The challenge of maintaining curl

15 comments

September 12, 2025

molticrystal

The talk that was referred to in the article can be found here; it is just 13 minutes:

Keynote: Giants, Standing on the Shoulders Of - Daniel Stenberg, Founder of the Curl Project

https://www.youtube.com/watch?v=YEBBPj7pIKo

While the article does a great job, the video's graphs and photos really bring a lot more depth.

angst

> There is an increasing crowd of people who ask a large language model to "find a problem in curl, make it sound terrible", then send the result, which is never correct, to the project, thinking that they are somehow helping.

Our worst nightmares are coming true indeed.

blahgeek

The worst nightmare would be the maintainers in turn using a large language model to review or apply these patches.

signa11

And then have another one duke it out with the first one to reject the patch. That would be a nice llm-vs-llm, prompt-fight-prompt :o)

umpalumpaaa

The Sovereign Tech Agency (German federal government) donated about 200k€ to the project. Not a brand though. https://en.m.wikipedia.org/wiki/Sovereign_Tech_Agency

nurettin

Just have a policy of firing these "security researchers" whenever they submit AI generated BS to curl.

dcsommer

It would be cool to build a "library clout" measure for all open source software. First collect for all deployed software systems measures of usage per platform and along other interesting dimensions like how that system relates to others (is it a common dependency or platform for other deployed software). Use this to generate "clout" at a deployed software unit level. Then detect all open source libraries compiled in it by binary signature matching or through the software's own build system if it is open. Then a library's "clout" is built from the clout of the projects that use it.

This clout score might be used to guide investments in a non-profit for funding critical OSS. Data collection would be challenging though, as would calibrating need.

Basically make a rigorous score to track some of the intuition from https://xkcd.com/2347/
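A small worked version of the scoring idea sketched above, added here as an illustration and not code from the commenter or any real project. It assumes a constructed dependency graph and constructed usage weights; a library's clout is the total usage weight of every deployed system that depends on it directly or transitively, counting each system once per library even when several dependency paths reach it.

```python
from collections import defaultdict

# Constructed sample data: usage weight per deployed system, and a graph
# whose edges point from a dependent (system or library) to its dependencies.
DEPLOYED_USAGE = {"browser": 1000.0, "backup-tool": 50.0, "iot-firmware": 300.0}
DEPENDS_ON = {
    "browser": ["curl", "zlib"],
    "backup-tool": ["curl"],
    "iot-firmware": ["mbedtls", "zlib"],
    "curl": ["zlib", "openssl"],
    "openssl": [],
    "zlib": [],
    "mbedtls": [],
}


def reverse_graph(depends_on):
    """Map each dependency to the set of nodes that depend on it."""
    users = defaultdict(set)
    for dependent, deps in depends_on.items():
        for dep in deps:
            users[dep].add(dependent)
    return users


def library_clout(deployed_usage, depends_on):
    """Score every library (node that is not a deployed system).

    Walks the reversed graph from each library to find all deployed systems
    that reach it, then sums their usage weights. The visited set makes the
    walk safe on cyclic graphs and prevents double counting via multiple paths.
    """
    users = reverse_graph(depends_on)
    clout = {}
    for node in depends_on:
        if node in deployed_usage:
            continue  # deployed systems carry usage, they do not get a library score
        reached, stack = set(), [node]
        while stack:
            for dependent in users[stack.pop()]:
                if dependent not in reached:
                    reached.add(dependent)
                    stack.append(dependent)
        clout[node] = sum(deployed_usage.get(n, 0.0) for n in reached)
    return clout


def ranked(deployed_usage, depends_on):
    """Libraries ordered from highest to lowest clout, for the funding question."""
    scores = library_clout(deployed_usage, depends_on)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
```

With the constructed data, zlib outranks curl because it is reached both directly and through curl, which is exactly the "small dependency everything rests on" intuition from the xkcd.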

phi-go

There is one, though, focused on security: https://openssf.org/projects/criticality-score/

kamaal

> Companies tend to assume that somebody else is paying for the development of open-source software, so they do not have to contribute.

I think if you are a billion dollar company using these tools, sponsoring maintenance isn't a lot to ask.

Curiously enough this came up even during the days of Perl.

I don't think Perl got its due, especially given the fact that even until most recently almost everything of importance was done with Perl. Heck, the internet was made possible because of Perl.

JoshTriplett

> I think if you are a billion dollar company using these tools, sponsoring maintenance isn't a lot to ask.

It isn't a lot to ask, but it's challenging to 1) find who to ask, and 2) get them to care about the long-term view in a way that doesn't fit into short-term thinking and budgeting.

bluGill

I've often asked how my company could support them. Most I ask don't understand the question. Those that do only point out that I can contribute code changes, which I have, but rarely, as we pick good projects that meet our needs: there are rarely bugs or features we would care about enough to not do our regular work.

What would be nice is a non-profit that would take money and distribute it to the projects we use, likely with some legal checking that they are legal (whatever that means). FSF is the only one I know of that does generic development, and they have ideas that companies generally oppose and so are out.

simonw

A lot of open source maintainers are bad at asking for money, and most companies find it very hard to give money away without some kind of formal arrangement in place.

Here's a way you can work around that, if you are someone who works for a company with money:

Contact the maintainers of software you use and invite them to speak to your engineering team via Zoom in exchange for a speaking fee.

Your company knows how to pay consultants. It likely also has an existing training budget you can tap into.

You're not asking the maintainer to give a talk - those take time to prepare and require experience with public speaking.

Instead, set it up as a Q&A or a fireside chat. Select someone from your own team who is good at facilitating / asking questions.

Aim for an hour of time. Pay four figures.

Then do the same thing once a month or so for other projects you depend on.

I really like the idea of normalizing companies reaching out to maintainers and offering them a relatively easy hour-long remote consultation in exchange for a generous payment. I think this may be a discreet way to help funnel money into the pockets of people whose work a company depends on.

bruce511

This is very creative, and I suspect would work.

It does have the side effect of wasting the time of 1+n engineers for that hour. I might be able to rustle up a few in month 1, but I'm not going to be able to do it monthly.

Frankly, as long as the builder has a "support contract" option, that should be sufficient.

I will add that understanding how business works is a huge help to them to get you paid. I advocated for supporting a project (they have a "sponsored by" marketing on their web page, so we could take it out of the marketing budget). But they could only be paid via PayPal (which unfortunately we can't do), so the deal fell through.

It didn't help that the home page in question contained a lot of sarcasm and was antagonistic in tone, likely (I suspect) because of the nonsense the maintainer had to wade through. Ultimately no money got sent.

I'm happy to support OSS, but I can only spend so much social capital on doing so. My advice to maintainers: if you want sponsorship, put some effort into making that channel professional. It really helps.

JoshTriplett

Many projects have foundations or fiscal sponsors you can work with.

If you care about Python, you could support the Python Foundation, and/or hire or sponsor some Python developers. If you care about Rust, support the Rust Foundation, and/or hire or sponsor some Rust developers. If you care about Reproducible Builds, or QEMU, or Git, or Inkscape, or the future of FOSS licensing, or various other projects (https://sfconservancy.org/projects/current/), support Software Freedom Conservancy.

If you care about a smaller project, and they don't have a means of sponsorship, you could encourage them to accept sponsorship via some means, or join some fiscal sponsor umbrella like Conservancy.

positron26

Every day, if I read HN, I find reasons to just go back to working on PrizeForge