
Sure, any consumer of this API really should fix it themselves to have a secure configuration. But I submit that basically none of them are. An API that almost everyone uses wrong is not a good API. When the consequence of using it wrong is poor security, that's a dangerous API.

Knowingly shipping dangerous APIs is irresponsible.

OpenSSL is a god damned shitshow, no questions from me, it's bad, it's dangerous, it's irresponsible.

But they shipped something based on OpenSSL, and now they're making a deliberate decision not to act to protect their users. That's not cool, and that's unacceptable to me. If I actually used Ruby, this would make me reconsider that.




Importantly, every layer in the stack is responsible for its own security. A consumer of this API should be making sure that it's optimally configured and configure it differently where it's not. Any project that isn't doing that should have security reports sent to it to tell it to do that, and if they refuse they are guilty of the same sort of negligence as Ruby core.

However, the fact that other people should also be claiming responsibility for their own security does not absolve Ruby of its own responsibilities.



