vessenes 2 hours ago [-]
The headline buried the lede -- this is a way to get some summer vacation (niiice) AND encourage enterprise support contracts, which will still have availability. I don't think I've heard of this particular open source / support / summer vacation business model before but I like it!
throwaw12 1 hours ago [-]
I liked the idea as well, maybe OSS should adopt 6 months availability and 6 months for enterprise support schedule. This way both could benefit, OSS gets more funding, enterprise gets support (cheaper than hiring full-time employee for specific OSS)
charcircuit 14 minutes ago [-]
Until someone races to the bottom to do 12 months of availability.
t-writescode 5 minutes ago [-]
Races to the bottom to … do work exclusively for free and not make any money out of the hopes that they become the most popular OSS toolkit, with an end goal of … what?
plantain 1 hours ago [-]
It's an extremely un-European approach. European companies normally ignore their paid customers too from May to August.
prmoustache 37 minutes ago [-]
ignore is not the right word.
zarzavat 3 hours ago [-]
> > The bad guys won’t rest
> Probably not. But we will.
A pleasant dose of humanity in decidedly inhuman times.
Timshel 3 hours ago [-]
Especially since it appears there is a solution if you truly need a fix.
> Or you get a support contract and we get to read about it earlier.
bawolff 2 hours ago [-]
> Especially since it appears there is a solution if you truly need a fix.
If you ever really need anything fixed in the open source world, there is always the option of doing it yourself
cat_plus_plus 2 hours ago [-]
In 2026 there is a considerably cheaper/quicker solution, but that in no way invalidates OSS maintainers' right to enjoy a summer vacation without interruption.
donw 3 hours ago [-]
That was just a beautiful, period.
Natsu 3 hours ago [-]
I worry that this will make the bad guys focus on finding zero days during the month they have free to exploit anything they find, but I don't doubt that they need a break.
Cider9986 2 hours ago [-]
Mythos found only one. Would have to be pretty serious bad guys.
The bad guys wouldn't have submitted a vuln report anyway.
victorbjorklund 1 hours ago [-]
Pretty sure if you find a zero day in a software like that you don’t wait until a certain month.
bvcp 2 hours ago [-]
If a company has a problem with this, pay for support; if it's not worth the money …
shevy-java 32 minutes ago [-]
Is this likely though? If you are an AI slop model that spams out finding bugs and vulnerabilities, would you want to become more active when you see that a project is not actively fixing bugs? Because in my opinion, it really would not matter for any AI model how active a project is, when it comes to FINDING existing loopholes. In other words, I would always go at full speed (as an evil AI slop model) and most likely never release any findings of flaws and loopholes, so they can be exploited later on. Bad folks don't want to be caught; remember the xz utils backdoor.
I am sure some AI slop models are used by criminals. And they may exploit things at a later time, but they most likely have found issues already. Not every AI slop model would report.
The notion of "the bad guys will now be more active" is strange really in the AI slop age. (We had the stone age; now we have the slop age)
patates 3 hours ago [-]
For the people here who want to do the same when they are on vacation (be completely detached from work): Make it impossible for you to work! Leave your work devices behind! Log out of all accounts, remove 2FA keys after backing them up on paper and tell your partner to not give them back to you for the duration of your vacation, etc. I actually went to a country from which I wasn't allowed to work remotely. Crazy but it was that bad for me.
Signed: Former workaholic.
nicbou 2 hours ago [-]
One of the reasons I left North America for Europe is that such things are normalised. The cultural difference is staggering.
In Germany, if you are on vacation, you are simply not available. You are dead to the world until you return. Emails do not get read, and devices get left at the office.
Another neat thing is that if you get sick on vacation, you get your vacation days back, because vacation days are for resting and recovering.
blauditore 21 minutes ago [-]
> if you are on vacation, you are simply not available. You are dead to the world until you return. Emails do not get read, and devices get left at the office.
It's funny because that's kind of the definition of a vacation in my book. I find it weird that some places in the world handle it differently.
Note that it's also much better for the company in the long run: It's a test of resilience and redundancy, the famous bus factor. It simulates what happens if someone is not available, and forces the organization around to have a backup plan. Having those is important for cases where employees leave the company or team (switching jobs/teams, accidents, sickness, parental leave, death, burnout, layoffs etc.). It's mind-boggling how many leads at various levels just don't understand that.
fender256 2 hours ago [-]
Thanks for the reminder that this shouldn't be taken for granted. I am a German and sometimes this privilege feels so normal that it's unthinkable that it could be different elsewhere in the world.
nicbou 1 hours ago [-]
I help immigrants integrate for a living. Germany can be a frustrating country, but this is one of its best redeeming qualities.
I'd also add that the culture allows and encourages sick days. The average is 15 sick days per year IIRC.
patates 60 minutes ago [-]
Totally off-topic, but I read your profile to learn about this: https://allaboutberlin.com - you do awesome work, thank you!
Now I wonder if I could help the immigrants in my area (I'm in Hesse/Hessen), thanks for the inspiration too.
teruakohatu 27 minutes ago [-]
The average number of sick days used is 15 or the number of days offered?
In New Zealand we get a minimum of 10 sick working days per year but some companies offer more and allow unused sick leave to accumulate.
Genmutant 12 minutes ago [-]
You don't have an offered number of sick days in Germany. If you're sick, you're sick. At some point (after 6 weeks) the employer stops paying for it, and the payment switches to the health insurance and drops down to 70% of your usual gross salary (with some more specifics).
tumdum_ 18 minutes ago [-]
Sick days are not “offered” by employers. Sick days are prescribed by the doctors and there is no upper limit. After all your sickness will not disappear just because it has been N days.
Autious 6 minutes ago [-]
Sweden has 14 sick days no questions asked before you need a doctor's note. The German way of having to call your doctor for a flu note is a little odd to me. You do lose the first day's pay (the meme is that too many people were off sick when there was a world cup final or something), and then 80% pay.
naturalmovement 54 minutes ago [-]
It can honestly be annoying, if you're not privy to it.
I remember years ago needing urgent support for some bespoke European hardware we were developing software for. When we called support, we were greeted with a phone message stating the company was closed for the entire month due to vacation. This was not a one-man operation; the whole office closed for a summer holiday. We thought it was a joke.
Needless to say we started to look for a new vendor shortly thereafter...
my-next-account 42 minutes ago [-]
I'm surprised, typically we don't all take vacation at the same time, but stagger it.
prmoustache 31 minutes ago [-]
It really depends on the areas. In white collar jobs yes. It is more frequent for blue collar workers because it is easier to close completely or partially (several lines) in a factory than having to manage different vacation schedules. Construction companies also do stop because you usually need most workers available + hot weather makes it harder anyway. Small/familiar companies also do it frequently because it doesn't make sense to work if you have dependencies on a number of unavailable persons.
calessian 35 minutes ago [-]
It's not entirely uncommon, even companies like Volkswagen have 3 weeks of summer vacation. Strictly speaking, some people still work there for maintenance, etc. that can't be done while making cars, but the majority is on vacation.
I know a handful of companies with a week of mandatory Christmas vacation as well (but there's typically not too many working days between Christmas and New Years' either way).
teruakohatu 34 minutes ago [-]
My advice is don’t ever buy anything that might need support from New Zealand between 24 Dec and 5 Jan. The entire country is just about closed (other than non-niche consumer stores).
Many companies force staff to take vacation days during this time, and there are four (yes four!) public holidays during this period.
breakingcups 34 minutes ago [-]
I mean, that's not usual at all in Europe either.
dspillett 53 minutes ago [-]
My company have accidentally forced this on me, and it is great.
I used to have a desktop that I could VPN+RDC into from my personal laptop or desktop to work away from the office¹. I've now got a laptop, that refuses to let me authenticate remotely and they have no interest in fixing that as there are other priorities, so I simply can't work if I don't have that laptop with me and I'm not carting it around when I'm already carting my own around (and if I'm not carrying my own, it is because it isn't a suitable situation to be bringing any laptop).
Not a workaholic, I don't think, but a 24/7 stress monkey when I think that I could be helping. Simply not being able to work away from the office actually helps with that: if there is literally nothing I can do, especially given it is work that has made that impossible, I don't stress the same way.
--------
[1] other than the VPN connector and the MFA doo-hicky on an old² phone, nothing work related, even Teams, even email, ever touches my personal devices
[2] a small old thing, factory reset with a dummy google account and just the MFA apps installed
thih9 18 minutes ago [-]
I now want to seek an on site role and request a desktop computer.
pjmlp 38 minutes ago [-]
Easy, that has always been my whole European life, want to reach me on vacations, pay for it.
As a manager, I will quite literally ding people for working when they are supposed to be off.
Work during work time, don't work during not-work time. Good practices mean that everyone is important, but nobody is irreplaceable, the team and the work will move along a little slower, but that's fine.
gertrunde 3 hours ago [-]
Quote from my partner's manager before a vacation:
"If I see you log on, I'll disable your account."
nottorp 2 hours ago [-]
Humm he means figure out everything you’re signed in to before going on vacation and log off?
Personally I’m sure I’d forget to sign out of something.
orphea 44 minutes ago [-]
No, they don't mean "you should log off everywhere" literally; rather, "don't open Teams/Slack/${our_corporate_chat_software}".
OoooooooO 46 minutes ago [-]
Probably more Teams autostart and suddenly you appear in the online list when you are officially on vacation.
My manager doesn't stop overworking. When told in the peer performance review that we have people who are consistently overworked because they are swamped, he played it down.
But hey, at least he doesn't encourage overworking either.
sevenzero 2 hours ago [-]
Being the only dev in a startup for 2 years without a single day off where I wasn't messaged by my employer, I want this. At least I'll have a 3 week out of country trip where I do not bring my laptop later this year...
vkazanov 1 hours ago [-]
You should really consider another place to work at, unless you own a massive, measurable chunk of the company in a legally binding way.
The only people who should suffer this much are the true business owners.
GoblinSlayer 28 minutes ago [-]
That's exploitation, no? You're just scammed into it, because you let it slide.
donw 2 hours ago [-]
Honestly, that is just bad management. It can make sense if it's your company, but even then, the risk profile is just off the charts. What happens if your only developer leaves or gets sick?
Real engineers think about handling things when stuff goes wrong, not "everything will be on the happy path forever".
Yes, there are constraints, but to me this sounds like an unacceptable level of exposure.
throw93033 3 hours ago [-]
> Log out of all accounts, remove 2FA keys after backing them up on paper
Seems like a lot of extra work, just to go on vacation :)
I would suggest another approach. Automate your work, that you can work from your phone. I go on multi day hiking trips, or a week long family beach holidays, without taking PTO...
Edit: I do not get negative reactions. Big part of my work is to monitor system, and answer questions. I spend less time on my phone than most social app users! I still do heavy coding in office a few times a month. And I am self employed for nit pickers.
Work does not have to be suffering, you can enjoy it!
utopiah 2 hours ago [-]
>> Log out of all accounts, remove 2FA keys after backing them up on paper [...]
>> Signed: Former workaholic.
> Seems like a lot of extra work, just to go on vacation :)
That's the point, this person and plenty others, are NOT able to "just" go and disconnect. If you can do that, wonderful for you, but please don't assume others are like you precisely when they are humble enough to clarify that they do have a problem and try to help others to overcome it.
prmoustache 28 minutes ago [-]
Just not bringing the devices should be enough.
kelnos 2 hours ago [-]
Regarding your edit, you might be ok with going on a multi-day hiking trip or family holiday while still doing some amount of work from your phone, but many of us think that's a bad idea.
Truly disconnecting from our work is necessary for our mental health. When I'm on vacation, I want to be on vacation, which means not working.
Again, maybe you don't want to actually fully be on vacation from work. I guess that's fine; you do you. But I don't think that's healthy for most people, and regardless of health, many people do just want to completely disconnect from work for some number of days.
Dylan16807 2 hours ago [-]
You're basically saying to get a different job.
That's going to work in some situations, but it's not broadly applicable for many reasons. In particular it's way more work than the act of backing up 2FA and logging out of everything. So yeah, it makes a lot of sense for people to think that's not good advice.
ro_sharp 2 hours ago [-]
This is the ideal, but in practice you need to own the business to live this way..
sayamqazi 2 hours ago [-]
Also candy is enjoyable but 24/7 sucking on it is not.
missingdays 2 hours ago [-]
Living your life = sucking on candy?
throw93033 2 hours ago [-]
Imagine some people sleep at work... I get paid for being available, not LARPing at desk!
Much better than 2 hour daily unpaid commute at old job.
laszlojamf 3 hours ago [-]
as much as I feel for the maintainers here, this sort of (again) puts the spotlight on our collective dependence on a handful of individuals basically working for free _with no backup_.
Most normal organizations stagger vacations to avoid these things. Most normal organizations _have_ to do this, because their customers require it. Here, we're all customers of curl, but not really. It's a weird, IMO unhealthy, twilight zone that isn't good for anybody.
And it surprises - and saddens - me that not even friggin curl has the financial muscles to have somebody on-call for one month...
necovek 3 hours ago [-]
You'd be surprised to learn this about free and open source software, but if a maintainer is unavailable, you have both full rights and full source code to... wait for it... fix it yourself (or pay someone to)!
There is something unhealthy in this relationship only if you project "no warranty" into unrealistic expectations.
ValdikSS 2 hours ago [-]
This is true for the majority of open-source projects, but the most serious ones, on which a lot of software/businesses/infrastructure depends, are controlled by foundations or some kind of other management entity.
cURL also offers paid support and also paid access to the rock-solid (LTS) version, with guaranteed response times, and the blog post states that there's still people to respond to these.
IshKebab 2 hours ago [-]
You don't really though. Sure you can fork it and fix your issue, but then what? Are you going to maintain your fork in perpetuity? Are you going to patch all the software that depends on the code you fixed to use your version instead of upstream? Are you going to get your users to do that too?
In most cases this is extremely impractical.
spiffyk 1 hours ago [-]
> but then what?
Then you send the patch upstream, they incorporate and maintain it for you. Congratulations, you just FOSSed.
ed_elliott_asc 3 hours ago [-]
They do, he said at the end if you have a support contract then they will respond and deal with security issues.
I guess the whole point of the article is to show that people should buy a support contract if they need support.
Nnnes 3 hours ago [-]
They do.
> Everyone with a paid support contracts will of course still get full and appropriate service even during this period.
simjnd 1 hours ago [-]
And I'm assuming you're not going to pay for them to have that someone on-call, even though you're worried about this scenario
4ndrewl 3 hours ago [-]
It does. The article clearly says that if you have a paid support contract they will be on-call as per usual.
bawolff 2 hours ago [-]
> And it surprises - and saddens - me that not even friggin curl has the financial muscles to have somebody on-call for one month...
Is it that they can't or don't want to. I'm sure curl is popular enough that it could attract a co-maintainer if it wanted to. Of course there is a cost to that. Software projects done effectively by a single person are often more focused and designed more coherently. I'm not sure curl would be as good a product if there were multiple maintainers with potentially conflicting visions.
eviks 47 minutes ago [-]
Consumers, not customers
simooooo 2 hours ago [-]
I wonder how far we are from the agents just maintaining the packages
andylynch 1 hours ago [-]
They do. You just seem to expect that it will somehow be free.
Imustaskforhelp 3 hours ago [-]
The thing which bugs me is that OpenAI (which is an unprofitable company) is spending around what 100k$ per month for a completely AI generated slop called Openclaw. (All because of Hype)
I have seen there to be more of an influx of open source software as people are starting to create more software with vibe-coding and other things and just open-sourcing it, which while good in OSS'ing it, is mostly less valuable as compared to the curl codebase which was created by hand and over the years improved itself.
Yet the funding is going towards making more and more (OSS/non-OSS) AI slop by people, companies and dare I say countries, yet we are unable to take the same wealth and money into, say, the curl project (and the likes)
There is also a visibility issue. We all know curl and this is the state of curl. Imagine all the projects which we all don't know that much about or aren't aware of going through the same issues.
l23k4 2 hours ago [-]
>The thing which bugs me is that OpenAI (which is an unprofitable company) is spending around what 100k$ per month for an completely AI generated slop called Openclaw. (All because of Hype)
For whatever reason, real people seem to desperately want Openclaw regardless of it being AI generated slop.
OpenAI is certainly not wasting the money they're spending on Openclaw, even if I personally wouldn't want to touch that particular piece of software.
Imustaskforhelp 1 hours ago [-]
> For whatever reason, real people seem to desperately want Openclaw regardless of it being AI generated slop.
I can agree with it but I am unsure how much the desperation is out of FOMO or out of real use-cases.
Surely curl has more use-cases and projects relying on it than OpenClaw.
The demand seems to be generated out of hype rather than sustainability. The Openclaw project isn't even a year old and from my time hearing about it, it isn't safe or sustainable in any fashion and it seems that the hype around Openclaw has now started to slow down as I hear less about it (which to me is actually a good thing imo) but it shows what the market reality of these tools currently is (at the moment).
l23k4 20 minutes ago [-]
>I can agree with it but I am unsure how much the desperation is out of FOMO or out of real use-cases.
I frequently run into people using it, they seem happy with it. I remain highly skeptical about this being a good idea, but I'm quite convinced that many people genuinely really like it and find it useful.
flaburgan 3 hours ago [-]
I can only applaud this decision. Maintainers of FOSS projects are constantly overwhelmed with close to 0 reward and with LLMs now the management of merge requests has exploded even further.
The fact that they actually keep providing support to paying users is enough.
tempay 2 hours ago [-]
For anyone who thinks this might matter for security:
* curl is mature enough that the chance of an impactful bug is basically zero
* if there is such a bug, I'm sure someone will figure out how to get in touch with Daniel and co
* if there is such a bug, it's more important that it gets patched in package managers and rolled out. Upstream releases can wait.
veltas 2 hours ago [-]
> if there is such a bug, I'm sure someone will figure out how to get in touch with Daniel and co
No, that is the point, they are not going to accept your vuln report. They are taking a holiday.
Sharlin 1 hours ago [-]
Except if you pay them for a support contract. So there is a way, and it's actually a pretty obvious way.
squigz 42 minutes ago [-]
There's a pretty big difference between a random report submitted via email, and, say, a close friend of the maintainers letting them know a serious vuln was found and they should login.
eviks 43 minutes ago [-]
> Contracts excluded
They aren't. If you ignore vulnerability report from an entity without a support contract, the vulnerability doesn't disappear just because the entities with support contracts are not aware of it
rzmmm 26 minutes ago [-]
Curl has a ton of features, I can imagine this means fixing a small fraction of the vulns affecting only the supporters.
eviks 22 minutes ago [-]
Why would you imagine they have any clue about the area of effect if they ignore the report?
low_tech_love 3 hours ago [-]
I read one sentence into this and knew directly that the developer must’ve been Swedish!
robin_reala 3 hours ago [-]
For people who aren’t familiar, Sweden takes summer holidays seriously. 25-30 days + public holidays is a normal amount of annual vacation time, and if an employee requests it and has the time available, it’s basically legally required to allow them to take a four-week contiguous summer break.
Not only that but the vacation is real. If someone is off then you should not expect them to answer at all (because if you do you’ll get very disappointed).
Full-time and part-time employees get 4 weeks of annual leave, based on their ordinary hours of work.
RustyRussell 2 hours ago [-]
Yeah, but there's little culture of actually taking that time.
defrost 9 minutes ago [-]
I guess our experiences vary - our family had month long adventure vacations most years since the 1970s, and growing up we did a half year tour about the whole country when dad got cumulative long service year.
gib444 36 minutes ago [-]
Sweden is fairly unique in allowing the employee to a 4 week break. Is Australia the same?
2 weeks is the acceptable limit in the UK for example (where 20-35 days of holiday is also common), though if you can convince your boss otherwise, you can take longer, but most people can't
defrost 5 minutes ago [-]
Likely varies by industry - a peer Australian (probably in private IT ?) stated it's uncommon to take a break, whereas I'd say in mining, oil, gas, civil service, police and a good number of structured contract employment it's more common.
I've "retired" into agriculture and a lot of farmers take a month off after harvest time to go fishing or otherwise relax (this generally means filling up a couple of deep chest freezers with fish for the rest of the year).
stavros 3 hours ago [-]
I work for a UK company and most people take basically all of August off (I end up with two months of vacation days a year so I take August off and sprinkle some leave around the year) and I can confirm that taking a month off is great. You forget what it's like to work, really.
jdsnape 2 hours ago [-]
That’s great! It’s very much not the norm here in general tho, in my experience two weeks would be the max people would take off contiguously.
gib444 33 minutes ago [-]
Wow literally never heard of people taking 4 weeks off in the UK. Is this a new thing to deal with child care in the summer holidays?
Is this at the executive level?
nsbk 2 hours ago [-]
Hahaha yeah same here! My $dayjob has offices in Sweden and their summer breaks are legendary. We also have offices in the US, and the culture shock with the Americans never gets old
pdnagilum 1 hours ago [-]
Yup, same thought in Norwegian. Norway basically shuts down during July.
> Everyone with a paid support contracts will of course still get full and appropriate service even during this period.
NietTim 2 hours ago [-]
Properly euromaxxing, this is the way.
fnoef 2 hours ago [-]
Based! Amazing approach, enjoy the vacation!
vortegne 3 hours ago [-]
Wish them nothing but good rest!
intronic 3 hours ago [-]
down-under says: enjoy your summer :)
davidgerard 22 minutes ago [-]
I heartily endorse the Fuck You Pay Me support process.
shevy-java 35 minutes ago [-]
So it is holiday season.
I thought this was due to AI slop spam before I read the blog entry.
cat_plus_plus 2 hours ago [-]
SGTM, if I am worried about a curl exploit, I will type details into Zoo Code prompt and it will disappear in about 30 seconds and then I can upload a PR for others concerned. Enjoy your vacation and I will enjoy security for a lot cheaper than an enterprise contract!
maxbond 3 hours ago [-]
Atlas shrugged, but only for a month. I kid, it's well deserved. I do worry about their contract work loophole - if people disclose vulnerabilities publicly, their clients may pressure them to ship a fix anyway.
Cider9986 2 hours ago [-]
Why was this dead?
fc417fc802 1 hours ago [-]
I've been noticing an unusual number of spuriously dead comments from accounts in good standing for a while now. My suspicion is false positives due to holding back the AI wave yet some of the casualties really don't seem to make any sense.
maxbond 1 hours ago [-]
To be honest I don't think my account is in 100% good standing, but I can't say for certain. There's definitely some dead comments on my account that are deserved and I think there are some small limitations that are or have been placed on it (probably fairly). Mostly around flagging and vouching.
cubefox 1 hours ago [-]
Yeah, I have seen several people who are completely shadowbanned (all comments dead) without any visible reason. There seems to be no way to report this.
maxbond 1 hours ago [-]
Hmm. Interesting. If it was [dead], probably a false positive from a naughty comment filter; if it was [flagged][dead], difficult to say, potentially even an accident, or maybe people didn't like the joke. Given the non-negative karma, I would guess the first. Regardless, I appreciate the vouch.
dist-epoch 3 hours ago [-]
> I have been working full-time on curl since 2019. For me, this typically means doing 50 hour work weeks, as I spend all days on it and then I top them off with a few more hours every late night – all days of the week
I wonder what is there to work on curl 50 hour weeks for 7 years?
libcurl is highly portable, it builds and works identically on numerous platforms, including Solaris, NetBSD, FreeBSD, OpenBSD, Darwin, HPUX, IRIX, AIX, Tru64, Linux, UnixWare, HURD, Windows, Amiga, OS/2, BeOs, macOS, Ultrix, QNX, OpenVMS, RISC OS, Novell NetWare, DOS and more...
0x1ceb00da 25 minutes ago [-]
I'm 90% sure that even the monkey's paw curls.
kitd 2 hours ago [-]
TIL it supports mqtt. Happy 10000 day to me :)
hurtigioll 2 hours ago [-]
Linux started removing support for obsolete protocols and hardware
Maybe there is place for a minicurl which removes BeOS and Novell NetWare...
nubinetwork 2 hours ago [-]
I think the argument was that curl is fairly feature complete (as shown by your list), is there really that many bugs in curl that require immediate attention?
sph 2 hours ago [-]
Increasingly so, yes.
maxbond 3 hours ago [-]
It's massive and complex codebase. From the looks of it, pretty much what you'd expect, lots of chores, work on the test suite, keeping docs up to date, bug fixes. I didn't see any new features on my light skim but I'm sure they land occasionally.
That's just HTTP, curl supports 27 other protocols.
dist-epoch 2 hours ago [-]
HTTP/1.1 - June 1999
It's not like the standard changed since curl was created
0x1ceb00da 3 hours ago [-]
The entire http, http2, http3, tls, sftp spec for every operating system.
bawolff 2 hours ago [-]
When we are talking about one of the most used pieces of software in the world, there is always things to do.
rustyhancock 3 hours ago [-]
A curious approach, but I like it!
Wonder if this means just publishing vulnerabilities without contact with the curl team would be responsible (you have no other path to tell vulnerable users)
MatthewWilkes 3 hours ago [-]
I think very few people would consider that to be responsible disclosure. The common practice is to allow 90 days as a minimum.
SweetSoftPillow 2 hours ago [-]
It would certainly be irresponsible.
The responsible thing would have been to simply wait another month, considering you've been warned about the delay.
CamouflagedKiwi 2 hours ago [-]
Given that most of those users will not be capable of patching it directly, no, that seems like it would be irresponsible.
prmoustache 20 minutes ago [-]
Why not? Only a tiny fraction of curl users get it from the upstream website/repo. Most users get curl/libcurl from their OS/application vendor or package manager, all of them having their own maintainers. There is no reason a temporary patch couldn't be produced by them in the meantime.
cmxch 3 hours ago [-]
Just publish early due to a documented lack of cooperation. They don’t have to answer, but you don’t have to wait.
Naturally some people find this offensive since this puts a price on that “bliss”.
Dylan16807 2 hours ago [-]
Taking 1/3 of the standard time budget to get back to you isn't ideal, but it's not "a documented lack of cooperation".
And if you find something halfway through the month then oh no two weeks to reply, that's basically a standard business interaction at that point.
maxbond 44 minutes ago [-]
Why are you interpreting clear communication of a window of downtime with 2 weeks notice as a "lack of cooperation"? That's what cooperation looks like. It's not explicit but my read was that they're not even taking a vacation - they're just doing the rest of their job, a lot of which is probably going to be shipping fixes for vulnerabilities that are already triaged.
chias 1 hours ago [-]
There are no "rules" for responsible disclosure. We have guidelines that we have broadly accepted, but at the end of the day whether or not you discussed responsibly is in the opinion of your peers.
There's no such thing as "responsible disclosure on a technicality". Don't be a dick, and work in good faith to keep users safe.
DonHopkins 1 hours ago [-]
Wrong, but thanks for documenting how uncooperative you are.
https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-v...
In other words, I would always go at full speed (as an evil AI slop model) and most likely never release any findings of flaws and loopholes, so they can be exploited later on. Bad folks don't want to be caught; remember the xz utils backdoor.
I am sure some AI slop models are used by criminals. And they may exploit things at a later time, but they most likely have found issues already. Not every AI slop model would report.
The notion of "the bad guys will now be more active" is strange really in the AI slop age. (We had the stone age; now we have the slop age)
Signed: Former workaholic.
In Germany, if you are on vacation, you are simply not available. You are dead to the world until you return. Emails do not get read, and devices get left at the office.
Another neat thing is that if you get sick on vacation, you get your vacation days back, because vacation days are for resting and recovering.
It's funny because that's kind of the definition of a vacation in my book. I find it weird that some places in the world handle it differently.
Note that it's also much better for the company in the long run: it's a test of resilience and redundancy, the famous bus factor. It simulates what happens if someone is not available, and forces the organization around them to have a backup plan. Having those is important for cases where employees leave the company or team (switching jobs/teams, accidents, sickness, parental leave, death, burnout, layoffs etc.). It's mind-boggling how many leads at various levels just don't understand that.
I'd also add that the culture allows and encourages sick days. The average is 15 sick days per year IIRC.
Now I wonder if I could help the immigrants in my area (I'm in Hesse/Hessen), thanks for the inspiration too.
In New Zealand we get a minimum of 10 sick working days per year but some companies offer more and allow unused sick leave to accumulate.
I remember years ago needing urgent support for some bespoke European hardware we were developing software for. When we called support, we were greeted with a phone message stating the company was closed for the entire month due to vacation. This was not a one-man operation; the whole office closed for a summer holiday. We thought it was a joke.
Needless to say we started to look for a new vendor shortly thereafter...
I know a handful of companies with a week of mandatory Christmas vacation as well (but there's typically not too many working days between Christmas and New Years' either way).
Many companies force staff to take vacation days during this time, and there are four (yes four!) public holidays during this period.
I used to have a desktop that I could VPN+RDC into from my personal laptop or desktop to work away from the office¹. I've now got a laptop that refuses to let me authenticate remotely, and they have no interest in fixing that as there are other priorities, so I simply can't work if I don't have that laptop with me, and I'm not carting it around when I'm already carting my own around (and if I'm not carrying my own, it is because it isn't a suitable situation to be bringing any laptop).
Not a workaholic, I don't think, but a 24/7 stress monkey when I think that I could be helping. Simply not being able to work away from the office actually helps with that: if there is literally nothing I can do, especially given it is work that has made that impossible, I don't stress the same way.
--------
[1] other than the VPN connector and the MFA doo-hicky on an old² phone, nothing work related, even Teams, even email, ever touches my personal devices
[2] a small old thing, factory reset with a dummy google account and just the MFA apps installed
https://www.youtube.com/watch?v=5E7kBOH9owI
Work during work time, don't work during not-work time. Good practices mean that everyone is important, but nobody is irreplaceable, the team and the work will move along a little slower, but that's fine.
"If I see you log on, I'll disable your account."
Personally I’m sure I’d forget to sign out of something.
My manager doesn't stop overworking. When told in a peer performance review that we have people who consistently overwork because they are swamped, he played it down.
But hey, at least he doesn't encourage overworking either.
The only people who should suffer this much are the true business owners.
Real engineers think about handling things when stuff goes wrong, not "everything will be on the happy path forever".
Yes, there are constraints, but to me this sounds like an unacceptable level of exposure.
Seems like a lot of extra work, just to go on vacation :)
I would suggest another approach. Automate your work so that you can work from your phone. I go on multi-day hiking trips, or week-long family beach holidays, without taking PTO...
Edit: I do not get the negative reactions. A big part of my work is to monitor systems and answer questions. I spend less time on my phone than most social app users! I still do heavy coding in the office a few times a month. And I am self-employed, for the nitpickers.
Work does not have to be suffering, you can enjoy it!
>> Signed: Former workaholic.
> Seems like a lot of extra work, just to go on vacation :)
That's the point: this person, and plenty of others, are NOT able to "just" go and disconnect. If you can do that, wonderful for you, but please don't assume others are like you, precisely when they are humble enough to clarify that they do have a problem and try to help others to overcome it.
Truly disconnecting from our work is necessary for our mental health. When I'm on vacation, I want to be on vacation, which means not working.
Again, maybe you don't want to actually fully be on vacation from work. I guess that's fine; you do you. But I don't think that's healthy for most people, and regardless of health, many people do just want to completely disconnect from work for some number of days.
That's going to work in some situations, but it's not broadly applicable for many reasons. In particular it's way more work than the act of backing up 2FA and logging out of everything. So yeah, it makes a lot of sense for people to think that's not good advice.
Much better than a 2-hour daily unpaid commute at my old job.
There is something unhealthy in this relationship only if you project "no warranty" into unrealistic expectations.
cURL also offers paid support and also paid access to the rock-solid (LTS) version, with guaranteed response times, and the blog post states that there's still people to respond to these.
In most cases this is extremely impractical.
Then you send the patch upstream, they incorporate and maintain it for you. Congratulations, you just FOSSed.
I guess the whole point of the article is to show that people should buy a support contract if they need support.
> Everyone with a paid support contract will of course still get full and appropriate service even during this period.
Is it that they can't or don't want to? I'm sure curl is popular enough that it could attract a co-maintainer if it wanted to. Of course there is a cost to that. Software projects done effectively by a single person are often more focused and designed more coherently. I'm not sure curl would be as good a product if there were multiple maintainers with potentially conflicting visions.
I have seen more of an influx of open source software as people start creating more software with vibe-coding and other things and just open-sourcing it, which, while good in that it is OSS, is mostly less valuable compared to the curl codebase, which was created by hand and improved over the years.
Yet the funding is going towards making more and more (OSS/non-OSS) AI slop by people, companies and, dare I say, countries, yet we are unable to put the same wealth and money into, say, the curl project (and the likes).
There is also a visibility issue. We all know curl, and this is the state of curl. Imagine all the projects which we all don't know that much about or aren't aware of going through the same issues.
For whatever reason, real people seem to desperately want Openclaw regardless of it being AI generated slop.
OpenAI is certainly not wasting the money they're spending on Openclaw, even if I personally wouldn't want to touch that particular piece of software.
I can agree with it but I am unsure how much the desperation is out of FOMO or out of real use-cases.
Surely curl has more use-cases and projects relying on it than OpenClaw.
The demand seems to be generated out of hype rather than sustainability. The Openclaw project isn't even a year old, and from my time hearing about it, it isn't safe or sustainable in any fashion, and it seems that the hype around Openclaw has now started to slow down as I hear less about it (which to me is actually a good thing imo), but it shows what the market reality of these tools currently is (at the moment).
I frequently run into people using it, they seem happy with it. I remain highly skeptical about this being a good idea, but I'm quite convinced that many people genuinely really like it and find it useful.
* curl is mature enough that the chance of an impactful bug is basically zero
* if there is such a bug, I'm sure someone will figure out how to get in touch with Daniel and co
* if there is such a bug, it's more important that it gets patched in package managers and rolled out. Upstream releases can wait.
No, that is the point, they are not going to accept your vuln report. They are taking a holiday.
They aren't. If you ignore a vulnerability report from an entity without a support contract, the vulnerability doesn't disappear just because the entities with support contracts are not aware of it.
(See https://www.riksdagen.se/sv/dokument-och-lagar/dokument/sven...)
2 weeks is the acceptable limit in the UK for example (where 20-35 days of holiday is also common), though if you can convince your boss otherwise, you can take longer, but most people can't.
I've "retired" into agriculture and a lot of farmers take a month off after harvest time to go fishing or otherwise relax (this generally means filling up a couple of deep chest freezers with fish for the rest of the year).
Is this at the executive level?
I thought this was due to AI slop spam before I read the blog entry.
I wonder what there is to work on in curl for 50-hour weeks for 7 years?
Let me Google that for you.
supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, MQTTS, POP3, POP3S, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS and WSS. libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, HTTP/2, HTTP/3, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, Kerberos), file transfer resume, http proxy tunneling and more!
libcurl is highly portable, it builds and works identically on numerous platforms, including Solaris, NetBSD, FreeBSD, OpenBSD, Darwin, HPUX, IRIX, AIX, Tru64, Linux, UnixWare, HURD, Windows, Amiga, OS/2, BeOS, macOS, Ultrix, QNX, OpenVMS, RISC OS, Novell NetWare, DOS and more...
Maybe there is place for a minicurl which removes BeOS and Novell NetWare...
https://github.com/curl/curl/commits?author=bagder
Then there are also HTTP/2 and HTTP/3.
That's just HTTP, curl supports 27 other protocols.
It's not like the standard has changed since curl was created.
Wonder if this means just publishing vulnerabilities without contacting the curl team would be responsible (you have no other path to tell vulnerable users).