[Daniel's week] March 3, 2023
Daniel Stenberg
daniel at haxx.se
Fri Mar 3 17:00:50 CET 2023
Nailed another week. Here we go...
## Hacker Stations
My photos and associated descriptions of my home office went up on
hackerstations.com [1] and people on hacker news got the opportunity to
discuss whether or not my desk is from IKEA. (The legs are, the rest is
not.)
## nuget
Someone helped me realize the bad situation for the curl package hosted by
nuget for their package manager and I kicked off my mission to rectify that.
It got a lot of attention and ended fairly well [2].
## GitHub Security Advisory Database
That nuget story turned my attention over to the GitHub Security Advisory
Database, since the nuget people referred to them for vulnerability lookup for
projects. Turns out there are a few issues with this database from a curl
point of view and I've talked to someone in that team during the week to get
some answers and there is a coming slightly critical blog post slowly being
written in my head.
## security warning on Windows
My third Microsoft encounter this week (in addition to nuget and GitHub)
started with several companies approaching the wolfSSL curl support "hotline"
asking questions and being worried about security warnings on Windows! It
turns out that at least the security scanner Tenable Nessus [3] this week started
to issue warnings when it finds curl 7.83.1 on a Windows machine. The warning
concerns CVE-2022-43552 [4] which is a use-after-free that we rated 'low' in
the curl project because of the mitigating factor that the time window for it
is narrow (microseconds).
The curl installation it warns about is of course the *bundled* curl version
that Microsoft themselves build and ship, and I don't feel comfortable
recommending that users just erase or replace it. Not to mention that a mere
user probably cannot even do it.
According to my contact, Microsoft is aware of this and might address it with at
least some sort of public communication about it. I don't know when or even if
it actually will happen. Until then I remain uncertain what to tell the users
that are hurt by this.
## Fossified
We released the pilot episode of our new podcast "Fossified" [5]. I co-host
this show together with my old Swedish Open Source friends Henrik, Johan and
Magnus. We need your feedback. Propose topics on our GitHub and vote on the
existing proposals for coming episodes. If things work out, we should be doing
them on roughly a weekly schedule.
## Hacker news three times
The hacker stations, the nuget situation and then finally uncurled [8] got
attention and were up on hacker news within some 30 hours this week. Probably
more attention to myself than what is considered healthy.
Some of the comments there are certainly downright health hazards.
## Intro music
I am going to speak at the myconf conference in Karlskrona [6] in May, and I
was asked what "intro music" I would like played when I enter the stage. When
tested with a challenging question I did what every sensible person would do:
I deflected it and asked my Mastodon followers for help [7]. It turned out
people had lots of creative suggestions and I ended up with many awesome
proposals. Now I just need to pick one. I'm leaning towards The Imperial March
from Star Wars because it is both pompous and fun.
## curl regressions
Several curl regressions have been reported and fixed recently. They are
fall-outs from the big HTTP/3 and HTTP/2 refactors where testing has been
sparse. What is good is that almost every single one of these regressions is
now fixed in association with the addition of a new test case to first
reproduce the problem and then verify the fix. Then they remain there to make
sure we avoid that regression again in the future.
An upside here is also that fixing lots of bugs now will only make the coming
8.0.0 release better.
## Coming up
- fix bugs, merge pull-requests
## Links
[1] = https://hackerstations.com/setups/daniel_stenberg/
[2] = https://daniel.haxx.se/blog/2023/03/02/the-curl-nuget-story/
[3] = https://www.tenable.com/plugins/nessus/171859
[4] = https://curl.se/docs/CVE-2022-43552.html
[5] = https://fossified.com/
[6] = https://myconf.io/
[7] = https://mastodon.social/@bagder/109952980359681383
[8] = https://un.curl.dev/
--
/ daniel.haxx.se