Curl summer of bliss (curl will not process security vulnerabilities in July)

The curl project will not accept or otherwise handle any vulnerability reports during the month of July 2026. We call it the curl summer of bliss.

Vulnerability rate

As previously mentioned, we have been under a huge pressure for the last four months or so. Now we need some rest. We do not expect this deluge to be over

Call me crazy, but this seem like a terrible idea. Especially announcing it two week early, you give every malicious attacker a head-up : “curl will not be patched in July”, start finding 0-days now.

Also, it’s not like they would have stopped releasing new code one month before and therefore all new vulns could (theoretically) been found, they are going to release a new version 8 days before their vacation. curl - Release Table

Everyone needs vacations, but this feels like abandoning your post. There should always be one person in standby. Rotate your teams so everyone gets vacation but the project is never left without surveillance.

calling you crazy is crazy

so let me get this straight

you would enslave foss developers so that they can keep everything secure?

good to know

1 Like

Long term health of the project is more important, and the devs definitely deserve a vacation. If you can’t take the risk, stop using curl until August release patches the holes. Or the very least, offer them a lucrative support contract that makes it worth their while to pause that vacation.

5 Likes

tbh I do understand the other side also that announcing that you’re pausing security vulnerabilities may get hackers (especially black hat) to go all out on finding vulnerabilities and exploiting devices using curl all round so.

Maybe im at least hoping that severe or critical vulnerabilities get taken seriously

1 Like

response to @maqp and @EsperZero . No one is forcing anyone to work on Curl, so I don’t get the ‘enslavement’ narrative. As I said, there are probably multiple maintainers so they can just put one of them in standby while other take vacation and rotate that way.

Also, I will reiterate that I don’t get why they have to take vacation all at the same time. The reason you create a project with an institution is precisely so it doesn’t rest on the shoulder of one maintainer. That also means you should get the benefit of both being humane (allowing off-time) and being reliable (having off-time for devs without abandoning the project).

And again, even if you were to do such a thing, don’t announce it in advance… And don’t release a new version a week prior.

2 Likes

If curl is really important to you, you can sign service contract (pay), and you’ll get support, probably vulnerability fix if it happens during this time.

I think this is good way to tell billion dollar companies they should spend some money on software they’ve been using for free or asign their own stuff to fix things

3 Likes

I’m getting the sense people opposing Curl’s actions don’t know how much they focus on security already.

Mythos found a single Curl vulnerability, and now fable is disabled for everyone and has intense safeguards.

As you said, nobody is working for curl. This isn’t a product by a company. The best you can say is “if it so happens that someone isn’t taking a vacation in July, they might see if they have energy to fix it”. But it’s the developers’ business when they take vacation, and if it happens that it’s all during July, then it’s fair they let people know about it beforehand.

even if you were to do such a thing, don’t announce it in advance…

That’s security through obscurity. Exploits are being looked for anyway, eight days a week. The reason you let people know about the downtime, is those who rely on it for security can abstain from using it. They absolutely don’t want to learn about the downtime and why they were pwned in posterior if it could’ve been avoided.

But, unless you’re stepping up to help them start a sustainable non-profit around the project that can offer continuous vulnerability patching, this critique unfortunately falls into the choosing beggars category.

3 Likes

Though I think they could do a better job, for instance keep someone on shift and rotate people, this reminds me of burnout in open-source software.

1 Like

So it’s open source but you only get security if you pay? That doesn’t a serious argument sorry. Billions of device use it daily.

Then they should just assign an AI that only alerts them if a various security is found, which wouldn’t be the case if they are so confident.

Open source does not mean gratis.

Even Free Software evangelists like RMS are clear on this.

You get security, just not 24/7/365 without making that financially possible. They do not owe you anything.

5 Likes

You either provide something for free and do it right, or provide something for paid and do it right.

Anyway, I am not going to argue further since all constructive argument I made were not adressed.

2 Likes

Yes, they were addressed constructively by maqp. I was going to write a response but maqp’s said it better than I could.

You can read the Hacker News thread to see if you can find more insight. There will definitely be opposing sides and it’s from a developer community.

1 Like

Most projects that are actively maintained are going to be much less secure than Curl against determined attackers even if they’re actively fixing vulnerabilities. Because curl is built with good practices and is immensely audited.

Read every single FOSS license. This is on curls, but most contain this.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

No one has forced anyone to use curl. You do not have to use curl. Stop using curl if you don’t like it.

FOSS is a gift economy generally. Outside of copyleft constrictions for some licenses, it’s given to you without expectation of return. Demanding your gifts must be a certain way is rude. Accept it, or do not.

2 Likes

This is such a strange argument. No one is saying the curl devs are legally obligated to provide patches. I don’t think anyone even cares about the act itself of them taking a vacation. The issue is it’s a bad look to be so flippant and dismissive of vulnerabilities and the very real risks of ignoring reports for a month in such a critical software, and just as the devs have a right to do so if they choose everyone else has a right to comment on it negatively.

Your rights do not impose an obligation on others to feel any particular way about the attitude you put on display while exercising them.

1 Like

That’s not what that means, at least not in any meaningful way. Obviously you shouldn’t disclose some things that might make an attacker’s job easier. Do you think e.g. announcing to the world you’re going to be away from home and your valuables therein for two weeks is fine and keeping that information private would just be “security through obscurity”?

2 Likes

It doesn’t make attacker’s job easier. It makes it impossible when your target isn’t even using the application you’re trying to compromise them with. You know they won’t use it until the attack you found has been patched.

Bad analogy. Does announcing that people using your burglar alarm that’s got a scheduled four week downtime, should empty their apartments of all valuables for the duration, give some edge to the burglars? Sounds like responsible behavior to me. (And this is just an example, the entire mitigation is sudo apt install wget -y, assuming your OS doesn’t bundle it already.)

2 Likes