The pressure

I’m doing Open Source primarily because I love it. The social aspects, the for-the-good angle and the challenge of engineering this to work for everyone. I also do it because it is my full-time job, and getting food on the table and providing for my family is not unimportant. It may come as a shock, but I am not in this game for the money or the extravagant lifestyle.

I have been working full-time on curl since 2019. For me, this typically means doing 50-hour work weeks, as I spend all day on it and then top it off with a few more hours late every night – all days of the week. I spend all this time on curl because it is a work of love, it is both my job and my spare-time hobby, and no one counts my hours anyway. (And no, I do not recommend that anyone else do the same. I’m not suggesting this for others.)

I consider my primary work-related mission in life to be to make curl the best transfer library and tool possible and make it qualify as a top project in Open Source, quality, performance and, not least, security. I believe we generally meet these lofty goals. I founded the curl project, and I am still a lead developer in the project almost thirty years later. While I always clearly state that curl is not a one-man shop and that curl would absolutely not be what it is without my awesome curl teammates, a large part of the world still thinks of curl as my project and sometimes more or less equates curl with my person.

I cannot help taking curl issues personally. When someone critiques curl, it is by extension a complaint about decisions and choices I stand by and behind – and in many cases I made the calls. curl is personal to me. curl has formed my life forever. I have two kids. They were both born many years after I started working on curl and they are both adults and independent individuals now. I love them dearly. Life passes by but curl remains. We’ve had slow times and busy times. The decades pass. Later this year the curl project celebrates thirty years. We typically repeat that the number of curl installations in the world is perhaps thirty billion.

Things changed. Over the last years I have done numerous blog posts on the state of security reports submitted to curl. They have gradually switched over from complaints about stupid LLMs, to stupid AI slop reports, to closing the bug bounty, over to the current high-quality chaos, which for us started maybe at some point in March 2026. We have seen many spectacular security failures through the years, in Internet products, in software infrastructure and in Open Source. Every time we read about those events, we get reminded about how curl is everywhere and how we really, really, really do not want anything like that to happen to us or our users. And we take another lap around the project, tighten every bolt a little more, add a few more checks, tests and guidelines to ideally make the curl ship ever so slightly less likely to ever leak or sink.

Scrutinized. Recently, after I pointed out that Mythos only found a single low severity problem in curl in its first scan, countless people have repeated the claim that curl is one of the most scrutinized, most reviewed, most fuzzed and most verified source codes you can imagine. Perhaps that’s true, but I just want to mention this: that’s not by mistake. That’s not an accident or a happy circumstance. That’s the result of relentless work and attention to detail through decades. Software engineering done right. Iterative improvement over time that simply never ends is an effective method.

This does not, however, mean that we don’t have bugs or that we don’t have security problems left, because we do. We have hundreds of thousands of lines of source code doing highly parallel networking for many protocols on all imaginable operating systems and CPU architectures – in C. So we fix the problems, patch them up and ship new releases. Over and over. Thirty billion installations worldwide means that everyone reading this blog post has curl installed multiple times in stuff they own. In phones, tablets, cars, TVs, printers, game consoles, kitchen equipment and more. Not to mention all the online digital services we use and those devices communicate with. I cannot stress the importance of curl security enough, and I would guess that most of you agree with me.

I am jealous of those projects that shipped a horrible bug at some point in the past that made the world burn for a while. They got attention, and some of them then got funding and financial muscle to get them staff and hire multiple full-time engineers. I sometimes think we would be better off if we also had one of those.

Never-before experienced. A thirty-year-old project could make you think you’ve seen most things already, but we have not been in this situation before. The rate of incoming security reports is 4-5 times higher than it was in 2024 and double the speed of 2025 – meaning that on average we now get more than one report per day. The quality is way higher than ever before. The reports are typically very detailed and long. In order to manage this incoming flood of submissions, we need to make sure to handle them as soon as possible, as we know there are more coming. If we don’t take care of them at roughly the same speed they arrive, the backlog just grows, and having that list of potential security problems that you don’t have control over takes a mental toll.

I spend almost all my days right now working through the list of reported security issues that we have on HackerOne. Verify the claim, assess the importance, write a patch, figure out when the bug was introduced, understand the vulnerability, write a detailed advisory explaining the problem to the world and communicate all this with the security researcher and the rest of the curl security team.

A health concern. For the first time in my life, my wife voiced concerns about my work hours and my imbalanced work/life situation. I work more than I’ve done before, but the flood keeps coming.