[Daniel's week] December 27, 2024

Daniel Stenberg daniel at haxx.se
Fri Dec 27 14:47:18 CET 2024


Hello!

Here's the last weekly email from me this year.

## feature window

We opened the curl feature window on Saturday and I spent time this week
merging a series of pull requests we had queued up waiting for this moment.

Out of the changes in this batch of merges, the largest patch, and perhaps the
one that has been kicking up some dust already before this, is the removal of
hyper support from curl [1]. I posted a separate blog post about it to help
explain the reasoning.

I might post a few more blog articles in the coming days about some of the other
changes.

## disconnected

On the evening of December 25th, my fiber Internet connection to my house went
down and it was down until lunch time today on December 27th. By far the
longest connectivity break I've ever had on my fiber that wasn't caused by me
(cutting the cable) in over a decade.

Certainly makes me appreciate how stable it normally is.

## code analyzers

This week we switched off CodeQL in the curl GitHub repository. This is
GitHub's seemingly primary static code analyzer and we have been running it in
curl for 4.5 years by now.

This week when we got yet another annoying reminder to bump it and pin it to
the latest hash, I checked and I could not even find one single commit in our
git history that credits CodeQL for a find. It is however the undisputed king
of false positives among the regular code analyzers we use (Coverity,
CodeSonar and scan-build).

After having asked around [4], nobody raised any objections and voila, the CI
job is now gone.

Perhaps CodeQL serves a purpose if you have a more immature code base or if
you don't run as many other high quality analyzers, but for us it really just
adds noise and we can certainly do with less of that.

While I fiddled with this, I decided to revisit clang-tidy. We used to run
clang-tidy as a CI job a while back and removed it in 2022 when we got a lot
of false positives that we at that time did not have the time or energy to
fix.

clang-tidy immediately detected a few mistakes in curl that none of the other
analyzers had found. No really bad ones, but still issues we want to have
fixed. I got further help from Viktor Szakats to create a new CI job [5] for
running clang-tidy, and he subsequently also found a few more mistakes.

The main quirk with the clang-tidy CI job is that it of course runs a fairly
old version, so we get a fair share of false positives we need to disable the
checks for: false positives that are fixed in clang-tidy version 19 and later,
but such new versions are not provided by default on the CI machines.

## metalink

A user brought up the subject "what would it take to revive metalink support
in curl today?" [2]

I think it will be very hard to convince us to take it back under our wings.
Also, it would require significant work and efforts that I suspect the asking
user did not anticipate or maybe is not prepared to put in.

Frankly, metalink support is better handled in a separate tool. If at all.

## slop of the week

This HackerOne report [3], submitting a vulnerability that is simply our
previously published CVE in a rewritten form.

## Coming up

- We bump the year counter on Wednesday

## Links

[1] = https://daniel.haxx.se/blog/2024/12/21/dropping-hyper/
[2] = https://github.com/curl/curl/discussions/15818
[3] = https://hackerone.com/reports/2912277
[4] = https://curl.se/mail/lib-2024-12/0026.html
[5] = https://github.com/curl/curl/pull/15825

-- 

  / daniel.haxx.se