[Daniel's week] July 28, 2023
daniel at haxx.se
Fri Jul 28 22:57:19 CEST 2023
I put together curl 8.2.1 this Wednesday due to two rather silly
regressions and now after this we have not heard about serious flaws. It feels
pretty certain that we can now let the rest of the cycle proceed as planned.
I continued to be a little annoyed with Debian, which still ships curl 7.88.1
in their unstable branch even though we have now done seven releases
since. Debian *used* to stay up to date with the latest curl releases and I
have not figured out what caused this to change or why they are seemingly
stuck on this particular release.
## mastering curl
I continue to work on my "mastering curl" lesson for end of August. Doing
a 2.5 hour presentation requires quite a lot of preparations. I intend to do
it with a large number of slides, but also with a live terminal window on
screen for numerous live command lines showing off what I explain in the
slides and using words.
I will do a separate blog post announcing this event in another week or so, to
drum up some more attention.
Tomorrow Saturday July 29 we open the curl feature window for this release
cycle. We will then accept new features to get merged during the coming three
weeks (exactly 21 days) before we close it again. We have a number of PRs
pending marked "next-feature-window" but I am not sure we will manage to merge
them all this time around. If YOU have a feature you want to merge, please
make sure it is well polished as soon as possible to maximize its chances to
get merged in this cycle.
This week the IETF 117 meeting took place in San Francisco, but I did not
attend any sessions. Partly because it is ridiculously pricey if you only want
to attend single sessions; 140 USD per day for attending remotely, and the two
HTTP sessions I was interested in were set on two different days and had a
total duration of three hours. But the nine hour time difference also makes
it very hard in this my last week of part-vacation. I will simply stick to the
mailing list conversations. There are no major HTTP changes in the works right
now, which also helped contribute to me making this decision - in spite of
HTTP being such a core part of my life and work.
Several people have asked me what I think about the Google "Web Environment
Integrity" proposal. I don't feel I have the energy and bandwidth to write up
a proper blog post to express any detailed opinion, but I think it is a really
horrible suggestion and idea that needs to be fought and turned down. It is
not something that is to the benefit of Internet users, in spite of the text
## CVSS 4
Several people have also pointed out to me that the CVSS 4 proposal has been
open for feedback for a while and that I, because of my past complaints about
CVSS and NVD, might have ideas or proposals for them. Again, I don't feel I
have room right now to fully get into the details of the current proposal and
investigate how it could be improved. My criticism before has mostly been
about NVD's procedures though rather than with CVSS itself, even if I also
think that CVSS in its current incarnation is far too one-dimensional to be
functional. I put my trust in the process and cross my fingers.
This week, I had conversations with a potential sponsor of new HTTP features
in curl and if we can agree on the details all the way through, we might get a
very exciting autumn. Can't wait to tell you more about this.
## Coming up
- Feature window opens tomorrow
- I'm back at full speed Monday
- Merge feature PRs
 = https://daniel.haxx.se/blog/2023/07/26/curl-8-2-1/
 = https://gist.github.com/bagder/253a2368c17ac6a3411af3861068fb6a
 = https://curl.se/dev/feature-window.html
 = https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md
 = https://datatracker.ietf.org/meeting/117/agenda