[Daniel's week] October 4, 2024

Daniel Stenberg daniel at haxx.se
Fri Oct 4 16:58:20 CEST 2024 

Hello,

We survived another cycle we call week. Here is some of what I did this 
week...

## CVEMITRECVSSNVDCNAOSS WTF

The presentation I did at the NSSS conference in under thirty minutes actually
took almost 50 minutes when I redid it [1] on Monday.

I talked about how working with CVEs work for an Open Source project that is
widely used and how the interaction with MITRE, NVD and the likes is. I think
we will see a continued growth in number of CVEs going forward and that
setting a single score per CVE is a flawed concept that remains problematic in
the future as well.

## MVP

I was awarded a "Microsoft Most Valuable Professional" [2].

## function calls per KLOC

I believe that we can reduce the risk for doing security mistakes in curl by
minimizing code doing "direct" memory buffer fiddling. To minimize the risk
that wrong arithmetic can make us slip outside of buffers or other boundaries.
The way I measure progress on this "mitigation journey" is to count how many
direct memory allocation calls we do (realloc, malloc, calloc) and how many
copy calls we do (memcpy, strcpy, strncpy) - and most importantly how many of
those we do per thousand lines of code (what I call KLOC).

Call density is of course more interesting that the "raw" amount because it
gives a comparable number that is independent of the total code size, which is
important since the total amount of curl code keeps growing year after year.

I started this effort in May 2020 with the introduction of the internal
'dynbuf' module, which is an internal buffer management API. At that time, we
were at about three allocations and three memory copies per KLOC.

I mentioned work in this area last week as well and I continued this week and
managed to avoid a few additional calls. I also figured out that the code [4]
for the graph I use to visualize the progress [3] was slightly flawed. In
particular the grep patterns for counting memory allocations was a little too
liberal so it also counted both comments and even a set of #define lines. The
corrected script now rates us below 2 per KLOC for both allocations and
copies.

In total numbers, the libcurl code has grown about 30K lines since 2020, but
the current much larger code base has 50 fewer memory copy and 30 fewer
allocation instances.

This is work that never really gets completed. I count on having to come back
to this regularly and to keep monitoring the code base for buffer management
code that can be simplified.

## removing hyper sooner

Back in April 2024 we started a discussion about the future of hyper support 
in curl. We then decided to postpone the decision when "someone" told us they 
perhaps could "cough up" engineering resources to work in this area. By August 
we decided to instead move ahead and mark hyper as DEPRECATED, and scheduled 
the final removal of all hyper related code to happen after February 2025 (six 
months into the future from August).

However, since we decided to finally mark hyper as DEPRECATED, that was also 
the "final nail in the coffin" for it. Since it has no future in curl, 
everyone cares about it even less than before and as we move forward we slowly 
add even more tests that are disabled for hyper builds.

The increased pace of the "code erosion" for hyper combined with the fact that 
not a single person, user or developer, has objected or mentioned that they 
want hyper support in curl to remain, made us this week decide to speed up the 
removal schedule. To shorten the developer pain.

We now intend to remove all support for hyper [5] already in the first curl
release done in 2025.

## Snaxx

If you are a friend in the Stockholm area, note that we have scheduled
snaxx-44 [6] on October 14. For meeting up, chit chatting and having a beer
with like-minded peeps.

## Coming up

- another week of polishing, reading, merging curl code

## Links

[1] = https://daniel.haxx.se/blog/2024/09/25/talk-keeping-the-world-from-burning/
[2] = https://daniel.haxx.se/blog/2024/10/02/im-a-professional/
[3] = https://curl.se/dashboard1.html#func-calls
[4] = https://github.com/curl/stats/blob/master/cpy-over-time.pl
[5] = https://github.com/curl/curl/pull/15120
[6] = https://snaxx.se/44/

-- 

  / daniel.haxx.se

More information about the daniel mailing list