Comment: Open-source developers are working themselves sick on AI bugs | heise online
Some opinionated personalities have always served as a barometer for the mood in open-source projects. These include Linus Torvalds and Daniel Stenberg, founder and still lead developer of curl. They regularly voice their opinions on zeitgeist topics. In the wake of the “Vulnocalypse” of AI-discovered security vulnerabilities, Stenberg now states: contributing to open-source projects is becoming a health risk. This cannot continue, as the resulting lack of participation endangers the open-source ethos.
Stenberg's views on AI-assisted bug hunting are nuanced and precisely track the evolution of LLMs: after the complaints about “AI slop” and the brief suspension of the curl bug bounty program, the project is currently in a phase of “high-quality chaos.” Incoming bug reports are no longer obviously nonsense but detailed and very thorough. The developer spends his days reviewing AI-generated security reports. He has to read and understand each one and, if necessary, initiate further steps, on average one per day, five times as many as in 2024.
This leaves little time for other development work on the project and takes a toll on Stenberg's health. His wife, as the Swede blogs, has for the first time expressed her concerns about his long working hours and the imbalance between work and leisure. Other members of the curl team are experiencing similar issues, and, says Stenberg, “I am concerned for my team mates.” The pressure is higher than ever: “An avalanche of high priority work that trumps everything else” is bearing down on the developers.
Stenberg, who, like Linus Torvalds, describes himself as a “Benevolent Dictator for Life,” sketched out his principles for working on curl back in 2024: “Ship rock-solid products for the universe to depend upon,” it says there. And: “maintain a security first focus.” Stenberg wants to be measured by these and eight other principles, and they are now literally making him and his team sick, because their conscience and pride in their work on curl force them to process the reports instead of simply ignoring them.
Where are the billions from the billions of beneficiaries?
Stenberg, on the other hand, feels largely ignored by the companies that use curl or libcurl in their products. Their number is almost unfathomable: the team estimates curl's install base at thirty billion active installations. From firewalls to robot vacuum cleaners to video game consoles, the transfer library quietly does its work in most households worldwide.
This is record-breaking, and how many sponsors does this record-setting project have? Twenty-three. Are tech giants worth trillions such as Google, Meta, Apple or Microsoft among them? Not one. Instead, Elastic, a company worth five billion, is a gold sponsor and transfers between $500 and $1,000 per month to the project. Airbnb (market value $78 billion) transfers between $100 and $500 per month, the same amount paid by a British cleaning company.
There is also no sign of AI companies like OpenAI and Anthropic, and even their generous offer to unleash the security model Mythos on curl was apparently only indirectly put into practice by the company. Meanwhile, “vibe coding” is removing the material basis from many open-source projects, as researchers have found.
On OpenCollective, the curl project has a good 950 backers with one-time or monthly donations, and another 250 on GitHub. The GitHub donors are predominantly private individuals, and anyone who frequents the open-source bubble in the Fediverse will recognize many of the avatars. So here, many volunteers are donating to other volunteers, while large companies remain conspicuous by their absence.
However, the sponsor page is not a complete picture of reality, as Daniel Stenberg explained to me: “I work full time on curl employed by wolfSSL and I do that because we have customers that pay for curl support and other curl related activities, and I think it could be fair to say that those customers are then by extension actually also sponsoring the curl project.” So corporations like Microsoft could also be using this indirect route to sponsorship; wolfSSL's customer list is not public.
Still, that's not enough, Stenberg notes on his blog: “I wish more companies [..] would chime in their part to fund us.” However, he does not believe in a change of heart, even though the situation has continued to escalate. The team can only “swim” through the “tsunami,” as Stenberg calls the flood of bug reports, with no lifeboats in sight.
He is almost envious of projects that have “made the world burn for a while” due to serious (security) errors, because these...