[Daniel's week] September 1, 2023

Daniel Stenberg daniel at haxx.se
Fri Sep 1 17:30:46 CEST 2023

Hi friends.

What a week I had!

## bogus

We were told about this bogus curl CVE, I blogged about it [1] and there was a
lot of traffic about it. It is good to see people getting their eyes up for
these system problems in CVE management.

There was in fact so much activity that I am about to write a follow-up blog
post about the fall-out and how we intend to move forward. I am still waiting
for NVD to put down their foot in a decision on how to rescore the CVE before
I post it, or if they don't do it within a few more days I will do it anyway.

## CNA

This adventure has just even more confirmed to me that the entire CVE and NVD
situation is hopelessly bad. There is but one proposed solution that is
available to us in the short-term, and it is not really more than a band-aid:
we register ourselves as a CNA for our own issues. I have taken the first
step. More will follow.

## curl_multi_get_handles

A discussion started [3] about possibly adding a function call to libcurl to
extract all the easy handles that were previously added to a multi handle. I
made a first draft PR [2] to have something to talk around and it seems we
might go with something like that when the feature window reopens.

Until then we of course value your feedback if this is something you would
like to see and use in a future version. Is it good enough? Should it do more?
Should it do less?

## tiny-curl

I was about to do a tiny-curl [4] release this week. I have a version based on
8.2.1 mostly done in a branch that mostly just needs me to run the release
scripts, but I got all tangled up in the CVE details and other work so I had
to push the release into next week.

## hackerone reports

This week I used the "ban user from reporting more issue" button for the first
time on HackerOne as we rejected the 4th or 5th invalid report from the same
user in a very short period of time and there was no sign of the person
getting the clues or learning from what we tried to tell them.

A slightly concerning development I might be sensing in security issue
reporting is that the rubbish reports seem to get longer and more detailed
than before. It makes finding the needle in the haystack harder, or in the
case of rubbish reports: it's more like figuring out that there actually is no
needle in the provided haystack. A 400 line report can take significant time
to read through and wrap your head around even when it ends up getting closed
as Not Applicable, compared to a 15 line one. Is there perhaps a chat-gptism
involved that drives this?

## podcast

I did a long and good recorded conversion on Tuesday with Brodie, host of the
Tech over tea podcast [5]. Supposed to get published in a week or so. Topics?
mostly curl related as you might suspect.

## curl talk

On Wednesday I did a curl presentation for Stockholm based cloud company in
their offices. I talked about curl's start, growth, current status and where
it could go next. I always enjoy doing this kind of talk. I know the subject
well. It seems to be appreciated by audiences everywhere. Too bad I forgot to
bring my large stash of curl stickers this time!

The roof-top drinks and snacks afterwards were a nice addition!

## mastering

With me talking quite extensively already Tuesday and Wednesday I was all
warmed up for this "mastering the curl command line" class [7] I had been
touting for so long. My anticipated 2.5, maybe three hours turned into an over
3.5 hours presentation. For this I used 154 slides [8]. More than 800 unique
visitors watched a part of the stream, while it peaked at 228 simultaneous.

An exhausting but fun experience. The recording [6] will hopefully also turn
out useful and educational to many curl users going forward.

## Coming up

- that tiny-curl release maybe?
- updates on the CVE front and a follow-up blog post
- advance the CNA application process
- last full week before curl release week

## Links

[1] = https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/
[2] = https://github.com/curl/curl/pull/11750
[3] = https://curl.se/mail/lib-2023-08/0034.html
[4] = https://curl.se/tiny/
[5] = https://www.youtube.com/@TechOverTea
[6] = https://youtu.be/V5vZWHP-RqU?si=OPq-OON8HO68Fevs
[7] = https://daniel.haxx.se/blog/2023/08/08/mastering-the-curl-command-line/
[8] = https://www.slideshare.net/DanielStenberg7/mastering-the-curl-command-linepdf


  / daniel.haxx.se

More information about the daniel mailing list