[Daniel's week] October 25, 2024

Fri Oct 25 10:59:10 CEST 2024

Yikes,

Another week already? I worked on things.

## emails

The set of emails that I like to call "The Daniel email collection", the
amusing and weird emails that I have received over the years and show off
online used to be hosted on GitHub but this previous weekend I moved them over
to instead be rendered and hosted [7] on my personal site.

To keep my audience on my site and to get better control of how the content is
displayed. Now I could for example finally address the issue that they looked
terrible when viewed in mobile browsers.

It also took me out on a small detour when I learned how social media sites
figure out what to show for a URL when for example the link to the email
collection is pasted in one, so starting now I believe various daniel.haxx.se
content should show up better-looking when linked to.

## file formats

I got an email requesting that we provide curl releases for Windows using 7zip
instead of zip for its much better compression ratio reasons. (Yes, this user
obviously thought the tar.* formats to not be for Windows people.)

It made me experiment with generating the tarball into .7z and even .zst
files, and ask about this on the libcurl mailing list [8].

As a result I learned from users that the 7zip tool on Windows can already
handle tar.xz files, which by size are roughly the same size as 7z files are
(as tested), which then takes away much of the reason to shake the boat and
introduce any new format.

I also learned that Windows itself has gotten support for handling tar.xz
natively recently, which strengthened the decision: no new file format is
introduced this time. And also none is removed: we keep shipping every curl
release using these four file/compression formats: zip, tar.gz, tar.bz2,
tar.xz.

## hackerone

The potential security issue I mentioned in last week's email was in regards
to an HSTS parsing issue that we eventually decided is not a security issue
and it has already been fixed in master as a regular bugfix.

Instead yet another issue landed on our doorstep late Friday evening that we
have been working on since. It is a complicated thing, that even though we are
leaning towards not a security problem we have not yet worked out a fix for
it. We have brought in a few external awesome people two help us out.
Hopefully this will be resolved within shortly.

A second issue arrived early this morning, the 480th since the bug-bounty
program started. We just started looking into it.

## foss-north 2025

I have agreed to do a keynote on the foss-north 2025 conference [9] in 
Gothenburg Sweden in April 2025. I have not figured out what I actually want 
to talk about. If you have ideas, let me know.

## job

I polished my personal website a little further and since I do get the
question quite often, I decided to add a page just to answer the question:
what do I actually do all days? [10]. How can I work full-time on a project
that is entirely free and open and still get food on the table?

## complexity

Two contributing factors that make code hard to read are function length and
function complexity. To keep source code easy to read, understand and debug we
should therefor strive towards keeping functions short and "simple".

This week I added two graphs to the curl dashboard [1] showing exactly these
two factors in curl code [2] and [3]: one plot for the worst function and one
plot for the 99th percentile. For both graphs, the 99th percentile plots
shrink gradually over time but the worst offenders grow. This means that there
are a few functions that with attention could improve readability and code
maintainability.

One the main points with graphing the project from as many angles as possible
is to bring up things like this. Areas that might need attention, and then
keep a check on these areas going forward. Details like these are otherwise
rather subtle and not easily detected when manually browsing around.

I subsequently took it upon myself to improve the situation and both reduce
the size of the largest function in the code base and simplify the most
complex one. Incidentally they were different functions: the largest function
was the big switch handling curl_easy_setopt() options [4], and the most
complex one was the main curl tool function setting up a single transfer [5].

These two functions had simply just slowly and consistent been growing over
time, in size and complexity. No one's "fault" and not with any specific plan
or intention. The graph helped me decide to act and the pmccabe tool [6]
helped me identify them. We can of course argue about the specific method or
number that pmccabe presents for complexity, but I think it at least is pretty
good at actually highlighting the correct functions and the exact particular
score it sets is not terribly important.

Both pull-requests became > 2000 modified lines monsters, but they also had a 
immediate and distinct affect on the graphs; which ideally should mean that 
the code readability is now a little better than before. And make the 
functions easier to improve and work with going forward.

## blog downtime

My blog was inaccessible about twelve hours this week after a server system
update done Tuesday (2024-10-22) evening my time until I could press the right
key sequence and bring it back up again the morning after.

During these twelve hours all it showed was "Replace this text with the error
page you would like to serve to clients if your origin is offline." - which
now finally made me go and change that text so that it actually says something
slightly more spiritual the next time this happens.

## bug-bounty

Mårten Mickos, CEO of Hackerone, did a talk at the "SOSS Fusion" conference
this week in which he mentioned the curl bug-bounty, which was caught by media
and resulted in some positive attention [12].

## Coming up

- next week I will pre-alert the distros at openwall mailing list about the
   pending CVE

## Links

[1] = https://curl.se/dashboard.html
[2] = https://curl.se/dashboard1.html#complexity
[3] = https://curl.se/dashboard1.html#funclen
[4] = https://github.com/curl/curl/pull/15376
[5] = https://github.com/curl/curl/pull/15385
[6] = https://manpages.ubuntu.com/manpages/focal/en/man1/pmccabe.1.html
[7] = https://daniel.haxx.se/email/
[8] = https://curl.se/mail/lib-2024-10/0001.html
[9] = https://foss-north.se/
[10] = https://daniel.haxx.se/job.html
[11] = https://thenewstack.io/there-is-just-one-way-to-do-open-source-security-together/

-- 

  / daniel.haxx.se