[Daniel's week] September 8, 2023
daniel at haxx.se
Fri Sep 8 17:19:54 CEST 2023
I survived another week. Here is some stuff that kept me busy:
For some reason people never seem to get tired of comparing curl and wget or
asking me about the differences and similarities, which is why I made yet
another comparison. This time in the form of a Venn diagram.
I repeat: use the tool that works. There is no need to tell me that you use
wget. I know you do. If that solves your problem then all is good.
## bogus follow-up
After some back and forth emailing with NVD they updated the scoring on the
bogus NVD and then I could post my update about it. MITRE refuses to take
it down because they insist there is a security problem in there. They don't
specify exactly how or why and they do not allow for discussion or follow-up
questions so I am forced to just accept that silly decision.
Since MITRE refuses to remove it, NVD will set a score for it as if it was
real. A broken system.
Brodie Robertson did a good video summary of the issue.
I have not managed to advance my CNA plans much this week.
## 500,000 removed lines
The curl git stats now show me having removed over 500,000 lines from the
curl repository. It has doubled since March 2011.
I have also added 687,000 lines. Doubled since April 2008.
My personal share of the total commits in the curl project has been gradually
shrinking for many years. We have so many awesome contributors I
cannot (and honestly I don't want to nor need to) keep up against!
## new CVE
I alerted the distros mailing list this week about the pending security
problem in curl known as CVE-2023-38039. This vulnerability, which we grade
security medium, will be made public in association with the curl 8.3.0
release on Wednesday.
If you are in Stockholm, Sweden, me and a bunch of friends run snaxx-43 on
Monday and you are welcome to join. Beers with nerdy friends.
Since I did not make a tiny-curl release yet I decided to wait a little more
and instead make the next tiny-curl release based on 8.3.0. The new release
comes with a few more knobs to switch off things from the build so possibly a
tiny-curl on that version could end up even smaller when everything but plain
HTTPS GET is disabled.
I had a recorded video-conversation with Christian Heilmann for the Coffee
with Developers series. Christian and I have shared history both as old
Commodore 64 hackers from back in the day but also as ex-Mozillians. We talked
mostly about curl and related development topics (of course). The recording
has not been made public yet.
The mastering the curl command line video has been viewed over 3,400 times
already. I have received bucketloads of positive feedback and two great
spin-off resources done by cool friends are:
1. Mastering curl: interactive text guide by Anton Zhiyanov
2. cURL - The Ultimate Reference Guide by Peter Girnus
## Coming up
- snaxx-43 on Monday
- curl 8.3.0 on Wednesday
- release video presentation on Wednesday, live-streamed on Twitch
- talk at Keyfactor Community Tech Meetup on Thursday
 = https://daniel.haxx.se/blog/2023/09/04/the-curl-wget-venn-diagram/
 = https://daniel.haxx.se/blog/2023/09/05/bogus-cve-follow-ups/
 = https://curl.se/gitstats/authors.html
 = https://snaxx.se/43/
 = https://www.keyfactor.com/community-tech-meetup-23/
 = https://youtu.be/V5vZWHP-RqU
 = https://antonz.org/mastering-curl/
 = https://www.petergirnus.com/blog/curl-command-line-ultimate-reference-guide
 = https://youtu.be/2Mfgjp_aK3I?si=eZAhOJ_9kRvsJW5K