> Probably not. But we will.
A pleasant dose of humanity in decidedly inhuman times.
Timshel 29 minutes ago [-]
Especially since it appears there is a solution if you truly need a fix.
> Or you get a support contract and we get to read about it earlier.
Natsu 15 minutes ago [-]
I worry that this will make the bad guys focus on finding zero days during the month they have free to exploit anything they find, but I don't doubt that they need a break.
donw 33 minutes ago [-]
That was just a beautiful, period.
tempay 3 minutes ago [-]
For anyone who thinks this might matter for security:
* curl is mature enough that the chance of an impactful bug is basically zero
* if there is such a bug, I'm sure someone will figure out how to get in touch with Daniel and co
* if there is such a bug, it's more important that it gets patched in package managers and rolled out. Upstream releases can wait.
patates 34 minutes ago [-]
For the people here who want to do the same when they are on vacation (be completely detached from work): make it impossible for you to work! Leave your work devices behind! Log out of all accounts, remove 2FA keys after backing them up on paper and tell your partner not to give them back to you for the duration of your vacation, etc. I actually went to a country from which I wasn't allowed to work remotely. Crazy, but it was that bad for me.
Signed: Former workaholic.
donw 32 minutes ago [-]
As a manager, I will quite literally ding people for working when they are supposed to be off.
Work during work time, don't work during not-work time. Good practices mean that everyone is important, but nobody is irreplaceable; the team and the work will move along a little slower, but that's fine.
https://www.youtube.com/watch?v=5E7kBOH9owI
Quote from my partner's manager before a vacation:
"If I see you log on, I'll disable your account."
throw93033 17 minutes ago [-]
> Log out of all accounts, remove 2FA keys after backing them up on paper
Seems like a lot of extra work, just to go on vacation :)
I would suggest another approach. Automate your work so that you can work from your phone. I go on multi-day hiking trips, or week-long family beach holidays, without taking PTO...
Edit: I do not get the negative reactions. A big part of my work is to monitor systems and answer questions. I spend less time on my phone than most social app users! I still do heavy coding in the office a few times a month. And I am self-employed, for the nitpickers.
Work does not have to be suffering, you can enjoy it!
ro_sharp 7 minutes ago [-]
This is the ideal, but in practice you need to own the business to live this way.
laszlojamf 33 minutes ago [-]
as much as I feel for the maintainers here, this sort of (again) puts the spotlight on our collective dependence on a handful of individuals basically working for free _with no backup_.
Most normal organizations stagger vacations to avoid these things. Most normal organizations _have_ to do this, because their customers require it. Here, we're all customers of curl, but not really. It's a weird, IMO unhealthy, twilight zone that isn't good for anybody.
And it surprises - and saddens - me that not even friggin curl has the financial muscles to have somebody on-call for one month...
necovek 25 minutes ago [-]
You'd be surprised to learn this about free and open source software, but if a maintainer is unavailable, you have both full rights and full source code to... wait for it... fix it yourself (or pay someone to)!
There is something unhealthy in this relationship only if you project "no warranty" into unrealistic expectations.
ValdikSS 3 minutes ago [-]
This is true for the majority of open-source projects, but the most serious ones, on which a lot of software/businesses/infrastructure depends, are controlled by foundations or some kind of other management entity.
cURL also offers paid support and also paid access to the rock-solid (LTS) version, with guaranteed response times, and the blog post states that there's still people to respond to these.
Nnnes 28 minutes ago [-]
They do.
> Everyone with a paid support contracts will of course still get full and appropriate service even during this period.
4ndrewl 23 minutes ago [-]
It does. The article clearly says that if you have a paid support contract they will be on-call as per usual.
ed_elliott_asc 27 minutes ago [-]
They do, he said at the end if you have a support contract then they will respond and deal with security issues.
I guess the whole point of the article is to show that people should buy a support contract if they need support.
Imustaskforhelp 13 minutes ago [-]
The thing which bugs me is that OpenAI (which is an unprofitable company) is spending around, what, 100k$ per month on a completely AI-generated slop called Openclaw (all because of hype).
I have seen a bigger influx of open source software as people are starting to create more software with vibe-coding and other things and just open-sourcing it, which, while good in OSS'ing it, is mostly less valuable compared to the curl codebase, which was created by hand and improved itself over the years.
Yet the funding is going towards making more and more (OSS/non-OSS) AI slop by people, companies and dare I say countries, yet we are unable to put the same wealth and money into, say, the curl project (and the likes).
There is also a visibility issue. We all know curl, and this is the state of curl. Imagine all the projects which we don't know that much about, or aren't aware of, going through the same issues.
flaburgan 40 minutes ago [-]
I can only applaud this decision. Maintainers of FOSS projects are constantly overwhelmed with close to 0 reward, and with LLMs the management of merge requests has now exploded even further.
The fact that they actually keep providing support to paying users is enough.
low_tech_love 30 minutes ago [-]
I read one sentence into this and knew directly that the developer must’ve been Swedish!
robin_reala 23 minutes ago [-]
For people who aren’t familiar, Sweden takes summer holidays seriously. 25-30 days + public holidays is a normal amount of annual vacation time, and if an employee requests it and has the time available, it’s basically legally required to allow them to take a four-week contiguous summer break.
Not only that but the vacation is real. If someone is off then you should not expect them to answer at all (because if you do you’ll get very disappointed).
(See https://www.riksdagen.se/sv/dokument-och-lagar/dokument/sven...)
stavros 13 minutes ago [-]
I work for a UK company and most people take basically all of August off (I end up with two months of vacation days a year so I take August off and sprinkle some leave around the year) and I can confirm that taking a month off is great. You forget what it's like to work, really.
jdsnape 6 minutes ago [-]
That’s great! It’s very much not the norm here in general tho, in my experience two weeks would be the max people would take off contiguously.
NietTim 2 minutes ago [-]
Properly euromaxxing, this is the way.
a13n 49 minutes ago [-]
what a fantastic advertisement
ubanholzer 43 minutes ago [-]
This is great. Good decision.
vortegne 43 minutes ago [-]
Wish them nothing but good rest!
intronic 41 minutes ago [-]
down-under says: enjoy your summer :)
dist-epoch 40 minutes ago [-]
> I have been working full-time on curl since 2019. For me, this typically means doing 50 hour work weeks, as I spend all days on it and then I top them off with a few more hours every late night – all days of the week
I wonder what is there to work on curl 50 hour weeks for 7 years?
0x1ceb00da 16 minutes ago [-]
The entire http, http2, http3, tls, sftp spec for every operating system.
Let me Google that for you.
supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, MQTTS, POP3, POP3S, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS and WSS. libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, HTTP/2, HTTP/3, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, Kerberos), file transfer resume, http proxy tunneling and more!
libcurl is highly portable, it builds and works identically on numerous platforms, including Solaris, NetBSD, FreeBSD, OpenBSD, Darwin, HPUX, IRIX, AIX, Tru64, Linux, UnixWare, HURD, Windows, Amiga, OS/2, BeOs, macOS, Ultrix, QNX, OpenVMS, RISC OS, Novell NetWare, DOS and more...
maxbond 32 minutes ago [-]
It's a massive and complex codebase. From the looks of it, pretty much what you'd expect: lots of chores, work on the test suite, keeping docs up to date, bug fixes. I didn't see any new features on my light skim but I'm sure they land occasionally.
https://github.com/curl/curl/commits?author=bagder
Then there are also HTTP/2 and HTTP/3.
That's just HTTP, curl supports 27 other protocols.
rustyhancock 32 minutes ago [-]
A curious approach, but I like it!
Wonder if this means just publishing vulnerabilities without contact with the curl team would be responsible (you have no other path to tell vulnerable users).
MatthewWilkes 23 minutes ago [-]
I think very few people would consider that to be responsible disclosure. The common practice is to allow 90 days as a minimum.
cmxch 18 minutes ago [-]
Just publish early due to a documented lack of cooperation. They don’t have to answer, but you don't have to wait.
Naturally some people find this offensive, since it puts a price on that “bliss”.