[Daniel's week] October 27, 2023

Daniel Stenberg daniel at haxx.se
Fri Oct 27 16:16:06 CEST 2023


Hi friends.

We made it another week.

## chart

Somewhere in my social feeds I spotted an image that was a chart describing
something like "this happens when you enter a URL in a browser". Inspired by
that, I decided I wanted to try to do something similar for illustrating what
curl does. I threw my first version out [2] to my Mastodon friends, and after
feedback and several iterations I landed on a version I put up on my blog [1]
to keep.

I think I'll find use for it in a future curl presentation or something.
Hopefully it can also serve in helping users and the world in general get a
small insight into what a small and simple curl command line might end up
doing.

## ECH

The work on Encrypted Client Hello (ECH) for curl [4] continues. The plan is
now to merge the PR with experimental status for the *next* release (i.e. not
for the closest pending one, 8.5.0), probably to be called 8.6.0 with a
planned release date at the end of January 2024. This gives some more time for
the IETF to maybe publish the RFC in the meantime and for some more stuff to
settle a little better.

Unfortunately, and in a worryingly familiar pattern, OpenSSL is behind on this,
so there is currently no way to actually use ECH with it without applying
patches. As both wolfSSL and BoringSSL already ship the necessary functions,
this seems to be yet another TLS "thing" that will become complicated for
users to understand and make it difficult to select which TLS library to use
when building and using curl.

As you may remember: the browsers are already doing ECH. At least Chrome and
Firefox do. A little downside with current ECH is that they, as well as curl,
require DoH to enable it, because it does not make sense to do the DNS
resolves in the clear if the purpose is to make the SNI not "snoopable" by
network observers.

Most of the work on ECH for curl is being done by Stephen Farrell.

## IPFS

Hugo Valtier brought the discussion and desire to implement IPFS in libcurl
[5]: a version of IPFS that verifies the content but still speaks it over HTTP
and still not "natively".

I am not convinced that something "just" using HTTP needs to be implemented
*in* libcurl rather than being done *using* libcurl. Implementing IPFS in a
way that verifies the content rather than blindly trusting the HTTP gateway
seems like a good step forward though.

I believe Hugo now intends to continue and implement this in the curl tool
side, enhancing the existing code there. When the content gets verified, it
will be easier for users to use remote HTTPS gateways and still be able to
trust that what is downloaded is legit.

Hugo has expressed his wishes in doing this, but we have not seen code yet, so
there is no telling yet how long this will take or when we might actually see
this shipped in a curl release.

## Hyper

Jacob Hoffman-Andrews has been digging into and researching some of the
problems we have seen with hyper [8] in curl [7]. His current proposal [6] is
to temporarily disable HTTP/2 support with hyper because of how we are not
using the hyper API correctly for multiple transfers and multiple connections.
This is not an actual proper fix for the issue, but it might at least prevent
the immediate bugs users have reported until the real solution has been worked
out.

One of the challenges here is that hyper is a Rust library and the
documentation for its C API is very sparse (or maybe even non-existent), so it
is hard to figure out exactly how the function calls work and how they are
supposed to be used for HTTP/2. Clearly I did not get it right previously.

## Commits

In curl we have now merged more commits into the git repository during 2023
than we did during any single year after 2014 [16]. If we just keep up the
pace, 2023 might end up becoming the most-commits year in curl since 2004
before we are done with it. In 2014 we did 1745 commits. In 2004 we did 2102
(the all-time curl record for number of commits during a single year).

## Assassin's Creed Mirage

I received a screenshot from the recently announced game Assassin's Creed
Mirage showing that they use curl ("copyright 2020") and that image has now
been added to my ever-growing collection of screenshotted curl credits [3].

## CVE

Fallout keeps coming from my earlier "CVE adventures", and this week this
article by Cynthia Brumfield [9] could be worth highlighting since I did an
interview with her a week or so ago to help feed facts into the story.

While that previous high-severity CVE-2023-38545 is slowly getting behind us,
we keep getting emailed by users on Windows since Microsoft has not upgraded
curl in Windows 10/11 and security scanners now pick that up and generate
warnings. Unfortunately, I still have not received any word on when we can
expect to see it updated.

When it comes to current development we have received and confirmed one
security problem in curl to become a CVE to announce with the next release,
and currently we have two more being discussed and assessed. We have not
really made up our minds exactly how to treat them yet. It can certainly take
a significant effort and time to make a firm and intelligent decision when the
report is accurate and the details are... complicated. We want to do it
right. Not report a security problem if there isn't one but also not ignore
something that is a genuine and actual problem.

## libcurl video

This week I ramped up my efforts and started writing many new slides for my
upcoming "mastering libcurl" video tutorial class. Right now it is at 128
slides, out of which almost half still only have a title without content, so
there is a lot more work left. I suspect working on them might also end up
with me adding a few more. The estimated time needed for teaching this set is
going to be around three hours, maybe a little more. The tentative date for
this is November 16, starting 17:00 UTC (18:00 CET, 09:00 PST), and it will
happen on Twitch but probably also simultaneously over Zoom. Hopefully I will
get all the materials done in time for that.

I'm also working on the agenda and I mean to put up a blog post early next
week showing off that, to make everyone aware of the planned content for this
video.

My "mastering the curl command line" video [10] has been viewed 12,000 times
in less than two months.

## pycon.se

I'm invited to and I will keynote the Pycon Sweden conference [11] on November
9 here in Stockholm. I plan on doing a different kind of talk there than I
normally do, one I call "a maintainer story". Basically talking about Open
Source maintenance and why or how to succeed with a project etc. Quite
subjectively of course, based on my experience, my life, my projects and my
three decades in Open Source. I have a 60 minute slot there to fill up. This
is also going to be a talk I have never done before, but I have gotten the
foundations of it down and I think I have it headed in a generally good
direction. I don't have a lot of Python experience, but I think I might be
able to share something the audience can appreciate.

## Øredev

Directly after Pycon I will take the train down south in Sweden to Malmö and
talk about HTTP/3 on November 10 at the Øredev conference [12]. I have not
quite started on that presentation yet, but I have talked about HTTP/3 so many
times I have a lot of existing material and past slides so putting something
together and refreshing it should not be too much of a chore.

Oh, and since I'm staying over the night in Malmö on November 9, do reach out
to me if you are up for a beer or otherwise saying hello there. At the
conference or outside of it.

## FOSDEM

Several people asked me this week and yes, I am most certainly coming to
FOSDEM 2024 [13]. That happens the first weekend of February 2024 and is one of
the few conferences I attend every year, and I go there even if I don't speak
or anything. It's a highlight of the year. Maybe I can manage to give away
even more curl stickers in 2024. At this year's FOSDEM I handed out around
2,000!

If you have ideas of something I should talk about at FOSDEM, let me know. Or
if you run a devroom or something in which you think me blabbing could be a
good addition.

## c-ares

This morning I packaged, signed and uploaded c-ares 1.21.0 [14]. Yet another
release of the asynchronous name resolver library, this time primarily because
of a regression, but then as a bonus a lot of other things came with it. Lots
of internals were rewritten using a new, more reliable and safer DNS parser. As
usual, all the heavy lifting there was done by Brad House.

## trurl

I have totally neglected trurl [15] recently, but it is now time to make sure
that all the pending pull requests are dealt with so that a new release can be
put together. Ideally during this coming week.

## Coming up

  - a tiny-curl release based on 8.4
  - getting the libcurl video presentation in shape
  - blog post about the coming libcurl video
  - get my presentations for November 9 and 10 in shape

## Links

[1] = https://daniel.haxx.se/blog/2023/10/24/curl-from-start-to-end/
[2] = https://mastodon.social/@bagder/111284750329049948
[3] = https://daniel.haxx.se/blog/2016/10/03/screenshotted-curl-credits/
[4] = https://github.com/curl/curl/pull/11922
[5] = https://curl.se/mail/lib-2023-10/0073.html
[6] = https://github.com/curl/curl/pull/12191
[7] = https://github.com/curl/curl/issues/11203
[8] = https://hyper.rs/
[9] = https://readme.synack.com/the-problems-with-vulnerability-reporting
[10] = https://youtu.be/V5vZWHP-RqU
[11] = https://www.pycon.se/
[12] = https://oredev.org/
[13] = https://fosdem.org/2024/
[14] = https://c-ares.org/
[15] = https://curl.se/trurl/
[16] = https://curl.se/dashboard1.html#commits-per-year

-- 

  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://curl.se/support.html