[Daniel's week] May 20, 2023

Daniel Stenberg daniel at haxx.se
Sat May 20 12:34:16 CEST 2023


Hello friends.

Another week full of action.

# May 20

## FreeRTOS broken sscanf

A customer of mine struggled for a while to get cookies working in their curl
installation running on FreeRTOS and it puzzled both them and me a lot. On
Monday we had a joint debugging session over video and I could quickly verify
that they used the API correctly, there were valid cookies being sent from the
server but for some reason curl did not seem to recognized and receive them
appropriately!

It eventually turned out that the sscanf() function in their system (not sure
if they use some custom libc or if this is the default one that ships or
shipped with FreeRTOS) is broken and failed to successfully parse cookies.

By a rather interesting coincidence, I rewrote the cookie parser function
recently exactly to avoid sscanf - albeit for different reasons - but this
came handy now since I could very quickly provide my customer with a patch
that would upgrade their slightly older curl source code to use the new cookie
parser logic. And it then worked for them on first try.

This my friends, is why you purchase support contracts.

## podcast recording

I joined as a guest on an episode recording of the Sustain OSS podcast [1] on
Tuesday where we of course talked a lot about curl in relation to
sustainability and holding out in a project through the decades. I had a great
time. The episode has not been published yet. I will let you know when it is.

## curl release

On Wednesday I released curl 8.1.0, posted the release blog post [2] and did a
video presentation [3] of all the news on a live-stream on Twitch as I do for
every release these days.

Only hours after the release we started receive the first bug reports and
among the first ones was an issue that we deem to be important enough to
warrant a patch release. There will be a 8.1.1 release and I set the release
date for this to Tuesday 23 to allow us a few more days to merge more fixes
and prepare another release again. The old truth that only actual releases get
properly tested was proven yet again and as I write this we have already
landed over 15 bugfixes.

I'm now thinking that we should rather prepare ourselves that we should do
releases with this cadence in the future: a dot-zero release at the end of the
8 week cycle and then .1 release again in the following week where we tighten
up the worst issues we shipped the week before.

## national holiday

Thursday was a national holiday in Sweden and I spent large parts of it doing
gardening work.

## c-ares

The c-ares [4] security audit has been completed. A few vulnerabilities were
detected and has been worked on. There will be a fresh c-ares release on
Monday 22nd that include fixes to the vulnerabilities and the associated CVEs
and security advisories will be published in sync. Most of that work done by
Brad House. I'm mostly a back seat driver for this.

## Coming up

  - Monday: c-ares release
  - Tuesday: curl release
  - Thursday: doing a curl talk in Stockholm
  - Saturday: if the curl release goes well: open feature window

## Links

[1] = https://podcast.sustainoss.org/
[2] = https://daniel.haxx.se/blog/2023/05/17/curl-8-1-0-http2-over-proxy/
[3] = https://youtu.be/fLP141KZ7l4
[4] = https://c-ares.org/

-- 

  / daniel.haxx.se


More information about the daniel mailing list