[Daniel's week] February 14, 2025

Daniel Stenberg daniel at haxx.se
Fri Feb 14 16:18:15 CET 2025


Hey ho!

## regressions

While I was still writing last week’s summary email, we received a report 
about yet another regression in the then still fresh curl 8.12.0 release. We 
had a few other regressions filed already, but the Friday crash report was the 
one that took away the last doubt and made us decide we really needed to make 
a patch release. People in the Kodi project experienced crashes when they used 
the latest libcurl [1]. Fully reproducible too. While I really should learn to 
expect this every time we ship a dot-zero version, I’m just such an optimist 
that I think that noooo, this time surely everything will go smoothly.

Stefan, Harry and I spent hours last Saturday on IRC, debugging the problem. 
We found the reason, reproduced it, wrote up test cases and submitted a 
pull-request that was soon confirmed to fix the problem, as quite clearly even 
a bunch of Kodi devs were active on the weekend and keen on getting this 
working. Twenty-six hours after the crash was reported, we had a fix merged in 
git.

By Monday morning I announced that we would do a patch release on Thursday; 
curl 8.12.1. And so I did [2].

## AI slop

We got yet another AI slop security vulnerability reported [3]. It followed a 
pattern we have seen before. The AI found a claimed problem in an internal 
function that would be vulnerable if used in a particular way, clearly not 
quite understanding the concept of a public API. No attacker can reach the 
internal functions and no libcurl code uses the function in a way that would 
trigger the problem. Clearly the AIs need to be educated better about API 
boundaries and public and private functions in libraries.

As always, if the user would just have understood their own report they would 
not have done it.

## tightening every bolt

The video recording of my talk I did at FOSDEM 2025 called tightening every 
bolt went online [5]. It is a walk-through of all the procedures and 
precautions we do in the curl project to ship a secure product.

## mascot

I ran a poll on Mastodon [6] and GitHub [7] asking whether we should get 
ourselves a mascot for the curl project. Over 70% out of 1,500 answers 
said yes. I had previously asked the question what such a mascot would be, and 
we have received an extensive list of creative, fun and thought-provoking 
ideas.

I intend to ponder on the next step a little bit. Probably I should pick the 
maybe four best ideas and then crowd-source ideas/layouts/designs for all the 
four, then have some kind of vote among those. Once we have a winning mascot 
concept, I would like to engage and cooperate with a real designer/illustrator 
who can work with us and create the actual final creation to use.

Until then, I want to keep an open mind about exactly what this will look 
like and what we should eventually call it.

## disabling cert checks: we have not learned much

This week I fell over a Mastodon post from the author of a fairly high profile 
project that mentioned that they use curl (with PHP) and they linked to a just 
merged pull-request. Curious about this, I took a quick look at the patch and 
swiftly discovered that in their commit, the TLS server verification was 
partly disabled. I replied to this effect, both in the commit and on Mastodon. 
The original toot was shortly thereafter removed. I don’t know why.

I decided to quickly search for the same code pattern I had seen in that 
commit on GitHub, only to realize there were hundreds of thousands of matches. 
While some of them surely were false positives, a sufficiently large share of 
them are not. An unsatisfactory state of affairs.

So I did my thing. I wrote a blog post about it [8].
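As an added illustration of the pattern described above (this is example code, not the commit from the email or any project it mentions), here is the weak PHP curl configuration beside the correct one, plus a small source scanner a reviewer can run over their own tree. The email does not say which option the commit touched, so the example covers both verification options; example.com is a placeholder host.

```php
<?php
// Added example, not code from the email or from the project it mentions.
// Shows the "partly disabled" verification pattern in PHP's curl binding next
// to the correct setup, plus a crude scanner to catch it in code review.

// WEAK: VERIFYPEER=false skips the certificate chain check; VERIFYHOST=0
// skips matching the certificate to the host name. Either alone leaves the
// connection open to interception.
function weak_handle(string $url) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    return $ch;
}

// CORRECT: both checks on. These are libcurl's defaults, so deleting the two
// lines above is the usual fix. A missing CA bundle is fixed by pointing
// CURLOPT_CAINFO at one, never by turning verification off.
function hardened_handle(string $url, ?string $caBundle = null) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);   // 2 = check the host name
    if ($caBundle !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
    }
    return $ch;
}

// Reviewer check: return [lineNumber => text] for every line that sets either
// option to a disabling value. Regex, not a parser, so treat hits as things to
// look at rather than proof of a bug.
function find_disabled_verification(string $phpSource): array {
    $pattern = '/CURLOPT_SSL_VERIFY(PEER|HOST)\s*,\s*(false|FALSE|0|\'0\'|"0")\s*\)/';
    $hits = [];
    foreach (explode("\n", $phpSource) as $i => $line) {
        if (preg_match($pattern, $line)) {
            $hits[$i + 1] = trim($line);
        }
    }
    return $hits;
}

// Demo on this file itself: flags only the two lines inside weak_handle().
print_r(find_disabled_verification(file_get_contents(__FILE__)));
```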

## codeql

After the meeting with the CodeQL team that I mentioned last week, I fired up 
a new PR [9] in which I brought the tool back into the family of curl CI jobs 
to see if it would make a difference big enough to make it worthwhile for us 
to run it. I was told that with a new special config entry I would get more 
relevant and better results.

It did produce a list of 113 new issues. Out of these, one was an unnecessary 
conditional check that I fixed. The other 112 alerts were all things I did not 
care much about and that are mostly opinions and sure-maybe-but items.

I have not decided where to go with this just yet. I might take this back to 
the CodeQL people again and see what they say.

## OpenSSL QUIC

OpenSSL finally this week actually merged an API that allows other QUIC 
implementations to use its TLS stack [4]. This is of course something the QUIC 
community has been waiting for for many years and I have written about 
it many times before. This new API they now offer is not done like the one 
previously debated (and that the OpenSSL forks provide) but is instead special 
and different - which puzzles me greatly. I intend to write up a longer blog 
post about this API move soon, as soon as a few more details have ideally 
fallen into place.

## cleanups

My curl code cleanups this week include removing superfluous memory 
allocations in the threaded resolver and switching over number parsing to use 
our own parser API for better integer overflow detection and easier maximum 
checks. I have merged some work in both these areas but I have more polish 
pending as well.

## coming up

Fingers crossed we don’t need to do another patch release.

## Links

[1] = https://github.com/curl/curl/issues/16236
[2] = https://daniel.haxx.se/blog/2025/02/13/curl-8-12-1/
[3] = https://hackerone.com/reports/2981245
[4] = https://github.com/openssl/openssl/pull/26683
[5] = https://youtu.be/Yr5fPxZvhOw
[6] = https://mastodon.social/@bagder/113973438175404365
[7] = https://github.com/curl/curl/discussions/16276
[8] = https://daniel.haxx.se/blog/2025/02/11/disabling-cert-checks-we-have-not-learned-much/
[9] = https://github.com/curl/curl/pull/16263


-- 

  / daniel.haxx.se

