Greed, sometimes. Gotta get those usercounts high to get acquihired / to sell out / to flip on the paid subs for formerly free features.

I can’t remember the word for “prosocial through lowering cost to zero” is but sometimes that too.

Wiktionary:

Benevolent, altruistic, unselfish, beneficent, philanthropic, selfless

Wise customers know this.

Look at how any "FOSS + VC + for-profit" company in the last 5-10 years worked out, and you'll see the playbook.

Now I personally wish lawyers and plumbers also got into the free work thing but here we are

Digital assets or work are a bit different in that making a second copy is trivial. It’d be different if every computer in the world were bespoke and needed its own bespoke software. So that makes OSS a viable option for those who can but we also can’t expect everyone to default OSS. We can default to asking that the service and prices be reasonable though.

Yeah me neither.

I think the only thing that would convince people to move away from curl at this point would be if curl had a heartbleed level vulnerability and failed to fix it quickly.

many engineers actually work that way, right? We are employed for 12 months and give our availability fully to the company and we get salary for it, why isn't it allowed to others?

Since then a diff of the two projects will be a perfect list of security issues and will make designing an attack rather easy...

Of course, "European companies normally ignore their paid customers too from May to August" is factious, but there is a slight hint of truth in there, in that things generally is slower, at least in the South/West countries I'm more familiar with.

That is not ignoring but announcing a delay.

Bigger companies may have only limited number of people checking the mailboxes in july and august, that doesn't excuse not sending a small reply announcing delays but I guess they take it so much for granted they don't realize other continents aren't used to those kinds of delays. However in May and June every company is totally operational ( that doesn't mean nobody take holidays ). If you request something to one named person, that sole person can have scheduled holidays, parental or medical leave any time of the year. If it is a team mailbox, you should get an answer.

I think maybe with the American PoV of "the customer is always right", that might basically feel like a slap and the face and being ignored. Of course, we should understand that every human needs to rest during the year, but if you don't have that opportunity yourself by law, maybe you're less knowing about that being a thing in other more modern countries?

Every once in a while there is an exception. Then that guy says "If your sending me to Australia I'm going to use my vacation to scuba drive the Great Barrier Reef" - and his body is never found. True story, it took months for someone else to figure out everything that guy knew.

So every single business, everywhere in American, has at least two full-time employees or at least one other backup that is available when you want to vacation and the stores/businesses never close? I'm guessing the ones that don't have that (if they exists), just never have vacation, or how does that work? Sounds like a fever-dream, but I guess if that's what your experience tells you.

Stores remain open because they ensure somebody isn't on vacation and thus able to work. They sometimes give extra pay if you work a holiday (this is rare though - generally there is somebody who wants the hours/pay more than this holiday off - they can take time off a different day).

For small business (think a plumber) it is common to arrange a competitor who will take care of your emergency customers needs.

[1] https://github.com/libexpat/libexpat/issues/1277

[2] https://github.com/uriparser/uriparser/issues/323

> Probably not. But we will.

A pleasant dose of humanity in decidedly inhuman times.

> Or you get a support contract and we get to read about it earlier.

If you ever really need anything fixed in the open source world, there is always the option of doing it yourself

https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-v...

In other words, I would always go at full speed (as an evil AI slop model) and most likely never release any findings of flaws and loopholes, so they can be exploited lateron. Bad folks don't want to be caught; remember the xz utils backdoor.

I am sure some AI slop models are used by criminals. And they may exploit things at a later time, but they most likely have found issues already. Not every AI slop model would report.

The notion of "the bad guys will now be more active" is strange really in the AI slop age. (We had the stone age; now we have the slop age)

Signed: Former workaholic.

In Germany, if you are on vacation, you are simply not available. You are dead to the world until you return. Emails do not get read, and devices get left at the office.

Another neat thing is that if you get sick on vacation, you get your vacation days back, because vacation days are for resting and recovering.

Back in the early 2000s when I was Junior Engineer Number 32204, and not particularly valuable to my medium sized company in a competitive industry, I could never have gotten away with "Oh, by the way, boss, I am totally unreachable nights and weekends, and don't bring work with me on vacation." But, now, quite a bit more senior in my career and working in a "comfortable" big tech role, it's possible.

I tried something like this over July 4th weekend last time I was full-time anywhere (startup; 2010) and it very quickly devolved into an i-quit-you-cant-quit-i-fired-you situation and the company withholding my final paycheck. (New York State employment law does not mess around and I was eventually paid after dragging the deadbeat through Small Claims.)

It traumatized me and is in large part why I've been a freelancer / running my own consultancy ever since. My self-employed situation is better in some way and worse in others but I can't even imagine what it's like to not have my back against the wall 24/7/365. :(

But not a general solution. But with a good manager can work more broadly. And I did see a couple managers do something similar for their teams, making it clear that if you need emergency attention contact the oncall, if for some reason that won’t do call the manager. This friction alone deals with most issues.

It's funny because that's kind of the definition of a vacation in my book. I find it weird that some places in the world handle it differently.

Note that it's also much better for the company in the long run: It's a test of resilience and redundany, the famous bus factor. It simulates what happens if someone is not available, and forces the organization around to have a backup plan. Having those is important for cases where employees leave the company or team (switching jobs/teams, accidents, sickness, parental leave, death, burnout, layoffs etc.). It's mind-boggling how many leads at various levels just don't understand that.

The thinking was that if you were cooking the books of doing some dodgy dealing on the side it would come to light without you there to actively 'manage' it.

This slightly blew my American mind but it makes sense. What about getting sick on calendar holidays?

This year I used my vacation time well and I already had 3 weeks off while I still have almost 4 weeks left.

I'd also add that the culture allows and encourages sick days. The average is 15 sick days per year IIRC.

Now I wonder if I could help the immigrants in my area (I'm in Hesse/Hessen), thanks for the inspiration too.

In New Zealand we get a minimum of 10 sick working days per year but some companies offer more and allow unused sick leave to accumulate.

And there's an unlimited number of sick days. As long as you have a doctor's note, you still get paid, up to some ridiculous limit at which you might have to get government support instead.

Many countries have this system and the usual effect is that the duration people are sick for is magically never less than 2 days. It's dumb policy.

For example, the way it works in Australia is that after you have used up your sick days, you have to take any further absences from work out of your annual leave balance, and once that is exhausted, you switch to leave without pay.

I had a downline team member who once needed to extend their time away from work for over 5 months due to illness. They had been with the company for several years at that point, so they had a reasonable sick leave balance, probably 10 weeks. When it became clear that they needed longer, they used their remaining 4 weeks of annual leave, then took a month of leave without pay, then another. They were still employed, I approved their leave requests each time they needed to extend, and we just used the most appropriate tool that was available at the time.

The thing you're getting permission for is not to be sick, it is to be considered still employed while not doing work, rather than being fired/disciplined for being AWOL.

15 is the average. I use it to reassure people that it's okay to take sick days, and not one of those rights that no one dares to use.

Usually, employers ask for a doctors' note after 3 consecutive sick days, but the reason for the sickness remains hidden from the employer. The note just gives a time range, nothing more.

I know a handful of companies with a week of mandatory Christmas vacation as well (but there's typically not too many working days between Christmas and New Years' either way).

I don't know if this work would have been offered to staff who turned it down, or if they preferred to have their staff on holiday at the same time.

Many companies force staff to take vacation days during this time, and there are four (yes four!) public holidays during this period.

If I can answer a question with a 30-second response to a Slack message, I will, and I won't mind it as long as it's not frequent. I won't join a call, and I'm only logged into Slack and Outlook on my phone, so if answering requires checking something on Confluence or Jira, I can't help.

Maybe I feel this way because actually being asked something is exceptionally rare. I'll be gone for a week and MAYBE I'll get one message.

I also think you should normalize for yourself and your workplace that there are times when you are not there. If only you can answer a question then there needs to be better documentation. See it as a trail run for when you get hit by a bus. If they will struggle without you then that is a problem that needs to be fixed. If you are always reachable these problems will never surface.

IMO this is not a universal truth - I’m sure some people need that level of disconnection, but I don't find I'm one of them. I generally like my job, and don't find that forcing myself to disconnect does me any particular mental good. But other people report needing that separation, and that's fine! I don't think there needs to be a one-size-fits-all answer here.

I do agree with your bus factor argument though.

I think we believe ourselves to be more irreplaceable than we are. And if you really think you are irreplaceable then the problem is not going on vacation but being irreplaceable. Because then if something were to happen to you they are screwed.

Fantastic tool for shaking out hidden bus factors.

Specifically, if your job offers (a) to pay for your personal phone line, or (b) a work mobile phone, choose (b).

We have the choice at $WORK, and many teammates chose (a) as it allows them to save some money each month on their phone bill, but now you're basically constantly tethered.

Music to the ears of a workaholic :)

Seriously, that'd be nice if everyone would do this (and I do it now, very strictly) but I also know how easy for one to start blurring the lines between work and personal lives.

I used to have a desktop that I could VPN+RDC into from my personal laptop or desktop to work away from the office¹. I've now got a laptop, that refuses to let me authenticate remotely and they have no interest in fixing that as there are other priorities, so I simply can't work if I don't have that laptop with me and I'm not carting it around when I'm already carting my own around (and if I'm not carrying my own, it is because it isn't a suitable situation to be bringing any laptop).

Not a workaholic, I don't think, but a 24/7 stress monkey when I think that I could be helping. Simply not being able to work away from the office actually helps with that: if there is literally nothing I can do, especially given it is work that has made that impossible, I don't stress the same way.

--------

[1] other than the VPN connector and the MFA doo-hicky on an old² phone, nothing work related, even Teams, even email, ever touches my personal devices

[2] a small old thing, factory reset with a dummy google account and just the MFA apps installed

I er... think you might be a workaholic.

But I'm glad for you that your current setup is helping :)

Work during work time, don't work during not-work time. Good practices mean that everyone is important, but nobody is irreplaceable, the team and the work will move along a little slower, but that's fine.

"If I see you log on, I'll disable your account."

Some people are just workaholics and need interventions to actually take a proper holiday.

https://www.youtube.com/watch?v=5E7kBOH9owI

The only people who should suffer this much are the true busines owners.

Real engineers think about handling things when stuff goes wrong, not "everything will be on the happy path forever".

Yes, there are constraints, but to me this sounds like an unacceptable level of exposure.

My manager doesn't stop overworking. When told on peer performance review that we have people who are consistently overwork because they are swamped, he played it down.

But hey, at least he doesn't encourage overworking either.

https://www.youtube.com/watch?v=5E7kBOH9owI

>> Signed: Former workaholic.

> Seems like a lot of extra work, just to go on vacation :)

That's the point, this person and plenty others, are NOT able to "just" go and disconnect. If you can do that, wonderful for you, but please don't assume others are like you precisely when they are humble enough to clarify that they do have a problem and try to help others to overcome it.

What I was trying to highlight was that HOW depends on whom you are talking to. Here they just mentioned a deep behavior problem. Saying "just" or "simply" or "should" or "ought to" or anything implying it's really not that hard is probably not going to be encouraging to them.

If that person doesn't have the mental strength to do any action on their own, I totally agree that they probably need therapy first.

Truly disconnecting from our work is necessary for our mental health. When I'm on vacation, I want to be on vacation, which means not working.

Again, maybe you don't want to actually fully be on vacation from work. I guess that's fine; you do you. But I don't think that's healthy for most people, and regardless of health, many people do just want to completely disconnect from work for some number of days.

That's going to work in some situations, but it's not broadly applicable for many reasons. In particular it's way more work than the act of backing up 2FA and logging out of everything. So yeah, it makes a lot of sense for people to think that's not good advice.

Much better than 2 hour daily unpaid commute at old job.

* curl is mature enough that the chance of an impactful bug is basically zero * if there is such a bug, I'm sure someone will figure out how to get in touch with Daniel and co * if there is such a bug, it's more important that it gets patched in package managers and rolled out. Upstream releases can wait.

No, that is the point, they are not going to accept your vuln report. They are taking a holiday.

But the message is pretty clear: if you’re not a paid customer, you are not getting patches or support from upstream during this month.

Plan accordingly.

Curl is also something that should be thoroughly sandboxed to begin with, because even if there are no vulnerabilities in curl itself, its a tool for downloading arbitrary data over the internet, and you may well accidentally trigger vulnerabilities in every other part of your environment just by downloading arbitrary data to your shell...

Pipe it to bash? game over

Pipe it to less/more? Better hope your distro keeps those patched

Open the file in a browser or PDF reader? Hey, look at all this shiny new attack surface!

There is something unhealthy in this relationship only if you project "no warranty" into unrealistic expectations.

cURL also offers paid support and also paid access to the rock-solid (LTS) version, with guaranteed response times, and the blog post states that there's still people to respond to these.

In most cases this is extremely impractical.

There is nothing unusual about this, businesses face this all the time, the only difference is that you do have some agency with FOSS.

What's the alternative when it is not FOSS? Eg. build it yourself from scratch (and maintain it too), or move to a competing product.

Then you send the patch upstream, they incorporate and maintain it for you. Congratulations, you just FOSSed.

Firing patches upstream is still adding burden to the (likely already over-burdened) maintainers.

In an ideal world, if you want a patch upstreamed, you would be contributing to upstream maintenance (or at least donating to the upstream maintainers)...

If you're using any complicated FOSS professionally and you have SLA with your customers to say fix issues within day or two you don't have a choice anyway.

Because it's a ton of unnecessary work. And because of the other reasons I said.

> If you're using any complicated FOSS professionally and you have SLA with your customers to say fix issues within day or two you don't have a choice anyway.

This is true. I always try to upstream patches anyway though.

You are already benefiting from getting the tool/library/system for free, so you can still compare writing the thing you need (necessary?) from scratch or adapting the FOSS solution — maintenance comes with both options.

When you invest enough and are lucky, someone else might just fix the thing for you or pick it up and maintain it for you — but do not count on it, and you are good.

I guess the whole point of the article is to show that people should buy a support contract if they need support.

> Everyone with a paid support contracts will of course still get full and appropriate service even during this period.

Is it that they can't or don't want to. I'm sure curl is popular enough that it could attract a co-maintainer if it wanted to. Of course there is a cost to that. Software projects done effectively by a single person are often more focused and designed more coherently. I'm not sure curl would be as good a product if there were multiple maintainers with potentially conflicting visions.

It’s not their problem that you, or anybody else, think you are owed 24/7/365 emergency support.

I have seen there to be an more influx of open source software as people are starting to create more software with vibe-coding and other things and just open-sourcing it, which while good in OSS'ing it but its mostly less valuable as compared to the curl codebase which was created by hand and over the years improved itself.

Yet the funding is going towards making more and more (OSS/non-OSS) AI slop by people, companies and dare I say countries yet we are unable to take the same wealth and money into, say, the curl project (and the likes)

There is also an visibility issue. We all know curl and this is the state of curl. Imagine all the projects which we all don't know that much about or aware about going through same issues.

For whatever reason, real people seem to desperately want Openclaw regardless of it being AI generated slop.

OpenAI is certainly not wasting the money they're spending on Openclaw, even if I personally wouldn't want to touch that particular piece of software.

I can agree with it but I am unsure how much the desperation is out of FOMO or out of real use-cases.

Surely curl has more use-cases and projects relying on it than OpenClaw.

The demand seems to be generated out of hype rather than sustainability. Openclaw project isn't even an year old and from my time hearing about it, it isn't safe or sustainable in any fashion and it seems that the hype around Openclaw has now started to slow down as I hear less about it (which to me is actually a good thing imo) but it shows what the market reality of these tools currently are (at the moment).

I frequently run into people using it, they seem happy with it. I remain highly skeptical about this being a good idea, but I'm quite convinced that many people genuinely really like it and find it useful.

That can be the case and good for them, at the very least its open source software that they are using and it raises more awareness about them.

But I think that we have strayed a bit afar from my main premise that I think we both agree on that although the value of an project is always subjective and its up to the companies on how they direct the funds to. It's Okay for OpenAI to sponsor Openclaw if they absolutely want to.

But the question is if its entirely reasonable as to a project like Curl getting less funding overall, simply because everyone is using curl underneath but the tech is boring (as I think it should be), but this makes everyone think that curl is well-funded when it isn't.

I think that its a reasonable decision for a company to give a very small chunk if it has massive profits to curl to sponsor the project to be more sustainable, but I am not the one at the decision-making involved in that said company, so I don't know what is the rationale behind blocking or not sponsoring Curl.

Is the rationale that they can get away with not sponsoring curl in the first place and use it with its permissive licenses in its code so why invest/donate the money in first place, but this practise doesn't seem sustainable to me!?

I think the returns fall off really really quickly when you increase investment in a boring, mature project like this.

It might be nice if people sponsored curl more, but the software isn't going to significantly improve because of it.

Also, what's an example of this rent seeking in open source you're talking about?

IMO Writing correct software the first time around - so formal methods.

But the tooling isn't there yet (though lightweight versions, e.g. strong type systems like rust's, are and significantly reduce the security issue load).

If you get sick during vacation, you get those vacation days "refunded" back. If you suddenly are called in to work, somehow, during vacation, that time cannot be vacation time.

You can't (generally) be fired without a notice period, resulting in job security to such a degree that ~6k in an emergency fund is plenty to be VERY secure, as you also get unemployment support otherwise anyway. Does this result in incompetent people not getting fired? No. You still fire them, you just have to deal with them another month after that. It's not a big price to pay.

How is this all possible? Who subsidizes it? We all simply pay some % of our income to support this system. That's it. A couple percent, a couple bucks, and we get to basically never worry about starving or becoming homeless.

You can have this, too, if you vote and protest and use democracy to make life better, not worse, for everyone.

(See https://www.riksdagen.se/sv/dokument-och-lagar/dokument/sven...)

  Full-time and part-time employees get 4 weeks of annual leave, based on their ordinary hours of work.

2 weeks is the acceptable limit in the UK for example (where also has 20-35 holiday is common) though if you can convince your boss otherwise, you can take longer, but most people can't

This can be an unwelcome feature for some people, for example, if you want to have a vacation in the northern hemisphere summer season instead and/or maybe you don't have substantial family in Australia (or at least, those you actually want to see).

The auscorp reddit has a yearly thread on this issue: https://www.reddit.com/r/auscorp/comments/1mw6pqt/end_of_yea...

Those with school aged children might also want to save some of their annual for the mid-term/mid-year breaks as well. (Our academic years are aligned to calendar years)

I've "retired" into agriculture and a lot of farmers take a month off after harvest time to go fishing or other wise relax (this generally means filling up a couple of deep chest freezers with fish for the rest of the year).

Is this at the executive level?

I can see something like nginx being in that spot but curl is primarily user initiated and pointed at a known target rather than internet facing accepting connections

This is Exceptional. Perfect EuroMaxxing

I thought this was due to AI slop spam before I read the blog entry.

Let me Google that for you.

supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, MQTTS, POP3, POP3S, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS and WSS. libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, HTTP/2, HTTP/3, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, Kerberos), file transfer resume, http proxy tunneling and more!

libcurl is highly portable, it builds and works identically on numerous platforms, including Solaris, NetBSD, FreeBSD, OpenBSD, Darwin, HPUX, IRIX, AIX, Tru64, Linux, UnixWare, HURD, Windows, Amiga, OS/2, BeOs, macOS, Ultrix, QNX, OpenVMS, RISC OS, Novell NetWare, DOS and more...

Maybe there is place for a minicurl which removes BeOS and Novell NetWare...

https://curl.se/docs/releases.html

If you dig into them you'll see there's lots of features that aren't adding new protocols. But incidentally they added a new protocol in March (mqtt). You'll also see that the list of bug fixes is prolific.

https://curl.se/ch/8.19.0.html

https://github.com/curl/curl/commits?author=bagder

Then there are also HTTP/2 and HTTP/3.

That's just HTTP, curl supports 27 other protocols.

It's not like the standard changed since curl was created

Wonder if this means just publishing vulnerablities without contact with curl team would be responsible (you have no other path to tell vulnerable users)

I'm not sure it's be reasonable to leave an actively exploited critical bug until August. Nor would I be too interested in playing middle man or paying for support from curl to get it out.

The responsible thing would have been to simply wait another month, considering you've been warned about the delay.

And if you find something halfway through the month then oh no two weeks to reply, that's basically a standard business interaction at that point.

There's no such thing as "responsible disclosure on a technicality". Don't be a dick, and work in good faith to keep users safe.