External Publication
Visit Post

Curl summer of bliss (curl will not process security vulnerabilities in July)

Privacy Guides Community [Unofficial] June 22, 2026
Source

So explain your position instead of throwing bot emojis and acting as if I had insulted you?


Editing to explain my position further.

What you are proposing is indeed security through obscurity.

The concept of security through obscurityopens in a new tab (STO) relies on the idea that a system can remain secure if the vulnerabilities are secret or hidden.

okta.com

Security Through Obscurity (STO): History, Criticism & Risks | Okta

Security through obscurity relies on secrecy to enhance cyber defense. Learn why many security admins find security by obscurity to be ineffective with Okta.

You’re attempting to hide that there’s a vulnerability. But curl announced they have stopped processing the vulnerability reports. If that’s a public GitHub ticket, then there is no hiding it.

Also, obscurity is at most, something that complements the best practice, which is transparency. I’m not opposed to marking a fixed vulnerability in commit history with “fix comma” or whatever. That gives time for the patch to be applied across userbase. You’ve already fixed the vulnerability and kept the code open source and so adhered to best practices.

When it’s time to sunset a project the best practice is to announce you’re no longer supporting it or patching vulnerabilities. You don’t hide that to maximize the time users can get use out of it. Why would temporary break in support be treated differently? Who knows if something happens and you can’t return for another month, or year.

Your claim that the curl devs are announcing they’re not home for a month is not analogous as it’s not their house whose at risk. It’s everyone else. So the very least you need to address that in your analogy.

Also finally, as @overdrawn98901 already said, paying customers are getting support. There is no issue here.

Discussion in the ATmosphere

Loading comments...