[Daniel's week] April 6, 2024

Daniel Stenberg daniel at haxx.se
Sat Apr 6 00:20:44 CEST 2024


Hello,

So it managed to pass midnight so it's now April 6. Oh well. It was another 
packed week!

## xz

Lots of talk about the xz attack [3] this week, no surprise there.

As a direct outcome of that discussion, work started in curl to improve the
reproducibility of the release tarballs [4] to make it easy, if not even
trivial, for people to verify that curl releases are generated purely with
contents found in git. Turns out we still had a few minor things that made it
hard for people to make an identical replica.

I might even switch over to building release tarballs using a docker setup we
maintain in git, as this should make it even easier for others to repeat it.

There is a pending blog post in the works about this.

## c-ares 1.28.1

There was a silly regression in 1.28.0 so we shipped a quick update [2].
Enjoy!

## GHA macos

On March 29th GitHub deployed an updated macOS image in GitHub Actions. It
took several days until this new image was used by almost all their
front-ends. In the meantime, we saw CI jobs for pull-requests get flaky and
mysterious build failures that were hard to figure out [5].

Eventually, after some hours of poking and debugging, we figured out that
GitHub had shipped a default curl config file in $HOME/.curlrc in the new
image that would affect curl when the test suite ran and cause all sorts of
havoc! Once that was clear, we could just make the CI jobs remove the file and
we were good again!

GitHub is going to remove the file again in a pending update.

## regressions

We worked on several annoying regressions in the latest release. One of them
[6] (mostly) affects git (due to them having an unusual sequence of transfer
options). Luckily, there are some clever engineers over in that project who
did all the necessary debugging and we mostly just had to confirm their
findings and then poke at the code to make curl stop doing those bad things
going forward.

## crypto funding

I was offered 2000 USD funding to the curl project, via a cryptocurrency and
an elaborate setup. I told them we happily accept funding but only as "real
money". They then declined to fund us.

## email index

Remember my archive of funny emails I have received? I made an index [1] of
them all to make it easier to find your way back to your favorites!

## tracing config files

I'm working on an idea to allow users to "trace" config file use with the curl
command line tool [7]. A little related to the GitHub thing above. We will see
where this lands...

## Coming up

- the curl feature window opens tomorrow

## Links

[1] = https://bagder.github.io/emails/list.html
[2] = https://c-ares.org/
[3] = https://en.wikipedia.org/wiki/XZ_Utils_backdoor
[4] = https://github.com/curl/curl/pull/13250
[5] = https://github.com/curl/curl/issues/13284
[6] = https://github.com/curl/curl/pull/13257
[7] = https://github.com/curl/curl/pull/13295

-- 

  / daniel.haxx.se
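
Added example, not part of the original mail and not curl's own tooling: the kind of check a reproducible release tarball makes possible, comparing an official tarball with an independently rebuilt one and reporting what keeps them from being an identical replica. All file names, timestamps and user names below are constructed sample data.

```python
import hashlib
import io
import tarfile

FIELDS = ("sha256", "mtime", "uname", "mode")

def make_tar(files, mtime, uname):
    """Build an in-memory tar from {path: bytes} (stands in for a release build)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime, info.uname = mtime, uname
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def manifest(tar_bytes):
    """Map every regular file to its content hash and the metadata tar records."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar:
            if m.isfile():
                digest = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                out[m.name] = dict(zip(FIELDS, (digest, m.mtime, m.uname, m.mode)))
    return out

def compare(official, rebuilt):
    """Return (reason, path) findings; an empty list means no per-file difference."""
    a, b = manifest(official), manifest(rebuilt)
    findings = [("only-in-official", n) for n in sorted(a.keys() - b.keys())]
    findings += [("only-in-rebuilt", n) for n in sorted(b.keys() - a.keys())]
    for name in sorted(a.keys() & b.keys()):
        for field in FIELDS:
            if a[name][field] != b[name][field]:
                findings.append((field + "-differs", name))
    return findings

# Constructed sample data: one source tree, built four ways.
SRC = {"example-1.0/configure": b"#!/bin/sh\n", "example-1.0/src/main.c": b"int main(void){return 0;}\n"}
OFFICIAL = make_tar(SRC, 1712000000, "release-host")
REBUILT = make_tar(SRC, 1712000000, "release-host")   # pinned metadata: byte-identical
DRIFTED = make_tar(SRC, 1712345678, "builder")        # same content, different build metadata
EXTRA = make_tar({**SRC, "example-1.0/m4/extra.m4": b"# tarball only\n"}, 1712000000, "release-host")

if __name__ == "__main__":
    for label, other in (("rebuilt", REBUILT), ("drifted", DRIFTED)):
        print(label, compare(OFFICIAL, other))
    print("extra", compare(EXTRA, OFFICIAL))
```

When the rebuild pins timestamps and ownership, a single hash of the whole tarball is enough; the per-file report is for finding out why a rebuild does not match.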

