As much as I feel for the maintainers here, this sort of (again) puts the spotlight on our collective dependence on a handful of individuals basically working for free _with no backup_.
Most normal organizations stagger vacations to avoid these things. Most normal organizations _have_ to do this, because their customers require it. Here, we're all customers of curl, but not really. It's a weird, IMO unhealthy, twilight zone that isn't good for anybody.
And it surprises - and saddens - me that not even friggin curl has the financial muscles to have somebody on-call for one month...
You'd be surprised to learn this about free and open source software, but if a maintainer is unavailable, you have both full rights and full source code to... wait for it... fix it yourself (or pay someone to)!
There is something unhealthy in this relationship only if you project "no warranty" into unrealistic expectations.
This is true for the majority of open-source projects, but the most serious ones, on which a lot of software/businesses/infrastructure depends, are controlled by foundations or some kind of other management entity.
cURL also offers paid support and also paid access to the rock-solid (LTS) version, with guaranteed response times, and the blog post states that there are still people to respond to these.
You don't really though. Sure you can fork it and fix your issue, but then what? Are you going to maintain your fork in perpetuity? Are you going to patch all the software that depends on the code you fixed to use your version instead of upstream? Are you going to get your users to do that too?
> Then you send the patch upstream, they incorporate and maintain it for you
Firing patches upstream is still adding burden to the (likely already over-burdened) maintainers.
In an ideal world, if you want a patch upstreamed, you would be contributing to upstream maintenance (or at least donating to the upstream maintainers)...
Fair, but it is less of a burden than just submitting a report with no proposed fix. Also, submitting quality patches regularly seems to be a good way to eventually become a maintainer, provided that both sides are interested (cURL generally is – at least that seemed to be the vibe at last year's cURL Up event I attended).
I believe both are valid: sometimes upstreams are not set up for donations, and sometimes your org will make it easier to submit a patch or to financially sponsor a maintainer.
We are talking about a case when the maintainer is unavailable to do the work: what would happen if this was a proprietary dependency and the maintainer is gone (e.g. bankrupt, moved on, incapacitated...)?
There is nothing unusual about this, businesses face this all the time, the only difference is that you do have some agency with FOSS.
What's the alternative when it is not FOSS? E.g. build it yourself from scratch (and maintain it too), or move to a competing product.
Yes, you can maintain your fork in perpetuity if you can't/will not get your changes upstream. Why is that a problem?
If you're using any complicated FOSS professionally and you have an SLA with your customers to, say, fix issues within a day or two, you don't have a choice anyway.
Because it's a ton of unnecessary work. And because of the other reasons I said.
> If you're using any complicated FOSS professionally and you have an SLA with your customers to, say, fix issues within a day or two, you don't have a choice anyway.
This is true. I always try to upstream patches anyway though.
How do you define unnecessary work if this is... necessary for you?
You are already benefiting from getting the tool/library/system for free, so you can still compare writing the thing you need (necessary?) from scratch or adapting the FOSS solution — maintenance comes with both options.
When you invest enough and are lucky, someone else might just fix the thing for you or pick it up and maintain it for you — but do not count on it, and you are good.
> And it surprises - and saddens - me that not even friggin curl has the financial muscles to have somebody on-call for one month...
Is it that they can't or don't want to? I'm sure curl is popular enough that it could attract a co-maintainer if it wanted to. Of course there is a cost to that. Software projects done effectively by a single person are often more focused and designed more coherently. I'm not sure curl would be as good a product if there were multiple maintainers with potentially conflicting visions.
The thing which bugs me is that OpenAI (which is an unprofitable company) is spending around what 100k$ per month for a completely AI generated slop called Openclaw. (All because of Hype)
I have seen a greater influx of open source software as people are starting to create more software with vibe-coding and other things and just open-sourcing it, which is good in terms of open-sourcing it, but it's mostly less valuable compared to the curl codebase, which was created by hand and improved itself over the years.
Yet the funding is going towards making more and more (OSS/non-OSS) AI slop by people, companies and, dare I say, countries, yet we are unable to put the same wealth and money into, say, the curl project (and the like).
There is also a visibility issue. We all know curl and this is the state of curl. Imagine all the projects which we don't know that much about or aren't aware of going through the same issues.
> The thing which bugs me is that OpenAI (which is an unprofitable company) is spending around what 100k$ per month for a completely AI generated slop called Openclaw. (All because of Hype)
For whatever reason, real people seem to desperately want Openclaw regardless of it being AI generated slop.
OpenAI is certainly not wasting the money they're spending on Openclaw, even if I personally wouldn't want to touch that particular piece of software.
> For whatever reason, real people seem to desperately want Openclaw regardless of it being AI generated slop.
I can agree with it but I am unsure how much the desperation is out of FOMO or out of real use-cases.
Surely curl has more use-cases and projects relying on it than OpenClaw.
The demand seems to be generated out of hype rather than sustainability. The Openclaw project isn't even a year old and from my time hearing about it, it isn't safe or sustainable in any fashion and it seems that the hype around Openclaw has now started to slow down as I hear less about it (which to me is actually a good thing imo) but it shows what the market reality of these tools currently is (at the moment).
> I can agree with it but I am unsure how much the desperation is out of FOMO or out of real use-cases.
I frequently run into people using it, they seem happy with it. I remain highly skeptical about this being a good idea, but I'm quite convinced that many people genuinely really like it and find it useful.
> I frequently run into people using it, they seem happy with it. I remain highly skeptical about this being a good idea, but I'm quite convinced that many people genuinely really like it and find it useful.
That can be the case and good for them, at the very least it's open source software that they are using and it raises more awareness about them.
But I think that we have strayed a bit far from my main premise that I think we both agree on, although the value of a project is always subjective and it's up to the companies how they direct the funds. It's okay for OpenAI to sponsor Openclaw if they absolutely want to.
But the question is if it's entirely reasonable as to a project like Curl getting less funding overall, simply because everyone is using curl underneath but the tech is boring (as I think it should be), but this makes everyone think that curl is well-funded when it isn't.
I think that it's a reasonable decision for a company to give a very small chunk, if it has massive profits, to curl to sponsor the project to be more sustainable, but I am not the one involved in the decision-making at said company, so I don't know what the rationale is behind blocking or not sponsoring Curl.
Is the rationale that they can get away with not sponsoring curl in the first place and use it with its permissive licenses in its code so why invest/donate the money in the first place, but this practice doesn't seem sustainable to me!?
> But the question is if it's entirely reasonable as to a project like Curl getting less funding overall, simply because everyone is using curl underneath but the tech is boring (as I think it should be), but this makes everyone think that curl is well-funded when it isn't.
I think the returns fall off really really quickly when you increase investment in a boring, mature project like this.
It might be nice if people sponsored curl more, but the software isn't going to significantly improve because of it.
I don't understand what's wrong with someone suggesting a book to an author? Do you think all authors have read all other books?
If you had pointed out the original commenter's patronizing comment, as if they with 100% certainty know better than the author who has just written a book about said topic (at least the commenter thinks so), then I'd have agreed with you.
Gotta love HN. A commenter does literally nothing other than recommend a book and the top reply is "don't recommend books to him - he's written books, don't you know that?"
I upvoted it - because I loved those two suggestions and already have them open in another tab. I believe a bunch of others would have done the same.
This resonates with me, but fortunately one difference between LLMs and rockstar developers is that LLMs will at least _try_ to explain what they are doing, and why something has to be a certain way. I've gotten quite a lot of mileage from being a five-year-old with Claude and just asking "why" until I'm satisfied.
Turkish isn't pronounced "Turkey-ish". It's just "turk-ish" as in, "of or relating to the ethnic group the 'Turks'". "Turkiyesh" (Turkish is perfectly phonetic, they don't play games with vowels combining to make all sorts of sounds like English) would be a different thing, being of or related to the country Turkiye.
I think the missing piece here is nuance. Of course there are certain tasks that software engineers do that will be replaced. But will AI replace _everything_ a software engineer does?
The most difficult bit about software engineering is to keep a mental model of _everything_ a product does with varying levels of granularity. The way I see LLMs fail at my company the most is that they are very good at the big picture, and very good at the very small picture, but have difficulty moving between those two levels. And especially when changes have occurred or accumulated over time. Most of all production systems have an extremely long tail of gotchas which are only managed by people who have been around for long enough to have some kind of deep storage access in their heads to those little tidbits of information.
And I think current LLMs might be fundamentally incapable of replacing that.
"Bullough gives the example of a Mexican drug dealer who smuggles product across the border to the US. The drug in question would once have been marijuana, then cocaine, and is now likely to be fentanyl, which is cheap to manufacture and easy to conceal. The drugs are sold in the US for cash, which is used to buy, say, agricultural equipment."
Wouldn't the person buying the tractor in the US for $$$ have to show where that money came from? Can you show up to John Deere with over a million dollars _in cash_?
The short answer is yes. You can buy cars, trucks and tractors for cash. The more expensive the car, the easier it often is. Luxury cars in particular are routinely bought and sold for cash.
Not in the US without the dealer doing all the same work a bank accepting $100k of cash in a duffel bag would be doing. Plus filling out a suspicious activity report on top of it all. They might have a real hard time explaining to the feds that they truly did "know their customer" from a simple form and a photocopy of your ID.
Some dealers might be willing to do this for you, but most will not. They will direct you to your local bank to deposit the money and get a cashier's check instead. They do not want the liability of it all. Perhaps better chances at the Ferrari dealer you've bought 14 cars from over the past 30 years I suppose?
I asked my (luxury) dealer if I could pay cash the last time I bought a car and they basically said “hell no, we haven’t done that in over a decade”. The risk of being caught up in some drug money investigation or whatnot is too great.
Coincidentally showing up to your bank with a duffel bag worth of cash to deposit is a great way to both get your accounts closed, as well as be added to a blacklist so it will be very difficult to open an account anywhere else.
I used to work for GM as a field rep (in the 80s). There had been enough instances where finance managers skimmed/embezzled some of the cash (even before the feds required filing SARs) that dealers stopped taking cash as a policy decision.
Citation needed? Where did you hear that this is a routine occurrence? That seems risky for everybody involved, and it requires a report to the government from the seller.
Because the legal system in most Western countries is set up so that the seller bears liability for laundering money if they accept duffel bags of cash for a car without the same documentation a bank would require.
This is absolutely not true in the US. Are you trying to tee up one of those "the US is not a developed country" type quips that are popular around here?
A dealership may take issue with it but a private party accepts no liability by taking cash.
Firstly, I said "Western" not "developed", you need to calibrate your quip detector lest you become what you dislike.
Secondly, while it's possible to construct a private party transaction in the US where this is fine, if the person spending the duffel bag acquired the money illegally, you the seller are liable if you should have known. "Willful blindness" when accepting illegal proceeds makes you liable too. See 18 U.S.C. § 1957.
Maybe I misspoke by saying you would be liable for laundering specifically, but certainly accepting that money is a crime if you have any reason to think it was ill-gotten. And that's a huge risk that no one wants to take on.
I don't know about the US. The EU limit on cash transactions differs by country, with a legal maximum of 10k€. Belgium and the Netherlands for example are at 3k€.