired” option.