[Daniel's week] August 8, 2025
Daniel Stenberg
daniel at haxx.se
Fri Aug 8 17:46:34 CEST 2025
# August 8, 2025
Another intense week ends.
## HackerOne
We received a new security report [1] over the weekend while I was out in the
Stockholm archipelago enjoying the Swedish summer. After coming back home on
Sunday afternoon I spent several hours tracking down a problem that only
seemed to reliably trigger when involving several hundred concurrent
transfers. While of course that shouldn't be a problem, figuring out the
source for a problem with so many targets moving simultaneously can be tricky.
It turned out to be a mistake in our splay tree management. We use a splay
tree (a binary tree that is kind of self-balancing) in which we add all
concurrent transfers as nodes, and we sort them based on the time for the
closest-in-time timeout expiry.
I find that understanding what triggers the bug and how to fix it is a good
first step. Then follows a deep dive into figuring out how an attacker can
trigger it, if at all, and what the outcomes could possibly be when that
happens etc.
It took a few more days of discussion in the issue until we finally could
solve the case as not-a-security-problem - even though the reporter pointed
out two bugs. Phew, we dodged this one but it was close - and a LOT of work.
Two bugfixes were merged as a direct result of the report.
## Negative DNS caching
After having worked intensely on the HackerOne issue that used a massive
amount of parallel transfers - and mostly in setups where they all immediately
failed, I figured I should return to the topic of caching negative name
resolves for a while. Imagine a use case when you ask curl to fire up maybe
500 parallel transfers from a single hostname, and that name fails to resolve.
Having curl cache the failure for a short while will make it fail much better
and nicer for about 499 of those transfers.
This kind of negative caching has been attempted before. Björn Stenberg (my
brother) wrote a PR years ago that we never managed to merge due to several
reasons.
This time around we have slightly better infrastructure for testing and I
could also implement it quite easily and without a lot of code, so it is easy to
review.
It made me able to merge the feature [2] already within days. Failed name
resolves are now cached half the time the positive results are stored. By
default successful name resolves are cached for 60 seconds. Before you ask: we
can't easily use the TTL for the name because the default threaded resolver we
use invokes getaddrinfo() and there is no TTL in the response.
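As an added illustration of the caching rule just described (example code, not curl's own): a small name cache where a failed resolve is kept for half the lifetime of a successful one, and a burst of 500 simultaneous lookups against a name that cannot resolve. The cache layout, the function names, the injected `now` clock and the stand-in resolver that fails only for the reserved name `nonexistent.invalid` are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#define DNS_CACHE_SIZE 16
#define POSITIVE_TTL_SECS 60                      /* default lifetime of a good resolve */
#define NEGATIVE_TTL_SECS (POSITIVE_TTL_SECS / 2) /* a failed resolve lives half as long */
enum dns_state { DNS_EMPTY, DNS_RESOLVED, DNS_FAILED };
struct dns_entry { char host[64]; enum dns_state state; long expires_at; /* seconds */ };
/* Constructed example, not curl's code; 'now' below is an injected clock in seconds. */
static struct dns_entry cache[DNS_CACHE_SIZE];
/* Reuse the host's own entry, else the first empty or expired slot, else evict slot 0. */
static struct dns_entry *find_slot(const char *host, long now)
{
  struct dns_entry *spare = NULL;
  for(int i = 0; i < DNS_CACHE_SIZE; i++) {
    if(cache[i].state != DNS_EMPTY && !strcmp(cache[i].host, host))
      return &cache[i];
    if(!spare && (cache[i].state == DNS_EMPTY || cache[i].expires_at <= now))
      spare = &cache[i];
  }
  return spare ? spare : &cache[0];
}
/* Remember a result; a failure gets the shorter lifetime. */
static void dns_cache_store(const char *host, bool ok, long now)
{
  struct dns_entry *e = find_slot(host, now);
  snprintf(e->host, sizeof(e->host), "%s", host);
  e->state = ok ? DNS_RESOLVED : DNS_FAILED;
  e->expires_at = now + (ok ? POSITIVE_TTL_SECS : NEGATIVE_TTL_SECS);
}
/* Cached state for host, or DNS_EMPTY when nothing live is stored. */
static enum dns_state dns_cache_lookup(const char *host, long now)
{
  for(int i = 0; i < DNS_CACHE_SIZE; i++)
    if(cache[i].state != DNS_EMPTY && !strcmp(cache[i].host, host))
      return cache[i].expires_at > now ? cache[i].state : DNS_EMPTY;
  return DNS_EMPTY;
}
/* Stand-in for getaddrinfo(): only the reserved .invalid name fails to resolve. */
static bool fake_resolve(const char *host) { return strcmp(host, "nonexistent.invalid") != 0; }
/* n transfers at one instant against one host; returns how many had to call the resolver. */
static int resolve_burst(const char *host, int n, long now)
{
  int resolver_calls = 0;
  for(int i = 0; i < n; i++)
    if(dns_cache_lookup(host, now) == DNS_EMPTY) {
      resolver_calls++;
      dns_cache_store(host, fake_resolve(host), now);
    }
  return resolver_calls;
}
```

With the failure cached, only the first of the 500 transfers reaches the resolver; the other 499 fail immediately from the cache until the 30-second negative lifetime runs out.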
## Happier Eyeballs
Stefan Eissing brought this cool improvement for curl's happy eyeballs take
that I decided I should explain a little to the wider world [3]. Connecting to
hosts better and faster is one of those things that has the potential to make
life easier and better for so many users. Without even anyone having to do
anything particular other than upgrading to the next curl version.
## c10kday
On August 5 curl turned exactly 10,000 days old [4] and it has been a blast to
read people's stories involving curl [5].
This turned into an "anniversary week" because two days later on August 7
libcurl turned 25 years old as that was the day in the year 2000 when we
shipped the first curl version with libcurl: Version 7.1 [12].
## %time
A customer of mine brought up the suggestion about adding time information to
the --write-out option and after some deliberating and discussions, this
feature is now merged [13] and will come in the next curl version.
## HTTP is not simple
I posted this blog post that I have had brewing for a long time and some
recent events made me resurface and publish it this week: HTTP is not simple
[14]. In spite of what many might think.
## blogging frenzy
I have now done a fresh blog post every work weekday for two weeks in a row.
Certainly a higher frequency than I normally muster and I am sure I will not
be able to keep this up much longer.
I have been wanting to cover and explain about new features and things that we
introduce in the pending curl release and as we have another week of feature
window I suspect there might be a post or two left to do in similar vein.
There are also a few things merged that I have not blogged about, but I have
to draw a line *somewhere*!
## complexity
I keep running the top-complexity script that lists the most complex functions
in the curl source code every now and then and I keep polishing the top
entries. As I write this, the worst offender is now down at score 74. Down
from 100 back in June, 85 in mid July and 78 just yesterday... [9]
I'm not sure how far I can keep going, but I guess we will find out.
## Ubuntu server
Several outlets reported [7] this week that Ubuntu Server 25.10 (release
coming in October) plans to ditch wget in favor of wcurl [15] in their default
install. This is a decision made entirely by Ubuntu themselves and we in the
curl (or wcurl) project have not been involved or asked.
## 1400 authors
This week we surpassed 1400 commit authors [6] in the curl repository.
## FrOSCon
I have accepted. I have flight tickets and a hotel reservation. I will be in
Bonn, Germany, at FrOSCon [10] on August 16 and do my keynote titled "AI slop
attacks on the curl project".
Come say hi and offload curl stickers from me.
## Open Source Summit Europe
On August 25 I will be in Amsterdam, the Netherlands, and keynote the Open
Source Summit Europe [11]. The title of this (short) talk is still not set in
stone, but my updated proposal reads "giants, standing on the shoulders of".
What it is like to maintain a well-used Open Source project in 2025.
## Quote of the week
"This is the fastest bugfix I have ever seen on an open source project."
Said about Stefan's bugfix for [8].
## Coming up
- another week of curl feature window
- FrOSCon next weekend might interfere with my weekly email
## Links
[1] = https://hackerone.com/reports/3283232
[2] = https://github.com/curl/curl/pull/18157
[3] = https://daniel.haxx.se/blog/2025/08/04/even-happier-eyeballs/
[4] = https://daniel.haxx.se/blog/2025/08/05/c10kday/
[5] = https://github.com/curl/curl/discussions/17930
[6] = https://curl.se/dashboard1.html#authors
[7] = https://www.omgubuntu.co.uk/2025/08/ubuntu-server-25-10-replaces-wget-with-wcurl?v1
[8] = https://github.com/curl/curl/issues/18177#issuecomment-3155269810
[9] = https://curl.se/dashboard1.html#complexity
[10] = https://froscon.org/
[11] = https://events.linuxfoundation.org/open-source-summit-europe/
[12] = https://curl.se/ch/7.1.html
[13] = https://daniel.haxx.se/blog/2025/08/07/curl-tells-the-time/
[14] = https://daniel.haxx.se/blog/2025/08/08/http-is-not-simple/
[15] = https://curl.se/wcurl/
--
/ daniel.haxx.se