Until someone races to the bottom to do 12 months of availability.

Incorrect. In europe, either july or august, is the informally agreed upon "vacation month" which means that both customers and vendors scale down and go on vacation, and work slows down to very low levels. That means you need a lot less employees than usual in order to provide for the customers that do not go on vacation.

I mean, looking at most us company's.. What support?

ignore is not the right word.

> Especially since it appears there is a solution if you truly need a fix.

If you ever really need anything fixed in the open source world, there is always the option of doing it yourself

In 2026 there is a considerably cheaper/quicker solution, but that in no way invalidates OSS maintainers' right to enjoy a summer vacation without interruption.

Mythos found only one. Would have to be pretty serious bad guys.

https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-v...

The bad guys wouldn't have submitted a vuln report anyway.

Pretty sure if you find a zero day in a software like that you don’t wait until a certain month.

if a company has a problem with this pay for support if its not worth the money …

Cool, then it's down to everyone using this library to figure out how they can minimize the impact of a zeroday in curl - security should never be down to a single part of a system.

Is this likely though? If you are an AI slop model that spams out finding bugs and vulnerabilities, would you want to become more active when you see that a project is not actively fixing bugs? Because in my opinion, it really would not matter for any AI model how active a project is, when it comes to FINDING existing loopholes.

In other words, I would always go at full speed (as an evil AI slop model) and most likely never release any findings of flaws and loopholes, so they can be exploited lateron. Bad folks don't want to be caught; remember the xz utils backdoor.

I am sure some AI slop models are used by criminals. And they may exploit things at a later time, but they most likely have found issues already. Not every AI slop model would report.

The notion of "the bad guys will now be more active" is strange really in the AI slop age. (We had the stone age; now we have the slop age)

I'm a senior at a big tech company. You can do this in America too. Just communicate with your manager and set the boundary. "By the way, when I'm on vacation I'm away from devices, so let's coordinate beforehand if there's anything critical path."

> if you are on vacation, you are simply not available. You are dead to the world until you return. Emails do not get read, and devices get left at the office.

It's funny because that's kind of the definition of a vacation in my book. I find it weird that some places in the world handle it differently.

Note that it's also much better for the company in the long run: It's a test of resilience and redundany, the famous bus factor. It simulates what happens if someone is not available, and forces the organization around to have a backup plan. Having those is important for cases where employees leave the company or team (switching jobs/teams, accidents, sickness, parental leave, death, burnout, layoffs etc.). It's mind-boggling how many leads at various levels just don't understand that.

I've lived and worked in America my entire life, and in my approximately 40 years of working I've never had a job where I was expected or had to arrange to be available during a vacation. For the odd unplanned personal day maybe I'd try to check email and have my phone with me. But vacation, never.

> if you get sick on vacation, you get your vacation days back,

This slightly blew my American mind but it makes sense. What about getting sick on calendar holidays?

Not to forget that you get a minimum of four weeks of vacation per year with 30 days being offered most of the time.

This year I used my vacation time well and I already had 3 weeks off while I still have almost 4 weeks left.

This is how it should be though - nobody should be irreplaceable. Look up bus factor etc.

Thanks for the reminder that this shouldn't be taken for granted. I am a German and sometimes this privilege feels so normal that it's unthinkable that it could be different elsewhere in the world.

It can honestly be annoying, if you're not privvy to it.

I remember years ago needing urgent support for some bespoke European hardware we were developing software for. When we called support, we were greeted with a phone message stating the company was closed for the entire month due to vacation. This was not a one-man operation; the whole office closed for a summer holiday. We thought it was a joke.

Needless to say we started to look for a new vendor shortly thereafter...

The idea with vacation is that you don't think about work. When I start vacation I disable all the channels that people usually use so that no one asks me even by accident. There needs to be a time when you are completely undisturbed and disconnected. If you are disturbed by work you will think about work while you answer and maybe even after that. That's not good.

I also think you should normalize for yourself and your workplace that there are times when you are not there. If only you can answer a question then there needs to be better documentation. See it as a trail run for when you get hit by a bus. If they will struggle without you then that is a problem that needs to be fixed. If you are always reachable these problems will never surface.

> This seems like a lot of extra work

Music to the ears of a workaholic :)

Seriously, that'd be nice if everyone would do this (and I do it now, very strictly) but I also know how easy for one to start blurring the lines between work and personal lives.

> Not a workaholic, I don't think, but a 24/7 stress monkey when I think that I could be helping

I er... think you might be a workaholic.

But I'm glad for you that your current setup is helping :)

I now want to seek an on site role and request a desktop computer.

This is exactly the move. Work and life should be separate. No work stuff on your personal devices; no personal stuff on your work devices. This way, you can be your best self in both worlds.

Quote from my partner's manager before a vacation:

"If I see you log on, I'll disable your account."

extremely relevant recent Kai Lentit skit:

https://www.youtube.com/watch?v=5E7kBOH9owI

Being the only dev in a startup since 2 years without a single day off where I wasn't messaged by my employer I want this. At least I'll have a 3 week out of country trip where I do not bring my laptop later this year...

You're a good person.

My manager doesn't stop overworking. When told on peer performance review that we have people who are consistently overwork because they are swamped, he played it down.

But hey, at least he doesn't encourage overworking either.

>> Log out of all accounts, remove 2FA keys after backing them up on paper [...]

>> Signed: Former workaholic.

> Seems like a lot of extra work, just to go on vacation :)

That's the point, this person and plenty others, are NOT able to "just" go and disconnect. If you can do that, wonderful for you, but please don't assume others are like you precisely when they are humble enough to clarify that they do have a problem and try to help others to overcome it.

Regarding your edit, you might be ok with going on a multi-day hiking trip or family holiday while still doing some amount of work from your phone, but many of us think that's a bad idea.

Truly disconnecting from our work is necessary for our mental health. When I'm on vacation, I want to be on vacation, which means not working.

Again, maybe you don't want to actually fully be on vacation from work. I guess that's fine; you do you. But I don't think that's healthy for most people, and regardless of health, many people do just want to completely disconnect from work for some number of days.

You're basically saying to get a different job.

That's going to work in some situations, but it's not broadly applicable for many reasons. In particular it's way more work than the act of backing up 2FA and logging out of everything. So yeah, it makes a lot of sense for people to think that's not good advice.

This is the ideal, but in practice you need to own the business to live this way..

Except if you pay them for a support contract. So there is a way, and it's actually a pretty obvious way.

There's a pretty big difference between a random report submitted via email, and, say, a close friend of the maintainers letting them know a serious vuln was found and they should login.

curl is the sandbox. It exchanges packets with the internet and then outputs a safely sanitized byte stream.

This is true for the majority of open-source projects, but the most serious ones, on which a lot of software/businesses/infrastructure depends, are controlled by foundations or some kind of other management entity.

cURL also offers paid support and also paid access to the rock-solid (LTS) version, with guaranteed response times, and the blog post states that there's still people to respond to these.

You don't really though. Sure you can fork it and fix your issue, but then what? Are you going to maintain your fork in perpetuity? Are you going to patch all the software that depends on the code you fixed to use your version instead of upstream? Are you going to get your users to do that too?

In most cases this is extremely impractical.

We have some packages like that, starting with rsync which distributions are having to roll back because it turned into a pile of garbage overnight.

>The thing which bugs me is that OpenAI (which is an unprofitable company) is spending around what 100k$ per month for an completely AI generated slop called Openclaw. (All because of Hype)

For whatever reason, real people seem to desperately want Openclaw regardless of it being AI generated slop.

OpenAI is certainly not wasting the money they're spending on Openclaw, even if I personally wouldn't want to touch that particular piece of software.

> What's the better solution?

IMO Writing correct software the first time around - so formal methods.

But the tooling isn't there yet (though lightweight versions, e.g. strong type systems like rust's, are and significantly reduce the security issue load).

Not only that but the vacation is real. If someone is off then you should not expect them to answer at all (because if you do you’ll get very disappointed).

Ditto Australia: https://www.fairwork.gov.au/leave/annual-leave

  Full-time and part-time employees get 4 weeks of annual leave, based on their ordinary hours of work.

This is normal in most countries apart from the contiguous break requirement.

I thought it's basically the same in all of EU?

I work for a UK company and most people take basically all of August off (I end up with two months of vacation days a year so I take August off and sprinkle some leave around the year) and I can confirm that taking a month off is great. You forget what it's like to work, really.

They dropped the hyper backend, but that wasn’t the only Rust code in tree.

Why would you imagine they have any clue about the area of effect if they ignore the report?

I've been noticing an unusual number of spuriously dead comments from accounts in good standing for a while now. My suspicion is false positives due to holding back the AI wave yet some of the casualties really don't seem to make any sense.

Hmm. Interesting. If it was [dead], probably a false positive from a naughty comment filter; if it was [flagged][dead], difficult to say, potentially even an accident, or maybe people didn't like the joke. Given the non-negative karma, I would guess the first. Regardless, I appreciate the vouch.

TIL it supports mqtt. Happy 10000 day to me :)

I'm 90% sure that even the monkey's paw curls.

Linux started removing support for obsolete protocols and hardware

Maybe there is place for a minicurl which removes BeOS and Novell NetWare...

I think the argument was that curl is fairly feature complete (as shown by your list), is there really that many bugs in curl that require immediate attention?

HTTP/1.1 - June 1999

It's not like the standard changed since curl was created

I think I'd personally develop a minimal patch and then publically disclose.

I'm not sure it's be reasonable to leave an actively exploited critical bug until August. Nor would I be too interested in playing middle man or paying for support from curl to get it out.

Reminder that what you're describing is "coordinated disclosure", and that there are in fact plenty of people who consider "full disclosure" to be preferable in some or all cases.

the vulnerability is there whether disclosed or not. if you find it, someone else has too. sitting on it is the irresponsible thing.

Why not? Only a tiny fraction of curl user get it from the upstream website/repo. Most users get curl/libcurl from their OS/application vendor or package manager, all of them having their own maintainers. There is no reason a temporary patch couldn't be produced by them in the meantime.

Taking 1/3 of the standard time budget to get back to you isn't ideal, but it's not "a documented lack of cooperation".

And if you find something halfway through the month then oh no two weeks to reply, that's basically a standard business interaction at that point.

Why are you interpreting clear communication of a window of downtime with 2 weeks notice as a "lack of cooperation"? That's what cooperation looks like. It's not explicit but my read was that they're not even taking a vacation - they're just doing the rest of their job, a lot of which is probably going to be shipping fixes for vulnerabilities that are already triaged.

There are no "rules" for responsible disclosure. We have guidelines that we have broadly accepted, but at the end of the day whether or not you discussed responsibly is in the opinion of your peers.

There's no such thing as "responsible disclosure on a technicality". Don't be a dick, and work in good faith to keep users safe.

Wrong, but thanks for documenting how uncooperative you are.