i am, incidentally, going to continue posting "the openssl maintainers are irresponsible" threads every time they do something irresponsible and its brought to my attention. squeaky wheels get grease, after all.
it has been 8 years since heartbleed, and 7 years since The Linux Foundation began their experiment in ensuring OpenSSL maintenance was properly funded so that they had the correct incentives to properly manage their project in a responsible way.
in my opinion: this experiment has been a total failure. LF / ISRG could have spent this money on commissioning a replacement FIPS-validated TLS implementation and funding the work for projects to switch away from OpenSSL instead. it should have.
OpenSSL 3 is a total disaster from a technical perspective, the providers framework is unnecessarily complex, has introduced performance and backwards compatibility regressions, and only exists to satisfy commercial FIPS module licensing.
to say that LF / ISRG failed to get the desired return on investment is an understatement. their ongoing investment has gotten us a legally dubious relicensing effort, and functionality nobody wanted except for those responsible for selling FIPS modules