Comment by laszlojamf
14 hours ago
as much as I feel for the maintainers here, this sort of (again) puts the spotlight on our collective dependence on a handful of individuals basically working for free _with no backup_. Most normal organizations stagger vacations to avoid these things. Most normal organizations _have_ to do this, because their customers require it. Here, we're all customers of curl, but not really. It's a weird, IMO unhealthy, twilight zone that isn't good for anybody. And it surprises - and saddens - me that not even friggin curl has the financial muscles to have somebody on-call for one month...
You'd be surprised to learn this about free and open source software, but if a maintainer is unavailable, you have both full rights and full source code to... wait for it... fix it yourself (or pay someone to)!
There is something unhealthy in this relationship only if you project "no warranty" into unrealistic expectations.
This is true for the majority of open-source projects, but the most serious ones, on which a lot of software/businesses/infrastructure depends, are controlled by foundations or some kind of other management entity.
cURL also offers paid support and also paid access to the rock-solid (LTS) version, with guaranteed response times, and the blog post states that there's still people to respond to these.
You don't really though. Sure you can fork it and fix your issue, but then what? Are you going to maintain your fork in perpetuity? Are you going to patch all the software that depends on the code you fixed to use your version instead of upstream? Are you going to get your users to do that too?
In most cases this is extremely impractical.
> but then what?
Then you send the patch upstream, they incorporate and maintain it for you. Congratulations, you just FOSSed.
4 replies →
We are talking about a case when maintainer is unavailable to do the work: what would happen if this was a proprietary dependency and the maintainer is gone (eg. bankrupt, moved on, incapacitated...)?
There is nothing unusual about this, businesses face this all the time, the only difference is that you do have some agency with FOSS.
What's the alternative when it is not FOSS? Eg. build it yourself from scratch (and maintain it too), or move to a competing product.
Yes, you can maintain your fork for perpetuity if you can't/will not get your changes upstream. Why is that a problem?
If you're using any complicated FOSS professionally and you have SLA with your customers to say fix issues within day or two you don't have a choice anyway.
2 replies →
They do, he said at the end if you have a support contract then they will respond and deal with security issues.
I guess the whole point of the article is to show that people should buy a support contract if they need support.
They do.
> Everyone with a paid support contracts will of course still get full and appropriate service even during this period.
It does. The article clearly says that if you have a paid support contract they will be on-call as per usual.
And I'm assuming you're not going to pay for them to have that someone on-call, even though you're worried about this scenario
> And it surprises - and saddens - me that not even friggin curl has the financial muscles to have somebody on-call for one month...
Is it that they can't or don't want to. I'm sure curl is popular enough that it could attract a co-maintainer if it wanted to. Of course there is a cost to that. Software projects done effectively by a single person are often more focused and designed more coherently. I'm not sure curl would be as good a product if there were multiple maintainers with potentially conflicting visions.
I wonder how far we are from the agents just maintaining the packages
We have some packages like that, starting with rsync which distributions are having to roll back because it turned into a pile of garbage overnight.
Consumers, not customers
They do. You just seem to expect that it will somehow be free.
Reminder: ‘the software is provided “as is”…’.
It’s not their problem that you, or anybody else, think you are owed 24/7/365 emergency support.
The thing which bugs me is that OpenAI (which is an unprofitable company) is spending around what 100k$ per month for an completely AI generated slop called Openclaw. (All because of Hype)
I have seen there to be an more influx of open source software as people are starting to create more software with vibe-coding and other things and just open-sourcing it, which while good in OSS'ing it but its mostly less valuable as compared to the curl codebase which was created by hand and over the years improved itself.
Yet the funding is going towards making more and more (OSS/non-OSS) AI slop by people, companies and dare I say countries yet we are unable to take the same wealth and money into, say, the curl project (and the likes)
There is also an visibility issue. We all know curl and this is the state of curl. Imagine all the projects which we all don't know that much about or aware about going through same issues.
>The thing which bugs me is that OpenAI (which is an unprofitable company) is spending around what 100k$ per month for an completely AI generated slop called Openclaw. (All because of Hype)
For whatever reason, real people seem to desperately want Openclaw regardless of it being AI generated slop.
OpenAI is certainly not wasting the money they're spending on Openclaw, even if I personally wouldn't want to touch that particular piece of software.
> For whatever reason, real people seem to desperately want Openclaw regardless of it being AI generated slop.
I can agree with it but I am unsure how much the desperation is out of FOMO or out of real use-cases.
Surely curl has more use-cases and projects relying on it than OpenClaw.
The demand seems to be generated out of hype rather than sustainability. Openclaw project isn't even an year old and from my time hearing about it, it isn't safe or sustainable in any fashion and it seems that the hype around Openclaw has now started to slow down as I hear less about it (which to me is actually a good thing imo) but it shows what the market reality of these tools currently are (at the moment).
3 replies →