curl summer of bliss
255 points by andrewnez
The bad guys won’t rest
Probably not. But we will.
Also the bad guys won't be sending you a vulnerability report. So it's not like being available will change anything regarding this threat.
Personally, I think that 4 weeks of vacation is a little too short, but maybe I'm too French.
Daniel is implicitly referencing the Swedish concept of "industrisemester" - this was the time, usually in July, when Swedish production plants let most of their employees have vacation so that the plant could be inspected, maintained and repaired. Even today most of the population aims for the annual vacation in the month after midsummer (which legally is the Saturday that falls between 20 and 26 June).
Also it's not a full-fledged vacation, because they will still work on support contract issues if those arise. So in reality it's even shorter :-D
Enjoy your vacation lads, you've definitely earned it! I would also encourage other people who are feeling under pressure to also consider taking a vacation.
hot curl summer
Enjoy the vacation, thank you for all you do! :)
I hope they eat a lot of ice cream. Maybe even gelato. What the hell, sorbet too, on a really hot day.
Hope he gets to enjoy his vacation :) But maybe he didn't realize that he had stung the hornet's nest by subtly bragging how Mythos found just one single bug?
Eh, I don't think the metaphor sticks. He's been swarmed by the hornets for years on end at this point. Everybody was already trying to aura farm by getting a prestigious curl CVE.
Have a nice and relaxing summer Daniel 👌
I like this a lot. I hope other projects emulate this.
Contracts excluded: Everyone with a paid support contract will of course still get full and appropriate service even during this period.
This could be a great idea to finance underfunded open source projects. For a month (or more) every year stop providing service unless you have a contract which says otherwise. Since curl is sort of MIT licensed there is no obligation to share the code. Everyone who uses curl privately can probably live with it.
Even if the source code was GPL licensed they could only be compelled to distribute the source code to those whom they have distributed binaries, right?
Many distributors like Red Hat will compile their dependencies from source anyway. They don't rely on precompiled binaries. For them probably the patch is enough.
I might add that I think Red Hat is mostly a good guy here providing funding for a lot of projects.
And even then it doesn't necessarily need to be provided instantly. It is customary to have it online, but it could be a tar file that someone manually will email you in order to stay compliant, with the human processing time it requires.
Email? I remember sending somebody a letter with a check so they would mail me back a 9-track tape! (Of what, though…hm, was it Emacs?)
“But you try telling the young people of today... and they won't believe you!”
Great to see! I hope this encourages other open source maintainers to prioritize their own well-being as well.
I’m curious, does anyone work in an org that buys enterprise support from projects like curl? What’s the scenario or business case where people are saying “yes we want this”? An important complex dependency, corporate altruism, or a bit of both? My naive assumption is that if you’re using curl heavily you have enough engineering firepower to get yourself out of any emergencies - maybe not?