From the IBM employee's perspective it should seem reasonable that if he's asking for specifics that take time to figure out and for answers to questions while not contributing anything to the project, that he should pay for those answers in a timely fashion for his benefit. He's treating the GitHub like a support page so I don't see anything wrong with the maintainer offering a support contract in response to that. It would be beneficial to both parties.
If the maintainer said "I'm not releasing this until you grant me a support contract", maybe that would be extortion. Until then, he's simply getting the service he pays for.
There was nothing OP could have done here. The fix was already merged. He's just asking for a tagged release. You cannot submit a PR or contribute to the project in a way to make this happen.
If you think any business will go through a multi-week procurement and contract negotiation process valued at multiple thousands of dollars just to get a release tagged on GitHub, I have bad news for you.
The work was already done per messages that the Twitter author/maintainer conveniently did not screenshot. The only thing they were waiting on was a release, which is something only the maintainer can do. Maybe it's just me, but I think it's unreasonable to be expected to paid to do the basic tasks of a project maintainer.
You do realize you're capable of maintaining an internal company release, right? It just costs money (to IBM), dishing out "thinly veiled demands" is free though.
The work is presumably publicly available in a branch at that point. Nothing is stopping that person from forking the repo, and bundling their own release.
They should fork the entire project and launch a competing project rather than ask for a ballpark for the next release so they can inform their stakeholders?
You seem to be incapable of understanding that it is quite possible and not at all unusual to internally carry patches to dependencies on which your commercial product is built. In this case, the patch merely involves changing two bytes[1], three if you include the pyOpenSSL bump, something a company like IBM should easily be able to do.
Which is why paid licenses have an "Enterprise license" where response times are hours or max a day. I feel all FOSS projects should stop being fully FOSS (yes even if I get hate for saying this so be it) and adopt a mixed model where it is free up until revenue X$ and then commercial. Commercial would automatically entail fast response times (including fixing bugs, tagged releases etc).
The revenue X$ can be something reasonable. Have slabs for various revenue levels starting from something decently high: million dollars and up.