[Daniel's week] September 27, 2024

Daniel Stenberg daniel at haxx.se
Fri Sep 27 17:42:50 CEST 2024


Hello,

I think weeks go by faster these days. At the end of a work week again but I 
suppose me spending two days out of the cave made it feel shorter than 
usual...

## Feature window

We opened the feature window for curl, and while we have merged a few features
I think this cycle might be a little less news packed than the latest non-patch
release (8.10.0).

I suspect introducing WebSocket support as non-experimental for the first time
is going to be the biggest.

## NSSS

I got the honors of doing the first talk at the Nordic Software Secure Summit
[1] conference which took place Monday and Tuesday this week here in
Stockholm. I attended both days. This was the first time this conference ran,
but they have already decided to run it again next year.

My talk titled "CVEMITRECVSSNVDCNAOSS WTF" [6] seemed to be appreciated by the
audience and lots of the remaining talks over the two days would come to
refer to it.

I got to learn a lot about CRA, NIS2, SBOMs and related topics.

None of the presentations during the two days were recorded or streamed, so I
decided to take matters into my own hands and I will re-do my presentation in
a live-stream on Twitch on September 30 [2].

## CI performance

Viktor Szakats and Stefan Eissing have worked fiercely on curl test and CI
performance recently, making sure as many CI jobs as possible complete as
fast as possible, so that contributors get as quick feedback as possible.
Stefan blogged [3] some fun progress details.

## boast

Over on the bluebird site, Andreas Kling posted [4] about his work on
improving network performance in the ladybird browser [5] by switching to a
libcurl-based solution:

   "Massive speed-up compared to our old HTTPS stack (that we built from
   scratch for SerenityOS). Uncached load of my For You page goes from 38 sec
   to 8 sec!"

## (mem|str|strn)cpy

I eradicated the last strncpy() calls from libcurl and added it to the list of
banned functions to avoid any calls to get reintroduced without us noticing.
The function *can* be used nicely, but typically it is a sign that the code
should rather be done differently.

The share of memcpy and strcpy use in libcurl production code is now down to
less than two per 1000 lines of code for the first time ever. The idea of
course being that by reducing direct use of these functions, we avoid mistakes
better. The rate of (m|re|c)alloc() calls is a little higher at 2.387 per 1000
lines of code, but I managed to trim off a few of those as well. That too is
the lowest frequency ever.

## Coming up

- Monday: live-streamed presentation on curl, open source and security [2]

## Links

[1] = https://nsss.se/
[2] = https://daniel.haxx.se/blog/2024/09/25/talk-keeping-the-world-from-burning/
[3] = https://github.com/icing/blog/blob/main/curl-ci-performance.md
[4] = https://x.com/bagder/status/1837526496488944108
[5] = https://ladybird.org/
[6] = https://nsss.se/y2024/talks/cvemitrecvssnvdcnaoss-wtf/


-- 

  / daniel.haxx.se
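
One way to enforce a function ban and track the per-1000-lines figures mentioned in the "(mem|str|strn)cpy" section, as an added example that is not curl's own checker and not part of the original email. The function names, the ban list as written here and the sample C source are assumptions constructed for illustration.

```python
import re

# Assumed ban list for this example; the email only names strncpy.
BANNED = {"strncpy"}
COPY_FAMILY = {"memcpy", "strcpy"}

# Comments and string/char literals are blanked so mentions inside them do not count.
_NOISE = re.compile(
    r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'',
    re.DOTALL)
_CALL = re.compile(r'\b([A-Za-z_]\w*)\s*\(')

def strip_noise(source):
    """Replace comments and literals with spaces, keeping newlines so line numbers stay valid."""
    return _NOISE.sub(lambda m: re.sub(r'[^\n]', ' ', m.group()), source)

def find_calls(source, names):
    """Return (line_number, function_name) for each call to a name in `names`."""
    code = strip_noise(source)
    hits = []
    for m in _CALL.finditer(code):
        if m.group(1) in names:
            hits.append((code.count("\n", 0, m.start()) + 1, m.group(1)))
    return hits

def per_kloc(source, names):
    """Calls to `names` per 1000 non-blank lines left after stripping comments."""
    code = strip_noise(source)
    loc = sum(1 for line in code.splitlines() if line.strip())
    return 1000.0 * len(find_calls(source, names)) / loc if loc else 0.0

# Constructed sample input, not taken from libcurl.
SAMPLE = '''\
/* strncpy(a, b, n) used to live here */
#include <string.h>
void set_name(char *dst, size_t len, const char *src)
{
  const char *msg = "never call strcpy(dst, src)";
  strncpy(dst, src, len);   // may leave dst unterminated
  dst[len - 1] = 0;
  memcpy(dst, msg, 4);
}
'''

if __name__ == "__main__":
    for line, name in find_calls(SAMPLE, BANNED):
        print(f"line {line}: banned function {name}()")
    print(f"copy calls per 1000 lines: {per_kloc(SAMPLE, COPY_FAMILY):.1f}")
```

Run as a CI step that fails when `find_calls` returns anything for the ban list; the regex approach does not see calls made through function pointers or macros that expand to a banned name.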

