[Daniel's week] November 24, 2023

Daniel Stenberg daniel at haxx.se
Fri Nov 24 17:08:30 CET 2023


Hi friends,

We have reached the end of another work week. Things happened.

## c-ares

We did another c-ares [12] patch release: 1.22.1. Mainly due to a rather
annoying regression in the /etc/hosts parsing logic.

## mastering libcurl

Monday night I ran part two [1] of my marathon libcurl video presentation, and
it took me 2.5 hours to run through the almost one hundred slides packed with
libcurl source code examples. I hope this video pair will be able to help
users do more and better libcurl applications going forward. These libcurl
videos are of course directed to a more niche audience so I don't expect them
to get even close to as many views as the mastering the curl command line tool
video [2] has - which just surpassed 17,000 views.

I did both parts over both Zoom and Twitch at the same time, which turned out
quite easy once I decided to use two separate physical microphones since for
some inexplicable reason it turns out really difficult to have two
applications use the same mike as input. Once the two apps could use their own
sound input, I could share the presentation window in Zoom and stream on
Twitch using obs studio that would also show the same window and my camera. I
then monitored both the Zoom Q&A window as well as the Twitch chat while
talking and I think it resulted in a decent experience in both worlds.

During part one [3], Twitch logged 243 unique watchers and during the second
part [1] it went up to 390 unique watchers. Not too shabby I think.

## commits

This week the total number of commits done to curl's source code repository
surpassed 1745, which happens to be the amount of commits done during the
entire year of 2014. That year was up until now the second most active year in
curl's history and now, even before December has started, we know that 2023 is
the new second most active year ever commit wise.

The top year remains 2004 which had 2102 commits.

## FOSDEM

FOSDEM announced the devrooms allotments and opened up their "call for papers"
[4] for 2024. I moved ahead and submitted no less than three talks, in three
different rooms. Maybe a little too much, but I don't expect them all to be
accepted. Here is what I have offered to talk about:

- "HTTP/3 - why and where are we" in the Web Performance room. A variation and
updated version of the talk I did [5] recently at the Øredev conference.

- "Broom not included: curling the modern way" in the Network room. A
variation and updated version of the "next level curl" talk [6] I did at
Nordic APIs back in October. Also maybe with some inspiration from my
"mastering curl" video.

- "you too could have made curl" on the main track. Based on my pycon keynote
[7] but updated and further polished.

wolfSSL will have a stand at FOSDEM again. I intend to bring a lot of curl
stickers to hand out there, last year was rather crazy on that front. I also
purchased a set of the curl coasters [8] to bring there that I mean to offer
to people who have authored curl commits. They're a bit too expensive for me
to just hand out to everyone like I do with the stickers.

## pending security advisories

The process of becoming a CNA for curl's own CVEs has stuttered a little
recently but is still moving forward. I decided to acquire CVE IDs for the
next two security advisories using HackerOne for ideally the last time, as
I've been polishing up the documentation and preparing myself to pre-notify the
distros mailing list next week. We are after all now less than two weeks off
from the pending curl 8.5.0 release.

The two pending security advisories are graded severity medium and low, and I
would say are likely to not cause any serious meltdowns.

## OpenSSL 3.2

OpenSSL announced this new version [11] and it brings some interesting news 
for us.

They now ship client side QUIC support, with their own QUIC implementation and
API for using it. curl has no support for it, but OpenSSL has a sample code
using nghttp3 on top of it so it should mostly be a matter of "someone" doing
the necessary work.

Their step into QUIC apparently caused problems for quictls [9] which now
debates how to deal with 3.2, conflicting symbol names and so on. I think
maybe 3.2 is a release that will make the different members of the OpenSSL
fork family truly seriously start to deviate from their mother project.

OpenSSL 3.2 also introduced support for loading the Windows CA store natively,
which also should be interesting for curl since we have our own custom code for
the same purpose that we then can drop when this version is used.

## URL parser

I already mentioned details about it in my weekly email last week. I ended up
writing a blog post about URL parser performance [10] as I feel the marketing
is a little misleading and I prefer to at least state my view about it
publicly. Then leave it and move on.

## Coming up

- pre-notify distros at openwall on Tuesday

## Links

[1] = https://youtu.be/9KqnXsSxqGA
[2] = https://youtu.be/V5vZWHP-RqU
[3] = https://youtu.be/ZQXv5v9xocU
[4] = https://fosdem.org/2024/schedule/tracks/
[5] = https://oredev.org/sessions/http-3-why-and-where-are-we-
[6] = https://www.pycon.se/
[7] = https://youtu.be/8b5jkr35CRQ
[8] = https://daniel.haxx.se/blog/2023/11/03/curl-coasters/
[9] = https://github.com/quictls/openssl/issues/138
[10] = https://daniel.haxx.se/blog/2023/11/21/url-parser-performance/
[11] = https://www.openssl.org/news/cl32.txt
[12] = https://c-ares.org/

-- 

  / daniel.haxx.se

