[Daniel's week] December 13, 2024
Daniel Stenberg
daniel at haxx.se
Fri Dec 13 16:31:48 CET 2024
Hello friends!
Believe it or not. Turns out this was also not a dull week.
## slop
The Register [2], Slashdot [3], heise.de [4] and several other sites wrote
articles early this week that included wording and quotes from me, as I had
responded to a Hackerone submission [1] that spiced up my Sunday afternoon.
Because what would you otherwise spend your spare time hours on? I may also
have uttered some comments on Mastodon about the issue.
The issue was of course AI slop, and further into the Hackerone issue the
AI-using person even expressed discontent with us when we swiftly and abruptly
stopped the dance by closing the issue and marking it spam. It made me proceed
and amend the overview text for our bug bounty program on Hackerone to state
that we require users to reveal if they used an AI to generate the report and
that we strongly recommend they do not. I'm pretty sure that won't have any
effect, but now at least we have text to point to and a URL to paste into
replies.
The slop frenzy was not over for this week: on Friday morning someone again
asked an AI for assistance, generated reports and submitted at least twelve
different ones on GitHub for widely used projects, curl being one of them.
This time the user was a bit sloppy with some of the reports and accidentally
also pasted his conversation with chatgpt into the reports, so we know what was
done.
user: "what is the major bug in this code"
chatgpt: [makes up something that sounds plausible but is patently false]
user: "Write a GitHub bug report for that issue, make it sound extremely
major"
... and then they submitted the wall-of-text chatgpt gave them.
Within four hours GitHub had removed the user and all their submissions. For
educational and entertaining purposes, I made a screenshot of the issue and
put it up for everyone interested to see [5].
## FOSDEM
My proposed talk "Tightening every bolt" [6] was accepted for the security
devroom at FOSDEM 2025. It was my only submission this year, and I think
sticking to just doing a single talk is a good idea. It keeps me on my toes to
at least do one talk, but doing several of them the way I have done some past
years might be overdoing it a little.
I hope to meet a lot of friends in Brussels. I will of course bring plenty of
stickers. I also plan to bring curl mugs and tshirts this time around.
## release
This week curl 8.11.1 was released [7], a bugfix-only release, so in theory
there should be less risk of turbulence and regressions this time around. We
announced CVE-2024-11053 [9], which turns out to be the oldest security bug
we have fixed in curl so far [8].
Of course, as the project grows older we get more chances to find the new
oldest bug...
I also took the opportunity to mention (again) in that blog post that 40% of
all security problems in curl can be blamed on us using C instead of a
memory-safe language.
Fortunately, we are now at the end of the week and there has only been a
single 8.11.1 regression brought up, but I believe it [14] was mild enough to
not push us to do another patch release.
## advanced libcurl
We did a rerun of my "advanced libcurl" webinar [10] on Thursday, walking
through at a fairly high pace the multi API, the share API, the URL API, the
header API and a few other details.
My next webinar is planned for January 9, 2025, when I will go back to
"getting started with libcurl". It is for those of you who want to learn, get
your feet wet and start doing internet transfers with our favorite library. It
is not hard.
## c-ares for QNX
I took on a little "side assignment" for Blackberry, and as a result I now
provide c-ares builds for QNX [11]. The site went live this week, the packages
are freshly minted and I am eagerly awaiting feedback from actual QNX users on
how they actually work and if I should tweak the packaging or anything going
forward. I don't use QNX myself, but I'm starting to learn how to package and
ship tarballs for QNX users.
These c-ares packages follow the same style of packages for QNX that I started
doing with curl [12]. The visual similarities between the sites are of course
not by accident.
## last sscanf
In my email last week I wrote about my mini-mission to remove all sscanf calls
from curl, and this week I merged the PR [13] that removed the last three
uses. It made the plot in the sscanf graph [15] finally hit the floor.
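To illustrate the kind of rewrite such an sscanf removal involves, here is an added example that is not curl's code: a parser for a "HTTP/x.y NNN" status line written once with sscanf and once by hand with explicit per-field digit limits. The line format, the function names and the sample inputs are chosen here for illustration. The point the hand-rolled version makes is that sscanf's %d silently accepts a sign and any number of digits (and overflowing an int through it is undefined behaviour), while the strict parser bounds every field and rejects anything else.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

struct status {
  int major;
  int minor;
  int code;
};

/* The sscanf way. %d accepts an optional sign and unlimited digits, and a
   value that does not fit in an int is undefined behaviour, so this accepts
   inputs such as "-200" or "2000" as a status code without complaint. */
int parse_status_sscanf(const char *line, struct status *st)
{
  return sscanf(line, "HTTP/%d.%d %d", &st->major, &st->minor, &st->code) == 3;
}

/* Read between 1 and 'maxdigits' decimal digits at *p into *out and advance
   *p past them. Fails when there are no digits or more than 'maxdigits'. */
static int read_digits(const char **p, int maxdigits, int *out)
{
  const char *s = *p;
  int n = 0;
  int v = 0;
  while(n < maxdigits && isdigit((unsigned char)*s)) {
    v = v * 10 + (*s - '0');
    s++;
    n++;
  }
  if(n == 0 || isdigit((unsigned char)*s))
    return 0; /* no digits at all, or too many */
  *out = v;
  *p = s;
  return 1;
}

/* The hand-rolled way: one digit for each version part, three for the status
   code, and the code must be followed by end of line or the reason phrase. */
int parse_status_strict(const char *line, struct status *st)
{
  const char *p = line;
  if(strncmp(p, "HTTP/", 5) != 0)
    return 0;
  p += 5;
  if(!read_digits(&p, 1, &st->major))
    return 0;
  if(*p++ != '.')
    return 0;
  if(!read_digits(&p, 1, &st->minor))
    return 0;
  if(*p++ != ' ')
    return 0;
  if(!read_digits(&p, 3, &st->code))
    return 0;
  if(*p != '\0' && *p != ' ' && *p != '\r' && *p != '\n')
    return 0;
  return 1;
}

/* Convenience wrappers: return the parsed status code, or -1 on rejection. */
int status_code_sscanf(const char *line)
{
  struct status st;
  return parse_status_sscanf(line, &st) ? st.code : -1;
}

int status_code_strict(const char *line)
{
  struct status st;
  return parse_status_strict(line, &st) ? st.code : -1;
}

int main(void)
{
  /* constructed sample lines */
  const char *lines[] = {
    "HTTP/1.1 200 OK", "HTTP/1.1 -200 OK", "HTTP/1.1 2000 OK", "HTTP/2 200"
  };
  size_t i;
  for(i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
    printf("%-18s sscanf: %5d  strict: %5d\n", lines[i],
           status_code_sscanf(lines[i]), status_code_strict(lines[i]));
  return 0;
}
```

The strict parser is longer, but every byte it consumes is accounted for, which is what makes the result reviewable: "-200" and "2000" are rejected rather than quietly turned into an int that later code may treat as a valid HTTP status.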
## wcurl
Samuel Henrique shipped a wcurl release, called 2024.12.08 [16]. It brings two
new options, a new default filename and some minor fixes.
## coming up
- curl remains in feature freeze until Saturday
## links
[1] = https://hackerone.com/reports/2887487
[2] = https://www.theregister.com/2024/12/10/ai_slop_bug_reports/
[3] = https://developers.slashdot.org/story/24/12/10/2334221/open-source-maintainers-are-drowning-in-junk-bug-reports-written-by-ai
[4] = https://www.heise.de/news/Bis-zum-Burn-out-Open-Source-Entwickler-von-KI-Bug-Reports-genervt-10195951.html
[5] = https://daniel.haxx.se/media/curl-github-issue-15736.png
[6] = https://pretalx.fosdem.org/fosdem-2025/talk/review/ZZEYK9BNVRUVD7ZWL3UCETMQEVMSEDXL
[7] = https://daniel.haxx.se/blog/2024/12/11/curl-8-11-1/
[8] = https://daniel.haxx.se/blog/2024/12/12/a-twenty-five-years-old-curl-bug/
[9] = https://curl.se/docs/CVE-2024-11053.html
[10] = https://youtu.be/DQcFZEQ4Iyc?si=4mQR4KFb48Ij1cIO
[11] = https://qnx.haxx.se/
[12] = https://curl.se/qnx/
[13] = https://github.com/curl/curl/pull/15692
[14] = https://github.com/curl/curl/pull/15727
[15] = https://curl.se/dashboard1.html#sscanf
[16] = https://github.com/curl/wcurl/releases/tag/v2024.12.08
--
/ daniel.haxx.se