[Daniel's week] January 6, 2024

Daniel Stenberg daniel at haxx.se
Sat Jan 6 11:46:03 CET 2024


Happy new year!

Just a partial work week but I managed to get things done!

## AI for security

I blogged about our recent adventures in security reports when people use AIs
to find issues or to generate text to submit [4]. It attracted some attention
and it was subsequently also mentioned on LWN [5], Hacker News [6], The
Register [7], Slashdot [8] and The Stack [9].

## cmdline parser refactor

This week I accidentally fell over the code in curl that parses command line
options and I realized there are a lot of loops in there. It was a long time
since I was in that corner to clean up so I suppose it was time [3].

I switched the parser to use binary search instead of iterating through all
250+ options, which, needless to say, sped it up significantly. As a
side-effect of this, I removed the support for matching partial long option
names. This was always a bit weird since it was never documented and would
break when we add new options that would make a previous unique partial string
not be unique anymore. I also made sure the option parser is case sensitive,
exactly as documented. It was already case sensitive for the short options.

I then continued and made the short-option parser only iterate over the
options once for the first use and then do a table lookup for all subsequent
ones in the same invocation.

I changed the entire option switch() logic from being a nested multiple steps
thing into becoming a single big switch(), which possibly made it a tiny bit
faster but more importantly improves the readability and reduces complexity.

When in cleanup mode, I then also moved out some code from the big switch into
smaller sub functions and I switched some code to use more dynbufs instead of
old style direct mallocs.

This change is still work in progress.
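The lookup scheme described above, as an added example that is not curl's own code: a sorted long-option table searched with bsearch(3), which rejects partial and differently-cased names, plus a short-option index filled on first use. The option names are a constructed subset of curl's and the function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>
struct option {
  const char *lname; /* long name without the leading "--" */
  char letter;       /* short letter, or 0 if none */
};

/* Constructed subset of curl's option names. Must stay sorted by lname
 * (strcmp order) for the binary search to be correct. */
static const struct option options[] = {
  {"data", 'd'}, {"header", 'H'}, {"insecure", 'k'},
  {"output", 'o'}, {"user", 'u'}, {"verbose", 'v'},
};
#define NOPTIONS (sizeof(options) / sizeof(options[0]))
/* bsearch silently misses entries in an unsorted table, so verify the
 * ordering once (in a unit test or at startup) whenever options are added. */
int table_is_sorted(void)
{
  for(size_t i = 1; i < NOPTIONS; i++)
    if(strcmp(options[i - 1].lname, options[i].lname) >= 0)
      return 0;
  return 1;
}

static int cmp_long(const void *key, const void *elem)
{
  return strcmp((const char *)key, ((const struct option *)elem)->lname);
}

/* Exact, case-sensitive match: "out" does not find "output" and neither
 * does "Output". Returns the entry or NULL. */
const struct option *find_long(const char *name)
{
  return bsearch(name, options, NOPTIONS, sizeof(options[0]), cmp_long);
}

/* Short options: walk the table once to fill a 256-entry index; every
 * later lookup in the same run is a single array access. */
const struct option *find_short(unsigned char letter)
{
  static const struct option *bychar[256];
  static int built;
  if(!built) {
    for(size_t i = 0; i < NOPTIONS; i++)
      if(options[i].letter)
        bychar[(unsigned char)options[i].letter] = &options[i];
    built = 1;
  }
  return bychar[letter];
}
```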

## h3 code audit

The curl HTTP/3 code audit has been mostly completed by Trail of Bits. Nothing
alarming and no security issues were found. There will however probably be
some improvements and cleanups done as a direct result of them poking around
and learning things. I will post a proper blog post and their report later on
when everything goes public.

## c-ares

We shipped c-ares 1.25.0 [2] on January 3rd. Mostly more bugfixes.

## funding curl work

We made a decision to fund curl development in Q1 2024 using sponsor money
- starting now. I am going to write up a separate blog post with details,
probably next week. The money comes from the fund where all the curl sponsors'
money ends up. We have a pledge to spend the money on curl-improving
activities and I believe this qualifies quite well! The sponsored work is
going to be done by Stefan Eissing and Dan Fandrich. Details pending!

## everything curl

I added a few more sections. There are still sections to write [10].

I made a stand-alone single-HTML version of the book available [1] next to
the PDF and ePUB versions. It is still rather crude, but I wanted to start
with putting it up there and see if there is any demand or use for it, and
then possibly work on improving it later on.

## coming up

- curl feature freeze starts today
- wolfSSL team meeting next week

## links

[1] = https://daniel.haxx.se/everything-curl/
[2] = https://c-ares.org/
[3] = https://github.com/curl/curl/pull/12631
[4] = https://daniel.haxx.se/blog/2024/01/02/the-i-in-llm-stands-for-intelligence/
[5] = https://lwn.net/SubscriberLink/954544/76d130a0bb690f36/
[6] = https://news.ycombinator.com/item?id=38845878
[7] = https://www.theregister.com/2024/01/04/aiassisted_bug_reports_make_developers/
[8] = https://it.slashdot.org/story/24/01/04/2230246/ai-assisted-bug-reports-are-seriously-annoying-for-developers
[9] = https://www.thestack.technology/ai-generated-vulnerabilities-bug-bounty-llm-disclosures/
[10] = https://github.com/bagder/everything-curl/issues

-- 

  / daniel.haxx.se


More information about the daniel mailing list