[Daniel's week] August 17, 2025

Daniel Stenberg daniel at haxx.se
Sun Aug 17 19:45:13 CEST 2025 

# August 17, 2025

This week the email gets out at an odd day because of my travels.

## cars

For reasons I have forgotten I fell over my seven years old blog post about
curl used in cars [1] and it took me down a rabbit hole of updating the list
of car brands that use curl and ... and after having bounced around lists and
thoughts on Mastodon I summed up the findings in a blog post about it [2],

## codeberg

After the GitHub CEO first said that we either should "embrace AI or get out"
(which made us all want to be in the "out club") only to just days later leave
GitHub and the news sites told us that instead of replacing the CEO, Microsoft
will have GitHub report to and get organized under some AI department,
numerous people have asked or even outright demanded that the curl project
would better leave GitHub (before it all burns).

curl stays solidly on GitHub for now, not the least because they are generous
sponsors of the curl project that are worth a significant amount of dollars to
the project - primarily for the plenty CI services we use. We have no
alternative sponsors that would step up and cover such an expensive thing
should we move elsewhere.

No service lives forever and we are perfectly aware that anything we rely on
today can of course suddenly die and vanish. We should always be prepared to
just move on to the next. This of course includes GitHub. As a sign of this
"preparedness", we fired up a git mirror hosted on codeberg [3] to partly show
that there are available alternatives that are backed up in real-time, and it
offers a non-GitHub host for people to get a read-only git clone from if they
really want to avoid GitHub.

Amusingly, I then joked on Mastodon about GitHub's inability to count
contributors for a project on their site [4] - because for an inexplicable
reason they don't count contributors who don't have GitHub accounts (meaning
200+ committers in the curl project), only to then discover that codeberg ALSO
had a counting problem [5], albeit because of a completely different reason
and a bug, which thanks to awesome followers and quick developers seems to
have been fixed already [6]!

## security

After more than THIRTY false alarms in a row, we received a security report
for a legitimate severity low curl vulnerability this week that will be
announced and published in sync with the curl 8.16.0 release on September 10.
I *think* an AI was involved in the detection which might bring some attention
to this. If that is true, it is the first time a real issue has been found in
curl with AI.

## feature freeze

We entered the curl feature freeze today for the pending curl 8.16.9 release.
Now we will only merge bugfixes until the version ships on September 10. There
have been an extra large amount of features merged in this cycle [7] already
so I'm both happy to see so much activity and good stuff done and also scared
at the same time because typically with many new features it also means we
caused at least one or two ugly regressions somewhere in there...

Because of my travels this weekend (see below) I decided I will put the
8.16.0-rc1 together on Monday instead when I'm back home again.

## FrOSCon

I was in Bonn, Germany at FrOSCon [10] on Saturday where I did the keynote
titled "AI slop attacks on the curl project" [8]. In a completely packed room.
The presentation was well received and I got a series of good questions that
proved the subject feels contemporary and maybe even urgent.

I of course brought a lot of curl stickers with me there and I offloaded a
good portion of them to people I met.

## Open Source Summit Europe

On August 25 I will be in Amsterdam, the Netherlands, and keynote the Open
Source Summit Europe [11]. The title of this (short) talk is still not set in
stone, but my updated proposal reads "giants, standing on the shoulders of".
How it is to maintain a well-used Open Source project in 2025.

## Coming up

- Monday: curl 8.16.0-rc1 may the regressions be kind to us
- Tuesday: video recording for secret thing to be revealed later

## Links

[1] = https://daniel.haxx.se/blog/2018/08/12/a-hundred-million-cars-run-curl/
[2] = https://daniel.haxx.se/blog/2025/08/15/car-brands-running-curl/
[3] = https://codeberg.org/curl/curl-mirror
[4] = https://mastodon.social/@bagder/115014380441391322
[5] = https://mastodon.social/@bagder/115018206618718553
[6] = https://codeberg.org/forgejo/forgejo/pulls/8882
[7] = https://curl.se/dev/release-notes.html
[8] = https://youtu.be/6n2eDcRjSsk
[10] = https://froscon.org/
[11] = https://events.linuxfoundation.org/open-source-summit-europe/

-- 

  / daniel.haxx.se

More information about the daniel mailing list