[Daniel's week] November 8, 2024

Daniel Stenberg daniel at haxx.se
Fri Nov 8 17:00:35 CET 2024


Hi,

Maybe because my coming three weeks will be a bit slower, this week seems to 
have packed a month's worth of activities...

## release

The days leading up to the release were quite casual and we could do the 262nd
curl release with no stress [1]. 266 documented bugfixes were yet another
record amount within a single release cycle. We also announced another
severity low CVE [2] that I don't think many people will lose sleep over.

It did not take very long until we started getting the first regressions
reported. By Thursday we had received several, some quite annoying, but we had
them all fixed swiftly and without too much work. It clearly shows that it is
blatantly hard to have test case coverage and that things only ever get real
testing once a real release is done. There is simply an almost infinite
number of different use case combinations. We fix the issues and we add more
tests to at least make it harder to make the exact same mistake again.

A normal release week we would have scheduled a patch release next week to
help everyone out a little bit, but this time things are a bit different.
Because I am going to be traveling a lot the coming three weeks, I really
would prefer to not do a release until I get back home again. This
unfortunately makes us postpone the patch release until December 11.

It might not be strictly necessary that I personally do the release, but since
I have done them all so far and we don't have a process set up to easily allow
anyone else to do them, I think this is for the best this time. We have
discussed doing some "co-releasing" next year so that some other
maintainers can get a look into the procedure and get some practice, and then
maybe at some point later can offload me from this duty occasionally.

I am referring to my slow three weeks as slowember.

## Rock-solid curl

I had the pleasure of announcing [3] Rock-solid curl [4]. This is long term
support releases of curl for commercial customers. The idea is simply to
backport security fixes and important stability fixes and provide such curl
release with long-term support.

The site is up, edited by yours truly. I intend to run a short webinar about
Rock-solid curl on December 3, but I think that enough details are provided on
the website to make it fairly clear.

If you use curl in commercial environments, this might be what you want to
run.

## FOSDEM

I have submitted a talk proposal for the Security devroom at FOSDEM 2025 [5].
I selected the Security room based on the particular angle I went with.

Title: "Tightening every bolt"

Abstract: Things to do in order to sleep well while having your C code in
twenty billion installations. A talk about what the curl project does to
minimize security risks: Security, Safety, Reproducibility, Vulnerability
handling and the processes and tooling around it.

As BDFL of the curl project, Daniel talks about what this project does to
avoid it causing the world to burn. From code style, reviews and tests to
signings, reproducibility, running a bug-bounty and becoming a CNA to filter
bogus CVEs. curl aims to be top of the class in (Open Source) software
security. Here's your chance to point finger and tell us what we should do
better.

I will know in early December if it gets accepted.

## Talks

I was invited to and have accepted to speak at the Joy of Coding conference
[6] in the Netherlands in the end of June 2025.

I was invited to and have accepted to speak at the EuroBSDcon conference [7]
in Zagreb, Croatia, in the end of September 2025.

The full list of my coming appearances is always up-to-date on my site [17].

## curl -v google.com

Florian Bruhin emailed me on Monday and pointed me to the awesome song "curl
-v google.com" [8] on YouTube. It had 25 views after having been hosted there
for two months.

I immediately posted mentions about this Masterpiece on Mastodon, LinkedIn and
later also on my blog [9] and I submitted a comment on the video saying I
"wholeheartedly approve" of it. Right now, four days later, it has been viewed
39K times and I think it deserves many more.

## Podcasts

I joined Bartek Tatkowski and talked curl, curl.se, Open Source and much more
on his Kompilator podcast [10] - in Swedish.

I joined Jonathan Bennett and Randal Schwartz on the FLOSS Weekly podcast 
[11]. Back again there after almost sixteen years since I was last on [12]. 
Lots of curl talk of course. CVEs, what's changed in sixteen years and how do 
I actually get food on the table.

This second podcast appearance of the week also happened to mark the 50th (!)
podcast episode I have been a guest on, according to my records [18].

## uncurled

Uncurled [13] is my digital book about running and maintaining Open Source 
that I wrote two years ago. This week I shifted the hosting of the content 
over to my own server. A similar move to what I did for everything curl [11] a 
while back. Partly because I like hosting my own content, but perhaps even 
more because the gitbook service is clunky, flaky and sometimes hard to 
configure to work the way I want it to.

There are certainly challenges coming with hosting the content myself as well
but at least I get to own the problems and I can address them with more
flexibility going forward.

## security

We received several bogus security vulnerability reports this week that we
have closed but we also got a few that were not crap. As I write this, we have
two open issues in the hackerone issue tracker that we still have not finished
assessing yet and that might be real.

## Polhem Prize awards

I attended the Polhem Prize awards gala dinner here in Stockholm on Wednesday,
and when I had dressed up in my suit I snapped a photo of myself that I shared
on Mastodon [15]. (I got to test that fancy feature the Pixel phones have:
when using the selfie-camera, raise your palm to start the timer. That makes it
easy to take selfies even at a little distance from the phone.)

Imagine my surprise when someone used that photo of me and included that in a
joke image about different software headquarters [16]. The joke was reposted
in several places but I believe it came from reddit originally.

Oh right: The two Yubico founders, Jakob and Stina, were the worthy winners of
the Polhem Prize this year.

## Coming up

- Tue, Wed, Thu: the HTTP workshop [14] in London and I am attending. Time
  permitting, I will blog something about the topics handled there.

## Links

[1] = https://daniel.haxx.se/blog/2024/11/06/curl-8-11-0/
[2] = https://curl.se/docs/CVE-2024-9681.html
[3] = https://daniel.haxx.se/blog/2024/11/07/rock-solid-curl/
[4] = https://rock-solid.curl.dev/
[5] = https://fosdem.org/2025/
[6] = https://joyofcoding.org/
[7] = https://2025.eurobsdcon.org/
[8] = https://www.youtube.com/watch?v=atcqMWqB3hw
[9] = https://daniel.haxx.se/blog/2024/11/05/curl-v-google-com/
[10] = https://kompilator.se/97
[11] = https://hackaday.com/2024/11/06/floss-weekly-episode-808-curl-gotta-download-em-all/
[12] = https://twit.tv/shows/floss-weekly/episodes/51
[13] = https://un.curl.dev/
[14] = https://httpworkshop.org/
[15] = https://mastodon.social/@bagder/113436518587912520
[16] = https://www.reddit.com/r/commandline/comments/1gl3ymz/this_is_a_curl_headquarters/
[17] = https://daniel.haxx.se/talks.html
[18] = https://daniel.haxx.se/podcasts.html

-- 

  / daniel.haxx.se