[Daniel's week] June 22, 2023
daniel at haxx.se
Thu Jun 22 23:43:53 CEST 2023
This is a short week for me as Friday is a national holiday in Sweden and I
will avoid working then. It is "midsummer's eve" and as a true Swede I will
hang out with family, eat strawberries and have pickled herring served.
I made a trurl 0.8 release so that the bugs in 0.7 are now history. Aiming
for a first non-pre-release in the end-of-summer time frame.
After a lot of effort I managed to finalize my analysis document about
this year's curl user survey and I did a video presentation about it.
The most boring summary would be: mostly the same as last year! =)
## coffee machine
The Siemens EQ900 is a fancy coffee machine which, it turns out, uses curl, and
it is now added to my collection of screenshotted curl credits.
Let me know if you find curl in a product not already listed.
Someone asked me if it is possible to access an environment variable from a curl
config file, to avoid having to hard-code data there and rather use the
current value dynamically at run-time. Perhaps to help with the challenge of
avoiding storing credentials and secrets in files.
In a "that shouldn't be very hard" way I wrote up initial rough support pretty
quickly, and then one thing led to another and it took off a little. Opinions
arrived, people commented and after several iterations and feedback loops I
now have a fairly large PR for the future curl 8.3.0 (planned release in
September 2023) that introduces support for "command line variables". Using
this concept, you can create named variables with specific content, that can
be read from environment variables, be fixed text or get passed in from files
or via stdin. These variables can be used and expanded in option arguments
where wanted. When expanded, there are a few functions that you can "apply" to
the content so that it appears better in the output: like trimmed newlines,
JSON quoting and URL encoding.
A very powerful concept that will unleash lots of new possibilities in future
curl command lines.
I'm of course still eager to hear thoughts and feedback on what works with
this and what does not work so that we can maybe polish it further.
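To make the concept concrete, here is an added example (my own illustration, not
curl's code from the PR) that models the idea: named variables are filled from
fixed text, an environment variable, a file or stdin, and then expanded into
option arguments with "trim", "json" and "url" functions applied. The
definition syntax (name=text, %NAME, %NAME=default, name@file, name@-) and the
{{name:func}} reference syntax are assumptions chosen for this model. The demo
shows the security point of the feature: a secret with an embedded quote is
read from the environment rather than a file, and the "json" function keeps it
from breaking the JSON body it is expanded into.

```python
import io
import json
import os
import re
import sys
import tempfile
import urllib.parse

# Functions that can be applied to a variable's content when it is expanded.
FUNCTIONS = {
    "trim": lambda s: s.strip(),                      # drop surrounding whitespace/newlines
    "json": lambda s: json.dumps(s),                  # emit a quoted, escaped JSON string literal
    "url": lambda s: urllib.parse.quote(s, safe=""),  # percent-encode for use inside a URL
}

# {{name}}, {{name:func}} or {{name:func1:func2}} (assumed reference syntax).
REFERENCE = re.compile(r"\{\{([A-Za-z_][A-Za-z0-9_]*)((?::[a-z]+)*)\}\}")


def define_variable(spec, variables, env=None, stdin=None):
    """Parse one variable definition (assumed syntax) and store its value.

      name=text    fixed text
      %NAME        value of environment variable NAME (error if unset)
      %NAME=text   environment variable NAME, falling back to text if unset
      name@path    contents of the file at path
      name@-       contents of stdin
    """
    env = os.environ if env is None else env
    stdin = sys.stdin if stdin is None else stdin
    if spec.startswith("%"):
        name, sep, default = spec[1:].partition("=")
        if name in env:
            value = env[name]
        elif sep:
            value = default
        else:
            raise KeyError(f"environment variable {name!r} is not set")
    elif "@" in spec.split("=", 1)[0]:
        name, _, source = spec.partition("@")
        if source == "-":
            value = stdin.read()
        else:
            with open(source, encoding="utf-8") as fh:
                value = fh.read()
    else:
        name, sep, value = spec.partition("=")
        if not sep:
            raise ValueError(f"cannot parse variable definition {spec!r}")
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError(f"invalid variable name {name!r}")
    variables[name] = value
    return value


def expand(template, variables):
    """Replace every {{name[:func...]}} reference in template with the
    variable's content after applying the listed functions left to right."""
    def substitute(match):
        name, funcs = match.group(1), match.group(2)
        if name not in variables:
            raise KeyError(f"unknown variable {name!r}")
        value = variables[name]
        for func in funcs.split(":")[1:]:
            if func not in FUNCTIONS:
                raise ValueError(f"unknown function {func!r}")
            value = FUNCTIONS[func](value)
        return value
    return REFERENCE.sub(substitute, template)


def demo():
    """Constructed scenario: the token comes from the environment, the message
    from stdin and the host from a file, so no secret sits in the templates."""
    env = {"TOKEN": 'abc"def\n'}            # constructed secret with a quote and a newline
    stdin = io.StringIO("hello world\n")    # constructed stdin content
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("example.com\n")           # constructed file content
        path = fh.name
    variables = {}
    try:
        define_variable("%TOKEN", variables, env=env)
        define_variable("msg@-", variables, stdin=stdin)
        define_variable(f"host@{path}", variables)
    finally:
        os.unlink(path)
    return {
        "url": expand("https://{{host:trim}}/search?q={{msg:trim:url}}", variables),
        "header": expand("Authorization: Bearer {{TOKEN:trim}}", variables),
        "data": expand('{"token": {{TOKEN:trim:json}}, "msg": {{msg:trim:json}}}', variables),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Without the "json" function the quote inside the token would have terminated
the JSON string early; with it, json.loads() on the expanded body gives the
original token back, which is the kind of output-context handling the
functions exist for.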
I did the necessary work and made sure that both the trurl and roffit projects
now also comply with REUSE. Meaning that every single file in the git repo has
clear and identifiable copyright and licensing details provided.
## new graph
I created yet another graph on the curl dashboard that I call
"Vulnerability reports high vs low". It shows, using vertical bars, how many
security vulnerabilities were reported every year, with two bars per
year: high or critical vulnerabilities in one red bar, and low or medium ones
in a mustard colored bar.
I wanted to somehow illustrate the fact that we actually have reduced the
frequency of reported really serious problems over time, but that is not
visible if we count all issues as equals since we have at the same time
received an increased report frequency in low and medium severity problems.
This graph appears for the first time live in the dashboard on June 23, 2023.
## NVD craziness follow-up
People on the oss-security list were made aware of NVD's crazy CVE
severity practices this week when it was pointed out that they rated a recent
yasm problem CRITICAL 9.8. The issue? A 32 byte memory leak. I wonder why
it even qualified as a security problem in the first place.
This just proves what I already suspected: this is an NVD "modus operandi", the
weird severity levels they have set for curl many times are not anomalies.
Their assessments are oftentimes even worse than a plain roll of
dice would have been.
At the end of this week I will take off on a family trip and be gone for two
weeks. There will be no weekly emails during this period. After those initial
two weeks, I will be "slower" during a few more weeks, meaning that I will be
in summer mode and switch between time-off and working on a day by day
basis. We still have curl 8.2.0 to prepare and ship on July 19.
Be nice while I'm away!
## coming up
- midsummer celebrations
 = https://github.com/curl/trurl/releases/tag/trurl-0.8
 = https://daniel.haxx.se/blog/2023/06/17/curl-user-survey-2023-analysis/
 = https://youtu.be/eTPDNUri590
 = https://daniel.haxx.se/blog/2016/10/03/screenshotted-curl-credits/
 = https://github.com/curl/curl/pull/11346
 = https://curl.se/dashboard.html
 = https://www.openwall.com/lists/oss-security/2023/06/20/6
 = https://github.com/yasm/yasm/issues/210