HI version is available. Content is displayed in original English for accuracy.
Advertisement
Advertisement
⚡ Community Insights
Discussion Sentiment
60% Positive
Analyzed from 3822 words in the discussion.
Trending Topics
#vacation#curl#support#don#more#days#http#company#month#slop
Discussion (134 Comments)Read Original on HackerNews
many engineers actually work that way, right? We are employed for 12 months and give our availability fully to the company and we get salary for it, why isn't it allowed to others?
> Probably not. But we will.
A pleasant dose of humanity in decidedly inhuman times.
> Or you get a support contract and we get to read about it earlier.
If you ever really need anything fixed in the open source world, there is always the option of doing it yourself
https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-v...
In other words, I would always go at full speed (as an evil AI slop model) and most likely never release any findings of flaws and loopholes, so they can be exploited lateron. Bad folks don't want to be caught; remember the xz utils backdoor.
I am sure some AI slop models are used by criminals. And they may exploit things at a later time, but they most likely have found issues already. Not every AI slop model would report.
The notion of "the bad guys will now be more active" is strange really in the AI slop age. (We had the stone age; now we have the slop age)
Signed: Former workaholic.
In Germany, if you are on vacation, you are simply not available. You are dead to the world until you return. Emails do not get read, and devices get left at the office.
Another neat thing is that if you get sick on vacation, you get your vacation days back, because vacation days are for resting and recovering.
It's funny because that's kind of the definition of a vacation in my book. I find it weird that some places in the world handle it differently.
Note that it's also much better for the company in the long run: It's a test of resilience and redundany, the famous bus factor. It simulates what happens if someone is not available, and forces the organization around to have a backup plan. Having those is important for cases where employees leave the company or team (switching jobs/teams, accidents, sickness, parental leave, death, burnout, layoffs etc.). It's mind-boggling how many leads at various levels just don't understand that.
This year I used my vacation time well and I already had 3 weeks off while I still have almost 4 weeks left.
I'd also add that the culture allows and encourages sick days. The average is 15 sick days per year IIRC.
I remember years ago needing urgent support for some bespoke European hardware we were developing software for. When we called support, we were greeted with a phone message stating the company was closed for the entire month due to vacation. This was not a one-man operation; the whole office closed for a summer holiday. We thought it was a joke.
Needless to say we started to look for a new vendor shortly thereafter...
Many companies force staff to take vacation days during this time, and there are four (yes four!) public holidays during this period.
I used to have a desktop that I could VPN+RDC into from my personal laptop or desktop to work away from the office¹. I've now got a laptop, that refuses to let me authenticate remotely and they have no interest in fixing that as there are other priorities, so I simply can't work if I don't have that laptop with me and I'm not carting it around when I'm already carting my own around (and if I'm not carrying my own, it is because it isn't a suitable situation to be bringing any laptop).
Not a workaholic, I don't think, but a 24/7 stress monkey when I think that I could be helping. Simply not being able to work away from the office actually helps with that: if there is literally nothing I can do, especially given it is work that has made that impossible, I don't stress the same way.
--------
[1] other than the VPN connector and the MFA doo-hicky on an old² phone, nothing work related, even Teams, even email, ever touches my personal devices
[2] a small old thing, factory reset with a dummy google account and just the MFA apps installed
Work during work time, don't work during not-work time. Good practices mean that everyone is important, but nobody is irreplaceable, the team and the work will move along a little slower, but that's fine.
"If I see you log on, I'll disable your account."
Some people are just workaholics and need interventions to actually take a proper holiday.
Personally I’m sure I’d forget to sign out of something.
https://www.youtube.com/watch?v=5E7kBOH9owI
My manager doesn't stop overworking. When told on peer performance review that we have people who are consistently overwork because they are swamped, he played it down.
But hey, at least he doesn't encourage overworking either.
The only people who should suffer this much are the true busines owners.
Real engineers think about handling things when stuff goes wrong, not "everything will be on the happy path forever".
Yes, there are constraints, but to me this sounds like an unacceptable level of exposure.
https://www.youtube.com/watch?v=5E7kBOH9owI
Seems like a lot of extra work, just to go on vacation :)
I would suggest another approach. Automate your work, that you can work from your phone. I go on multi day hiking trips, or a week long family beach holidays, without taking PTO...
Edit: I do not get negative reactions. Big part of my work is to monitor system, and answer questions. I spend less time on my phone than most social app users! I still do heavy coding in office a few times a month. And I am self employed for nit pickers.
Work does not have to be sufering, you can enjoy it!
>> Signed: Former workaholic.
> Seems like a lot of extra work, just to go on vacation :)
That's the point, this person and plenty others, are NOT able to "just" go and disconnect. If you can do that, wonderful for you, but please don't assume others are like you precisely when they are humble enough to clarify that they do have a problem and try to help others to overcome it.
Truly disconnecting from our work is necessary for our mental health. When I'm on vacation, I want to be on vacation, which means not working.
Again, maybe you don't want to actually fully be on vacation from work. I guess that's fine; you do you. But I don't think that's healthy for most people, and regardless of health, many people do just want to completely disconnect from work for some number of days.
That's going to work in some situations, but it's not broadly applicable for many reasons. In particular it's way more work than the act of backing up 2FA and logging out of everything. So yeah, it makes a lot of sense for people to think that's not good advice.
There is something unhealthy in this relationship only if you project "no warranty" into unrealistic expectations.
cURL also offers paid support and also paid access to the rock-solid (LTS) version, with guaranteed response times, and the blog post states that there's still people to respond to these.
In most cases this is extremely impractical.
Then you send the patch upstream, they incorporate and maintain it for you. Congratulations, you just FOSSed.
I guess the whole point of the article is to show that people should buy a support contract if they need support.
> Everyone with a paid support contracts will of course still get full and appropriate service even during this period.
Is it that they can't or don't want to. I'm sure curl is popular enough that it could attract a co-maintainer if it wanted to. Of course there is a cost to that. Software projects done effectively by a single person are often more focused and designed more coherently. I'm not sure curl would be as good a product if there were multiple maintainers with potentially conflicting visions.
I have seen there to be an more influx of open source software as people are starting to create more software with vibe-coding and other things and just open-sourcing it, which while good in OSS'ing it but its mostly less valuable as compared to the curl codebase which was created by hand and over the years improved itself.
Yet the funding is going towards making more and more (OSS/non-OSS) AI slop by people, companies and dare I say countries yet we are unable to take the same wealth and money into, say, the curl project (and the likes)
There is also an visibility issue. We all know curl and this is the state of curl. Imagine all the projects which we all don't know that much about or aware about going through same issues.
For whatever reason, real people seem to desperately want Openclaw regardless of it being AI generated slop.
OpenAI is certainly not wasting the money they're spending on Openclaw, even if I personally wouldn't want to touch that particular piece of software.
I can agree with it but I am unsure how much the desperation is out of FOMO or out of real use-cases.
Surely curl has more use-cases and projects relying on it than OpenClaw.
The demand seems to be generated out of hype rather than sustainability. Openclaw project isn't even an year old and from my time hearing about it, it isn't safe or sustainable in any fashion and it seems that the hype around Openclaw has now started to slow down as I hear less about it (which to me is actually a good thing imo) but it shows what the market reality of these tools currently are (at the moment).
* curl is mature enough that the chance of an impactful bug is basically zero * if there is such a bug, I'm sure someone will figure out how to get in touch with Daniel and co * if there is such a bug, it's more important that it gets patched in package managers and rolled out. Upstream releases can wait.
No, that is the point, they are not going to accept your vuln report. They are taking a holiday.
They aren't. If you ignore vulnerability report from an entity without a support contract, the vulnerability doesn't disappear just because the entities with support contracts are not aware of it
(See https://www.riksdagen.se/sv/dokument-och-lagar/dokument/sven...)
2 weeks is the acceptable limit in the UK for example (where also has 20-35 holiday is common) though if you can convince your boss otherwise, you can take longer, but most people can't
I thought this was due to AI slop spam before I read the blog entry.
I wonder what is there to work on curl 50 hour weeks for 7 years?
Let me Google that for you.
supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, MQTTS, POP3, POP3S, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS and WSS. libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, HTTP/2, HTTP/3, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, Kerberos), file transfer resume, http proxy tunneling and more!
libcurl is highly portable, it builds and works identically on numerous platforms, including Solaris, NetBSD, FreeBSD, OpenBSD, Darwin, HPUX, IRIX, AIX, Tru64, Linux, UnixWare, HURD, Windows, Amiga, OS/2, BeOs, macOS, Ultrix, QNX, OpenVMS, RISC OS, Novell NetWare, DOS and more...
Maybe there is place for a minicurl which removes BeOS and Novell NetWare...
https://github.com/curl/curl/commits?author=bagder
Then there are also HTTP/2 and HTTP/3.
That's just HTTP, curl supports 27 other protocols.
It's not like the standard changed since curl was created
Wonder if this means just publishing vulnerablities without contact with curl team would be responsible (you have no other path to tell vulnerable users)
The responsible thing would have been to simply wait another month, considering you've been warned about the delay.
Naturally some people find that this offensive since this puts a price to that “bliss”.
And if you find something halfway through the month then oh no two weeks to reply, that's basically a standard business interaction at that point.
There's no such thing as "responsible disclosure on a technicality". Don't be a dick, and work in good faith to keep users safe.