[Daniel's week] September 8, 2023

Fri Sep 8 17:19:54 CEST 2023

Hello friends!

I survived another week. Here is some stuff that kept me busy:

## Venn

For some reason people never seem to get tired of comparing curl and wget or 
asking me about the differences and similarities, which is why I made yet 
another comparison. This time in the form of a Venn diagram [1].

I repeat: use the tool that works. There is no need to tell me that you use 
wget. I know you do. If that solves your problem then all is good.

## bogus follow-up

After some back and forth emailing with NVD they updated the scoring on the 
bogus NVD and then I could post my update [2] about it. MITRE refuses to take 
it down because they insist there is a security problem in there. They don't 
specify exactly how or why and they do not allow for discussion or follow-up 
questions so I am forced to just accept that silly decision.

Since MITRE refuses to remove it, NVD will set a score for it as if it was 
real. A broken system.

Brodie Robertson did a good video summary of the issue [9].

I have not managed to advance my CNA plans much this week.

## 500,000 removed lines

The curl git stats [3] now show me having removed over 500,000 lines from the
curl repository. It has doubled since March 2011.

I have also added 687,000 lines. Doubled since April 2008.

My personal share of the total commits in the curl project has been gradually 
shrinking for many years. We have so many awesome contributors I 
cannot (and honestly I don't want to nor need to) keep up against!

## new CVE

I alerted the distros mailing list this week about the pending security 
problem in curl known as CVE-2023-38039. This vulnerability, which we grade 
security medium, will be made public in association with the curl 8.3.0 
release on Wednesday.

## snaxx-43

If you are in Stockholm, Sweden, me and a bunch of friends run snaxx-43 [4] on 
Monday and you are welcome to join. Beers with nerdy friends.

## tiny-curl

Since I did not make a tiny-curl release yet I decided to wait a little more
and instead make the next tiny-curl release based on 8.3.0. The new release
comes with a few more knobs to switch off things from the build so possibly a
tiny-curl on that version could end up even smaller when everything but plain
HTTPS GET is disabled.

## coffee

I had a recorded video-conversation with Christian Heilmann for the Coffee
with Developers series. Christian and I have shared history both as old
Commodore 64 hackers from back in the day but also as ex-Mozillians. We talked
mostly about curl and related development topics (of course). The recording
has not been made public yet.

## mastering

The mastering the curl command line video [6] has been viewed over 3,400 times
already. I have received bucketloads of positive feedback and two great
spin-off resources done by cool friends are:

1. Mastering curl: interactive text guide [7] by Anton Zhiyanov
2. cURL - The Ultimate Reference Guide [8] by Peter Girnus

## Coming up

- snaxx-43 on Monday
- curl 8.3.0 on Wednesday
- release video presentation on Wednesday, live-streamed on Twitch
- talk at Keyfactor Community Tech Meetup [5] on Thursday

## Links

[1] = https://daniel.haxx.se/blog/2023/09/04/the-curl-wget-venn-diagram/
[2] = https://daniel.haxx.se/blog/2023/09/05/bogus-cve-follow-ups/
[3] = https://curl.se/gitstats/authors.html
[4] = https://snaxx.se/43/
[5] = https://www.keyfactor.com/community-tech-meetup-23/
[6] = https://youtu.be/V5vZWHP-RqU
[7] = https://antonz.org/mastering-curl/
[8] = https://www.petergirnus.com/blog/curl-command-line-ultimate-reference-guide
[9] = https://youtu.be/2Mfgjp_aK3I?si=eZAhOJ_9kRvsJW5K


