How are we to take Ory entreprise licensing seriously if we can't even bump the OSS SDK release for self hosted in 6 months after a security fix was applied on Kratos ?

Hello @sparse-cricket-59561, maybe there is some confusion on the Ory Enterprise License (OEL) - the reason that OEL (and Ory Network to some extent) exists is that so maintainers can be paid to work on the open source product. If you need updates/bugfixes/etc. to any Ory components on a timeline - that is what is guaranteed with OEL or a non-OEL support agreement! At the moment the dart SDK bump does not seem to affect many users, so its not a high priority and can take longer. Other support contracts are also possible if you dont want OEL. I guess the point is if you rely on open source software and it is a critical component of your business you should have some kind of support contract with the supplier. Ory is as flexible as humanly possible with contracts etc. to offer support - but it wont be for free.

I'm self hosting Keycloak and am looking at Ory self hosting as a potential replacement. But seeing this post made me reconsider. Open source/self hosting should not be used as a marketing tool for bait and switch to force users to pay. You're either open or you're not. I hate that Keycloak is old and clunky but love the fact that they are honestly open.

Hey @rapid-baker-84835 Thanks for following up. There is no bait and switch - Ory projects are provided as is under the Apache 2 license. The SDK is not needed to run Ory Kratos/Hydra etc. - it is just a wrapper around the API. You can build your own SDK from the API spec if you want! What is not guaranteed is to do free unpaid work for you to provide these SDKs and other "non-essential" tooling (for example helm charts) on the latest versions - after all this is volunteer work done by Ory employees in 99% of cases.