It has officially begun. The CRA info request counter is no longer at zero.

"We kindly request your response by Friday, July 25, 2025"

...

@bagder "vendor" ... I suppose they have a contract? :)

@otto
IIRC that is the term used in the CRA. Even if you're giving away stuff for free, you're a vendor.

@bagder

@musevg @otto no, that's not true. You're a *manufacturer* according to the CRA only if you "intend to make a profit", which excludes almost every open source project. There is no "vendor" in CRA.
@bagder @musevg @otto Yeah they're just repurposing some boilerplate questionnaire. It's not ISO27001 either - there are no vendors in that standard. Only suppliers. Maybe TISAX or something?
@christopherkunz @bagder @musevg @otto it's just lazy templated compliance for auditors.
@serpentroots @christopherkunz @bagder @musevg it's just so extremely annoying that as an open source publisher, "they" expect you to provide free support using the software, support any weird OS and use-case, add features just because they ask and now also help them fulfill their legal obligations. Or else!
@otto @serpentroots @musevg I think @bagder has absolutely the right approach here. If companies need OSS "vendors" to jump through flaming hoops or do checkbox compliance, it's only fair to bill them for the time and work. Commercial providers do the same - I was once told I'd have to pay a four figure amount just to see a data center's ISAE3402 audit report. Because EY, Deloitte or whoever wrote that thing charges per *read-only license*, let that sink in...
@christopherkunz @otto @serpentroots @musevg @bagder Do what Red Adair does and charge a million dollar call-out fee.

@otto @serpentroots @christopherkunz @bagder @musevg It doesn't sound like they're sending an "or else" here; they have a lot of "kindlies" in there. On the off chance someone is willing to do work for them (and anyone else who might ask similar questions) for free, maybe they get an answer. And open-source maintainers aren't known for *not* making free stuff for people.

Nobody *has* to do free support. But if these questions are frequently asked, they could go in the project FAQs.

@bagder
Yes, you're right. I didn't remember correctly.

@otto

@bagder Wait until they discover libcurl is used in almost everything x)
@bagder Your contract with them has a clause for setting the price for urgent requests, yes?

@bagder I find that, for tight deadlines, a short email is often the quickest to both write and read.

"no" is the shortest that has meaning 😀

@ben @bagder I’d go with “no” and an invoice attached :)
@bagder Reply with: "As we can't seem to find any active, ongoing monetary support from your company for this free & open source software, we are unable to answer these questions. Please refer to your own technical department. We are sure they are more than capable of answering all questions. If you wish to pursue the path of externalizing the costs of operating onto nonprofit open source projects, please submit a sufficient donation first. Thank you."
@bagder I mean... If you do not answer what will they do? Replace curl and stop paying for their license? ... Oh. Wait! 😂🥳
@bagder Could have been today 🤪

@bagder

"Thank you for your support inquiry. Please contact our business office at ___ . I am confident we will be able to negotiate a mutually agreeable contract for priority service. Please note that priority service contracts start at $1M."

@bagder I'm most interested in what the table actually is, as are many other people for that matter, because it could inform people of what to expect + prepare boilerplate responses.

Also, for a laugh, it'd allow me to see how quickly an LLM could be prepared to reply...

@bagder Deadlines… I guess they will stop using curl if you don’t answer by that date. 🤣 🥳
@fubaroque in this case I actually hope that they feel pressured to get "official" answers before that date as it might increase my chances of getting them to pay for my answers.

@bagder They don’t seem to have that option (to stop using curl) is what I mean. After all curl is everywhere…

Which makes their negotiating position rather weak. And any “deadlines” their problem. Have fun!

@fubaroque @bagder or they find a commercially licensed software that they pay for and that software is using curl. Then they could try to get the answers related to curl from that 3rd party like "hey, please provide answers to the below for every software lib that you are using in your product." 🤷‍♂️
@bagder «THE SOFTWARE IS PROVIDED "AS IS"»
@bagder Here's my hourly rate?
@bagder
"We kindly request to send the Eurodollars by Friday [...]".
@bagder HA!
HAHAHA!
🤣🤣🤣😭🤣
(Excuse me while I collect myself.)
I used to issue these letters on behalf of a gvt I won't name. The subtext was, "if you don't comply we'll have to switch to another third party who'll comply."
Thing is, that model works when you're a company that stands to lose contracts; doesn't translate well to open-source and volunteer work.
This is, as you said in a post months ago, what happens when governments (or government contractors) meet that guy who used to just code for fun and one day wakes up to see the whole planet uses the thing...
Responding to these questions, and especially doing the work they entail, is a full-time job, possibly to a full team.
If you're into that, there's good money to be made, especially since they're far from being the last company to reach you for this... There must be a regulatory deadline coming up in a year or two and those guys must want to be ahead of the curve. Try to find out.
I could add that this is a Fortune-500 company with 17 billion USD revenue and they don't have any contract with me nor have I ever communicated with them before.
@bagder Ah, so you're not actually a vendor. That simplifies things.
@bagder do you send them a quote? Or do you ignore them?
@thejpster @bagder last time I received this kind of thing (from a German company asking me to confirm my compliance with the ILO Declaration on Fundamental Principles and Rights at Work wrt a Ruby gem) I quoted a price to look into it and never heard back again!
@bagder Do you do the consulting fee thing for those? Or just shrug and move on?
@bagder There is a clause of high due diligence in the CRA, where the vendor of the end product must provide evidence that in case of FOSS it is ensured that the product is not in danger ... so I do not see any part of your doing here :-D
@bagder then you should give them a full refund... oh 😎
@bagder you’re absolutely right to make them pay if they want bespoke work done, including getting their compliance forms answered. They’re already benefiting hugely from your labour! And if they don’t want to pay for your services, tell them they can “just rewrite curl in rust”, I’m sure it’ll be easy…

@bagder wow, they outright refer to you as a "vendor"?

There are so many good ways to answer this. From a simple "no" to starting a contract wild goose chase.

I hope you have fun with whatever option you choose.

@bagder They're on a loser there, by the time every file in Maven Central has been listed as a dependency of some or other part of their system.

@bagder

I got one quite similar last week.

I sent them a formal Time&Material quote from my company.

No response so far.

@bsdphk I hope you quoted high enough to make it worth your while, in the unlikely event that they decide to pay you.

The cheek on these people.

@bagder I take my hat off to you for your restraint and politeness in responding. I doubt I'd have managed that level of civility. If they do come back to you (doubtful!) make it a BIG number!
@bagder I had a 4 trillion dollar company whine about the license of a transient dependency of my library a while ago.

@bagder

Reading through your posts about CRA, I think there is a chance for a CRUde awakening for these companies.

A reality check even, about how open source actually works. Including having to read the licenses and realizing they use it, for free, at their own risk.

Leaving them to eat the risk, get a support contract, or stop using it.

So after the initial drama, this could be a good thing for open source in the long run.

@bagder What questions do they ask with these things?
@KevinOfComputer Is Secure Software Development Lifecycle followed? Do you provide regular security updates? Do you have Long Term support? Is appropriate cybersecurity testing followed? etc
@bagder Oh fun. And I'm sure they offer to pay you for your time too :)

@bagder

What happens if you send them an email clearly stating you do none of those things and that curl is just the hobby of some guy that has no business providing a service to a billion people? Will the company have to stop using curl?

@KevinOfComputer

@guenther @bagder @KevinOfComputer As far as I understand EU CRA, please bear with me, if FLOSS says no support for timely cyber-security vulnerability fix update, no indication of long-term support version, library user must make do himself with both timely cyber-security fix update and long-term support version indication. (update - sorry I wrote before reading the whole thread)

@zaffojj @guenther @bagder @KevinOfComputer So it's SOUP. "Software of unknown provenance."

This is standard shit for a regulated company. All they have to do is take on the responsibilities they're pushing onto the OP. With an OS project it's pretty easy. You go through the tickets and decide what does and doesn't affect your product. Then you accept the responsibility of taking on bug reports from YOUR customers and dealing with them.

You fork and watch. That's it. It becomes "yours".

@bagder Will you ignore such mails or have you prepared an answer? 🤔
@bagder I'm curious what is your answer, if any. I can imagine two, which are valid 😊
@bagder what’s your response? A quote for the work?

@bagder "very dear sirs: I am not selling this software, so I am not a vendor. Have a good day."

Vendor: person or company offering something for sale. From lat. vendere (to sell).

@bagder
I may have suggested the wrong approach:
"Sure, that will be consulting work at xx€/hour, billed in advance in increments of 2h".

And that would be fair.

@bagder mark as spam 😆