[Daniel's week] September 6, 2024

Daniel Stenberg daniel at haxx.se
Fri Sep 6 17:39:39 CEST 2024


Hello!

End of work week means another email.

## OpenSSL CVE

OpenSSL announced CVE-2024-6119 this week [1]. The wording in this advisory is
however so vague and non-specific that even though I read through the short
text several times I simply cannot tell if curl users are affected by this
problem.

Let's use this as an example of how NOT to write a security advisory.

## New graph

I read a text somewhere about how few lines of code a developer actually
produces over time, when it struck me that it would be fun to check how many
lines have been added to curl compared to how many lines are still present
[2].

In other words, it shows how many times we have changed every line in the
project on average. Amazingly enough the factor has been around three and
slightly above (pi?) for the last twenty years. Meaning that every line has
been changed twice and a little more.

Stefan Eissing blogged a few words [3] about it.

## Webinar

I ran my webinar "mastering the curl command line" [4] on Thursday,
concurrently over both Zoom and Twitch. I think it worked fine, both
content-wise and technically, so that attendees in both channels got a good
experience.

The content was a refreshed and updated version of a presentation I have done
before, focusing on curl command line options we have introduced in recent
years.

There were 40+ people in the Zoom and more than 220 unique viewers of the
Twitch stream. I could not be happier. The recording and slides are provided
in the blog [4] post now.

## HTTP Workshop

I was invited to attend the HTTP workshop [5] in London in November. I have
previously expressed my desire and apparently there was a big interest this
time so it is especially fun to be able to go. I have arranged travel and
booked a hotel and Stefan Eissing told me [6] he is going as well,
representing both curl and Apache.

The HTTP workshop is one of my favorite events. Packed with good people and
old friends - so double networking. Chock-full of HTTP and network content
makes it a learning and educational opportunity beyond most other events.
Usually implementers from almost every major HTTP implementation show up.

## 4 open issues

In the beginning of this week there was a brief moment when we only had four
(4) open issues [7] for curl. The number has since bumped back up a little but
has remained at a very manageable level. The graph over open issues and PRs
over time [8] proves that we are at a low number even seen historically.

The explanation? Hard work, multiple people working on fixing issues and the
fact that we move stale issues to the KNOWN_BUGS and TODO documents.

## Server push death

Valentin Gosu in the Firefox networking team announced [9] that Firefox is
about to drop support for HTTP/2 server push as the last one out of the three
big browser engines.

In curl the command line tool never supported server push, but libcurl
supports it and there are no plans to remove it. The way the feature is
provided in the API, we cannot drop support for it without breaking backwards
compatibility. Something we have not done deliberately since 2006. We have no
idea if there are users using this, or how many they might be.

Of course, with not a single browser still supporting this protocol feature it
is unclear who exactly is going to provide it in servers. The feature was
implemented in libcurl back in 2015 on a contract with Netflix, but I have no
idea if they still or ever actually used the feature.

## CVEMITRECVSSNVDCNAOSS WTF

That's the title of a presentation that I am set to do on September 23 at the
Nordic Software Security Summit [10] conference in Stockholm, Sweden.

The talk abstract describes it this way:

Bogus CVEs, know-better organizations, conflicting databases, AI
hallucinations, inflated severity scoring, security scanners, Jia Tan. As the
lead developer in the curl project, Daniel describes some of the challenges
involved and what you need to do to stay on top of security when working in a
high profile Open Source project running in some twenty billion instances. The
talk will involve many examples from real life.

I have started working on this new presentation and I have a working outline
already, so now I just need to keep polishing it over the coming weeks until
the event happens.

It is still not entirely clear if the presentation will be recorded and made
available, so I plan to maybe do a second take and run this presentation
online live-streamed over Twitch (and recorded for YouTube) at a later date.
Maybe I can then take feedback and experiences from the initial live
performance and improve the v2 a little. We can hope. :-)

## Coming up

  - curl 8.10.0 release on Wednesday
  - the live-streamed curl release video

## Links

[1] = https://openssl-library.org/news/secadv/20240903.txt
[2] = https://curl.se/dashboard1.html#added-per-line
[3] = https://github.com/icing/blog/blob/main/proof-of-pi.md
[4] = https://daniel.haxx.se/blog/2024/09/02/webinar-mastering-the-curl-command-line/
[5] = https://httpworkshop.org/
[6] = https://chaos.social/@icing/113084180221456888
[7] = https://github.com/curl/curl/issues
[8] = https://curl.se/dashboard1.html#github-open
[9] = https://groups.google.com/a/mozilla.org/g/dev-platform/c/vU9hJg343U8/m/4cZsHz7TAQAJ?pli=1
[10] = https://nsss.se/


-- 

  / daniel.haxx.se
