
The challenge of maintaining curl

By Jonathan Corbet
August 29, 2025

Keynote sessions at Open Source Summit events tend not to allow much time for detailed talks, and the 2025 Open Source Summit Europe did not diverge from that pattern. Even so, Daniel Stenberg, the maintainer of the curl project, managed to cram a lot into the 15 minutes given to him. Like the maintainers of many other projects, Stenberg is feeling some stress, and the problems appear to be getting worse over time.

Curl, he began, is "a small project with a big impact". It began in 1996 with all of 100 lines of code; it has since grown to 180,000 lines that have been contributed by 1,400 authors. In any given month, there are 20-25 developers who are actively contributing to curl. The project has exactly one full-time employee — that being Stenberg himself.

The program is widely used, having been deployed in at least one billion devices. Just about anything that occasionally connects to the net, he said, uses curl to do it. But using curl is different from supporting its development. As an example, he put up a slide listing the 47 car brands that use curl in their products; he followed it with a slide listing the brands that contribute to curl. The second slide, needless to say, was empty. (A version of both slides can be seen on this page.)

Companies tend to assume that somebody else is paying for the development of open-source software, so they do not have to contribute. He emphasized that he has released curl under a free license, so there is no legal problem with what these companies are doing. But, he suggested, these companies might want to think a bit more about the future of the software they depend on.

Open-source software is the best choice, he said, but maintaining it is a tough job. Most projects out there have a single maintainer, and that person is often doing the work in their spare time, without funding. Maintenance involves a lot of tasks, including taking care of security, reviewing patches, writing documentation, keeping the web site going, administering the mailing list, and a long list of other tasks. Occasionally, if a little time is left over, it might also be possible to do a bit of feature development. That is a lot for one person to keep up with.

Companies have a certain tendency to make things worse. He put up an excerpt of a message from Apple support, referring a customer to the curl project for help with their (Apple) device. He has received demands from companies for information on the project's development and security practices, often with tight deadlines for a response. He typically replies by sending back a support contract; that usually results in never hearing from the company again, he said. More recently, he has been getting demands from European companies seeking information on the curl project's Cyber Resilience Act compliance practices.

Some communications are rather less humorous than that; one email came with a subject reading "I will slaughter you". He gets emails from people who found his address in the license notices shipped with their automobiles asking for support. But he also gets nice thank-you emails at times.

Problematic email takes other forms as well. There is an increasing crowd of people who ask a large language model to "find a problem in curl, make it sound terrible", then send the result, which is never correct, to the project, thinking that they are somehow helping. Dealing with these useless problem reports takes an increasing amount of time.

Recently, the curl project, like many operators of web sites, has been contending with distributed denial-of-service attacks by scrapers run by AI companies. He put up a link to LWN's article on this problem for those who are unfamiliar with it. The curl site consumes a massive amount of bandwidth every month, but only 0.01% of that is source downloads. Most of the rest is bot traffic. That, too, adds to the difficulty of maintaining the project.

He concluded the brief talk with one last email; it was from an 11-year-old child who had found curl useful in some project they were working on. It included an expression of gratitude that, Stenberg said, was truly heartwarming.

[Thanks to the Linux Foundation, LWN's travel sponsor, for supporting our travel to this event.]


Thank you, Daniel Stenberg

Posted Aug 29, 2025 21:20 UTC (Fri) by kunitz (subscriber, #3965) [Link]

I'm a user of curl too. Sometimes it even teaches me things, like that a JSON body with a GET request is not the right approach. But even then there is a way to do it with curl.

Probably I use it more often than I'm aware of. So far I have reached only letter B in the software license page of my car entertainment system, which required some serious amount of scrolling. This way he is at least safe to be asked by me about the right pressure for my tires.

I'm always amazed that these monster-mega companies all live from unpaid volunteers around the globe and I ask myself whether more enlightened times than ours will find a way to compensate all those volunteers for their work.

Another thank you email

Posted Aug 30, 2025 18:07 UTC (Sat) by csamuel (✭ supporter ✭, #2624) [Link]

Daniel posts redacted versions of occasional interesting emails he gets (good and bad), and this recent thank you email he got with the subject "thank you for your existence" was really nice: https://daniel.haxx.se/email/2025-05-20.html

Logistics of contributing

Posted Aug 31, 2025 13:24 UTC (Sun) by SLi (subscriber, #53131) [Link] (5 responses)

> As an example, he put up a slide listing the 47 car brands that use curl in their products; he followed it with a slide listing the brands that contribute to curl. The second slide, needless to say, was empty.

The empty slide is striking, but I wonder if the allocation problem is trickier than it looks.

If a company uses 100,000 open-source projects, it's not realistic to support all of them directly. Even with goodwill, sending $10 to each is a logistical nightmare compared to funding a few projects meaningfully.

Some dimensions that matter: how *central* the dependency is to the application, how *unique* it is in its role, and how *broadly* used it is overall. Those don’t always point in the same direction.

Take a toy example: Quantum Cryptoware builds a quantum-currency solver. They depend on

– libquantum (50k LOC, ~20k users): large, central, but niche.
– quantum-justify (<100 LOC, ~50k users): trivial, replaceable.
– curl (180k LOC, billions of users): huge, but in their case only used once a day to fetch a quantum weather forecast.

Which deserves their funding? The project that's vital but small-userbase, the helper that's tiny but shared, or the global infrastructure they only touch lightly?

In the commercial world, prices tilt toward scarcity and exclusivity—a Windows license costs less than a specialized CAD program even though Windows dwarfs it in complexity. Open source flips that logic: maintenance costs are borne regardless of scale.

There's no obvious formula, but recognizing that support is a multi-dimensional allocation problem might be the first step toward sustainable models.

Logistics of contributing

Posted Sep 1, 2025 9:14 UTC (Mon) by DemiMarie (subscriber, #164188) [Link] (3 responses)

I wonder if the logistics *are* the problem. Ideally, it would be very easy to donate small amounts of money to lots of open source projects. Could this be made possible via an intermediary?

Logistics of contributing

Posted Sep 1, 2025 14:40 UTC (Mon) by k3ninho (subscriber, #50375) [Link] (1 responses)

Micropayments have never really found footing, but I'm not sure which mix of "existing payments providers would be disrupted" and/or "we must attribute sources to deter money-laundering and generate tax revenue" and/or "network effect" describes why.

K3n.

Logistics of contributing

Posted Sep 5, 2025 23:07 UTC (Fri) by marcH (subscriber, #57642) [Link]

> Micropayments have never really found footing

You meant: "micropayers have never really found footing".

Logistics of contributing

Posted Sep 2, 2025 9:28 UTC (Tue) by pabs (subscriber, #43278) [Link]

There are lots of services in this space; OpenCollective, thanks.dev and other stuff.

https://github.com/fossjobs/fossjobs/wiki/resources#patro...

Logistics of contributing

Posted Sep 1, 2025 11:00 UTC (Mon) by benzea (subscriber, #96937) [Link]

> > As an example, he put up a slide listing the 47 car brands that use curl in their products; he followed it with a slide listing the brands that contribute to curl. The second slide, needless to say, was empty.
>
> The empty slide is striking, but I wonder if the allocation problem is trickier than it looks.

Does it mean anything at all?

I would not be that surprised if car companies are sourcing the base system and support for it from a third party. In that case, you would not expect to see any direct contributions at all. It could still be that there are no indirect contributions either, but it does become much harder to measure.

Another factor here may be that they only use a small fraction of curl's feature set.

AI slop

Posted Sep 1, 2025 17:57 UTC (Mon) by frukto (subscriber, #114340) [Link]

> There is an increasing crowd of people who ask a large language model to "find a problem in curl, make it sound terrible", then send the result, which is never correct

Daniel recently gave an entire talk on this topic at FrOSCon'25

https://media.ccc.de/v/froscon2025-3407-ai_slop_attacks_o...

Sign of the future?

Posted Sep 3, 2025 11:23 UTC (Wed) by tedd (subscriber, #74183) [Link]

In my subjective assessment, there seems to be a marked increase over the last few years from Stenberg talking about the bullshit he has to endure maintaining such a foundational open source project. From corporations and their "compliance" programs, to beg bounties, to low quality LLM big reports.

I hope he's not getting burnt out.

Context

Posted Sep 4, 2025 10:46 UTC (Thu) by Phantom_Hoover (subscriber, #167627) [Link] (1 responses)

> Some communications are rather less humorous than that; one email came with a subject reading "I will slaughter you".

It should be noted that it turned out the person who sent that was literally delusional and schizophrenic (https://daniel.haxx.se/blog/2021/08/09/nocais-apology/). Very disturbing stuff, clearly, but I’m not sure what could be done about it short of putting lithium in the water supply.

Context

Posted Sep 5, 2025 23:13 UTC (Fri) by marcH (subscriber, #57642) [Link]

The Internet is only a couple generations new and the industrial revolution is not that much older. Humankind has not evolved past the "tribal" stage yet. Eventually, future generations will learn how not to let a 0.000001% of random, schizophrenic strangers have a disproportionate impact and not get in their head. We're very far from that yet. For now, humankind is still at the "doomscrolling" and "Pizzagate" stage.

tip of the iceberg?

Posted Sep 12, 2025 15:29 UTC (Fri) by joey (guest, #328) [Link]

I recently received an AI generated patch adding a Makefile uninstall target. It was buggy of course, and the submitter eventually revealed he was sending out hundreds of such patches to projects. Some have been accepted. Be careful out there.

Video of his talk

Posted Sep 13, 2025 5:26 UTC (Sat) by wdr1 (guest, #179313) [Link]

If anyone else wanted to watch a recording of his talk, you can find it here:

https://www.youtube.com/watch?v=YEBBPj7pIKo


Copyright © 2025, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds