Option 2 seems to be most democratic, and IMHO only projects that currently help AirVPN infrastructure should be candidates.
For example, LibreSSL seems like a very good idea, but unless we see and use it everyday, I don't think it should be a candidate.
I agree that Option 2 is best; it encourages participation and avoids creating a group of 'elite' members. In the light of this report yesterday http://www.securityweek.com/tech-titans-launch-core-infrastructure-initiative-secure-key-open-source-components I'm not sure how useful LibreSSL will be.
I agree with those two gentlemen.
And no, I don't like the people at LibreSSL. Would you change your girlfriend just because she accidentally sprained your leg? Your leg will be okay somewhen, and you can't know your new girlfriend's secrets.
Sure it's important to have a choice and maybe they are doing the right thing with "cleaning OpenSSL's code" (their own words). But let's just sit down, make a camp fire, sing a song and relax. Let's just find out the destiny of LibreSSL. If security researchers and the time likewise explicitly say "yes, we recommend everyone preferring LibreSSL over OpenSSL" then we can think about funding it. To me it's a newborn and doesn't deserve much attention for now; at least that's what I say.
I figured many would think my suggestion was premature. Part of me does as well.... however...
To play along with your analogy: Imagine you are a fitness and health guru and you met a lovely young lady that shared your passion for fitness. This girl is everything you have been looking for. Attractive, intelligent and the time you spend together is magic. You share your every bit of being. She's the only one for you.
Now imagine that once she got you hooked, knowing you loved her every bit of being, she no longer had to try. She's "the only show in town" and she knows it. She stops going to the gym with you. She stops jogging with you. She stops the healthy eating lifestyle you once shared. She lets herself go and is no longer the fitness queen you wanted to share your life with. She becomes "bloated". To top it off, now she ignores you, and starts to pay attention to other men.
Do you continue to hope she will get back to the woman you fell in love with? Do you look for alternatives? It's hard because we become invested in our relationships, and want/hope for the best concerning those we care about. But you have to do what is best for you. That is what dating is supposed to be about, finding out who is right for us. Sometimes, after dating the beauty queen who didn't appreciate you, you will give more attention to the nerdy girl who appreciates you back...
Privacy and security is our fitness and health passion, and OpenSSL is that girl that seemed to be everything you were looking for. They were not keeping up with you, and they were taking on code for government compatibility programs and code for systems that 99.9999% of the internet don't use and could potentially open vulnerabilities for you.
Whether or not OpenSSL gets fixed, I do not believe we can continue to trust to put all of our eggs in one basket. A little competition, if anything, will be good to drive change at this time. It will encourage them to keep "fit" knowing they could lose their partners. Whether one "likes" them or not is irrelevant, the code that the OpenBSD Foundation puts out has time and time again stood out as some of the best and most secure out there. Most people use code regularly that OpenBSD Foundation created, it even appears in some Windows firewall software. PF is regarded as the most secure firewall, and many people rely on OpenSSH. Yet they almost had to shut down a year ago until a billionaire donated a decent sum. They still only brought in about $60,000 to use on hosting fees and fund developers. It would be a huge loss to the well-being and security of ALL OF US and the internet as a whole if they had to "close shop".
My suggestion was not just for LibreSSL, it was for the OpenBSD Foundation in general.
I hope you all will take a moment to think about that, and the opportunity that security and privacy minded individuals that we all are have to drive change, rather than sit around and be taken for a ride by the same pretty girl who keeps hurting us.
That all being said, my vote won't count (I don't disagree with it either) if option 2 is a requirement, and I don't expect an exception to be made for me. I am most definitely a premium member, but I do not and would not post to the forums from any account I actually connected to the VPN with - I consider it a layer of "plausible deniability". Call me paranoid, but I doubt I am the only one who thinks that way considering how many lurkers there are each day.
So just some food for thought.