[Daniel's week] February 9, 2024

Daniel Stenberg daniel at haxx.se
Fri Feb 9 16:51:36 CET 2024


Hello!

## Weeks

When you get this email it has been two weeks since my previous weekly email
and there will be another two weeks until I send the next.

Last week, I traveled to Brussels and FOSDEM[8] over the Friday, and once
there I hooked up with friends, socialized, had beers, gave away stickers,
talked and just had an overall great time for the better part of the entire
weekend. I simply did not carve out enough time to myself to produce my weekly
update. I decided I will instead do this one to cover two weeks.

Also, I am going on vacation next week where I will be mostly offline, so I
will not write a weekly email next week either! I trust you all will be nice
and take care of the Internet and things for me while I'm away? Thanks.

## release

We shipped curl 8.6.0 on January 31st [9]. This was again a release with quite
a number of refactors and inherent risks that we would have changed something
and caused breakage that simply was not detected by the curl test suite. We
were prepared to have to do a follow-up patch release. I rewrote the pingpong
protocol parser (for FTP, IMAP, POP3 and SMTP) to use dynbuf instead of the
download buffer, I rewrote our printf() implementation and Stefan changed the
flow of the inner transfer loop etc. There certainly were candidates.

We eventually also did get a number of regressions reported and we have fixed
a few things already that we broke in this release, but we have so far
determined that these problems have been small enough so that we don't have to
do another release because of them.

## CVEs

In association with the 8.6.0 release, we published CVE-2024-0853 [15]. The
first CVE to be published by curl as a CNA [16].

The day before the release, another bogus curl CVE surfaced [17]. It was filed
before we became CNA and apparently it could then still get snuck through.
This looks like another case of someone finding a commit message that sounds
nefarious, while in reality the fix quite harmlessly just adjusted an
assert().

## download buffer

This week we merged code that finally removed the download buffer from the
easy handles and it is now instead kept in the multi handle. This means that
all parallel transfers can share a single one instead of them all having one
each.

## h2 performance

On related news, Stefan wrote a blog post on the development of HTTP/2
performance in curl [1]. Recently we increased performance at the expense of
using more memory but now we have that under control as well.

## Dan tests

I wrote up a blog post [10] about the two projects Dan Fandrich is working on,
improving curl test infrastructure.

## wolfSSL five years

I celebrated my five year anniversary working on curl full time [2].

## FOSDEM

I landed in Brussels on Friday afternoon. I have an international group of
friends who go to FOSDEM every year and we tend to unite, stay at the same
hotel and hang out a lot during this weekend. This year as well. Beers,
waffles, french fries and a lot of geeky conversation topics non-stop
basically.

FOSDEM was crowded. They usually say "8,000" hackers attending but the truth
is that they don't know. I spent several hours in the wolfSSL booth on both
days and it was super busy, loud and crowded. Many rooms become full
immediately.

I talked about some of the latest things we've added to the curl tool on
Saturday in a room seating 192 people, but with many more standing along the
walls along both sides of the room. Long lines outside with people wanting to
get in. It was a short (~15 minute) talk and some technical problems with the
video occurred which is why it still has not been made available.

My second talk for this year (my twelfth FOSDEM talk all together) was called
"you too could have made curl" [4] and is me talking about what I think it
takes to do open source with a few anecdotes, experiences and stories from the
curl project. The room seated 805 people but there were maybe two hundred
seats or something unoccupied. The fact that I did my talk 10am on the Sunday
morning made a few people miss out.

On the Sunday evening I attended the GitHub social event at a pub in the city
where I got to hang out with a bunch of other fellow open source maintainers.
A whole bunch of them from the Homebrew project [11], which apparently has
their annual meetup the day(s) immediately following FOSDEM. It gave me an
excellent opportunity to ask them to join the upcoming curl distro meeting
[5].

This year I brought maybe three times as many curl stickers as last year [12].
Several thousands of them. I had not a single one left when I went home! There
sure are plenty of sticker-happy people at this event!

## Contingency

I had been working on this blog post [3] for a while, about what will happen
that day in the future when I step down from the curl project, and at FOSDEM I
got this question again several times so I decided it was time to fire it
away.

## graphs

I wrote up a generic script that can produce a delta between two other
existing date based plots, and using this I created a whole series of new
graphs for the curl dashboard [6]. For example "lines of code per docs line",
"lines of code per test case", "lines of code per known vulnerability" and
"known vulnerabilities per KLOC". All of that data was already available and
used in other graphs, but I think these help viewers interpret the information
differently.
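The combining step described above, as an added illustration that is not the dashboard's own script: two date-based series are rarely sampled on the same dates, so the ratio has to be evaluated against the most recent known value of each series. The numbers below are constructed sample data, not real curl dashboard figures.

```python
from bisect import bisect_right
from datetime import date

# Constructed sample series (not real curl dashboard data): each is a
# date-sorted list of (date, value), sampled on different dates.
LINES_OF_CODE = [
    (date(2023, 1, 1), 150000),
    (date(2023, 4, 1), 152000),
    (date(2023, 7, 1), 155000),
    (date(2023, 10, 1), 158000),
]
KNOWN_VULNS = [
    (date(2023, 2, 1), 140),
    (date(2023, 5, 15), 143),
    (date(2023, 8, 1), 146),
]


def value_at(series, when):
    """Most recent value of a date-sorted series at or before `when`.

    Returns None if the series has no sample yet at that date.
    """
    dates = [d for d, _ in series]
    i = bisect_right(dates, when)
    return series[i - 1][1] if i else None


def ratio_series(numerator, denominator, scale=1.0):
    """Derive one date-based series from two: numerator / denominator * scale.

    The result has a point on every date where either input has a sample and
    both inputs already have a value; dates before the later series starts
    are skipped, as are dates where the denominator is zero.
    """
    dates = sorted({d for d, _ in numerator} | {d for d, _ in denominator})
    out = []
    for d in dates:
        n = value_at(numerator, d)
        m = value_at(denominator, d)
        if n is None or m in (None, 0):
            continue
        out.append((d, n * scale / m))
    return out


def plot_lines(series, precision=3):
    """Render a series as 'YYYY-MM-DD value' lines, one per sample."""
    return [f"{d.isoformat()} {v:.{precision}f}" for d, v in series]


if __name__ == "__main__":
    # "known vulnerabilities per KLOC": vulnerabilities / lines * 1000
    for line in plot_lines(ratio_series(KNOWN_VULNS, LINES_OF_CODE, scale=1000)):
        print(line)
```

The first point lands on 2023-02-01, the first date on which both series have a value, and every later sample date of either input produces a new point.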

I also finally fixed the bug that had prevented my "contrib-trails" graph [7]
from showing up. It shows the distribution for how many committers do how many
commits. Needless to say maybe, but the top committers do many, while there is
a loooong tail of committers who ever did very few...

Right now we are at 64 different graphs in the dashboard! I have a few more
ideas to make into new graphs the coming weeks.

## OpenSSL QUIC

There has been an ongoing discussion with the OpenSSL team [13] about what we
deem are necessary fixes to their QUIC API in order to make it good and
effective, in particular when handling a larger number of concurrent
transfers. We have gotten quite good responses to at least the initial remarks
and complaints, but it is not quite clear yet if we can get all the
adjustments and improvements we need to do high speed transfers done in time
for OpenSSL 3.3, due in April. With their 6 month release cycle, missing a
cycle causes a pretty significant delay.

## Lagging TLS

Starting now, curl's configure and cmake will output a warning if the user
selects to build curl with a TLS library that does not support TLS 1.3 [14].
The spec for this TLS version shipped in 2018.

In plain terms, this affects BearSSL, mbedTLS and Secure Transport. Apple has
deprecated Secure Transport a long while ago so this is not expected to ever
get 1.3 support. mbedTLS claims they have partial support, so it might just be
a matter of somehow stepping up to make sure curl can enable that. BearSSL
does not have it implemented.

We do this to gently push everyone forward and to make users aware when they
pick a solution that might not be keeping up properly.
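The configure-time warning targets people building curl themselves; for an already installed binary, the same question can be answered from the first line of `curl -V`, which names the TLS backend(s) it was linked against. Below is an added check in that spirit, not code from the curl project or from the pull request linked above. The sample version lines are constructed, the list of backend tokens is an assumption about how `curl -V` spells them, and the set of backends flagged as lacking TLS 1.3 is exactly the three the text names.

```python
import subprocess

# Backends the text above lists as not supporting TLS 1.3.
NO_TLS13 = {"BearSSL", "mbedTLS", "SecureTransport"}

# Assumed spellings of backend tokens on the first line of `curl -V` output.
KNOWN_BACKENDS = [
    "OpenSSL", "BoringSSL", "LibreSSL", "GnuTLS", "wolfSSL", "mbedTLS",
    "BearSSL", "SecureTransport", "Schannel", "rustls-ffi",
]

# Constructed sample first lines of `curl -V` (not captured from any real machine).
SAMPLE_VERSION_LINES = {
    "openssl": "curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 OpenSSL/3.0.13 zlib/1.3 nghttp2/1.59.0",
    "bearssl": "curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 BearSSL/0.6 zlib/1.3",
    "multi": "curl 8.6.0 (x86_64-w64-mingw32) libcurl/8.6.0 (Schannel) OpenSSL/3.0.13 mbedTLS/3.5.0 MultiSSL",
}


def tls_backends(version_line):
    """Return the TLS backend names found on a `curl -V` first line, in order.

    Tokens look like 'OpenSSL/3.0.13'; a MultiSSL build lists several, with
    the default one in parentheses, so parentheses are stripped first.
    """
    found = []
    for token in version_line.replace("(", " ").replace(")", " ").split():
        name = token.split("/")[0]
        if name in KNOWN_BACKENDS and name not in found:
            found.append(name)
    return found


def lagging_backends(version_line):
    """Backends on this build that the text lists as lacking TLS 1.3."""
    return [b for b in tls_backends(version_line) if b in NO_TLS13]


def warning_for(version_line):
    """Configure-style warning text, or None when every backend is current."""
    lagging = lagging_backends(version_line)
    if not lagging:
        return None
    return "WARNING: TLS backend(s) without TLS 1.3 support: " + ", ".join(lagging)


def check_installed_curl():
    """Run the real `curl -V` and return its warning; None if curl is missing or current."""
    try:
        out = subprocess.run(["curl", "-V"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return warning_for(out.splitlines()[0])


if __name__ == "__main__":
    for name, line in SAMPLE_VERSION_LINES.items():
        print(f"{name}: {warning_for(line) or 'ok'}")
    print("installed:", check_installed_curl() or "ok / not found")
```

A MultiSSL build is flagged if any of its backends lags, since the user can select that backend at run time; a build whose only backend is OpenSSL, GnuTLS or wolfSSL gets no warning.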

## Coming up

- The curl feature window opens tomorrow
- I'm away and mostly offline next week

## Links

[1] = https://github.com/icing/blog/blob/main/curl-h2-perf-evolution.md
[2] = https://daniel.haxx.se/blog/2024/02/02/five-year-full-time-curl-anniversary/
[3] = https://daniel.haxx.se/blog/2024/02/07/contingency-planning-for-me-and-curl/
[4] = https://daniel.haxx.se/blog/2024/02/06/fosdem-2024-you-too-could-have-made-curl/
[5] = https://daniel.haxx.se/blog/2024/01/25/coming-a-curl-distros-meeting/
[6] = https://curl.se/dashboard.html
[7] = https://curl.se/dashboard1.html#contrib-tail
[8] = https://fosdem.org/2024/
[9] = https://daniel.haxx.se/blog/2024/01/31/curl-8-6-0/
[10] = https://daniel.haxx.se/blog/2024/02/06/funding-dan-to-improve-curl-tests/
[11] = https://brew.sh/
[12] = https://mastodon.social/@bagder/111856319311320630
[13] = https://github.com/openssl/openssl/discussions/23339
[14] = https://github.com/curl/curl/pull/12900
[15] = https://curl.se/docs/CVE-2024-0853.html
[16] = https://daniel.haxx.se/blog/2024/01/16/curl-is-a-cna/
[17] = https://curl.se/docs/CVE-2023-52071.html


-- 

  / daniel.haxx.se