[Daniel's week] February 7, 2025

Daniel Stenberg daniel at haxx.se
Fri Feb 7 16:18:28 CET 2025


Hello!

There was no Daniel weekly email last week. I was busy blabbing with people in
Brussels. This week's edition therefore includes details that occurred over
the last TWO weeks.

## OLD security

In the curl security team we struggled a lot with the security report that
eventually ended up as CVE-2024-0725 [1]. The only way to trigger the bug is
if someone uses a zlib version released over twenty-one years ago. Such an old
version then also contains numerous security problems.

This again brings up CVSS problems and now this kind of information is
impossible to get into the calculator.

Due to this, we added some new wording into our security policy that we will
not consider issues as security vulnerabilities if they require use of "legacy
dependencies" such as this zlib case. We also of course try to narrow down
what legacy means in this context.

This CVE was also quoted in LWN [2].

## SSH security

In a separate report [3], it was found that curl really does not do an ideal
job in protecting SSH connections, but in the end we concluded (contrary to
the reporters' will) that while imperfect it is not a security vulnerability.
Harry wrote up a separate document [6] about it.

This has led to some next to alarmist-sounding bug reports filed against at
least Debian [4] and Gentoo [5] about this behavior. While I disagree about the
vulnerability part, I think there is room for improvement here and I instead
took to the pull-requests and have made some first attempts [7]. I think what
makes it the most problematic is the possible impact any changes here will
have on existing use cases as I want them to be as minimal as possible while
at the same time making curl better.

As a follow-on from this, I have received a series of "less than friendly"
phrased messages from users disagreeing with our assessment of this report. It
is of course easy to sit in the audience and have opinions. As always.

## BBC

A while ago I had a conversation/interview with technology reporter Joe Fay
about contingency in Open Source and how I work (or not) on planning for
curl's future when I at some point in the future abandon the project. It went
online on bbc.com at the end of January. Will young developers take on key open source
software? [8]

## URLs from file

I am putting together some short bullet points and items that I want to work
on and see happen for curl in 2025. I have asked around widely [10], but to
tell the truth I have not gotten many responses. Honestly, I did not expect
otherwise.

To get inspiration for my upcoming curl 2025 roadmap webinar, I went back and
read the analysis I did for the user survey 2024 and in particular the free
form requests from users of what we could possibly work on.

Several of the things that are mentioned in this survey and before in earlier
ones, we end up eventually implementing. In this new reread of mine I noticed
that several users brought up the topic of wanting to download a number of
URLs easier. URLs provided in a file.

I figured that for the easy use case of someone having a set of URLs, one per
line in a file, I could easily add this to curl in just thirty new
lines of code. I wrote up a pull-request for this [9] and now that is being
proposed and discussed for merge into a coming release. Good? Bad?

## "you can help"

Another direct effect of me reading that analysis is that I decided to more
actively highlight to users what current topics and users that we could use
help with [11]. A lot of feedback says that users often are not aware of the
fact that we in the curl project sometimes actually could need assistance -
and with what.

My idea is to send such an email on a monthly basis and maybe evaluate later
this year if it is appreciated or makes any difference.

## curl up

Thanks to Jim Fuller, established curl core contributor since many years back, we
confirmed and announced that our annual curl development get-together curl up
[12] is going to happen in Prague, Czechia, over the weekend of May 3-4.

We really would like to extend the invitation to also attract users of
curl/libcurl as well as new contributors interested in learning more and
getting involved in the project, in addition to the "old guard".

## CVE-2024-7264

This CVE-2024-7264 [13] appeared in the security scanners and now users find
numerous libcurl DLLs on Windows claimed to be vulnerable and dangerous and
they struggle how to proceed. This time, the DLLs were in Microsoft Office
installations as well as a number of other high profile products.

As usual nowadays, we cannot actually do anything about this except inform the
users what this means from our point of view and underscore that the only ones
that can actually fix these libcurl DLLs are the ones who built them and ship
them as part of their products. Which then in cases like this is a whole range
of different software companies.

A less than ideal situation for the poor users who get these alerts and really
have no clue how to act.

Situations like this trigger discussions in my circles about what the total
"societal cost" for a single curl CVE could end up at. The ripple effects are
sometimes just beyond imagination. I think this is important to remember, as
avoiding just one curl CVE from getting published is a giant save for the world.
A save no one sees of course.

## EOSAwards 2025

On Thursday January 30, 2025, my wife and I appeared at the European Open
Source Awards 2025 gala in Brussels. Dress code: black tie. With sparkling
drinks in our hands we got to hang out with EU and Open Source policy people
and then receive the "achievement award" on the big stage [14]. Maybe 150 peeps
in the audience or so.

A great day for me personally of course and I hope that it will be a good
thing for Open Source in general as the European Open Source Academy [15] is
started and I am a part of this effort.

## Workshop

On the Friday before FOSDEM I was invited to the FOSS license and security
compliance tooling workshop, a FOSDEM fringe event.

As I got there I was almost immediately brought on "stage" and made to talk
about dealing with security issues, CVE, CVSS and the likes in a widely used
Open Source project. A friendly and curious crowd and I hung around for food
and drinks afterward, that then also included conversations with a bunch of
good people. The details shall of course remain undisclosed.

## FOSDEM

FOSDEM 2025 [16] was bigger than ever before with more talks and bigger
audience - an estimated perhaps ten thousand attendees. I managed to hand out
several thousands of curl stickers. I was initially a little troubled about how
I was going to manage the sticker distribution this time since there was no
wolfSSL stand to base it on. (wolfSSL was surprisingly denied a booth this
year, after having had one for many a dozen years straight).

I was graciously offered table space in the Debian stand by Samuel Henrique
and it turned out to be a truly effective sticker spreading place. I think around
three thousand curl stickers in many different designs and shapes were given
away during the two days.

I talked to MANY people - old friends and new. I saw some talks. I had many
beers. I did a talk in the Security devroom about how we do security in the
curl project [17]. At the time of writing this, the video recording is not yet
available.

On the Sunday evening I attended what now seems to be an annual thing: the
GitHub Open Source maintainer social event where I got to chat with a whole
bunch of excellent people over (more) beer and pizza.

I flew back home on Monday morning and arrived back totally exhausted. And
backlogged like crazy because I basically had not had time to do any emails or
curl stuff for the last four days and I had a release pending.

## 1337

We eventually got the 1337th commit author in curl and since people have been
talking about it so much recently as we gradually have approached this number
I had to blog about it [18].

## release

curl 8.12.0 [19] was shipped on the morning of February 5. This time I
live-streamed the entire process, which then enabled me to upload "how to
release" [20] to YouTube as a sort of how-to showing how easy it is.

I most probably will not do every release live-streamed going forward because
they are just so similar and are mostly a series of mechanical steps as
outlined in the procedure document.

I also made my separate release presentation video [21] of course, as per
established tradition.

## regressions

As always when we do a dot-zero release there was a risk of regressions and
this time does not seem to be different. As I write this we have not yet set a
date, but there will be a follow-up patch release in a week or so to rectify
some of the biggest frictions we included this time. We just need a few more
days first to figure out the details and a schedule. This also gives us a few
more days for more issues to arrive and get fixed.

The timing is unfortunate because due to some upgrades on GitHub there are
brand new CI complications in the Windows jobs that make them flaky and slow.

## release candidates

I plan to start doing official curl release candidates going forward and laid
out a plan on the mailing list [23]. The idea is to publish (two) release
candidate official tarballs to hopefully trigger users to start testing
earlier and ideally attract feedback on regressions even *before* the pending
release. One can dream, right?

## codeql

A while ago I told the curl team that we are switching off the CodeQL job on
GitHub [22] since, as it turns out, it never really helped us detect any proper
problems but we only ever had to silence alerts we did not care about. I then
eventually switched it off and it is no longer used by curl.

This week I had a constructive meeting with people from the CodeQL team at
GitHub as they were keen on learning more about why we took this step and what
would be needed for us to enable it again etc. Turns out there are options we
can enable that possibly make it more useful for us and might make it find
actual problems, and they are also working on more of that going forward. Keen
on figuring out how or if that makes CodeQL useful for us again, I now plan on
testing a re-introduction of that CI job into curl.

## no goods

After several "incidents" the curl project has now made sure to include
wording in several places stating that when someone donates money to us or
sponsors us, they shall not expect anything in return as goods or services. This, after
several companies have asked for refunds after first gladly having sponsored
us, but when we refused to show their logos on the website they changed their
mind and suddenly their sponsorship is retracted. This causes extra work and
annoyances.

The reason we have refused is that these companies have done business in
areas that we consider not suitable for us to show on the site. This typically
involves gambling, social media manipulations (like buying followers) and the
likes. So yeah, they basically wanted to pay for adspace, not sponsor us. We
still offer that for companies that comply with our guidelines.

## Coming up

- defeat the regressions, arrange a patch release

## Links

[1] = https://curl.se/docs/CVE-2025-0725.html
[2] = https://lwn.net/Articles/1008027/
[3] = https://hackerone.com/reports/2961050
[4] = https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095258
[5] = https://bugs.gentoo.org/949342
[6] = https://sintonen.fi/advisories/curl-ssh-insufficient-host-identity-verification.txt
[7] = https://github.com/curl/curl/pull/16205
[8] = https://www.bbc.com/news/articles/cly7n2jm5m5o
[9] = https://github.com/curl/curl/pull/16099
[10] = https://github.com/curl/curl/discussions/16083
[11] = https://curl.se/mail/lib-2025-01/0080.html
[12] = https://github.com/curl/curl-up/wiki/2025
[13] = https://curl.se/docs/CVE-2024-7264.html
[14] = https://daniel.haxx.se/blog/2025/02/03/european-open-source-achievement-award/
[15] = https://europeanopensource.academy/
[16] = https://fosdem.org/2025/
[17] = https://fosdem.org/2025/schedule/event/fosdem-2025-4204-tightening-every-bolt/
[18] = https://daniel.haxx.se/blog/2025/01/29/a-1337-curl-author/
[19] = https://daniel.haxx.se/blog/2025/02/05/curl-8-12-0/
[20] = https://youtu.be/7UQgcSWkSYw
[21] = https://youtu.be/FDBw2uxI-R8
[22] = https://curl.se/mail/lib-2024-12/0026.html
[23] = https://curl.se/mail/lib-2025-02/0012.html

-- 

  / daniel.haxx.se
