The problem with these sorts of discussions is both sides always want to have it both ways. When the complaint is they aren't doing something and that's against the spirit of the thing, the response is "show me the contract that says I have to do it". But when it comes to talking about how their opponent is being unfair, the words of the contract don't matter anymore. That's just not how things work, either the contract is all controlling, or the relative behaviors and non-contractual expectations matter.

Matt might well be throwing a temper tantrum, and almost certainly causing brand damage, and the result of the conflict might be actual harm to end users. BUT WP Engine doesn't get to hide behind the limits of their obligations under the open source licenses and then shift the blame they should rightfully be taking onto Matt because of his temper tantrum. Real users are not getting security updates or features they expected because the company / vendor they are buying their product from did not do due diligence to secure their supply chain. Matt could decide tomorrow to stop releasing new WP versions, or change the license (modulo CLA stuff). It's not like sudden, fundamental changes to the upstream licensing / sourcing hasn't been a constant source of headlines and conflicts for the last few years now. CentOS, Redis, HashiCorp, Akka, CockroachDB, and many more projects have fundamentally "altered the deal" and downstream customers relying on them have been caught in the crossfire. Heck, even the GPL2 vs GPL3 debate is an example of this. Are all the projects that switched to GPL3 for anti-TiVoization clauses guilty of throwing temper tantrums? Plenty of real world users were harmed by moves to GPL3, for example, Bash on macOS is stuck at 3.2 and users were forced to migrate to zsh over this move.

> There's no way to operate these features without WordPress infrastructure

Is WordPress not open source? What stops WPEngine from doing it themselves, they have the source. If its too hard, well that might explain then why their upstream vendor wants some compensation for the work. We (rightfully) criticize commercial companies for not putting resources into the huge numbers of open source projects and labor that underpins their very existence. Well this is another example of that. If an upstream source is so critical to your business that its loss would cripple you or your customers... maybe consider spending some money on securing and retaining access to that source.

> Real users are not getting security updates or features they expected because the company / vendor they are buying their product from did not do due diligence to secure their supply chain.

It's not WPE's supply chain, it's the end users' supply chain. There's no way they could have seen this coming. Targeting WPE was essentially arbitrary. Users are affected because WPE was cut off, not because they did anything wrong.

> BUT WP Engine doesn't get to hide behind the limits of their obligations under the open source licenses

I'm curious to know what you think they should have done, because other then just heap money on a literal direct competitor, I can't imagine what they could have done.

> Is WordPress not open source? What stops WPEngine from doing it themselves, they have the source.

How are they supposed to have a copy of all the updates if they're blocked? This is such a nonsense suggestion. Of course they could run the servers, but those are empty servers with no data.

> If an upstream source is so critical to your business that its loss would cripple you or your customers... maybe consider spending some money on securing and retaining access to that source.

You're only just defending Automattic's literally extortion tactics. Should I as a user be worried that Linode or Hetzner will be blocked next because they aren't paying a tithe to WordPress?

> I'm curious to know what you think they should have done, because other then just heap money on a literal direct competitor, I can't imagine what they could have done.

I suppose not pissing off their single and sole supplier of the product they're reselling to their customers might have been a smart move. If you buy your product from your competition, you probably need to stay on their good side. Maybe not re-selling a product when their continued access to the product was controlled by a competitor might also have been a good idea.

> Of course they could run the servers, but those are empty servers with no data.

Do they not have the source? Probably time to start hiring some developers and make their own patches for security issues in the product they're selling. No warranty express or implied is exactly that. They get the software, they get the source. Everything else is a bonus. Especially if the defense of their conduct is that there's no obligation for them to have done anything more than the license required of them.

> Should I as a user be worried that Linode or Hetzner will be blocked next because they aren't paying a tithe to WordPress?

Yes, you probably should be. Any time you're reliant on a single source of failure for a critical component of your business you should be worried about it. Sometimes you accept the risk and nothing happens. And sometimes you accept the risk and something does happen and you learn why redundancy is important.