[Daniel's week] June 14, 2024

Fri Jun 14 23:13:49 CEST 2024

Hello,

I had another busy week.

## survey

I have continued to work on the curl user survey analysis this week, but it is
tedious and slow work. As I had to prioritize some other things this week the
analysis is going to take a little longer than what I hoped for previously. I
don't know yet when I might finish this.

## roffit

I released roffit 0.16 [1]. The tool for converting manpages to HTML. I use it
on several of the websites I run, the curl one perhaps being the primary one.

## trurl

I polished trurl a little, one of the new features uses a new URL parser
feature that libcurl introduces in the pending next release: 8.9.0. With this,
trurl gets the ability to set the scheme for a URL if it was only guessed and
not actually set [2]. Like for 'example.com'. This seemingly innocent little
detail was not possible before because libcurl internally always assigns a
scheme when it parses a URL. If one is not provided, it will pick one
according to heuristics.

So another release at least in sync with the curl release makes sense.

## webinar

Thursday I did a webinar called "advanced libcurl" [3] where I explained a lot
of libcurl API using details at a level that is at least not exactly beginner
level, even if perhaps also not terribly advanced.

## cmdline options

We now have no less than four new command line options merged to introduce in
the next release: --ip-tos, --vlan-priority, --mptcp and --keepalive-cnt.

Include these new ones, we are now counting 263 curl command line options.

## everything curl

I created corresponding issues [4] for everything curl about what I realized
is now currently lacking in the curl book - when we keep adding and changing
curl, it is just natural that the book needs attention to keep up. Feel free
to grab one and write an explanation. I intend to do so as soon as I get time
over.

## closed PRs

As I keep getting questions every now and then about why we close pull
requests on GitHub "instead of merging them", I decided to write a detailed
explanation [5]. It also got discussed further on hacker news [6].

## hackerone

Today we suddenly received three separate security vulnerability reports about
curl on hackerone [7]. My initial research on them have so far been that none
of them are flaws in curl. This said, I am prone to sometimes dismiss issues a
little too early and it happens that I get persuaded over time into agreeing
that they are vulnerabilities. The last word has not been said on any of these
three yet. It has been a slow period for us on hackerone recently so it felt
really surprising and unexpected that we would get three reports by different
individuals filed on the same day.

## contracts

Packaging curl for Q* has taken a small step forward as I have produced a
first test shot version to test the waters and see what more changes I need to
do to have my curl packages up to snuff. I expected to continue taking steps
forward when I get feedback on my rights and wrongs and can deliver further
test shots.

CA caching when using wolfSSL (for R*) has been merged into git and is going
to ship in the pending next release: 8.9.0.

Stefan Eissing has landed a few PRs already and there is at least one PR
pending in the rather large rework to improve curl's shutdown of TLS
connections. This is work (for N*) to minimize the TCP wait times that curl
would otherwise often end up with because it would get a TCP RST when shutting
down before the full TLS close notify dance was complete.

(company names redacted to just their leading letters)

## graphs

Okay I admit. I could not stay away so I have polished the graphs further [8].
I rewrote the docs-over-time graph, which now should be more correct, can use
cached content better but also now shows a little less documentation lines in
the end. Curious, but apparently the previous version had some bug. I also
cleaned up and rectified the backends graph to be accurate.

I also made the graphs end up in a fixed order (alphabetical per the
shortname) so no more moving around at every update.

## coming up

- Tuesday: podcast recording with awesome hosts
- Friday: midsummer's eve, Swedish national holiday
- Saturday: we enter curl feature freeze for 8.9.0

## links

[1] = https://github.com/bagder/roffit/releases/tag/0.16
[2] = https://github.com/curl/trurl/pull/314
[3] = https://youtu.be/DQcFZEQ4Iyc?si=GWaV4gSMWiz8FNJp&t=121
[4] = https://github.com/curl/everything-curl/issues
[5] = https://daniel.haxx.se/blog/2024/06/11/why-curl-closes-prs-on-github/
[6] = https://news.ycombinator.com/item?id=40644459
[7] = https://hackerone.com/curl
[8] = https://curl.se/dashboard.html

-- 

  / daniel.haxx.se