[Daniel's week] August 1, 2025

Daniel Stenberg daniel at haxx.se
Fri Aug 1 17:40:19 CEST 2025


# August 1, 2025

## vacation

Hello again. I'm back after some weeks of vacation. As usual I kept mostly up
with what happened in the curl project so I was pretty aware of what I had to
look forward to when I got back.

My end of vacation was also in sync with the opening of the curl feature
window so my return to work really took off at high speed as we have had an
avalanche of pull requests to work with this week.

Since this is the first weekly email since July 11, there are some details in
this edition that feel a little old but I decided to include them anyway for
completeness.

## laptop funded

Just before my vacation I did a laptop crowdfund thing [1] that went way
beyond all my expectations and hopes and as a result I then also subsequently
ordered a machine that was delivered and I have since assembled it and written
a blog post about my first impressions [2].

I promised everyone who donated >= 200 USD a say in stickers on my cover and
two people have taken me up on this. I of course intend to honor my promise.
Pictures and stories about them will follow as they happen.

## how I do it

Since I sometimes receive questions about how I work on curl in my day to day
workings, I decided I would attempt to answer it in a blog post [3]. It's
mostly just a lot of work.

## death by slop

As we were "struck" by a wave of new AI slop reports in the middle of July, I
wrote a blog post [4] about it and our thought process on what to do next or
not. The short story is that we have not decided yet exactly what to do, but
unless we see the rate go down in one way or another we will consider
completely dropping the curl bug-bounty later this year. I will of course keep
you dear reader updated on this development. Or perhaps lack of.

## curl 8.15.0

On July 16 we shipped curl 8.15.0 and it was good. This time around we shipped
a dot-zero release for which we did not discover bad enough regressions to
trigger a .1 follow-up release!

Ten days after the release, just about when I got back from vacation, we
opened the feature window and at that time we had over twenty pull-requests
queued up waiting for this. A week in, there are still pull-requests pending.
Some of them might not be ready in time, but I suspect several more are going
to get merged and make the coming 8.16.0 release quite a feature-packed
edition.

Merging new features also makes me keen on documenting the changes and
explaining them to the world so it has also made me write a whole series of
new blog posts this week. Mentioned below. Of course, as I have already
written (long) blog posts about the topics, I only summarize them in this
email and I will let you dig through the actual posts if you want all the
details.

## EU-STF

As I was asked to review the proposal before it was made public, I knew about
it and I support the idea. I wrote a blog post about the proposal: the EU-STF
for funding critical Open Source [5].

## msh3

We have been telling the world about this for over six months and now it has
finally happened: we dropped support for msh3 from curl [6]. msh3 is an HTTP/3
library that never quite worked in curl and as nobody seemed too eager to get
it into shape, we instead removed it. Maybe we can add it again in the future if
someone is up to doing the work. curl still supports HTTP/3 using three
different backends, so there are still a multitude of working options.

## --out-null

A little by chance Stefan Eissing discovered that completely skipping writing
response data is actually notably faster than writing it to /dev/null and so
the new command-line option --out-null was born [7].

## equals sign

We polished the general curl command line parser somewhat to accept long
options and a syntax detail that is commonly supported by many other command
line tools but curl never previously did [8]. Until now, or yeah, curl 8.16.0.
The little detail of course being that switching usage over to using this
newly supported syntax makes those command lines not work with old curl
versions...

## parallel-max-host

As we got a bug report on parallel downloads that involved limiting the number
of concurrent connections to a single host, it struck me that we don't
actually offer this control to command line tool users even though it is
actually quite a handy thing to have [9]. So I made it so.

## FrOSCon

I have accepted. I have flight tickets and a hotel reservation. I will be in
Bonn, Germany, at FrOSCon [10] on August 16 and do my keynote titled "AI slop
attacks on the curl project".

## Open Source Summit Europe

On August 25 I will be in Amsterdam, the Netherlands, and keynote the Open
Source Summit Europe [11]. The title of this (short) talk is still not set in
stone, but my updated proposal reads "giants, standing on the shoulders of".
How it is to maintain a well-used Open Source project in 2025.

## Day Two DevOps

Back in late May I joined the Day Two DevOps podcast hosts and we talked curl
development, the increasing amount of AI slop in (curl) security reports and
more and that episode has since been published [12].

## Security

Over the last few weeks we have had a range of HackerOne submissions of
suspected curl vulnerabilities; from brainless entries to really complicated
time-consuming ones. As I write this, the inbox is at zero and there is still
no known vulnerability in curl's two most recent releases.

Stats from curl's bug-bounty program so far in 2025:

A total of 69 reports submitted

31 (44.9%) were marked "not applicable" because they were neither a bug nor a
vulnerability.

18 (26.1%) were considered "normal bugs"

15 (21.7%) were marked "AI slop"

5 (7.2%) turned out to be vulnerabilities

## cheat sheet

We did what I believe was our first "curl cheat sheet" back in 2015 [13], and
it was refreshed five years later [14] and then turned into its separate
GitHub repo [15].

It is meant to be a small table featuring the most common curl HTTP options
with a brief overview of how they are used.

There is also an awesome and beautiful PCB coaster of (an extended version of) it
available for purchase [16].

Now, John Haugabook came up with the idea that curl should be able to output
an ASCII version of this by itself [17] and I can't find any flaws in that
idea! It is now being bike-shedded, polished and discussed and we will of
course also value your opinions and feedback. To make it as useful and
practical as possible.

I've always wanted to make a t-shirt with the curl cheat sheet printed
upside-down on the front to allow someone wearing the shirt to look down to
get help, but so far I have not made it happen...

## Coming up

- merge more features
- curl turns 10,000 days old on Tuesday

## Links

[1] = https://daniel.haxx.se/blog/2025/07/12/sponsor-my-laptop/
[2] = https://daniel.haxx.se/blog/2025/07/28/hello-sprout/
[3] = https://daniel.haxx.se/blog/2025/07/13/how-i-do-it/
[4] = https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-slops/
[5] = https://daniel.haxx.se/blog/2025/07/23/eu-stf-for-funding-critical-open-source/
[6] = https://daniel.haxx.se/blog/2025/07/29/carving-out-msh3/
[7] = https://daniel.haxx.se/blog/2025/07/30/output-nothing-with-out-null/
[8] = https://daniel.haxx.se/blog/2025/07/31/option-parsing-in-curl/
[9] = https://daniel.haxx.se/blog/2025/08/01/curl-adds-parallel-host-control/
[10] = https://froscon.org/
[11] = https://events.linuxfoundation.org/open-source-summit-europe/
[12] = https://packetpushers.net/podcasts/day-two-devops/d2do277-ai-security-submissions-at-curl-dev/
[13] = https://daniel.haxx.se/blog/2015/09/16/a-curl-cheat-sheet/
[14] = https://daniel.haxx.se/blog/2020/01/20/curl-cheat-sheet-refresh/
[15] = https://github.com/curl/curl-cheat-sheet
[16] = https://daniel.haxx.se/blog/2023/11/03/curl-coasters/
[17] = https://github.com/curl/curl/pull/18071

-- 

  / daniel.haxx.se

