[Daniel's week] March 17, 2023

[Daniel Stenberg]

Hello friends!

## distros

We adjusted the curl security process slightly last week. The update allows us
to push security fixes to git even they fix problems for vulnerabilities rated
Low or Medium and we only do it without highlighting or mentioning the
security aspect.

The reason for this update is to allow fixes to mature a longer time before
they are shipped in a release, with the hope that with longer time there will
be more scrutinizing and a better chance to detect possible problems with the
fixes. We have seen several times now how we get a repeat-report on *the same*
issue a while later because the previous fix was not correct. Maybe by doing
the fixes in a more relaxed time frame we improve the chances of them being
better?

When I then subsequently pre-notified the distros at openwall mailing list [2] 
about our pending CVE disclosures they got all upset because "the fixes are 
already public" and according to their policies they don't want "embargoes" 
for already disclosed matters. I object to describing these issues as public 
just because there is publicly available commit fixing the problem, because it 
is far from easy for anyone to spot the issue and even if you can, properly 
understand what the security implications are. The *issues* are not public 
even if the fixes are.

If they don't want to be told about advisories ahead of time, then I will of
course abide and not tell them but I have a hard time to see what the benefit
is of delaying them getting the information.

I may have told them this in a strongly worded email reply. I think the idea 
is that they will discuss and get back to me about this topic at a later 
point.

distros at openwall is a members-only mailing list for open operating systems to
which I have sent pre-notifications about ALL curl vulnerabilities since at
least 2011.

## CVE age

We have a new set of six CVEs to report in association with the pending
release. Five of them were found and reported by Harry Sintonen who is a very
prolific flaw finder in curl. The oldest of his finds was introduced over
8,000 days ago, and none of those flaws are newer than 4,000 days! The oldest
one here is still only the 5th oldest vulnerability reported to curl. The
all-time record holder for oldest CVE found in curl is 8,729 days for
CVE-2022-35252 [3].

The sixth flaw however is very new, and is primarily the result of bad
documentation.

You will get to enjoy all the CVE details next week of course.

## v8 prep

I believe I have most of my ducks in order for the release now. Blog post
drafts, commits pushed, changelog mostly written, celebration stuff moving
along, presentation(s) mostly written, six security advisories researched and
written, podcast recording scheduled and I have the 25yo single malt within
reach.

See you Monday [4]. The 25 year celebration party meeting is going to happen
on Google Meet and is going to be simultaneously live-streamed on YouTube and
probably Twitch as well. All details and links will be made available in that
blog post in time before the event kicks off.

## Docker

Docker emailed us and said that they will kill off our "legacy Free Team
organization" effective April 14, 2023 and at that point the images we provide
at docker will become inaccessible.

The curl docker image has been pulled close to 5 *billion* times as of today's
count and is continuously getting pulled at a rate of about 26 pulls/second
right now. That makes over two million pulls per day.

I suppose the community helped build Docker to a point where they no longer
think they need us, but that we need them and they now want us to pay 420 USD
annually to maintain this relationship. By cutting us off they hurt Docker
users, they don't particularly hurt the curl project.

I don't think we should look for alternative hosting for this image as clearly
there is a demand. I realize a move will come at some expense and with
annoyances for users and that here will be hiccups, but I think we can do this
together.

We should never assume services run by others will remain as-is forever.
Services will always come and go. We just need to adapt. Again.

According to Docker's FAQ and public statements, the names of these team
organizations that they will delete are however not be "up for grabs" for new
registrations so name-squatting of old established teams and packages like the
curl one *should not* be possible. Unclear for how long though.

In a follow-up blog post [5], they muddied the water a little by saying that
"sponsored oss" would not be affected (which would mean curl is safe I think)
but also that only those free team members would get booted - which would
include the members of the curl org on Docker. So we're both fine and not
fine. I suppose time will tell if we are welcome or not.

## parallel tests

Long time curl expert and developer (since almost two decades) Dan Fandrich
will get funded to work on enhancing the curl test suite to make it able to
run tests in parallel. The goal being to make it possible to run through the
existing tests (much) faster than now on an ordinary dev machine.

This project is funded by the curl fund, paid for by our generous sponsors.

Dan will post details and his plans in the public soon for everyone to read,
comment, improve and help out with. I'm thrilled to see this come alive!

## tabs in cookies

My old quest to make sure that we "ban" TABs from being embedded in cookie
names [6] and content now seems to be one step closer as there were movements
in the GitHub issue [1] that at least partially agree with me.

## talks

I did two curl related presentations this week. It's good to meet people,
answer questions and learn how things work out there in the real world.

## Coming up

- curl 8.0.0
- all the curl 8 related activities
- curl 2023 roadmap webinar on Thursday

## Links

[1] = https://github.com/httpwg/http-extensions/issues/2262
[2] = https://oss-security.openwall.org/wiki/mailing-lists/distros
[3] = https://curl.se/docs/CVE-2022-35252.html
[4] = https://daniel.haxx.se/blog/2023/03/10/curl-25-years-online-celebration/
[5] = https://www.docker.com/blog/we-apologize-we-did-a-terrible-job-announcing-the-end-of-docker-free-teams/
[6] = https://daniel.haxx.se/blog/2022/10/14/there-is-a-tab-in-my-cookie/

-- 

  / daniel.haxx.se