[Daniel's week] June 2, 2023

Fri Jun 2 14:49:34 CEST 2023

Hi friends,

We made it another week!

# June 2

## The Gemini protocol

The Gemini pull-request that appeared for curl the other day made me check the
protocol spec and eventually have me write a blog post on the topic [1]. It
got some attention, comments and a fair amount of critique. Today, several
days after and hundreds of comments later, I think I still stand by most of my
comments.

It will be interesting to see if the increased attention to the topic and the
pull request will make it more forward better. So far it seems to move rather
gently. Or maybe not at all.

## trurl 0.7

There were some larger updates in the command line options department and JSON
layout which warranted this new release [2]. Some regressions and further
changes done since then are likely to push us into doing another release in
the not too distant future. Probably next week.

trurl 0.7 was the first trurl release in which I did not do most commits:
Emanuele Torre did.

## curl 8.1.2

For the third week in a row I did a curl release [3]. This patch release had
significantly fewer bugfixes than last week's and the even more positive
outcome is that we have not since had any alarming reports about regressions
or serious problems remaining.

This will make the release cycle to continue mostly as planned, with the 
feature window just a week shorter than originally anticipated and we still 
aim for an 8.2.0 release on July 19.

I will appreciate having at least one week of NOT doing a curl release.

## libssh2 1.11.0

Topping of this release week of mine: libssh2.

In the libssh2 project we shipped a new release for the first time since 
August 2021 and it was nothing but very long overdue: 1.11.0 [4]. It has been 
requested and longed for by the community for a while so it felt good to 
finally get that out the door. With such a long time between release and which 
a massive amount of changes and bugfixes merged since the previous time, it 
will not surprise me if we have material and reason enough to do a patch 
release in the near future.

Will and Viktor did all the heavy lifting. I just pushed the buttons to ship
it.

## security

We have had a rather large influx of security reports lately, but most of them
have been rather rubbish and we are right now at zero actual valid reports in
the queue.

I have continued my "fight" against NVD and their inflating curl CVEs. This
week I found CVE-2023-27536 which we ranked Low, and NVD claimed to be
Critical. After my complaint they downgraded their score to High. Still
ridiculous and I told them [5] in clear terms. Harry Sintonen posted a comment
[6] in favor.

On the curl website [7] we now provide a prominent message saying "Alert: if
you look up curl CVEs in public sources like NVD you will find they use
inflated severity levels and CVSS scores" to make the audience more aware of
the situation.

On that same page [7], I changed the "severity-symbols" in the table of
vulnerabilities to make them more accessibility friendly and now features
letters in "circles" for that purpose.

I started the huge job of adding Severity to all the rest of the historic
curl security advisories that lacked them [8]. It's a manual job that
certainly could use more eyes and opinions so I will allow that for a few days
at least before I merge.

In a separate sudden idea, I started listing [9] information per vulnerability
if it affects the tool, the library or both - and show that in the same
security problems table.

This newly added meta data might trigger me to render some new plots or trend
graphs going forward.

## dot onion

In the curl discussions we have had a slightly heated debate about curl's
recently added feature: blocking the resolving of ".onion" host names. Just
like the classic XKCD strip [10], of course it turned out that there are
users out there who actually want to resolve .onion host names and they do it
deliberately and now curl will not work for them.

The question has probably already moved on to how to best offer such a disable
option [11] in a future version.

## fossified

We did an attempt of a Fossified episode with a guest and we lost the
recording! The pain. We need to schedule a new time and do it again and of
course have better precautions to not experience this again. Poor guest.

## curl user survey

The survey [12] is still up until mid next week. If you have not already,
please head over and give us your feedback! We have received exactly 484
survey responses so far, which is more than last year, but we have had several
years in the past with over a thousand responses!

## Coming up

  - curl feature window opens tomorrow Saturday
  - probably another trurl release
  - websocket with curl webinar on Thursday

## Links

[1] = https://daniel.haxx.se/blog/2023/05/28/the-gemini-protocol-seen-by-this-http-client-person/
[2] = https://github.com/curl/trurl/releases/tag/trurl-0.7
[3] = https://daniel.haxx.se/blog/2023/05/30/8-1-2-ate-one-too/
[4] = https://libssh2.org/
[5] = https://mastodon.social/@bagder/110471046103049377
[6] = https://infosec.exchange/@harrysintonen/110473934190094002
[7] = https://curl.se/docs/security.html
[8] = https://github.com/curl/curl-www/pull/256
[9] = https://github.com/curl/curl-www/pull/257
[10] = https://xkcd.com/1172/
[11] = https://github.com/curl/curl/pull/11236
[12] = https://daniel.haxx.se/blog/2023/05/24/curl-user-survey-2023/

-- 

  / daniel.haxx.se