[Daniel's week] July 22, 2023
daniel at haxx.se
Sat Jul 22 00:23:21 CEST 2023
Another week ended.
I suppose the biggest thing that happened this week was me releasing curl 8.2.0
on Wednesday and we announced the 146th curl CVE  in association with that.
A few days later, we had received reports about at least two serious enough
regressions that we decided to ship a patch follow-up release next week. Stay
tuned for 8.2.1 with nothing merged but a series of bugfixes.
I could add that according to our somewhat recently modified release approach
we are more willing to do patch releases these days than we were in the past,
to generally try to reduce the amount of time that we have regressions present
in the most recently released curl version available.
During the Thursday July 20 we received numerous reports  about curl
suddenly no longer being able to verify certificates on a large number of
well-known sites. It turned out that Ubuntu had botched a backport of a
previous security bugfix so when people updated to that version, things
stopped working. To their credit, they fixed the problem and shipped a
corrected version within hours of it first getting noticed.
Still curious how they managed to push such a serious bug into production. It
could be noticed that that backport was not done by the curl project so no
code we ever shipped actually contained this issue.
## mastering curl
I announced  that I am putting together a monster "video class" I named
"master curl command lines", which is going to be a 2.5 hour something long
video explaining exactly how to use curl. Or how I/we have intended it to be
used - going into depth in a fair amount of areas and command line option
use. It will be live-streamed and of course recorded for watching after the
The tentative agenda in  is available for browsing and feedback. I will
post a blog post about this session separately as well to drive some more
attention to it to get it as polished as possible. Writing up the material for
a 2.5 hour session like this is also going to give me something to work on the
coming weeks! Ideally, a lot of the explaining will be show-and-tell with a
live terminal in display.
I'm also starting on a separate presentation to explain the new coming concept
of "command line variables"  in the curl tool. The concept is quite
powerful and awesome, but I think it might need a little explaining for
everyone to fully grasp what fun you can do with it and how useful it could be
for your use cases as well.
I shipped roffit 0.15  since I fixed a few bugs recently so I could just as
well make them more visible. I'm really not sure if there are (m)any roffit
users out there but I can just as well pretend there are and act accordingly.
I brought the topic of the pending removals of support for these two TLS
libraries to the mailing list . They already exist as two separate PRs, for
NSS  and gskit .
The NSS removal decision got no response at all, but there are many more
concerns voiced about gskit's possible demise. Primarily I suspect because
this is the only TLS library of choice for a lot of users so removing support
for this will effectively render curl rather useless for users of OS400 (IBM
i) etc. The final word has not been said, but I also don't see many other ways
forward. As long as we allow this backend to remain an underhanded treatment it
will remain the laggard in the bunch. I believe cutting it out might be the
only real way to signal everyone involved that I am serious when I say that
this backend does not meet curl standards.
## Coming up
- curl 8.2.1 on Wednesday July 26
 = https://github.com/curl/curl/issues/11475
 = https://daniel.haxx.se/blog/2023/07/19/curl-8-2-0/
 = https://gist.github.com/bagder/253a2368c17ac6a3411af3861068fb6a
 = https://github.com/curl/curl/pull/11346
 = https://github.com/bagder/roffit/releases/tag/0.15
 = https://curl.se/mail/lib-2023-07/0015.html
 = https://github.com/curl/curl/pull/11459
 = https://github.com/curl/curl/pull/11460
 = https://curl.se/docs/CVE-2023-32001.html