As a US taxpayer, charge them.<p>Charge them, and make sure they understand <i>why</i> - they’re benefiting, and have been benefiting, from software developed at no cost to them. If they want anything, it <i>needs</i> to cost them; otherwise, …
There's going to be a lot more of this, as people in gov work out how tenuous their links to supply chain logistics behind software systems are. When shit hits the fan and you trace it back to libcurl, as a government employee you want to be able to show you at least tried to acknowledge the risk existed, no?<p>I love open source, I love free software. I do actually want my government to front up and acknowledge the risks in building systems to depend on it, and not understanding its precarious nature.<p>An example from nearly 20 years ago is the CMU SNMP library which was embedded in Cisco routers. Maaaaasive worldwide CVE risk which had to be ameliorated, all because of a rational free s/w inclusion. The code was already 10 years old at that point. I doubt anyone from CMU was in the loop.<p>I've also seen the other side: I wrote a 2-line patch to some free s/w and I had to invoke lawyers for a sign-off requested by the s/w org. We were happy, but it's not exactly zero-risk to accept inputs now, if you're in the business of giving code away.
Good, that's crazy and unreasonable to email a company demands (legal and otherwise) when you don't have any contract and have never paid them a dime.