Curl will not accept vulnerability reports during July 2026 (daniel.haxx.se)
690 points by secret-noun 12 hours ago
vessenes 10 hours ago
The headline buried the lede -- this is a way to get some summer vacation (niiice) AND encourage enterprise support contracts, which will still have availability. I don't think I've heard of this particular open source / support / summer vacation business model before but I like it!
throwaw12 9 hours ago
I liked the idea as well, maybe OSS should adopt 6 months availability and 6 months for enterprise support schedule. This way both could benefit, OSS gets more funding, enterprise gets support (cheaper than hiring full-time employee for specific OSS)
bijowo1676 an hour ago
nice idea to time vacation in the summer, right around major security conferences (blackhat, defcon, etc), when a large bulk of CVEs gets published, to put some fire under the enterprise butts
charcircuit 8 hours ago
Until someone races to the bottom to do 12 months of availability.
theandrewbailey 6 hours ago
Here I was thinking that cURL's (non-existent) enterprise support contracts were a polite way to tell brain-dead paper pushers to GTFO: https://daniel.haxx.se/blog/2022/01/24/logj4-security-inquir...
plantain 9 hours ago
It's an extremely un-European approach. European companies normally ignore their paid customers too from May to August.
abc123abc123 8 hours ago
Incorrect. In Europe, either July or August is the informally agreed-upon "vacation month", which means that both customers and vendors scale down and go on vacation, and work slows down to very low levels. That means you need a lot fewer employees than usual in order to provide for the customers that do not go on vacation.
pinkgolem 7 hours ago
I mean, looking at most US companies... What support?
prmoustache 9 hours ago
Ignore is not the right word.
zarzavat 11 hours ago
> > The bad guys won’t rest
> Probably not. But we will.
A pleasant dose of humanity in decidedly inhuman times.
Timshel 11 hours ago
Especially since it appears there is a solution if you truly need a fix.
> Or you get a support contract and we get to read about it earlier.
bawolff 10 hours ago
> Especially since it appears there is a solution if you truly need a fix.
If you ever really need anything fixed in the open source world, there is always the option of doing it yourself
cat_plus_plus 10 hours ago
In 2026 there is a considerably cheaper/quicker solution, but that in no way invalidates OSS maintainers' right to enjoy a summer vacation without interruption.
donw 11 hours ago
That was just a beautiful, period.
Natsu 11 hours ago
I worry that this will make the bad guys focus on finding zero days during the month they have free to exploit anything they find, but I don't doubt that they need a break.
Cider9986 10 hours ago
Mythos found only one. Would have to be pretty serious bad guys.
https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-v...
prmoustache 9 hours ago
The bad guys wouldn't have submitted a vuln report anyway.
victorbjorklund 9 hours ago
Pretty sure if you find a zero day in a software like that you don’t wait until a certain month.
bvcp 10 hours ago
if a company has a problem with this pay for support if its not worth the money …
Cthulhu_ 8 hours ago
Cool, then it's down to everyone using this library to figure out how they can minimize the impact of a zeroday in curl - security should never be down to a single part of a system.
shevy-java 9 hours ago
Is this likely though? If you are an AI slop model that spams out finding bugs and vulnerabilities, would you want to become more active when you see that a project is not actively fixing bugs? Because in my opinion, it really would not matter for any AI model how active a project is, when it comes to FINDING existing loopholes.
In other words, I would always go at full speed (as an evil AI slop model) and most likely never release any findings of flaws and loopholes, so they can be exploited later on. Bad folks don't want to be caught; remember the xz utils backdoor.
I am sure some AI slop models are used by criminals. And they may exploit things at a later time, but they most likely have found issues already. Not every AI slop model would report.
The notion of "the bad guys will now be more active" is strange really in the AI slop age. (We had the stone age; now we have the slop age)
spyc an hour ago
Both libexpat ("Expat") and uriparser are following the curl security vacation and will not accept new vulnerability reports before 2026-08-01, starting today.
patates 11 hours ago
For the people here who want to do the same when they are on vacation (be completely detached from work): Make it impossible for you to work! Leave your work devices behind! Log out of all accounts, remove 2FA keys after backing them up on paper and tell your partner to not give them back to you for the duration of your vacation, etc. I actually went to a country from which I wasn't allowed to work remotely. Crazy but it was that bad for me.
Signed: Former workaholic.
nicbou 10 hours ago
One of the reasons I left North America for Europe is that such things are normalised. The cultural difference is staggering.
In Germany, if you are on vacation, you are simply not available. You are dead to the world until you return. Emails do not get read, and devices get left at the office.
Another neat thing is that if you get sick on vacation, you get your vacation days back, because vacation days are for resting and recovering.
gacgacgac 4 hours ago
I'm a senior at a big tech company. You can do this in America too. Just communicate with your manager and set the boundary. "By the way, when I'm on vacation I'm away from devices, so let's coordinate beforehand if there's anything critical path."
coldpie 3 hours ago
blauditore 8 hours ago
> if you are on vacation, you are simply not available. You are dead to the world until you return. Emails do not get read, and devices get left at the office.
It's funny because that's kind of the definition of a vacation in my book. I find it weird that some places in the world handle it differently.
Note that it's also much better for the company in the long run: It's a test of resilience and redundancy, the famous bus factor. It simulates what happens if someone is not available, and forces the organization around to have a backup plan. Having those is important for cases where employees leave the company or team (switching jobs/teams, accidents, sickness, parental leave, death, burnout, layoffs etc.). It's mind-boggling how many leads at various levels just don't understand that.
SoftTalker 3 hours ago
I've lived and worked in America my entire life, and in my approximately 40 years of working I've never had a job where I was expected or had to arrange to be available during a vacation. For the odd unplanned personal day maybe I'd try to check email and have my phone with me. But vacation, never.
jayd16 2 hours ago
> if you get sick on vacation, you get your vacation days back,
This slightly blew my American mind but it makes sense. What about getting sick on calendar holidays?
BadBadJellyBean 8 hours ago
Not to forget that you get a minimum of four weeks of vacation per year with 30 days being offered most of the time.
This year I used my vacation time well and I already had 3 weeks off while I still have almost 4 weeks left.
Cthulhu_ 8 hours ago
This is how it should be though - nobody should be irreplaceable. Look up bus factor etc.
fender256 10 hours ago
Thanks for the reminder that this shouldn't be taken for granted. I am a German and sometimes this privilege feels so normal that it's unthinkable that it could be different elsewhere in the world.
naturalmovement 9 hours ago
It can honestly be annoying, if you're not privy to it.
I remember years ago needing urgent support for some bespoke European hardware we were developing software for. When we called support, we were greeted with a phone message stating the company was closed for the entire month due to vacation. This was not a one-man operation; the whole office closed for a summer holiday. We thought it was a joke.
Needless to say we started to look for a new vendor shortly thereafter...
542458 6 hours ago
I think my POV on this is a bit different than what others are expressing… I don’t mind answering the occasional email while on vacation, but I view it as a fair trade - as long as the company doesn’t mind me handling the occasional personal obligation during work hours I don’t mind handling the occasional work obligation during personal hours. If the company wants to be strict about clock in/out hours or taking PTO for every 30 minute errand or the work trends in a way that routinely exceeds 40 hours per week total then I’ll stop doing work “off the clock”, but so long as they’re willing to be reasonable I’m willing to be reasonable.
Sohcahtoa82 an hour ago
I'm the same.
If I can answer a question with a 30-second response to a Slack message, I will, and I won't mind it as long as it's not frequent. I won't join a call, and I'm only logged into Slack and Outlook on my phone, so if answering requires checking something on Confluence or Jira, I can't help.
Maybe I feel this way because actually being asked something is exceptionally rare. I'll be gone for a week and MAYBE I'll get one message.
BadBadJellyBean 5 hours ago
The idea with vacation is that you don't think about work. When I start vacation I disable all the channels that people usually use so that no one asks me even by accident. There needs to be a time when you are completely undisturbed and disconnected. If you are disturbed by work you will think about work while you answer and maybe even after that. That's not good.
I also think you should normalize for yourself and your workplace that there are times when you are not there. If only you can answer a question then there needs to be better documentation. See it as a trial run for when you get hit by a bus. If they will struggle without you then that is a problem that needs to be fixed. If you are always reachable these problems will never surface.
Lock-out vacations were one of my favorite things about being at a bank. Auditors cared about the ability for employees to keep a thumb on the scale, so it was a policy requirement that all workers with a certain amount of access needed to take an uninterrupted vacation of N days, with login ability disabled.
Fantastic tool for shaking out hidden bus factors.
throw0101a 6 hours ago
> Leave your work devices behind!
Specifically, if your job offers (a) to pay for your personal phone line, or (b) a work mobile phone, choose (b).
We have the choice at $WORK, and many teammates chose (a) as it allows them to save some money each month on their phone bill, but now you're basically constantly tethered.
dminik 8 hours ago
This seems like a lot of extra work. If at all possible, just keep your work stuff on your work laptop/computer. And then keep that at home/at work. No need to sign in and out of 20 different accounts.
patates 7 hours ago
> This seems like a lot of extra work
Music to the ears of a workaholic :)
Seriously, it'd be nice if everyone would do this (and I do it now, very strictly) but I also know how easy it is for one to start blurring the lines between work and personal lives.
dspillett 9 hours ago
My company have accidentally forced this on me, and it is great.
I used to have a desktop that I could VPN+RDC into from my personal laptop or desktop to work away from the office¹. I've now got a laptop, that refuses to let me authenticate remotely and they have no interest in fixing that as there are other priorities, so I simply can't work if I don't have that laptop with me and I'm not carting it around when I'm already carting my own around (and if I'm not carrying my own, it is because it isn't a suitable situation to be bringing any laptop).
Not a workaholic, I don't think, but a 24/7 stress monkey when I think that I could be helping. Simply not being able to work away from the office actually helps with that: if there is literally nothing I can do, especially given it is work that has made that impossible, I don't stress the same way.
--------
[1] other than the VPN connector and the MFA doo-hicky on an old² phone, nothing work related, even Teams, even email, ever touches my personal devices
[2] a small old thing, factory reset with a dummy google account and just the MFA apps installed
dust-jacket 6 hours ago
> Not a workaholic, I don't think, but a 24/7 stress monkey when I think that I could be helping
I er... think you might be a workaholic.
But I'm glad for you that your current setup is helping :)
thih9 8 hours ago
I now want to seek an on site role and request a desktop computer.
coldpie 3 hours ago
This is one of the reasons I work in an office every single day. I leave my work laptop there. I don't have any work software on any of my personal devices, including my phone. If I had the ability to check in on work things while out of the office, I probably would, so I make it impossible.
nunez 3 hours ago
This is exactly the move. Work and life should be separate. No work stuff on your personal devices; no personal stuff on your work devices. This way, you can be your best self in both worlds.
pjmlp 9 hours ago
Easy, that has always been my whole European life, want to reach me on vacations, pay for it.
donw 11 hours ago
As a manager, I will quite literally ding people for working when they are supposed to be off.
Work during work time, don't work during not-work time. Good practices mean that everyone is important, but nobody is irreplaceable, the team and the work will move along a little slower, but that's fine.
gertrunde 11 hours ago
Quote from my partner's manager before a vacation:
"If I see you log on, I'll disable your account."
sensanaty 8 hours ago
xeonmc 10 hours ago
extremely relevant recent Kai Lentit skit:
sevenzero 10 hours ago
Being the only dev in a startup for 2 years without a single day off where I wasn't messaged by my employer, I want this. At least I'll have a 3 week out of country trip where I do not bring my laptop later this year...
orphea 9 hours ago
You're a good person.
My manager doesn't stop overworking. When told in the peer performance review that we have people who are consistently overworked because they are swamped, he played it down.
But hey, at least he doesn't encourage overworking either.
davidgerard 8 hours ago
Kai Lentit just dropped a video on precisely this
cmxch 3 hours ago
Or maybe don’t have devices doing double duty such that 2FA and work devices can be partitioned out from any incidental personal use. That way, even if you have one half of it, you still don’t have enough to attempt work.
throw93033 11 hours ago
> Log out of all accounts, remove 2FA keys after backing them up on paper
Seems like a lot of extra work, just to go on vacation :)
I would suggest another approach. Automate your work so that you can work from your phone. I go on multi day hiking trips, or week long family beach holidays, without taking PTO...
Edit: I do not get the negative reactions. A big part of my work is to monitor systems and answer questions. I spend less time on my phone than most social app users! I still do heavy coding in the office a few times a month. And I am self employed, for the nitpickers.
Work does not have to be suffering, you can enjoy it!
utopiah 10 hours ago
>> Log out of all accounts, remove 2FA keys after backing them up on paper [...]
>> Signed: Former workaholic.
> Seems like a lot of extra work, just to go on vacation :)
That's the point: this person, and plenty of others, are NOT able to "just" go and disconnect. If you can do that, wonderful for you, but please don't assume others are like you, precisely when they are humble enough to clarify that they do have a problem and try to help others to overcome it.
kelnos 10 hours ago
Regarding your edit, you might be ok with going on a multi-day hiking trip or family holiday while still doing some amount of work from your phone, but many of us think that's a bad idea.
Truly disconnecting from our work is necessary for our mental health. When I'm on vacation, I want to be on vacation, which means not working.
Again, maybe you don't want to actually fully be on vacation from work. I guess that's fine; you do you. But I don't think that's healthy for most people, and regardless of health, many people do just want to completely disconnect from work for some number of days.
Dylan16807 10 hours ago
You're basically saying to get a different job.
That's going to work in some situations, but it's not broadly applicable for many reasons. In particular it's way more work than the act of backing up 2FA and logging out of everything. So yeah, it makes a lot of sense for people to think that's not good advice.
ro_sharp 11 hours ago
This is the ideal, but in practice you need to own the business to live this way..
flaburgan 11 hours ago
I can only applaud this decision. Maintainers of FOSS projects are constantly overwhelmed with close to 0 reward, and with LLMs now the management of merge requests has exploded even further. The fact that they actually keep providing support to paying users is enough.
tempay 11 hours ago
For anyone who thinks this might matter for security:
* curl is mature enough that the chance of an impactful bug is basically zero
* if there is such a bug, I'm sure someone will figure out how to get in touch with Daniel and co
* if there is such a bug, it's more important that it gets patched in package managers and rolled out. Upstream releases can wait.
veltas 10 hours ago
> if there is such a bug, I'm sure someone will figure out how to get in touch with Daniel and co
No, that is the point, they are not going to accept your vuln report. They are taking a holiday.
Sharlin 10 hours ago
Except if you pay them for a support contract. So there is a way, and it's actually a pretty obvious way.
squigz 9 hours ago
There's a pretty big difference between a random report submitted via email, and, say, a close friend of the maintainers letting them know a serious vuln was found and they should log in.
> curl is mature enough that the chance of an impactful bug is basically zero
Curl is also something that should be thoroughly sandboxed to begin with, because even if there are no vulnerabilities in curl itself, it's a tool for downloading arbitrary data over the internet, and you may well accidentally trigger vulnerabilities in every other part of your environment just by downloading arbitrary data to your shell...
inigyou 5 hours ago
curl is the sandbox. It exchanges packets with the internet and then outputs a safely sanitized byte stream.
laszlojamf 11 hours ago
as much as I feel for the maintainers here, this sort of (again) puts the spotlight on our collective dependence on a handful of individuals basically working for free _with no backup_. Most normal organizations stagger vacations to avoid these things. Most normal organizations _have_ to do this, because their customers require it. Here, we're all customers of curl, but not really. It's a weird, IMO unhealthy, twilight zone that isn't good for anybody. And it surprises - and saddens - me that not even friggin curl has the financial muscles to have somebody on-call for one month...
necovek 11 hours ago
You'd be surprised to learn this about free and open source software, but if a maintainer is unavailable, you have both full rights and full source code to... wait for it... fix it yourself (or pay someone to)!
There is something unhealthy in this relationship only if you project "no warranty" into unrealistic expectations.
ValdikSS 11 hours ago
This is true for the majority of open-source projects, but the most serious ones, on which a lot of software/businesses/infrastructure depends, are controlled by foundations or some kind of other management entity.
cURL also offers paid support and also paid access to the rock-solid (LTS) version, with guaranteed response times, and the blog post states that there are still people to respond to these.
IshKebab 10 hours ago
You don't really though. Sure you can fork it and fix your issue, but then what? Are you going to maintain your fork in perpetuity? Are you going to patch all the software that depends on the code you fixed to use your version instead of upstream? Are you going to get your users to do that too?
In most cases this is extremely impractical.
ed_elliott_asc 11 hours ago
They do, he said at the end if you have a support contract then they will respond and deal with security issues.
I guess the whole point of the article is to show that people should buy a support contract if they need support.
Nnnes 11 hours ago
They do.
> Everyone with a paid support contracts will of course still get full and appropriate service even during this period.
4ndrewl 11 hours ago
It does. The article clearly says that if you have a paid support contract they will be on-call as per usual.
simjnd 9 hours ago
And I'm assuming you're not going to pay for them to have that someone on-call, even though you're worried about this scenario
bawolff 10 hours ago
> And it surprises - and saddens - me that not even friggin curl has the financial muscles to have somebody on-call for one month...
Is it that they can't, or don't want to? I'm sure curl is popular enough that it could attract a co-maintainer if it wanted to. Of course there is a cost to that. Software projects done effectively by a single person are often more focused and designed more coherently. I'm not sure curl would be as good a product if there were multiple maintainers with potentially conflicting visions.
simooooo 10 hours ago
I wonder how far we are from the agents just maintaining the packages
inigyou 5 hours ago
We have some packages like that, starting with rsync which distributions are having to roll back because it turned into a pile of garbage overnight.
eviks 9 hours ago
Consumers, not customers
andylynch 9 hours ago
They do. You just seem to expect that it will somehow be free.
serial_dev 6 hours ago
Reminder: ‘the software is provided “as is”…’.
It’s not their problem that you, or anybody else, think you are owed 24/7/365 emergency support.
Imustaskforhelp 11 hours ago
The thing which bugs me is that OpenAI (which is an unprofitable company) is spending around what, 100k$ per month, for a completely AI generated slop called Openclaw. (All because of Hype)
I have seen there to be more of an influx of open source software as people are starting to create more software with vibe-coding and other things and just open-sourcing it, which while good in OSS'ing it, is mostly less valuable as compared to the curl codebase which was created by hand and over the years improved itself.
Yet the funding is going towards making more and more (OSS/non-OSS) AI slop by people, companies and dare I say countries, yet we are unable to take the same wealth and money into, say, the curl project (and the likes)
There is also a visibility issue. We all know curl and this is the state of curl. Imagine all the projects which we all don't know that much about or are not aware of going through the same issues.
l23k4 10 hours ago
>The thing which bugs me is that OpenAI (which is an unprofitable company) is spending around what 100k$ per month for an completely AI generated slop called Openclaw. (All because of Hype)
For whatever reason, real people seem to desperately want Openclaw regardless of it being AI generated slop.
OpenAI is certainly not wasting the money they're spending on Openclaw, even if I personally wouldn't want to touch that particular piece of software.
romaniv 4 hours ago
What this shows me (again) is that the whole system where vulnerabilities need to be constantly discovered, reported, analyzed, then patched, then the new version distributed to every single user - again and again - is quite obviously unsustainable. The industry must come up with some alternative system for dealing with bugs and security issues. Currently the industry prefers to play dumb and turn its own failures into a profit (rent seeking) opportunity.
jjice 2 hours ago
What's the better solution?
Also, what's an example of this rent seeking in open source you're talking about?
gpm 2 hours ago
> What's the better solution?
IMO Writing correct software the first time around - so formal methods.
But the tooling isn't there yet (though lightweight versions, e.g. strong type systems like rust's, are and significantly reduce the security issue load).
fsflover 2 hours ago
I think you're right, and the solution is security through compartmentalization. See: https://qubes-os.org.
lionkor 8 hours ago
Here's your reminder that 20-30 days paid vacation plus unlimited sick days (3+ days needs a doctor's note) is normal in Europe (e.g. Germany).
If you get sick during vacation, you get those vacation days "refunded" back. If you suddenly are called in to work, somehow, during vacation, that time cannot be vacation time.
You can't (generally) be fired without a notice period, resulting in job security to such a degree that ~6k in an emergency fund is plenty to be VERY secure, as you also get unemployment support otherwise anyway. Does this result in incompetent people not getting fired? No. You still fire them, you just have to deal with them another month after that. It's not a big price to pay.
How is this all possible? Who subsidizes it? We all simply pay some % of our income to support this system. That's it. A couple percent, a couple bucks, and we get to basically never worry about starving or becoming homeless.
You can have this, too, if you vote and protest and use democracy to make life better, not worse, for everyone.
low_tech_love 11 hours ago
I read one sentence into this and knew directly that the developer must’ve been Swedish!
robin_reala 11 hours ago
For people who aren’t familiar, Sweden takes summer holidays seriously. 25-30 days + public holidays is a normal amount of annual vacation time, and if an employee requests it and has the time available, it’s basically legally required to allow them to take a four-week contiguous summer break.
(See https://www.riksdagen.se/sv/dokument-och-lagar/dokument/sven...)
low_tech_love 11 hours ago
Not only that but the vacation is real. If someone is off then you should not expect them to answer at all (because if you do you’ll get very disappointed).
defrost 10 hours ago
Ditto Australia: https://www.fairwork.gov.au/leave/annual-leave
Full-time and part-time employees get 4 weeks of annual leave, based on their ordinary hours of work.
inigyou 5 hours ago
This is normal in most countries apart from the contiguous break requirement.
stavros 11 hours ago
I work for a UK company and most people take basically all of August off (I end up with two months of vacation days a year so I take August off and sprinkle some leave around the year) and I can confirm that taking a month off is great. You forget what it's like to work, really.
askonomm 9 hours ago
I thought it's basically the same in all of EU?
pdnagilum 9 hours ago
Yup, same thing in Norway. Norway basically shuts down during July.
nsbk 10 hours ago
Hahaha yeah same here! My $dayjob has offices in Sweden and their summer breaks are legendary. We also have offices in the US, and the culture shock with the Americans never gets old
on_the_train 6 hours ago
I knew instantly that it's him. No one is even remotely as hungry for attention as him.
Havoc 2 hours ago
Why is curl catching so many security issues?
I can see something like nginx being in that spot but curl is primarily user initiated and pointed at a known target rather than internet facing accepting connections
tredre3 24 minutes ago
curl isn't more prone to security issues, it's just being talked about more. Daniel has an active blog, is active on social media, and interacts with the community. I don't think the nginx team has that presence, hence if they take a vacation or run mythos on their codebase or have an opinion about AI nobody really knows.
chopin an hour ago
It presumably runs in a gazillion scripts.
rurcliped 3 hours ago
With more advance notice, someone could have found resources to fork curl with different vulnerability management expectations, e.g., "will not accept or otherwise handle any vulnerability reports during the month beginning 21 December 2026. We call it The Winter of Our Discontent."
insumanth 7 hours ago
>> The bad guys won’t rest
> Probably not. But we will.
This is Exceptional. Perfect EuroMaxxing
UltraSane 25 minutes ago
If employees are never truly unavailable then companies WILL become overly dependent on them.
okeuro49 10 hours ago
> Everyone with a paid support contracts will of course still get full and appropriate service even during this period.
ubanholzer 11 hours ago
This is great. Good decision.
napolux 10 hours ago
Funny, I have the same https://www.lafuma-mobilier.fr/ sunbed from the last pic. Also same color. :D
a13n 11 hours ago
what a fantastic advertisement
dxxvi 7 hours ago
Today is Jun 15. So, I wonder if somebody + AI can rewrite curl in Rust in 1.5 months. I think it's possible if that person knows all curl features. However, does that person even exist?
GoblinSlayer 4 hours ago
https://curl.se/docs/security.html - C bugs are marked.
colinsane 2 hours ago
curl used to have Rust in it, dropped it 1.5 yrs ago. AI doesn't help with the hard parts here, I don't think. https://daniel.haxx.se/blog/2024/12/21/dropping-hyper/
steveklabnik 2 hours ago
They dropped the hyper backend, but that wasn’t the only Rust code in tree.
SoftTalker 3 hours ago
If that were possible it would already have been done.
dxxvi 7 hours ago
There are projects like this: urlx, curlio.
eviks 9 hours ago
> Contracts excluded
They aren't. If you ignore a vulnerability report from an entity without a support contract, the vulnerability doesn't disappear just because the entities with support contracts are not aware of it
rzmmm 9 hours ago
Curl has a ton of features, I can imagine this means fixing a small fraction of the vulns affecting only the supporters.
eviks 8 hours ago
Why would you imagine they have any clue about the area of effect if they ignore the report?
NietTim 11 hours ago
Properly euromaxxing, this is the way.
vortegne 11 hours ago
Wish them nothing but good rest!
fnoef 10 hours ago
Based! Amazing approach, enjoy the vacation!
jimmyblanco 7 hours ago
Great to see this stance
stogot 4 hours ago
Good for them & haxx!
intronic 11 hours ago
down-under says: enjoy your summer :)
davidgerard 8 hours ago
I heartily endorse the Fuck You Pay Me support process.
panchtatvam 7 hours ago
An evil way to extort money via support contracts.
geraldcombs 20 minutes ago
...so open source developers should know their place and just dedicate themselves to endless, unpaid toil forever and ever, amen?
shevy-java 9 hours ago
So it is holiday season.
I thought this was due to AI slop spam before I read the blog entry.
maxbond 11 hours ago
Atlas shrugged, but only for a month. I kid, it's well deserved. I do worry about their contract work loophole - if people disclose vulnerabilities publicly, their clients may pressure them to ship a fix anyway.
Cider9986 10 hours ago
Why was this dead?
fc417fc802 9 hours ago
I've been noticing an unusual number of spuriously dead comments from accounts in good standing for a while now. My suspicion is false positives due to holding back the AI wave, yet some of the casualties really don't seem to make any sense.
maxbond 9 hours ago
cubefox 9 hours ago
maxbond 9 hours ago
Hmm. Interesting. If it was [dead], probably a false positive from a naughty comment filter; if it was [flagged][dead], difficult to say, potentially even an accident, or maybe people didn't like the joke. Given the non-negative karma, I would guess the first. Regardless, I appreciate the vouch.
Cider9986 8 hours ago
cat_plus_plus 10 hours ago
SGTM, if I am worried about a curl exploit, I will type details into Zoo Code prompt and it will disappear in about 30 seconds and then I can upload a PR for others concerned. Enjoy your vacation and I will enjoy security for a lot cheaper than an enterprise contract!
dist-epoch 11 hours ago
> I have been working full-time on curl since 2019. For me, this typically means doing 50 hour work weeks, as I spend all days on it and then I top them off with a few more hours every late night – all days of the week
I wonder what there is to work on in curl for 50-hour weeks for 7 years?
ozim 11 hours ago
Let me Google that for you.
supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, MQTTS, POP3, POP3S, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS and WSS. libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, HTTP/2, HTTP/3, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, Kerberos), file transfer resume, http proxy tunneling and more!
libcurl is highly portable, it builds and works identically on numerous platforms, including Solaris, NetBSD, FreeBSD, OpenBSD, Darwin, HPUX, IRIX, AIX, Tru64, Linux, UnixWare, HURD, Windows, Amiga, OS/2, BeOs, macOS, Ultrix, QNX, OpenVMS, RISC OS, Novell NetWare, DOS and more...
kitd 10 hours ago
TIL it supports mqtt. Happy 10000 day to me :)
0x1ceb00da 9 hours ago
I'm 90% sure that even the monkey's paw curls.
hurtigioll 10 hours ago
Linux started removing support for obsolete protocols and hardware
Maybe there is place for a minicurl which removes BeOS and Novell NetWare...
nubinetwork 10 hours ago
I think the argument was that curl is fairly feature complete (as shown by your list); are there really that many bugs in curl that require immediate attention?
maxbond 5 hours ago
sph 10 hours ago
maxbond 11 hours ago
It's a massive and complex codebase. From the looks of it, pretty much what you'd expect: lots of chores, work on the test suite, keeping docs up to date, bug fixes. I didn't see any new features on my light skim, but I'm sure they land occasionally.
advisedwang an hour ago
What do you work on? My guess is you have an inexhaustible list of work to be done, right? We all do, curl included.
geysersam 11 hours ago
This is the HTTP/1.1 standard: https://datatracker.ietf.org/doc/html/rfc2616
Then there are also HTTP/2 and HTTP/3.
That's just HTTP, curl supports 27 other protocols.
dist-epoch 10 hours ago
HTTP/1.1 - June 1999
It's not like the standard changed since curl was created
Jaxan 7 hours ago
maxbond 8 hours ago
0x1ceb00da 11 hours ago
The entire http, http2, http3, tls, sftp spec for every operating system.
bawolff 10 hours ago
When we are talking about one of the most used pieces of software in the world, there are always things to do.
rustyhancock 11 hours ago
A curious approach, but I like it!
Wonder if this means just publishing vulnerabilities without contact with the curl team would be responsible (you have no other path to tell vulnerable users).
MatthewWilkes 11 hours ago
I think very few people would consider that to be responsible disclosure. The common practice is to allow 90 days as a minimum.
rustyhancock 7 hours ago
I think I'd personally develop a minimal patch and then publicly disclose.
I'm not sure it'd be reasonable to leave an actively exploited critical bug until August. Nor would I be too interested in playing middle man or paying for support from curl to get it out.
akerl_ 2 hours ago
Reminder that what you're describing is "coordinated disclosure", and that there are in fact plenty of people who consider "full disclosure" to be preferable in some or all cases.
SweetSoftPillow 10 hours ago
It would certainly be irresponsible.
The responsible thing would have been to simply wait another month, considering you've been warned about the delay.
john_strinlai 4 hours ago
The vulnerability is there whether disclosed or not. If you find it, someone else has too. Sitting on it is the irresponsible thing.
CamouflagedKiwi 10 hours ago
Given that most of those users will not be capable of patching it directly, no, that seems like it would be irresponsible.
prmoustache 8 hours ago
Why not? Only a tiny fraction of curl users get it from the upstream website/repo. Most users get curl/libcurl from their OS/application vendor or package manager, all of which have their own maintainers. There is no reason a temporary patch couldn't be produced by them in the meantime.
cmxch 11 hours ago
Just publish early due to a documented lack of cooperation. They don't have to answer, but you don't have to wait.
Naturally some people find this offensive since this puts a price on that "bliss".
Dylan16807 10 hours ago
Taking 1/3 of the standard time budget to get back to you isn't ideal, but it's not "a documented lack of cooperation".
And if you find something halfway through the month then oh no two weeks to reply, that's basically a standard business interaction at that point.
maxbond 9 hours ago
Why are you interpreting clear communication of a window of downtime with 2 weeks notice as a "lack of cooperation"? That's what cooperation looks like. It's not explicit but my read was that they're not even taking a vacation - they're just doing the rest of their job, a lot of which is probably going to be shipping fixes for vulnerabilities that are already triaged.
chias 10 hours ago
There are no "rules" for responsible disclosure. We have guidelines that we have broadly accepted, but at the end of the day whether or not you disclosed responsibly is in the opinion of your peers.
There's no such thing as "responsible disclosure on a technicality". Don't be a dick, and work in good faith to keep users safe.
DonHopkins 9 hours ago
Wrong, but thanks for documenting how uncooperative you are.