[Daniel's week] March 15, 2024

Fri Mar 15 23:17:26 CET 2024

Hello!

It's already Friday again. Lots of things happened again...

## the Apple incident

It is infuriating to first have a slow-going conversation with an anonymous
group email alias at a behemoth company over several months, which means
mostly waiting for a very brief response to show up, only to end up getting
told they don't think it is a security issue and then that's it [1].

## vulnerabilities

There has been a whole series of new vulnerabilities reported [2] to curl
recently. For every report it takes time and effort to understand the issue,
validate that it is real, assess the importance and then if it really is an
actual problem write a patch and a detailed security advisory. Generally, the
quality of submissions is high and really the better the submission, the more
work it is for us. Most submissions end up determined not to be security
problems, but every now and then a clever person has figured out a way to do
something unexpected, revealing a vulnerability.

Right now we have no less than four vulnerabilities/CVEs queued up for
publication with the pending next release on March 27. Two of them are
severity Medium and two are severity Low. None of them are considered a "C
mistake". You will of course learn all the details once they go public.

## GitHub actions

This week suddenly a few of our CI jobs on GitHub actions started to fail in
peculiar ways, running on Ubuntu. The clang memory and sanitizer builds caught
our attention. The compiler had serious problems, which included hard to
explain crashes. Was there something bad in the latest clang 14 package for
Ubuntu? It was a detour. It turned out to be a runner image upgrade where the
Linux kernel version was bumped and due to changes in the ASLR, old clang and
gcc packages no longer worked correctly [3].

After a few hours of chasing this, I could eventually merge a work-around that
issues a sysctl command that makes the compilers run fine again. Order was
restored.

## core team

In the curl project we have never officially had a "core team", although in
reality the curl security has doubled as a sort of board of advisors when we
have curl matters to discuss that can't be dealt with in the open. This week,
we formalized this by documenting the existence of this role and this group
[4].

## sponsors

We have come to accept that some sponsors of the curl project are more
interested in paying for their logo and link to appear than to actually help
the project. While money is money no matter the motivation, we have decided on
a few guidelines on how to deal with this going forward and that the curl
project is going to start to reject showing some logos on the curl website if
the sponsors are involved in what we consider unethical business. There is no
exact definition for this, but it includes gambling, drugs and social media
manipulations (buying followers/likes etc). We just don't want curl to be
associated with such activities, and the other fine sponsors we have should
not have get their logos displayed next to such brands.

Going forward, we have a higher bar to get mentioned on the curl website [5].

## getting started with libcurl

It is again time for me to run a webinar using this topic. A beginner's guide
to doing internet transfers with the libcurl API. It will happen on March 28.
I will put up blog post about it next week with links etc. A great opportunity
for beginners to also ask questions.

## everything curl infra

Ever since I started writing everything curl [6], it has been hosted by
gitbook.com. It was a convenient and practical way to get an online book
created and offered online, and it has served us well over the years. However,
recently the system have started to crumble. Several times now, have I pushed
updates to git that simply will not be mirrored to show up on the book site as
they are meant to. Previously I could trigger a manual resync to fix things
but my latest updates seem to simply refuse to appear in the book.

This might be the signs I needed that maybe we have come to that point where I
must realize that gitbook has done its job and I better move on to something
else. Preferably then something I control more and better myself. We have a
few alternatives [7] figured out and nothing has been decided yet, but I hope
to start fiddling with this next week. Maybe I will also move the book content
over to be hosted directly on curl.se to take advantage of our CDN setup and
otherwise pretty well performing web infra setup.

## curl up

The search for a venue continues. I am now pretty sure we will end up in
Stockholm Sweden May 4-5, I just need to find a suitable place for us. For an
entire weekend devoted to serious curl nerdery [8]. I have some contenders to
decide among the coming week.

## Coming up

  - pre-notify distros at openwall about coming vulnerability announcements
  - Wednesday, curl turns 26
  - Thursday, curl distro meeting

## Links

[1] = https://daniel.haxx.se/blog/2024/03/08/the-apple-curl-security-incident-12604/
[2] = https://hackerone.com/curl
[3] = https://github.com/actions/runner-images/issues/9491
[4] = https://github.com/curl/curl/blob/master/docs/GOVERNANCE.md
[5] = https://github.com/curl/curl/blob/master/docs/SPONSORS.md
[6] = https://everything.curl.dev/
[7] = https://github.com/bagder/everything-curl/issues/438
[8] = https://github.com/curl/curl-up/wiki/2024

-- 

  / daniel.haxx.se