[Daniel's week] November 3, 2023
Daniel Stenberg
daniel at haxx.se
Fri Nov 3 15:58:45 CET 2023
Hello
Another intense week ends.
## slides
I've continued to work on the two presentations I will do next week and the
"mastering libcurl" grew so large (at 180(!) slides right now) I decided to
split it into two parts. They will happen November 16 and November 20. Both
sessions are likely to run two plus hours. I posted a few teaser snapshots
from the presentation on Mastodon this week.
While working intensely on the libcurl presentation it struck me that I should
of course provide all the example source code snippets I show in the
presentation as stand-alone examples in a dedicated git repository [5]. This
allows users easier copy and paste, plus I can make sure that the provided
examples compile warning free and include a few extra lines that are not
visible in the presentation.
My presentations for Øredev and Pycon Stockholm next week are now also mostly
done. I like spending a few days before a speaking event polishing and
fine-tuning the slides and texts.
## security issues
We keep getting new suspected security vulnerabilities submitted on HackerOne
[8] and it at least feels like I am spending an increasing amount of time and
energy on researching, assessing and in some cases debunking issues.
Just this week we have had discussions in five issues. Out of those, two were
eventually closed as "informative" as they led to bugfixes, one triggered a
documentation update after a loooong discussion, one was closed as spam and
the fifth was confirmed a security problem and is now queued up as the second
issue subject for CVE Ids and the associated security dance. Planned to happen
in sync with the curl 8.5.0 release on December 6. They are currently graded
severity Medium and Low, so no really earth-shattering things.
## security scanners
I emailed the curl-users mailing list this week [10] only to stress the point
that neither I nor the curl project at large can do anything about the fact
that security scanners generate warnings for the curl tool installed as part
of Windows.
I keep getting a steady stream of emails from users asking me about this.
## HTTP/3
HTTP/3 support in curl based on the ngtcp2 [11] library is now officially no longer
experimental. We recommend and encourage anyone and everyone to enable it in
their builds, including in production. This, since ngtcp2 and nghttp3 [12]
both were released in 1.0.x versions, meaning they are no longer in beta and
that they intend to stick to their APIs going forward.
The two other HTTP/3 backends curl supports are however still marked
experimental.
## podcast
Episode 399 of the Open Source Security podcast went public [1], in which I
participated and we talked curl related stuff including of course quite a bit
about the "CVE issues" we have experienced lately. A most enjoyable experience
as Josh and Kurt are as friendly as they are quick and smart.
This also marks the 40th show episode I have appeared in as a guest [2].
## workplace
Earlier this year, photos and descriptions of my workplace were posted and
hosted on the site hacker station [3], and this week I made the same material
available on my own site. My workplace [4]. This should satisfy a few curious
fans.
## tiny-curl release
The long awaited tiny-curl [6] release finally happened. tiny-curl 8.4.0 is a
patch set on top of vanilla curl 8.4.0 that primarily makes it build and run
on a few extra Realtime Operating Systems.
## trurl release
I shipped trurl 0.9 [9], featuring two new command line options and some
bugfixes. Me being the one who I am, I forgot to bump the version number in
the header file so it still says "0.8" if you ask it what version it is!
My plan is to compensate for this and aim for a 1.0 release within a few weeks
to make it slightly more obvious for users that we intend to stick to the
general interface and "approach" now. I also removed the "pre-release"
checkmark on GitHub for 0.9, which makes it appear better as a release there.
## coasters
Tim Westermann is the German creator behind the new awesome curl coasters [7]
made out of PCB boards with curl cheat sheets on them. I'm promoting them
because they are cool and because they have curl on them. I have a set myself
so I can vouch for their sturdy quality. This is a coaster that can survive
for a while.
## FOSDEM
I have booked flights and hotel for FOSDEM 2024. I have some ideas on talks to
propose there.
## Coming up
- Wednesday: Polhem Prize award ceremony
- Thursday: Pycon keynote. "you can do it"
- Friday: HTTP/3 presentation at Øredev
## Links
[1] = https://opensourcesecurity.io/2023/10/29/episode-399-curl-security-and-daniel-stenberg/
[2] = https://daniel.haxx.se/podcasts.html
[3] = https://hackerstations.com/setups/daniel_stenberg/
[4] = https://daniel.haxx.se/workplace.html
[5] = https://github.com/bagder/mastering-libcurl
[6] = https://curl.se/tiny
[7] = https://daniel.haxx.se/blog/2023/11/03/curl-coasters/
[8] = https://hackerone.com/curl
[9] = https://github.com/curl/trurl/releases/tag/trurl-0.9
[10] = https://curl.se/mail/archive-2023-11/0000.html
[11] = https://nghttp2.org/ngtcp2/
[12] = https://nghttp2.org/nghttp3/
--
/ daniel.haxx.se