Curl will not accept vulnerability reports during July 2026

Posted by secret-noun 2 days ago

Comments

Comment by vessenes 2 days ago

The headline buried the lede -- this is a way to get some summer vacation (niiice) AND encourage enterprise support contracts, which will still have availability. I don't think I've heard of this particular open source / support / summer vacation business model before but I like it!

Comment by throwaw12 2 days ago

I liked the idea as well, maybe OSS should adopt 6 months availability and 6 months for enterprise support schedule. This way both could benefit, OSS gets more funding, enterprise gets support (cheaper than hiring full-time employee for specific OSS)

Comment by bijowo1676 1 day ago

nice idea to time vacation in the summar, right around major security conferences (blackhat, defcon, etc), when large bulk of CVEs get published, to put some fire under the enterprise butts

Comment by jusob 1 day ago

Private disclosures happen well before the presentations.

Comment by charcircuit 2 days ago

Until someone races to the bottom to do 12 months of availability.

Comment by t-writescode 2 days ago

Races to the bottom to … do work exclusively for free and not make any money out of the hopes that they become the most popular OSS toolkit, with an end goal of … what?

Comment by jarym 1 day ago

End goal of complaining that no one pays for their efforts.

Comment by altairprime 1 day ago

Validation, often. Stars and installs make self-worth integer go up, etc.

Greed, sometimes. Gotta get those usercounts high to get acquihired / to sell out / to flip on the paid subs for formerly free features.

I can’t remember the word for “prosocial through lowering cost to zero” is but sometimes that too.

Comment by RetroTechie 1 day ago

> I can’t remember the word for “prosocial through lowering cost to zero” is but sometimes that too.

Wiktionary:

Benevolent, altruistic, unselfish, beneficent, philanthropic, selfless

Comment by altairprime 1 day ago

Philanthropic! Thanks.

Comment by 1 day ago

Comment by simonask 1 day ago

This works for a while. Then you - the programmer - grow up.

Wise customers know this.

Comment by saulpw 1 day ago

But a programmer is born every minute.

Comment by altairprime 1 day ago

Not so much these days.

Comment by embedding-shape 2 days ago

> at they become the most popular OSS toolkit, with an end goal of … what?

Look at how any "FOSS + VC + for-profit" company in the last 5-10 years worked out, and you'll see the playbook.

Comment by codercowmoo 2 days ago

bait and switch

Comment by fragmede 1 day ago

Comment by nkrisc 2 days ago

A race to the bottom of… unpaid work that eliminates the paid work? Can you elaborate?

Comment by zaphirplane 1 day ago

We don’t need to speculate do we, there are tons of real non company run OSS projects

Now I personally wish lawyers and plumbers also got into the free work thing but here we are

Comment by fragmede 1 day ago

Lawyers have a term for it, pro bono, and they do it for good causes. Turns out they're as human as software engineers.

Comment by bityard 1 day ago

> Turns out they're as human as software engineers.

Lawyers start out as humans but something about going into law school and then private practice, and feeding them after midnight turns them into... something else entirely.

Comment by bigiain 1 day ago

Arguably the same is true for some software engineers. One minute they're a good friend that you respect, next thing you know they're building killbots or AI non consensual porn generators or surveillance platforms that are illegal for government agencies to operate. Perhaps it happens more often to lawyers?

Comment by nosioptar 1 day ago

Water is a key ingredient to the transformation. Nerds are less likely to shower than bougie lawyers, so we transform less often.

Comment by mc32 1 day ago

Plumbers are realistic and don’t live on ideals. They set their rates and set their hours. Lawyers; well if if only people behaved we could have nice things in life, but here we are with people trying to screw each other and misbehave…

Digital assets or work are a bit different in that making a second copy is trivial. It’d be different if every computer in the world were bespoke and needed its own bespoke software. So that makes OSS a viable option for those who can but we also can’t expect everyone to default OSS. We can default to asking that the service and prices be reasonable though.

Comment by bigiain 1 day ago

Now I'm imagining a plumber who fixes a drain, then stands up a "fix drain as a service" website where people can put their credit cards in and their drain gets fixed remotely at effectively zero marginal cost to the plumber.

(And then, of course, the plumber gets VC money to expand the business and the drain fix becomes a drain fix subscription, and if you cancel or your credit card expires all your drains instantly block back up again.)

Comment by nextaccountic 2 hours ago

I mean.. isn't this basically open source?

Comment by DaiPlusPlus 2 days ago

AI-slop PRs automerged in response to AI slop bug reports.

Comment by pydry 1 day ago

Coz just about everyone wants to be that one guy in Nebraska thanklessly maintaining this bit of digital infrastructure, apparently?

Yeah me neither.

I think the only thing that would convince people to move away from curl at this point would be if curl had a heartbleed level vulnerability and failed to fix it quickly.

Comment by bombcar 1 day ago

Curl is so important that if it had a heartbleed and didn’t patch, someone would and people’d just apply it until it was fixed in tree.

Comment by inigyou 1 day ago

Individuals don't but lots of companies do, so that they can threaten to rugpull it later if you don't pay them millions.

Comment by throwaw12 2 days ago

then it is up to community to fork the project if they find it valuable and can convince people migrating to their fork.

many engineers actually work that way, right? We are employed for 12 months and give our availability fully to the company and we get salary for it, why isn't it allowed to others?

Comment by londons_explore 2 days ago

A fork of a project that does security patches only is an interesting idea...

Since then a diff of the two projects will be a perfect list of security issues and will make designing an attack rather easy...

Comment by bluGill 1 day ago

Only until the next feature lands in upstream, likely accompanied by some refactoring.

Comment by latexr 2 days ago

That’s just the status quo.

Comment by thunderbong 2 days ago

Please go ahead and fork curl

Comment by ralferoo 1 day ago

Isn't that what we have already?

Comment by nchmy 2 days ago

Ah yes, people will just be clamoring to use hURL

Comment by HugoTea 2 days ago

Or the Rust re-write rURL

Comment by JdeBP 1 day ago

Rusted Cu surely makes that, rather, verdigrURL. (-:

Comment by theandrewbailey 2 days ago

Here I was thinking that cURL's (non-existent) enterprise support contracts were a polite way to tell brain-dead paper pushers to GTFO: https://daniel.haxx.se/blog/2022/01/24/logj4-security-inquir...

Comment by akerl_ 1 day ago

https://curl.se/support.html

What do you mean by non-existent?

Comment by theandrewbailey 1 day ago

The paper pusher didn't have a contract.

Comment by 1 day ago

Comment by plantain 2 days ago

It's an extremely un-European approach. European companies normally ignore their paid customers too from May to August.

Comment by abc123abc123 2 days ago

Incorrect. In europe, either july or august, is the informally agreed upon "vacation month" which means that both customers and vendors scale down and go on vacation, and work slows down to very low levels. That means you need a lot less employees than usual in order to provide for the customers that do not go on vacation.

Comment by embedding-shape 2 days ago

To be fair, at least in Spain, things get really slow during the summer, basically from May to the end of August, even if "officially" everything is just "slow and closed" during August. During August, anything productive is basically impossible to get done, the months around are still slower than the rest of the year.

Of course, "European companies normally ignore their paid customers too from May to August" is factious, but there is a slight hint of truth in there, in that things generally is slower, at least in the South/West countries I'm more familiar with.

Comment by isodev 1 day ago

Vacation months*, plural. All project timelines were aligned to wrap up important things by the end of May. June is still operational but mostly focused on reporting, shaping and generally preparing for September when (mostly) everyone will be back, refreshed and ready for new adventures.

Comment by unethical_ban 1 day ago

Time to start looking for a work visa.

Comment by Muromec 1 day ago

Wait till you figure out what happens around the month of December

Comment by andrewinardeer 1 day ago

Having seafood lunch in 40C temperatures at the beach on Christmas Day?

Comment by unethical_ban 1 day ago

Fortunately December chills work out in the US (IT-wise) too, no one wants to mess with prod changes between Thanksgiving and Christmas.

Comment by patmorgan23 1 day ago

Kinda like how the aerospace industry basically shuts down for the month of December.

Comment by prmoustache 2 days ago

ignore is not the right word.

Comment by limaoscarjuliet 2 days ago

In Poland smaller companies tell you outright: this and that person is on vacation, but plese call back in 2 weeks. Bigger companies will often ignore you and drag your problem through the vacation time.

Comment by prmoustache 2 days ago

> tell you outright

That is not ignoring but announcing a delay.

Bigger companies may have only limited number of people checking the mailboxes in july and august, that doesn't excuse not sending a small reply announcing delays but I guess they take it so much for granted they don't realize other continents aren't used to those kinds of delays. However in May and June every company is totally operational ( that doesn't mean nobody take holidays ). If you request something to one named person, that sole person can have scheduled holidays, parental or medical leave any time of the year. If it is a team mailbox, you should get an answer.

Comment by embedding-shape 2 days ago

> That is not ignoring but announcing a delay.

I think maybe with the American PoV of "the customer is always right", that might basically feel like a slap and the face and being ignored. Of course, we should understand that every human needs to rest during the year, but if you don't have that opportunity yourself by law, maybe you're less knowing about that being a thing in other more modern countries?

Comment by bluGill 1 day ago

In America we generally ensure there are multiple people who can do the job. Somebody can go on vacation no nobody will know because the backup is just as good.

Every once in a while there is an exception. Then that guy says "If your sending me to Australia I'm going to use my vacation to scuba drive the Great Barrier Reef" - and his body is never found. True story, it took months for someone else to figure out everything that guy knew.

Comment by embedding-shape 1 day ago

> In America we generally ensure there are multiple people who can do the job. Somebody can go on vacation no nobody will know because the backup is just as good.

So every single business, everywhere in American, has at least two full-time employees or at least one other backup that is available when you want to vacation and the stores/businesses never close? I'm guessing the ones that don't have that (if they exists), just never have vacation, or how does that work? Sounds like a fever-dream, but I guess if that's what your experience tells you.

Comment by bluGill 1 day ago

Not every single one. Most do though.

Stores remain open because they ensure somebody isn't on vacation and thus able to work. They sometimes give extra pay if you work a holiday (this is rare though - generally there is somebody who wants the hours/pay more than this holiday off - they can take time off a different day).

For small business (think a plumber) it is common to arrange a competitor who will take care of your emergency customers needs.

Comment by SpicyLemonZest 1 day ago

I wouldn't say "every single business", there's no universals. But there's a lot of American business owners who basically don't take vacations until they have enough staff to run things in their absence, and American culture in general treats vacations as much less sacrosanct. I usually check Slack every few days when I'm on vacation, in case something's come up I can quickly help with.

Comment by pinkgolem 2 days ago

I mean, looking at most us company's.. What support?

Comment by zarzavat 2 days ago

> > The bad guys won’t rest

> Probably not. But we will.

A pleasant dose of humanity in decidedly inhuman times.

Comment by Timshel 2 days ago

Especially since it appears there is a solution if you truly need a fix.

> Or you get a support contract and we get to read about it earlier.

Comment by bawolff 2 days ago

> Especially since it appears there is a solution if you truly need a fix.

If you ever really need anything fixed in the open source world, there is always the option of doing it yourself

Comment by matthewdgreen 1 day ago

Doing the fix yourself is almost always the easy part. Disclosing it and getting a patch shipped across the entire Internet is the hard part.

Comment by layer8 1 day ago

Why would you personally need the entire internet to receive a fix?

Comment by matthewdgreen 22 hours ago

I'm thinking of something on the order of Heartbleed. Sure, you fix it in your own servers. Are you sure you're ok with the entire Internet being vulnerable for two months? You don't have any data stored on servers that are outside of your control?

Comment by toast0 1 day ago

It's handy if you run a service and the internet runs clients you didn't write to access said service. (or vice versa)

Also handy if the internet is running a DDoS reflector and you're being targetted.

Otherwise, usually no sense of urgency for fixes I did for me/my employer and want the rest of the world to benefit. My problem is solved now, everyone else can get it when it ships.

Comment by arwineap 1 day ago

Running a fork is a lot of work. You need your fixes upstreamed so that you don't need to backport other people's fixes

Comment by lokar 1 day ago

For a couple months? Not a big deal

Comment by bawolff 1 day ago

Nobody said doing it yourself was neccesarily easy. Its just an option that is there.

Comment by layer8 1 day ago

You don’t need to backport other people’s fixes. You only need to re-merge your patches into updated versions of the upstream (aka vendor branch), which usually is straightforward.

Maybe you mean that if there are many people like you, they’d want to integrate each other’s fixes. But then you’d probably have the combined manpower to start maintaining a true fork.

Comment by alibarber 2 days ago

Yes - and realistically, if you're $BIGCO who's shipped a billion devices with some obscure curl vulnerability you just discovered, then the hard part is going to be rolling out a patch to all of them anyway, which is still a 'you' problem.

Comment by cat_plus_plus 2 days ago

In 2026 there is a considerably cheaper/quicker solution, but that in no way invalidates OSS maintainers' right to enjoy a summer vacation without interruption.

Comment by donw 2 days ago

That was just a beautiful, period.

Comment by Scroll_Swe 19 hours ago

>A pleasant dose of humanity in decidedly inhuman times.

As opposed to when?

Do tell.

I see this crap so much online. You just want an excuse to give up and be a victim. I hear it online and irl. You young people are broken, broken yet you have everything.

How old are you, and where do you live?

Life is better now than ever. I in Sweden can buy everything, access everything, and I own my apartment. Problem?

As opposed to what?

WW1? WW2? Vietnam war and corrupt nixon? The cold war when Russians accidentally invaded Sweden? Nuclear bomb fear? the 90s debt crisis? 90s balkan war? And refugee crisis? 9/11 and all that? 2015 refugee crisis?

When?

What do you compare to?

The truth is, life is getting better. All the time. We had 10% unemployment in 2016 and even worse in 2008 when I graduated. Grow up.

Comment by Natsu 2 days ago

I worry that this will make the bad guys focus on finding zero days during the month they have free to exploit anything they find, but I don't doubt that they need a break.

Comment by Cider9986 2 days ago

Mythos found only one. Would have to be pretty serious bad guys.

https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-v...

Comment by bluGill 1 day ago

Remember though that many other AIs had already run and found issues that were fixed. If you had a time machine and took Mythos back a year it probably would have found a lot more. (if anyone has access to mythos it wouldn't be hard to test - download a release from last year and check)

Comment by etn_se 21 hours ago

> if anyone has access to mythos it wouldn't be hard to test - download a release from last year and check

Mythos might have seen last years bug reports so that might be cheating, kind-of. Bug reports ought to be great study material for LLM training.

Comment by timeinput 1 day ago

Imagine the bugs you'd find in curl from five years ago! I bet there are tons!

Comment by prmoustache 2 days ago

The bad guys wouldn't have submitted a vuln report anyway.

Comment by PunchyHamster 2 days ago

Actually, submitting hundreds of bogus/low impact AI generated ones while you sit on something big might be a viable strategy to delay a project from fixing a hole you're using

Comment by victorbjorklund 2 days ago

Pretty sure if you find a zero day in a software like that you don’t wait until a certain month.

Comment by bvcp 2 days ago

if a company has a problem with this pay for support if its not worth the money …

Comment by Cthulhu_ 2 days ago

Cool, then it's down to everyone using this library to figure out how they can minimize the impact of a zeroday in curl - security should never be down to a single part of a system.

Comment by shevy-java 2 days ago

Is this likely though? If you are an AI slop model that spams out finding bugs and vulnerabilities, would you want to become more active when you see that a project is not actively fixing bugs? Because in my opinion, it really would not matter for any AI model how active a project is, when it comes to FINDING existing loopholes.

In other words, I would always go at full speed (as an evil AI slop model) and most likely never release any findings of flaws and loopholes, so they can be exploited lateron. Bad folks don't want to be caught; remember the xz utils backdoor.

I am sure some AI slop models are used by criminals. And they may exploit things at a later time, but they most likely have found issues already. Not every AI slop model would report.

The notion of "the bad guys will now be more active" is strange really in the AI slop age. (We had the stone age; now we have the slop age)

Comment by patates 2 days ago

For the people here who want to do the same when they are vacation (be completely detached from work): Make it impossible for you to work! Leave your work devices behind! Log out of all accounts, remove 2FA keys after backing them up on paper and tell your partner to not give them back to you for the duration of your vacation, etc. I actually went to a country from which I wasn't allowed to work remotely. Crazy but it was that bad for me.

Signed: Former workaholic.

Comment by nicbou 2 days ago

One of the reasons I left North America for Europe is that such things are normalised. The cultural difference is staggering.

In Germany, if you are on vacation, you are simply not available. You are dead to the world until you return. Emails do not get read, and devices get left at the office.

Another neat thing is that if you get sick on vacation, you get your vacation days back, because vacation days are for resting and recovering.

Comment by blauditore 2 days ago

> if you are on vacation, you are simply not available. You are dead to the world until you return. Emails do not get read, and devices get left at the office.

It's funny because that's kind of the definition of a vacation in my book. I find it weird that some places in the world handle it differently.

Note that it's also much better for the company in the long run: It's a test of resilience and redundany, the famous bus factor. It simulates what happens if someone is not available, and forces the organization around to have a backup plan. Having those is important for cases where employees leave the company or team (switching jobs/teams, accidents, sickness, parental leave, death, burnout, layoffs etc.). It's mind-boggling how many leads at various levels just don't understand that.

Comment by alibarber 2 days ago

I remember vaguely from interning at a bank that there you were actually obliged to be totally isolated from the company for a continuous period of time by policy.

The thinking was that if you were cooking the books of doing some dodgy dealing on the side it would come to light without you there to actively 'manage' it.

Comment by gacgacgac 1 day ago

I'm a senior at a big tech company. You can do this in America too. Just communicate with your manager and set the boundary. "By the way, when I'm on vacation I'm away from devices, so let's coordinate beforehand if there's anything critical path."

Comment by coldpie 1 day ago

100%, and it extends beyond vacations, too. Unless you have a formal on-call arrangement, then any time you spend doing work stuff outside of your work hours is time you are choosing to donate to your company. It's fine if you want to do that, but you don't have to. I work 8-4 every day. I am not contactable outside that window and definitely not contactable on my days off. I haven't worked at a ton of different places, but at the places & teams I have worked with, I've never had anyone object to this policy.

Comment by ryandrake 1 day ago

In the USA at least, I've found that this kind of "not working means not available" arrangement is easier or harder based on your seniority and the kind of company you work for. I am able to hold the line on this now, 25 years into my career, but it took a long time to get to this point, and I never would have been able to swing it when I was a junior programmer, and when I was working in a hyper-work-obsessed startup.

Back in the early 2000s when I was Junior Engineer Number 32204, and not particularly valuable to my medium sized company in a competitive industry, I could never have gotten away with "Oh, by the way, boss, I am totally unreachable nights and weekends, and don't bring work with me on vacation." But, now, quite a bit more senior in my career and working in a "comfortable" big tech role, it's possible.

Comment by ethagnawl 1 day ago

> Back in the early 2000s when I was Junior Engineer ...

I tried something like this over July 4th weekend last time I was full-time anywhere (startup; 2010) and it very quickly devolved into an i-quit-you-cant-quit-i-fired-you situation and the company withholding my final paycheck. (New York State employment law does not mess around and I was eventually paid after dragging the deadbeat through Small Claims.)

It traumatized me and is in large part why I've been a freelancer / running my own consultancy ever since. My self-employed situation is better in some way and worse in others but I can't even imagine what it's like to not have my back against the wall 24/7/365. :(

Comment by lokar 1 day ago

This was mostly my experience. Once I was very Sr and reporting to the VP my solution was people could get in touch via the VP, his admin or my admin. Worked well (there were some things I really did need to be called for).

But not a general solution. But with a good manager can work more broadly. And I did see a couple managers do something similar for their teams, making it clear that if you need emergency attention contact the oncall, if for some reason that won’t do call the manager. This friction alone deals with most issues.

Comment by coldpie 1 day ago

It's a small number of data points, but neither of my two early-career jobs had any expectations like that. I've never explicitly said "I'm not reachable," I just have never worked or responded to work communications outside of work hours, and no one has ever questioned me on it.

Comment by SoftTalker 1 day ago

I've lived and worked in America my entire life, and in my approximately 40 years of working I've never had a job where I was expected or had to arrange to be available during a vacation. For the odd unplanned personal day maybe I'd try to check email and have my phone with me. But vacation, never.

Comment by jayd16 1 day ago

It doesn't need to be arranged. Like you said, we would check email ourselves of our own volition.

Comment by BadBadJellyBean 2 days ago

Not to forget that you get a minimum of four weeks of vacation per year with 30 days being offered most of the time.

This year I used my vacation time well and I already had 3 weeks off while I still have almost 4 weeks left.

Comment by jayd16 1 day ago

> if you get sick on vacation, you get your vacation days back,

This slightly blew my American mind but it makes sense. What about getting sick on calendar holidays?

Comment by zvr 1 day ago

No, you don't get the holidays back -- nor do you get weekends, if you're sick.

On the other hand, I've been in a company where there were long discussions about whether the extra day on leap years is a working day or a vacation day...

Comment by Cthulhu_ 2 days ago

This is how it should be though - nobody should be irreplaceable. Look up bus factor etc.

Comment by fender256 2 days ago

Thanks for the reminder that this shouldn't be taken for granted. I am a German and sometimes this privilege feels so normal that it's unthinkable that it could be different elsewhere in the world.

Comment by nicbou 2 days ago

I help immigrants integrate for a living. Germany can be a frustrating country, but this is one of its best redeeming qualities.

I'd also add that the culture allows and encourages sick days. The average is 15 sick days per year IIRC.

Comment by patates 2 days ago

Totally off-topic, but I read your profile to learn about this: https://allaboutberlin.com - you do awesome work, thank you!

Now I wonder if I could help the immigrants in my area (I'm in Hesse/Hessen), thanks for the inspiration too.

Comment by 2 days ago

Comment by teruakohatu 2 days ago

The average number of sick days used is 15 or the number of days offered?

In New Zealand we get a minimum of 10 sick working days per year but some companies offer more and allow unused sick leave to accumulate.

Comment by Genmutant 2 days ago

You don't have an offered number of sick days in Germany. If you're sick, your sick. At some points (after 6 weeks) the employer stops paying for it, and the payment switches to the health insurance and drops down to 70% of your usual gross salary (with some more specifics).

Comment by tumdum_ 2 days ago

Sick days are not “offered” by employers. Sick days are prescribed by the doctors and there is no upper limit. After all, your sickness will not disappear just because it has been N days. That's at last how it is in Poland.

Comment by Autious 2 days ago

Sweden has 14 sick days no questions asked before you need a doctors note. The German way of having to call your doctor for a flu note is a little odd to me. You do loose the first day's pay (the meme is that too many people were off sick when there was a world cup finals or something), and then 80% pay.

Comment by lionkor 2 days ago

This is not accurate. In Germany, you usually only have to get a doctor's note at 2 or 3 days, if youre only sick for a day or two you don't need one.

And there's an unlimited number of sick days. As long as you have a doctor's note, you still get paid, up to some ridiculous limit at which you might have to get government support instead.

Comment by fabian2k 2 days ago

It's up to the employer, they can ask for a doctor's note from day 1. Many employers have more lenient rules, though.

Comment by inigyou 1 day ago

I think at some limit the health insurance pays back the employer, right?

Comment by jorvi 2 days ago

> You do loose the first day's pay

Many countries have this system and the usual effect is that the duration people are sick for is magically never less than 2 days. It's dumb policy.

Comment by msh 1 day ago

yeah, when denmark switched from loosing first days pay to the first day also being paid sick rates dropped more than enough to pay for it.

Comment by sensanaty 2 days ago

Even the concept that you need permission from your employer to take a sick day is crazy to me. After all, if you're sick, you're sick, not like a hard deadline of 15 days (or whatever) is going to make the sickness go away?

Comment by degamad 1 day ago

The point of the deadline is not that you can't be off work, but that you stop getting paid for not working.

For example, the way it works in Australia is that after you have used up your sick days, you have to take any further absences from work out of your annual leave balance, and once that is exhausted, you switch to leave without pay.

I had a downline team member who once needed to extend their time away from work for over 5 months due to illness. They had been with the company for several years at that point, so they had a reasonable sick leave balance, probably 10 weeks. When it became clear that they needed longer, they used their remaining 4 weeks of annual leave, then took a month of leave without pay, then another. They were still employed, I approved their leave requests each time they needed to extend, and we just used the most appropriate tool that was available at the time.

The thing you're getting permission for is not to be sick, it is to be considered still employed while not doing work, rather than being fired/disciplined for being AWOL.

Comment by account42 1 day ago

And you'd think that it would be in the interest of the employer too to not have people come in with a flu and infect everyone in the office.

Comment by nicbou 1 day ago

I wrote a primer about sick days here: https://allaboutberlin.com/guides/sick-leave

15 is the average. I use it to reassure people that it's okay to take sick days, and not one of those rights that no one dares to use.

Usually, employers ask for a doctors' note after 3 consecutive sick days, but the reason for the sickness remains hidden from the employer. The note just gives a time range, nothing more.

Comment by naturalmovement 2 days ago

It can honestly be annoying, if you're not privvy to it.

I remember years ago needing urgent support for some bespoke European hardware we were developing software for. When we called support, we were greeted with a phone message stating the company was closed for the entire month due to vacation. This was not a one-man operation; the whole office closed for a summer holiday. We thought it was a joke.

Needless to say we started to look for a new vendor shortly thereafter...

Comment by my-next-account 2 days ago

I'm surprised, typically we don't all take vacation at the same time, but stagger it.

Comment by prmoustache 2 days ago

It really depends on the areas. On white collar jobs yes. It is more frequent in blue collars workers because it is easier to close completely or partially (several lines) in a factory than having to manage different vacations schedules. Constructions companies also do stop because you usually need most workers available + hot weather makes it harder anyway. Small/familiar companies also do it frequently because it doesn't make sense to work if you have dependencies on a number or unavailable persons.

Comment by knollimar 2 days ago

I've seen construction companies use all their vacatiom in December in America (since it sucks to work in in the cold)

Comment by calessian 2 days ago

It's not entirely uncommon, even companies like Volkswagen have 3 weeks of summer vacation. Strictly speaking, some people still work there for maintenance, etc. that can't be done while making cars, but the majority is on vacation.

I know a handful of companies with a week of mandatory Christmas vacation as well (but there's typically not too many working days between Christmas and New Years' either way).

Comment by Symbiote 2 days ago

In England, I had summer jobs in factories when I was a teenager, since they needed extra hands to help with cleaning / maintenance during the annual shutdown.

I don't know if this work would have been offered to staff who turned it down, or if they preferred to have their staff on holiday at the same time.

Comment by teruakohatu 2 days ago

My advice is don’t ever buy anything that might need support from New Zealand between 24 Dec and 5 Jan. The entire country is just about closed (other than non-niche consumer stores).

Many companies force staff to take vacation days during this time, and there are four (yes four!) public holidays during this period.

Comment by ffaccount2 1 day ago

Four? Poland has five! (Counting 6th Jan)

Comment by breakingcups 2 days ago

I mean, that's not usual at all in Europe either.

Comment by 542458 2 days ago

I think my POV on this is a bit different than what others are expressing… I don’t mind answering the occasional email while on vacation, but I view it as a fair trade - as long as the company doesn’t mind me handling the occasional personal obligation during work hours I don’t mind handling the occasional work obligation during personal hours. If the company wants to be strict about clock in/out hours or taking PTO for every 30 minute errand or the work trends in a way that routinely exceeds 40 hours per week total then I’ll stop doing work “off the clock”, but so long as they’re willing to be reasonable I’m willing to be reasonable.

Comment by BadBadJellyBean 1 day ago

The idea with vacation is that you don't think about work. When I start vacation I disable all the channels that people usually use so that no one asks me even by accident. There needs to be a time when you are completely undisturbed and disconnected. If you are disturbed by work you will think about work while you answer and maybe even after that. That's not good.

I also think you should normalize for yourself and your workplace that there are times when you are not there. If only you can answer a question then there needs to be better documentation. See it as a trail run for when you get hit by a bus. If they will struggle without you then that is a problem that needs to be fixed. If you are always reachable these problems will never surface.

Comment by 542458 1 day ago

> There needs to be a time when you are completely undisturbed and disconnected. If you are disturbed by work you will think about work while you answer and maybe even after that. That's not good.

IMO this is not a universal truth - I’m sure some people need that level of disconnection, but I don't find I'm one of them. I generally like my job, and don't find that forcing myself to disconnect does me any particular mental good. But other people report needing that separation, and that's fine! I don't think there needs to be a one-size-fits-all answer here.

I do agree with your bus factor argument though.

Comment by jon-wood 1 day ago

I generally work for small companies, and while I'll do something very similar when taking leave (or just at the weekend) I do also make sure someone has contact details for me in the case of anything that truly can't wait until I get back. My experience of doing this has been that people will be judicious about whether something actually warrants interrupting someone's holiday, and it also results in me being less inclined to check in on email/Slack now and again just in case something is up.

Comment by BadBadJellyBean 1 day ago

I was the only full time sysadmin of a 20 person company. I went on vacation for three whole weeks. I was half way around the globe and not reachable. The company still existed after I came back. They did have a problem. They tried to reach me. They couldn't. They figured it out by themselves.

I think we believe ourselves to be more irreplaceable than we are. And if you really think you are irreplaceable then the problem is not going on vacation but being irreplaceable. Because then if something were to happen to you they are screwed.

Comment by jon-wood 22 minutes ago

In one case I was the only full time technical person in the company. This was a very early stage startup that had literally nobody else who would know how to even start reading the code, never mind find the particularly gnarly bug that was causing paid for orders to disappear which surfaced while I was on holiday. (Because I was the only person capable of writing code I could also be pretty certain the bug was one I'd introduced and missed, so I wasn't too grumpy at debugging it from the back of a moving vehicle while on holiday).

Yes, ultimately the problem there is having a bus factor of one, and we resolved that in time but in those early days sometimes there really is nobody else who can fix things.

Comment by Sohcahtoa82 1 day ago

I'm the same.

If I can answer a question with a 30-second response to a Slack message, I will, and I won't mind it as long as it's not frequent. I won't join a call, and I'm only logged into Slack and Outlook on my phone, so if answering requires checking something on Confluence or Jira, I can't help.

Maybe I feel this way because actually being asked something is exceptionally rare. I'll be gone for a week and MAYBE I'll get one message.

Comment by oasisbob 1 day ago

Lock-out vacations were one of my favorite things about being at a bank. Auditors cared about the ability for employees to keep a thumb on the scale, so it was a policy requirement that all workers with a certain amount of access needed to take an uninterrupted vacation of N days, with login ability disabled.

Fantastic tool for shaking out hidden bus factors.

Comment by donw 2 days ago

As a manager, I will quite literally ding people for working when they are supposed to be off.

Work during work time, don't work during not-work time. Good practices mean that everyone is important, but nobody is irreplaceable, the team and the work will move along a little slower, but that's fine.

Comment by gertrunde 2 days ago

Quote from my partner's manager before a vacation:

"If I see you log on, I'll disable your account."

Comment by sensanaty 2 days ago

I had a colleague at my previous company where we had to log her out of everything and ask IT to keep her logged out until their vacation was done every single time. Her water broke during her pregnancy leave and she still replied to someone asking her a question in Slack near real-time, after which we made her uninstall Slack from her phone altogether lol

Some people are just workaholics and need interventions to actually take a proper holiday.

Comment by nottorp 2 days ago

Humm he means figure out everything you’re signed in to before going on vacation and log off?

Personally I’m sure I’d forget to sign out of something.

Comment by orphea 2 days ago

No, they don't mean "you should log off everywhere" literally; rather, "don't open Teams/Slack/${our_corporate_chat_software}".

Comment by nottorp 1 day ago

Do these things even close on mobile? I'm pretty sure I'm always on on everything. I'm good at ignoring them though.

Comment by OoooooooO 2 days ago

Probably more Teams autostart and suddenly you appear in the online list when you are officially on vacation.

Comment by xeonmc 2 days ago

extremely relevant recent Kai Lentit skit:

https://www.youtube.com/watch?v=5E7kBOH9owI

Comment by sevenzero 2 days ago

Being the only dev in a startup since 2 years without a single day off where I wasn't messaged by my employer I want this. At least I'll have a 3 week out of country trip where I do not bring my laptop later this year...

Comment by vkazanov 2 days ago

You should really consider another place to work at, unless you own a massive, measurable chunk of the company in a legally binding way.

The only people who should suffer this much are the true busines owners.

Comment by sevenzero 2 days ago

I don't, but I enjoy a lot of perks that I would not get anywhere else. Thats why I stay. Basically work when I want, where I want. 100% remote if I choose to do so. Very flexible days off (maybe that's also why I am contacted a lot during those days). Almost no meetings, and relatively good pay.

Comment by ffaccount2 1 day ago

>Very flexible days off (maybe that's also why I am contacted a lot during those days).

But... That's not how days off work.

Comment by donw 2 days ago

Honestly, that is just bad management. It can make sense if it's your company, but even then, the risk profile is just off the charts. What happens if your only developer leaves or gets sick?

Real engineers think about handling things when stuff goes wrong, not "everything will be on the happy path forever".

Yes, there are constraints, but to me this sounds like an unacceptable level of exposure.

Comment by GoblinSlayer 2 days ago

That's exploitation, no? You're just scammed into it, because you let it slide.

Comment by orphea 2 days ago

You're a good person.

My manager doesn't stop overworking. When told on peer performance review that we have people who are consistently overwork because they are swamped, he played it down.

But hey, at least he doesn't encourage overworking either.

Comment by dspillett 2 days ago

My company have accidentally forced this on me, and it is great.

I used to have a desktop that I could VPN+RDC into from my personal laptop or desktop to work away from the office¹. I've now got a laptop, that refuses to let me authenticate remotely and they have no interest in fixing that as there are other priorities, so I simply can't work if I don't have that laptop with me and I'm not carting it around when I'm already carting my own around (and if I'm not carrying my own, it is because it isn't a suitable situation to be bringing any laptop).

Not a workaholic, I don't think, but a 24/7 stress monkey when I think that I could be helping. Simply not being able to work away from the office actually helps with that: if there is literally nothing I can do, especially given it is work that has made that impossible, I don't stress the same way.

--------

[1] other than the VPN connector and the MFA doo-hicky on an old² phone, nothing work related, even Teams, even email, ever touches my personal devices

[2] a small old thing, factory reset with a dummy google account and just the MFA apps installed

Comment by dust-jacket 2 days ago

> Not a workaholic, I don't think, but a 24/7 stress monkey when I think that I could be helping

I er... think you might be a workaholic.

But I'm glad for you that your current setup is helping :)

Comment by dspillett 1 day ago

Does it count as being a workaholic when work is just one place it manifests? I class it more “being-useful-aholic”!

Comment by thih9 2 days ago

I now want to seek an on site role and request a desktop computer.

Comment by dminik 2 days ago

This seems like a lot of extra work. If at all possible, just keep your work stuff on your work laptop/computer. And then keep that at home/at work. No need to sign in and out of 20 different accounts.

Comment by patates 2 days ago

> This seems like a lot of extra work

Music to the ears of a workaholic :)

Seriously, that'd be nice if everyone would do this (and I do it now, very strictly) but I also know how easy for one to start blurring the lines between work and personal lives.

Comment by throw0101a 2 days ago

> Leave your work devices behind!

Specifically, if your job offers (a) to pay for your personal phone line, or (b) a work mobile phone, choose (b).

We have the choice at $WORK, and many teammates chose (a) as it allows them to save some money each month on their phone bill, but now you're basically constantly tethered.

Comment by davidgerard 2 days ago

Kai Lentit just dropped a video on precisely this

https://www.youtube.com/watch?v=5E7kBOH9owI

Comment by pjmlp 2 days ago

Easy, that has always been my whole European life, want to reach me on vacations, pay for it.

Comment by coldpie 1 day ago

This is one of the reasons I work in an office every single day. I leave my work laptop there. I don't have any work software on any of my personal devices, including my phone. If I had the ability to check in on work things while out of the office, I probably would, so I make it impossible.

Comment by nunez 1 day ago

This is exactly the move. Work and life should be separate. No work stuff on your personal devices; no personal stuff on your work devices. This way, you can be your best self in both worlds.

Comment by cmxch 1 day ago

Or maybe don’t have devices doing double duty such that 2FA and work devices can be partitioned out from any incidental personal use. That way, even if you have one half of it, you still don’t have enough to attempt work.

Comment by throw93033 2 days ago

> Log out of all accounts, remove 2FA keys after backing them up on paper

Seems like a lot of extra work, just to go on vacation :)

I would suggest another approach. Automate your work, that you can work from your phone. I go on multi day hiking trips, or a week long family beach holidays, without taking PTO...

Edit: I do not get negative reactions. Big part of my work is to monitor system, and answer questions. I spend less time on my phone than most social app users! I still do heavy coding in office a few times a month. And I am self employed for nit pickers.

Work does not have to be sufering, you can enjoy it!

Comment by utopiah 2 days ago

>> Log out of all accounts, remove 2FA keys after backing them up on paper [...]

>> Signed: Former workaholic.

> Seems like a lot of extra work, just to go on vacation :)

That's the point, this person and plenty others, are NOT able to "just" go and disconnect. If you can do that, wonderful for you, but please don't assume others are like you precisely when they are humble enough to clarify that they do have a problem and try to help others to overcome it.

Comment by prmoustache 2 days ago

Just not bringing the devices should be enough.

Comment by utopiah 2 days ago

I regularly advocate for offline moments so I definitely agree on the "how" ... but that's still not my point though.

What I was trying to highlight was that HOW depends on whom you are talking to. Here they just mentioned a deep behavior problem. Saying "just" or "simply" or "should" or "ought to" or anything implying it's really not that hard is probably not going to be encouraging to them.

Comment by prmoustache 2 days ago

yeah but I mean it is the same about logging out accounts or removing 2FA which is what I was really replying to.

If that person doesn't have the mental strength to do any action on their own, I totally agree that they probably need therapy first.

Comment by kelnos 2 days ago

Regarding your edit, you might be ok with going on a multi-day hiking trip or family holiday while still doing some amount of work from your phone, but many of us think that's a bad idea.

Truly disconnecting from our work is necessary for our mental health. When I'm on vacation, I want to be on vacation, which means not working.

Again, maybe you don't want to actually fully be on vacation from work. I guess that's fine; you do you. But I don't think that's healthy for most people, and regardless of health, many people do just want to completely disconnect from work for some number of days.

Comment by Dylan16807 2 days ago

You're basically saying to get a different job.

That's going to work in some situations, but it's not broadly applicable for many reasons. In particular it's way more work than the act of backing up 2FA and logging out of everything. So yeah, it makes a lot of sense for people to think that's not good advice.

Comment by ro_sharp 2 days ago

This is the ideal, but in practice you need to own the business to live this way..

Comment by sayamqazi 2 days ago

Also candy is enjoyable but 24/7 sucking on it is not.

Comment by missingdays 2 days ago

Living your life = sucking on candy?

Comment by throw93033 2 days ago

Imagine some people sleep at work... I get paid for being available, not LARPing at desk!

Much better than 2 hour daily unpaid commute at old job.

Comment by spyc 1 day ago

Both libexpat ("Expat") and uriparser are following the curl security vacation and will not accept new vulnerability reports before 2026-08-01, starting today.

[1] https://github.com/libexpat/libexpat/issues/1277

[2] https://github.com/uriparser/uriparser/issues/323

Comment by tempay 2 days ago

For anyone who thinks this might matter for security:

* curl is mature enough that the chance of an impactful bug is basically zero * if there is such a bug, I'm sure someone will figure out how to get in touch with Daniel and co * if there is such a bug, it's more important that it gets patched in package managers and rolled out. Upstream releases can wait.

Comment by veltas 2 days ago

> if there is such a bug, I'm sure someone will figure out how to get in touch with Daniel and co

No, that is the point, they are not going to accept your vuln report. They are taking a holiday.

Comment by squigz 2 days ago

There's a pretty big difference between a random report submitted via email, and, say, a close friend of the maintainers letting them know a serious vuln was found and they should login.

Comment by akerl_ 2 days ago

Curl maintainers are clearly going to still be using computers to provide support for paid customers.

But the message is pretty clear: if you’re not a paid customer, you are not getting patches or support from upstream during this month.

Plan accordingly.

Comment by BadBadJellyBean 2 days ago

Not if it's a real vacation. If it was me then there would be no way I'd log in. Maybe this will increase the sales of support contracts.

Comment by Sharlin 2 days ago

Except if you pay them for a support contract. So there is a way, and it's actually a pretty obvious way.

Comment by chaz6 2 days ago

I wonder if the likes of Red Hat, SuSE and Canonical have a support contract as they are commercial redistributors.

Comment by inigyou 1 day ago

Probably not. Why pay someone who's willing to work for free? When he stops working for free, then you pay him. Open source is not exempt from economic principles.

Comment by swiftcoder 2 days ago

> curl is mature enough that the chance of an impactful bug is basically zero

Curl is also something that should be thoroughly sandboxed to begin with, because even if there are no vulnerabilities in curl itself, its a tool for downloading arbitrary data over the internet, and you may well accidentally trigger vulnerabilities in every other part of your environment just by downloading arbitrary data to your shell...

Comment by inigyou 1 day ago

curl is the sandbox. It exchanges packets with the internet and then outputs a safely sanitized byte stream.

Comment by swiftcoder 1 day ago

curl is only the sandbox if you don't then do anything with the byte stream.

Pipe it to bash? game over

Pipe it to less/more? Better hope your distro keeps those patched

Open the file in a browser or PDF reader? Hey, look at all this shiny new attack surface!

Comment by inigyou 1 day ago

Well yeah, that's true for any sandbox. If you pipe stuff outside of the sandbox, outside of any sandbox, and run it there, then you're not running it in a sandbox.

Comment by swiftcoder 1 day ago

Right, but nobody actually uses curl as the end destination, right? You use it to download something so that you can run another tool on it.

And as such, you need to already be sandboxing the tool (since it processes untrusted data you received over the internet).

Comment by inigyou 1 day ago

How would sandboxing curl help with vulnerabilities in your pdf reader?

Comment by swiftcoder 1 day ago

Obviously, you need to sandbox all tools in the chain that handles untrusted data. This is security 101 stuff

Comment by layer8 1 day ago

How do you set up the sandbox without having downloaded anything from the internet? I guess there’s still places where you can buy Linux CDs.

Comment by niij 1 day ago

curl is not anti-virus.

Comment by flaburgan 2 days ago

I can only applause this decision. Maintainers of FOSS project are constantly overwhelmed with close to 0 reward and with LLMs now the management of merge requests exploded even further. The fact that they actually keep providing support to paying users is enough.

Comment by laszlojamf 2 days ago

as much as I feel for the maintainers here, this sort of (again) puts the spotlight on our collective dependence on a handful of individuals basically working for free _with no backup_. Most normal organizations stagger vacations to avoid these things. Most normal organizations _have_ to do this, because their customers require it. Here, we're all customers of curl, but not really. It's a weird, IMO unhealthy, twilight zone that isn't good for anybody. And it surprises - and saddens - me that not even friggin curl has the financial muscles to have somebody on-call for one month...

Comment by necovek 2 days ago

You'd be surprised to learn this about free and open source software, but if a maintainer is unavailable, you have both full rights and full source code to... wait for it... fix it yourself (or pay someone to)!

There is something unhealthy in this relationship only if you project "no warranty" into unrealistic expectations.

Comment by ValdikSS 2 days ago

This is true for the majority of open-source projects, but the most serious ones, on which a lot of software/businesses/infrastructure depends, are controlled by foundations or some kind of other management entity.

cURL also offers paid support and also paid access to the rock-solid (LTS) version, with guaranteed response times, and the blog post states that there's still people to respond to these.

Comment by IshKebab 2 days ago

You don't really though. Sure you can fork it and fix your issue, but then what? Are you going to maintain your fork in perpetuity? Are you going to patch all the software that depends on the code you fixed to use your version instead of upstream? Are you going to get your users to do that too?

In most cases this is extremely impractical.

Comment by spiffyk 2 days ago

> but then what?

Then you send the patch upstream, they incorporate and maintain it for you. Congratulations, you just FOSSed.

Comment by swiftcoder 2 days ago

> Then you send the patch upstream, they incorporate and maintain it for you

Firing patches upstream is still adding burden to the (likely already over-burdened) maintainers.

In an ideal world, if you want a patch upstreamed, you would be contributing to upstream maintenance (or at least donating to the upstream maintainers)...

Comment by spiffyk 2 days ago

Fair, but it is less of a burden than just submitting a report with no proposed fix. Also, submitting quality patches regularly seems to be a good way to eventually become a maintainer, provided that both sides are interested (cURL generally is – at least that seemed to be the vibe at the last year's cURL Up event I attended).

Comment by 1 day ago

Comment by necovek 1 day ago

I believe both are valid: sometimes upstreams are not set up for donations, and sometimes your org will make it easier to submit a patch or to financially sponsor a maintainer.

Comment by necovek 1 day ago

We are talking about a case when maintainer is unavailable to do the work: what would happen if this was a proprietary dependency and the maintainer is gone (eg. bankrupt, moved on, incapacitated...)?

There is nothing unusual about this, businesses face this all the time, the only difference is that you do have some agency with FOSS.

What's the alternative when it is not FOSS? Eg. build it yourself from scratch (and maintain it too), or move to a competing product.

Comment by megous 1 day ago

Yes, you can maintain your fork for perpetuity if you can't/will not get your changes upstream. Why is that a problem?

If you're using any complicated FOSS professionally and you have SLA with your customers to say fix issues within day or two you don't have a choice anyway.

Comment by IshKebab 1 day ago

> Why is that a problem?

Because it's a ton of unnecessary work. And because of the other reasons I said.

> If you're using any complicated FOSS professionally and you have SLA with your customers to say fix issues within day or two you don't have a choice anyway.

This is true. I always try to upstream patches anyway though.

Comment by necovek 1 day ago

How do you define unnecessary work if this is... necessary for you?

You are already benefiting from getting the tool/library/system for free, so you can still compare writing the thing you need (necessary?) from scratch or adapting the FOSS solution — maintenance comes with both options.

When you invest enough and are lucky, someone else might just fix the thing for you or pick it up and maintain it for you — but do not count on it, and you are good.

Comment by ed_elliott_asc 2 days ago

They do, he said at the end if you have a support contract then they will respond and deal with security issues.

I guess the whole point of the article is to show that people should buy a support contract if they need support.

Comment by Nnnes 2 days ago

They do.

> Everyone with a paid support contracts will of course still get full and appropriate service even during this period.

Comment by 4ndrewl 2 days ago

It does. The article clearly says that if you have a paid support contract they will be on-call as per usual.

Comment by simjnd 2 days ago

And I'm assuming you're not going to pay for them to have that someone on-call, even though you're worried about this scenario

Comment by bawolff 2 days ago

> And it surprises - and saddens - me that not even friggin curl has the financial muscles to have somebody on-call for one month...

Is it that they can't or don't want to. I'm sure curl is popular enough that it could attract a co-maintainer if it wanted to. Of course there is a cost to that. Software projects done effectively by a single person are often more focused and designed more coherently. I'm not sure curl would be as good a product if there were multiple maintainers with potentially conflicting visions.

Comment by 2 days ago

Comment by simooooo 2 days ago

I wonder how far we are from the agents just maintaining the packages

Comment by inigyou 1 day ago

We have some packages like that, starting with rsync which distributions are having to roll back because it turned into a pile of garbage overnight.

Comment by Imustaskforhelp 2 days ago

The thing which bugs me is that OpenAI (which is an unprofitable company) is spending around what 100k$ per month for an completely AI generated slop called Openclaw. (All because of Hype)

I have seen there to be an more influx of open source software as people are starting to create more software with vibe-coding and other things and just open-sourcing it, which while good in OSS'ing it but its mostly less valuable as compared to the curl codebase which was created by hand and over the years improved itself.

Yet the funding is going towards making more and more (OSS/non-OSS) AI slop by people, companies and dare I say countries yet we are unable to take the same wealth and money into, say, the curl project (and the likes)

There is also an visibility issue. We all know curl and this is the state of curl. Imagine all the projects which we all don't know that much about or aware about going through same issues.

Comment by l23k4 2 days ago

>The thing which bugs me is that OpenAI (which is an unprofitable company) is spending around what 100k$ per month for an completely AI generated slop called Openclaw. (All because of Hype)

For whatever reason, real people seem to desperately want Openclaw regardless of it being AI generated slop.

OpenAI is certainly not wasting the money they're spending on Openclaw, even if I personally wouldn't want to touch that particular piece of software.

Comment by Imustaskforhelp 2 days ago

> For whatever reason, real people seem to desperately want Openclaw regardless of it being AI generated slop.

I can agree with it but I am unsure how much the desperation is out of FOMO or out of real use-cases.

Surely curl has more use-cases and projects relying on it than OpenClaw.

The demand seems to be generated out of hype rather than sustainability. Openclaw project isn't even an year old and from my time hearing about it, it isn't safe or sustainable in any fashion and it seems that the hype around Openclaw has now started to slow down as I hear less about it (which to me is actually a good thing imo) but it shows what the market reality of these tools currently are (at the moment).

Comment by l23k4 2 days ago

>I can agree with it but I am unsure how much the desperation is out of FOMO or out of real use-cases.

I frequently run into people using it, they seem happy with it. I remain highly skeptical about this being a good idea, but I'm quite convinced that many people genuinely really like it and find it useful.

Comment by Imustaskforhelp 2 days ago

> I frequently run into people using it, they seem happy with it. I remain highly skeptical about this being a good idea, but I'm quite convinced that many people genuinely really like it and find it useful.

That can be the case and good for them, at the very least its open source software that they are using and it raises more awareness about them.

But I think that we have strayed a bit afar from my main premise that I think we both agree on that although the value of an project is always subjective and its up to the companies on how they direct the funds to. It's Okay for OpenAI to sponsor Openclaw if they absolutely want to.

But the question is if its entirely reasonable as to a project like Curl getting less funding overall, simply because everyone is using curl underneath but the tech is boring (as I think it should be), but this makes everyone think that curl is well-funded when it isn't.

I think that its a reasonable decision for a company to give a very small chunk if it has massive profits to curl to sponsor the project to be more sustainable, but I am not the one at the decision-making involved in that said company, so I don't know what is the rationale behind blocking or not sponsoring Curl.

Is the rationale that they can get away with not sponsoring curl in the first place and use it with its permissive licenses in its code so why invest/donate the money in first place, but this practise doesn't seem sustainable to me!?

Comment by l23k4 1 day ago

>But the question is if its entirely reasonable as to a project like Curl getting less funding overall, simply because everyone is using curl underneath but the tech is boring (as I think it should be), but this makes everyone think that curl is well-funded when it isn't.

I think the returns fall off really really quickly when you increase investment in a boring, mature project like this.

It might be nice if people sponsored curl more, but the software isn't going to significantly improve because of it.

Comment by eviks 2 days ago

Consumers, not customers

Comment by andylynch 2 days ago

They do. You just seem to expect that it will somehow be free.

Comment by serial_dev 2 days ago

Reminder: ‘the software is provided “as is”…’.

It’s not their problem that you, or anybody else, think you are owed 24/7/365 emergency support.

Comment by romaniv 1 day ago

What this shows me (again) is that the whole system where vulnerabilities need to be constantly discovered, reported, analyzed, then patched, then the new version distributed to every singe user - again and again - is quite obviously unsustainable. The industry must come up with some alternative system for dealing with bugs and security issues. Currently the industry prefers to play dumb and turn its own failures into a profit (rent seeking) opportunity.

Comment by jjice 1 day ago

What's the better solution?

Also, what's an example of this rent seeking in open source you're talking about?

Comment by gpm 1 day ago

> What's the better solution?

IMO Writing correct software the first time around - so formal methods.

But the tooling isn't there yet (though lightweight versions, e.g. strong type systems like rust's, are and significantly reduce the security issue load).

Comment by lofaszvanitt 20 hours ago

Yeah, pay the foss maintainers. Anyone, who uses these projects must pay a minimum fee. Companies expected to pay a lot more.

Comment by fsflover 1 day ago

I think you're right, and the solution is security through compartmentalization. See: https://qubes-os.org.

Comment by low_tech_love 2 days ago

I read one sentence into this and knew directly that the developer must’ve been Swedish!

Comment by robin_reala 2 days ago

For people who aren’t familiar, Sweden takes summer holidays seriously. 25-30 days + public holidays is a normal amount of annual vacation time, and if an employee requests it and has the time available, it’s basically legally required to allow them to take a four-week contiguous summer break.

(See https://www.riksdagen.se/sv/dokument-och-lagar/dokument/sven...)

Comment by low_tech_love 2 days ago

Not only that but the vacation is real. If someone is off then you should not expect them to answer at all (because if you do you’ll get very disappointed).

Comment by mrweasel 1 day ago

This might not be true for Sweden, but Denmark have an interesting rule that makes contacting people in their vacation fairly expensive. If I'm asked to change my plans, my employer needs to compensate me financially. If you get a call and need to work for 30 minutes, then you are entitled to a full replacement day, not just the 30 minutes. For some jobs, interrupting people on vacation simply isn't allowed.

Comment by stavros 2 days ago

I work for a UK company and most people take basically all of August off (I end up with two months of vacation days a year so I take August off and sprinkle some leave around the year) and I can confirm that taking a month off is great. You forget what it's like to work, really.

Comment by gib444 2 days ago

Wow literally never heard of people taking 4 weeks off in the UK. Is this a new thing to deal with child care in the summer holidays?

Is this at the executive level?

Comment by jdsnape 2 days ago

That’s great! It’s very much not the norm here in general tho, in my experience two weeks would be the max people would take off contiguously.

Comment by defrost 2 days ago

Ditto Australia: https://www.fairwork.gov.au/leave/annual-leave

  Full-time and part-time employees get 4 weeks of annual leave, based on their ordinary hours of work.

Comment by gib444 2 days ago

Sweden is fairly unique in allowing the employee to take a 4 week break. Is Australia the same?

2 weeks is the acceptable limit in the UK for example (where also has 20-35 holiday is common) though if you can convince your boss otherwise, you can take longer, but most people can't

Comment by mcbridematt 2 days ago

Some employers "force" their employees to use a portion of their annual leave during the Christmas / New Year shutdown period (usually 24 December -> first full week after New Years Day, if not longer). So you might not be able to use the full 4 weeks continuously.

This can be an unwelcome feature for some people, for example, if you want to have a vacation in the northern hemisphere summer season instead and/or maybe you don't have substantial family in Australia (or at least, those you actually want to see).

The auscorp reddit has a yearly thread on this issue: https://www.reddit.com/r/auscorp/comments/1mw6pqt/end_of_yea...

Those with school aged children might also want to save some of their annual for the mid-term/mid-year breaks as well. (Our academic years are aligned to calendar years)

Comment by defrost 2 days ago

Likely varies by industry - a peer Australian (probably in private IT ?) stated it's uncommon to take a break, whereas I'd say in mining, oil, gas, civil service, police and a good number of structured contract employment its more common.

I've "retired" into agriculture and a lot of farmers take a month off after harvest time to go fishing or other wise relax (this generally means filling up a couple of deep chest freezers with fish for the rest of the year).

Comment by 9dev 1 day ago

In Germany your employer has to grant you two consecutive weeks of vacation by law, and vacation is very rarely denied, even for 3–4 weeks breaks.

Comment by RustyRussell 2 days ago

Yeah, but there's little culture of actually taking that time.

Comment by defrost 2 days ago

I guess our experiences vary - our family had month long adventure vacations most years since the 1970s, and growing up we did a half year tour about the whole country when dad got cumulative long service year.

Comment by inigyou 1 day ago

This is normal in most countries apart from the contiguous break requirement.

Comment by askonomm 2 days ago

I thought it's basically the same in all of EU?

Comment by pdnagilum 2 days ago

Yup, same thought in Norwegian. Norway basically shuts down during July.

Comment by nsbk 2 days ago

Hahaha yeah same here! My $dayjob has offices in Sweden and their summer breaks are legendary. We also have offices in the US, and the culture shock with the Americans never gets old

Comment by on_the_train 2 days ago

I knew instantly that it's him. No one is even remotely as hungry for attention as him.

Comment by lionkor 2 days ago

Here's your reminder that 20-30 days paid vacation plus unlimited sick days (3+ days needs a doctor's note) is normal in Europe (e.g. Germany).

If you get sick during vacation, you get those vacation days "refunded" back. If you suddenly are called in to work, somehow, during vacation, that time cannot be vacation time.

You can't (generally) be fired without a notice period, resulting in job security to such a degree that ~6k in an emergency fund is plenty to be VERY secure, as you also get unemployment support otherwise anyway. Does this result in incompetent people not getting fired? No. You still fire them, you just have to deal with them another month after that. It's not a big price to pay.

How is this all possible? Who subsidizes it? We all simply pay some % of our income to support this system. That's it. A couple percent, a couple bucks, and we get to basically never worry about starving or becoming homeless.

You can have this, too, if you vote and protest and use democracy to make life better, not worse, for everyone.

Comment by insumanth 2 days ago

>> The bad guys won’t rest > Probably not. But we will.

This is Exceptional. Perfect EuroMaxxing

Comment by okeuro49 2 days ago

> Everyone with a paid support contracts will of course still get full and appropriate service even during this period.

Comment by 1 day ago

Comment by ubanholzer 2 days ago

This is great. Good decision.

Comment by rurcliped 1 day ago

With more advance notice, someone could have found resources to fork curl with different vulnerability management expectations, e.g., "will not accept or otherwise handle any vulnerability reports during the month beginning 21 December 2026. We call it The Winter of Our Discontent."

Comment by NietTim 2 days ago

Properly euromaxxing, this is the way.

Comment by Havoc 1 day ago

Why is curl catching so many security issues?

I can see something like nginx being in that spot but curl is primarily user initiated and pointed at a known target rather than internet facing accepting connections

Comment by tredre3 1 day ago

curl isn't more prone to security issues, it's just being talked about more. Daniel has an active blog, is active on social media, and interacts with the community. I don't think the nginx team has that presence, hence if they take a vacation or run mythos on their codebase or have an opinion about AI nobody really knows.

Comment by chopin 1 day ago

It presumably runs in a gazillion scripts.

Comment by vortegne 2 days ago

Wish them nothing but good rest!

Comment by napolux 2 days ago

Funny, I have the same https://www.lafuma-mobilier.fr/ sunbed from the last pic. Also same color. :D

Comment by a13n 2 days ago

what a fantastic advertisement

Comment by eviks 2 days ago

> Contracts excluded

They aren't. If you ignore vulnerability report from an entity without a support contract, the vulnerability doesn't disappear just because the entities with support contracts are not aware of it

Comment by rzmmm 2 days ago

Curl has a ton of features, I can imagine this means fixing small fraction of the vulns affecting only the supporters.

Comment by eviks 2 days ago

Why would you imagine they have any clue about the area of effect if they ignore the report?

Comment by davidgerard 2 days ago

I heartily endorse the Fuck You Pay Me support process.

Comment by fnoef 2 days ago

Based! Amazing approach, enjoy the vacation!

Comment by jimmyblanco 2 days ago

Great to see this stance

Comment by panchtatvam 2 days ago

An evil way to extort money via support contracts.

Comment by siskiyou 1 day ago

If you expect to get paid for doing a job, are you extorting your employer?

Comment by geraldcombs 1 day ago

...so open source developers should know their place and just dedicate themselves to endless, unpaid toil forever and ever, amen?

Comment by UltraSane 1 day ago

If employees are never truly unavailable then companies WILL become overly dependent on them.

Comment by intronic 2 days ago

down-under says: enjoy your summer :)

Comment by stogot 1 day ago

Good for them & haxx!

Comment by shevy-java 2 days ago

So it is holiday season.

I thought this was due to AI slop spam before I read the blog entry.

Comment by HardAnchor 1 day ago

[flagged]

Comment by maxbond 2 days ago

Atlas shrugged, but only for a month. I kid, it's well deserved. I do worry about their contract work loophole - if people disclose vulnerabilities publicly, their clients may pressure them to ship a fix anyway.

Comment by Cider9986 2 days ago

Why was this dead?

Comment by fc417fc802 2 days ago

I've been noticing an unusual number of spuriously dead comments from accounts in good standing for a while now. My suspicion is false positives due to holding back the AI wave yet some of the casualties really don't seem to make any sense.

Comment by maxbond 2 days ago

To be honest I don't think my account is in 100% good standing, but I can't say for certain. There's definitely some dead comments on my account that are deserved and I think there are some small limitations that are or have been placed on it (probably fairly). Mostly around flagging and vouching.

Comment by inigyou 1 day ago

I think that if you get a certain number of comments flagged or downvoted within a certain time window, your account gets flagged as a spammer and has a permanent rate limit applied. Above another threshold, it gets shadowbanned. I think the length of the account's history is also relevant. But https://en.wikipedia.org/wiki/Apophenia

Comment by cubefox 2 days ago

Yeah, I have seen several people who are completely shadowbanned (all comments dead) without any visible reason. There seems to be no way to report this.

Comment by Cider9986 2 days ago

Just email hn@ycombinator.com and Dang will look into it. He responds quick and will always address any concerns.

Comment by cubefox 18 hours ago

It worked, Dang now unbanned this user.

Comment by cubefox 1 day ago

Yeah, I will try, I just came about another one: https://news.ycombinator.com/submitted?id=asxndu

Comment by maxbond 2 days ago

Hmm. Interesting. If it was [dead], probably a false positive from a naughty comment filter; if it was [flagged][dead], difficult to say, potentially even an accident, or maybe people didn't like the joke. Given the non-negative karma, I would guess the first. Regardless, I appreciate the vouch.

Comment by Cider9986 2 days ago

It was just [dead] before I vouched for it. Luckily we have vouching–HN is my favorite moderation system I've seen.

Comment by dist-epoch 2 days ago

[flagged]

Comment by ozim 2 days ago

https://curl.se/libcurl/

Let me Google that for you.

supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, MQTTS, POP3, POP3S, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS and WSS. libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, HTTP/2, HTTP/3, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, Kerberos), file transfer resume, http proxy tunneling and more!

libcurl is highly portable, it builds and works identically on numerous platforms, including Solaris, NetBSD, FreeBSD, OpenBSD, Darwin, HPUX, IRIX, AIX, Tru64, Linux, UnixWare, HURD, Windows, Amiga, OS/2, BeOs, macOS, Ultrix, QNX, OpenVMS, RISC OS, Novell NetWare, DOS and more...

Comment by kitd 2 days ago

TIL it supports mqtt. Happy 10000 day to me :)

Comment by 0x1ceb00da 2 days ago

I'm 90% sure that even the monkey's paw curls.

Comment by hurtigioll 2 days ago

Linux started removing support for obsolete protocols and hardware

Maybe there is place for a minicurl which removes BeOS and Novell NetWare...

Comment by nubinetwork 2 days ago

I think the argument was that curl is fairly feature complete (as shown by your list), is there really that many bugs in curl that require immediate attention?

Comment by maxbond 1 day ago

"Featureful" doesn't imply "feature complete". They appear to release minor versions all the time.

https://curl.se/docs/releases.html

If you dig into them you'll see there's lots of features that aren't adding new protocols. But incidentally they added a new protocol in March (mqtt). You'll also see that the list of bug fixes is prolific.

https://curl.se/ch/8.19.0.html

Comment by sph 2 days ago

Increasingly so, yes.

Comment by maxbond 2 days ago

It's massive and complex codebase. From the looks of it, pretty much what you'd expect, lots of chores, work on the test suite, keeping docs up to date, bug fixes. I didn't see any new features on my light skim but I'm sure they land occasionally.

https://github.com/curl/curl/commits?author=bagder

Comment by geysersam 2 days ago

This is the HTTP/1.1 standard: https://datatracker.ietf.org/doc/html/rfc2616

Then there are also HTTP/2 and HTTP/3.

That's just HTTP, curl supports 27 other protocols.

Comment by dist-epoch 2 days ago

HTTP/1.1 - June 1999

It's not like the standard changed since curl was created

Comment by Jaxan 2 days ago

It (the http rfc) refers to other standards such as for URLs, and those did actually change (to include ipv6 and more internationalisation).

Comment by maxbond 2 days ago

That's a tree, but the rest of that comment is the forest.

Comment by 0x1ceb00da 2 days ago

The entire http, http2, http3, tls, sftp spec for every operating system.

Comment by bawolff 2 days ago

When we are talking about one of the most used pieces of software in the world, there is always things to do.

Comment by advisedwang 1 day ago

What do you work on? My guess is you have an inexhaustible list of work to be done, right? We all do, curl included.

Comment by 2 days ago

Comment by rustyhancock 2 days ago

A curious approach, but I like it!

Wonder if this means just publishing vulnerablities without contact with curl team would be responsible (you have no other path to tell vulnerable users)

Comment by MatthewWilkes 2 days ago

I think very few people would consider that to be responsible disclosure. The common practice is to allow 90 days as a minimum.

Comment by rustyhancock 2 days ago

I think I'd personally develop a minimal patch and then publically disclose.

I'm not sure it's be reasonable to leave an actively exploited critical bug until August. Nor would I be too interested in playing middle man or paying for support from curl to get it out.

Comment by zamadatix 1 day ago

Disclosing an actively used exploit is is usually not treated the same as a typical vulnerability report.

Comment by akerl_ 1 day ago

Reminder that what you're describing is "coordinated disclosure", and that there are in fact plenty of people who consider "full disclosure" to be preferable in some or all cases.

Comment by SweetSoftPillow 2 days ago

It would certainly be irresponsible.

The responsible thing would have been to simply wait another month, considering you've been warned about the delay.

Comment by john_strinlai 1 day ago

the vulnerability is there whether disclosed or not. if you find it, someone else has too. sitting on it is the irresponsible thing.

Comment by CamouflagedKiwi 2 days ago

Given that most of those users will not be capable of patching it directly, no, that seems like it would be irresponsible.

Comment by prmoustache 2 days ago

Why not? Only a tiny fraction of curl user get it from the upstream website/repo. Most users get curl/libcurl from their OS/application vendor or package manager, all of them having their own maintainers. There is no reason a temporary patch couldn't be produced by them in the meantime.

Comment by cmxch 2 days ago

Just publish early due to a documented lack of cooperation. They don’t have to answer, but you dont have to wait.

Naturally some people find that this offensive since this puts a price to that “bliss”.

Comment by Dylan16807 2 days ago

Taking 1/3 of the standard time budget to get back to you isn't ideal, but it's not "a documented lack of cooperation".

And if you find something halfway through the month then oh no two weeks to reply, that's basically a standard business interaction at that point.

Comment by maxbond 2 days ago

Why are you interpreting clear communication of a window of downtime with 2 weeks notice as a "lack of cooperation"? That's what cooperation looks like. It's not explicit but my read was that they're not even taking a vacation - they're just doing the rest of their job, a lot of which is probably going to be shipping fixes for vulnerabilities that are already triaged.

Comment by chias 2 days ago

There are no "rules" for responsible disclosure. We have guidelines that we have broadly accepted, but at the end of the day whether or not you discussed responsibly is in the opinion of your peers.

There's no such thing as "responsible disclosure on a technicality". Don't be a dick, and work in good faith to keep users safe.

Comment by DonHopkins 2 days ago

Wrong, but thanks for documenting how uncooperative you are.

Comment by dxxvi 2 days ago

Today is Jun 15. So, I wonder if somebody + AI can rewrite curl in Rust in 1.5 months. I think it's possible if that person knows all curl features. However, does that person even exist?

Comment by colinsane 1 day ago

curl used to have rust in it, dropped it 1.5 yrs ago. AI doesn't help with the hard parts here i don't think. https://daniel.haxx.se/blog/2024/12/21/dropping-hyper/

Comment by steveklabnik 1 day ago

They dropped the hyper backend, but that wasn’t the only Rust code in tree.

Comment by GoblinSlayer 1 day ago

https://curl.se/docs/security.html - C bugs are marked.

Comment by SoftTalker 1 day ago

If that were possible it would already have been done.

Comment by dxxvi 2 days ago

There are projects like this: urlx, curlio.

Comment by cat_plus_plus 2 days ago

SGTM, if I am worried about a curl exploit, I will type details into Zoo Code prompt and it will disappear in about 30 seconds and then I can upload a PR for others concerned. Enjoy your vacation and I will enjoy security for a lot cheaper than an enterprise contract!