[Daniel's week] August 30, 2024

Daniel Stenberg daniel at haxx.se
Fri Aug 30 16:02:03 CEST 2024


Hello,

Another week ends. Here is some of what I did.

## trurl 0.15

I spent some time recently on fixing some outstanding issues in trurl which
ended up with a 0.15 release [1] this week. Mostly fixes, but also a few
functionality tweaks and new ways of doing things.

I ran a poll on Mastodon and since over 70 persons answered 'yes' to the
question if I should do a video presentation of the release, I did.

Also, since we now generate a manpage for trurl that is not present in git
anymore (since it is generated from the markdown source) - I now host release
tarballs for trurl [2]. Previously we have only relied on GitHub's automatic
service that offers tarballs of the entire git repository at the release tag.
The release tarballs are now also properly signed by me.

I polished the website to be able to automatically update when I upload new
versions in the future.

My recording of the release video hit a bumpy road because all of a sudden my
OBS studio refused to record. I instead made the presentation streamed-only,
then downloaded the stream from twitch after the fact, cut out the relevant
part of that using ffmpeg and uploaded *that* to YouTube [3].

## bots on GitHub

We saw several spambots submit comments to curl GitHub issues this week. They
all posted comments saying "the fix is to download this file", and they
provided a link to an encrypted zip file hosted on mediafire.com - which of
course proved to be infected by something nasty.

In one of the curl issues, the person who submitted the original issue to
which the spambots commented asked if the provided links actually were a
solution. Just proving that there is a risk that some people were fooled.

We banned the offending "users" immediately, notified GitHub about this and
the content and users vanished within twenty minutes. Apparently this attack
went on for several days and many thousand comments like this were posted in a
large number of projects.

The files seemed to be compiled on demand because they were freshly built and
were different, presumably to avoid having the same checksum.

The attack was fortunately a little clumsily done:

- The comments were all almost identical, which made it possible to find
   most of them across projects by just searching for the used text.

- When the spambots showed up and did a whole series of almost identical
   comments in the same single issue, they worked against themselves as then
   they appeared much more like bots than if they would have submitted just a
   single reply per issue (and repository probably).

## commits in Aug 2024

Nearing the end of the month, we are at 370 commits done so far in the curl
source code repository. This is more commits merged in a single month than
ever done before in the project's entire life time [4].

The explanation behind this is primarily the incredible productivity by
fellow maintainers Viktor Szakats and Stefan Eissing. I think my personal
activity level has been at average. Together we can accomplish things.

This frenzy has made us merge bugfixes at a crazy rate and we might be on
target to hit a new "most bugfixes fixed in a single curl release" record
again in the pending release. We have logged over 200 bugfixes already with 12
days left (6.7 bugfixes/day). The current record is 260 bugfixes from the
8.9.0 release - which had a longer release cycle.

The number of commits is closely correlated to the number of pull requests,
which also reached an all time high this month [10], approaching 400.

## happy v3

IETF announced that there is a new mailing list [5] created for the new
working group Happy that has been created with the purpose of Happy Eyeballs
v3 algorithm development.

The v3 charter [6] mentions details such as taking QUIC, new RRs and ECH into
account which previous versions of Happy Eyeballs have not.

I have subscribed and mean to keep up with the discussions and drafts to see
where it goes and what ideas this will bring up. I am not sure that we will be
able to implement most of this in curl due to legacy and limitations in our
architecture. We have already not been able to adapt the v2 version of Happy
Eyeballs for such reasons.

## play the piano

I received yet another strange email [7]. It really makes you wonder how on
earth they figure out they should email me out of all persons. In this case,
also clearly addressed to me by name but with a reason that is not at all
suitable to tell me: an idea for how to improve piano teaching on Nintendo
Switch.

## coming webinar

I will do a webinar on Thursday, called "mastering the curl command line". It
starts at 17:00 UTC and I will do it live-streamed on twitch [8] and Zoom in
parallel.

Abstract for the presentation:

Everyone uses curl, the Swiss army knife of Internet transfers. While this 
tool has performed transfers and provided a solid set of command line 
options for decades, new ones are added over time.

This talk goes through and focuses on some of the most powerful and 
interesting additions to curl done in recent years. The perhaps lesser known 
curl tricks that might enrich your command lines, extend your "tool belt" and 
make you more productive. Also trurl, the recently created companion tool for 
URL manipulations you maybe did not yet realize you need.

This presentation might just help you curl better.

## manpage polish

By accident I happened to load a web version of the curl manpage as rendered
by something else than what we use on the curl website [9] and I noticed that
it looked pretty nice when they had the examples shown with a gray
background.

I made a similar change of the CSS for the manpages on curl.se only to then
see that several of the example "boxes" would appear with a superfluous
leading empty line. I fixed the manpage generator to stop that from happening.

When mentioning this tweak on Mastodon, someone immediately pointed out that I
forgot to fix this for dark mode so it looked horrible. So I fixed the dark
mode too. Then someone else mentioned how the text would actually go further
on the right than the gray background would, especially on mobiles that more
commonly have narrower displays, so I had to dig in and fight CSS even more to
make it comply. Done. I do love the quick feedback loop!

I next realized that most examples had a leading white space that made the
lines unaligned in the boxes so I fixed that as well.

It's funny how these small seemingly innocent changes can have such cascading
effects. But nice changes all around so at least we ended up in a better place
than from where I started - I think.

## font

I finally took the step and made sure my personal website [11] selfhosts the
font it uses instead of relying on Google for it.

## thanks

Number of emails from strangers that arrived in my inbox this week saying
thanks for (my work on) curl: 2

## Coming up

- pre-notify the distros@ list on Tuesday about the pending curl CVE
- curl webinar on Thursday

## Links

[1] = https://github.com/curl/trurl/releases/tag/trurl-0.15
[2] = https://curl.se/trurl/
[3] = https://youtu.be/ETxhkW2SsfU
[4] = https://curl.se/dashboard1.html#commits-per-month
[5] = https://mailman3.ietf.org/mailman3/lists/happy.ietf.org/
[6] = https://github.com/tfpauly/draft-happy-eyeballs-v3/blob/main/charter.md
[7] = https://bagder.github.io/emails/2024/2024-08-28.html
[8] = https://www.twitch.tv/curlhacker
[9] = https://curl.se/docs/manpage.html
[10] = https://curl.se/dashboard1.html#commits-per-month
[11] = https://daniel.haxx.se/

-- 

  / daniel.haxx.se
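
The two tell-tale signs described in the "bots on GitHub" section above (almost identical comment text across projects, and several such comments in one issue) can be checked mechanically. The following is an added detection sketch, not part of the original email and not curl project code; the comment records, account names, URLs and the 0.8 similarity threshold are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample comments (not real data): repo, issue, user, body.
COMMENTS = [
    {"repo": "example/alpha", "issue": 12, "user": "acct-a", "body": "The fix is to download this file: https://files.example/x1.zip"},
    {"repo": "example/alpha", "issue": 12, "user": "acct-b", "body": "The fix is to download this file here: https://files.example/x2.zip"},
    {"repo": "example/beta", "issue": 7, "user": "acct-c", "body": "Fix is to download this file, https://files.example/x3.zip"},
    {"repo": "example/beta", "issue": 7, "user": "acct-d", "body": "I can reproduce this, log at https://example.org/log.txt"},
    {"repo": "example/gamma", "issue": 3, "user": "acct-e", "body": "Thanks, the patch works for me."},
]
URL_RE = re.compile(r"https?://\S+")

def words(body):
    """Lower-cased word set with links collapsed, so a fresh URL per comment does not matter."""
    return frozenset(re.findall(r"[a-z<>]+", URL_RE.sub("<link>", body.lower())))

def similar(a, b, threshold):
    union = a | b
    return bool(union) and len(a & b) / len(union) >= threshold  # Jaccard similarity

def cluster(comments, threshold=0.8):
    """Greedy clustering: a comment joins the first cluster whose seed text it resembles."""
    clusters = []  # list of (seed word set, member comments)
    for c in comments:
        w = words(c["body"])
        for seed, members in clusters:
            if similar(w, seed, threshold):
                members.append(c)
                break
        else:
            clusters.append((w, [c]))
    return [members for _, members in clusters]

def suspicious(comments, threshold=0.8):
    """Clusters that carry a link and either span repositories or repeat within one issue."""
    hits = []
    for members in cluster(comments, threshold):
        if not any(URL_RE.search(c["body"]) for c in members):
            continue
        repos = {c["repo"] for c in members}
        per_issue = Counter((c["repo"], c["issue"]) for c in members)
        worst = max(per_issue.values())
        if len(repos) >= 2 or worst >= 2:
            hits.append({"repos": sorted(repos), "users": sorted({c["user"] for c in members}),
                         "max_in_one_issue": worst, "count": len(members)})
    return hits
```

The flagged clusters are candidates for a moderator to review and report, not an automatic ban list: a legitimate comment that quotes the spam text would land in the same cluster.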

