[Daniel's week] February 28, 2025

Daniel Stenberg daniel at haxx.se
Fri Feb 28 15:50:33 CET 2025 

Hello,

Another work week ends.

## Commute / Awards

I decided it was about time I did a new video about my “commute” to work[^1], so I uploaded one to YouTube on Saturday. I did my first commute video when I started working for Mozilla back in 2014 and then a follow-up when I joined wolfSSL in 2019\. I figured it was just about time to do a third. As can be seen in the video, not a lot looks different eleven years after that first one.

Later in the week I did another shortie, when I showed off my small award collection[^2].

I suppose it was because I made them portrait mode and that they are in the two minute range that made them appear as “YouTube shorts” rather than normal videos.

## Distro meeting

We have set a date for another curl distro meeting[^3]: April 10\. A two-hour video meeting with curl developers and package maintainers who package curl for distros, operating systems and the likes. We had such a meeting last year and I think we got some really nice outcomes from that, so we do it again. Anyone is invited who feels this is a subject they care about. There is a wiki page in which you can add your name if you feel like it, or suggestions for topics you would like to have brought up. Last year we had 20+ attendees joining.

## Feature window

The curl feature window opened and we started merging features and changes for the pending release. As I write this we have few new things already in master and we have a few more that are contenders to also get there. I myself have something, as I will describe below.

## Web traffic

Every once in a while I skip over to the management interface to Fastly CDN for the curl website and I check the state of things. This time around I noticed that the bandwidth use has yet again increased a little since the last time I looked, and this time I dug a little deeper to figure out for example how many curl downloads such a bandwidth use might equal. To my surprise, the larger part of the bandwidth spend is not used for curl downloads but on other things. I blogged about it[^4].

## httpget 0.2

My good old friend Kjell Ericson mailed me this week with a finding. He had accidentally fallen over an email that I sent to him on January 17, 1997 and it contained the httpget 0.2 source code.

I had previously believed all those early source code versions had been lost so I was happy to get this as the new oldest httpget source I have. It is obviously a little tampered with, but it is close to the original one. I created a httpget repository[^5] on GitHub to show off some httpget releases. While at it, I also made one for httpget’s successor urlget[^6].

Fun math: httpget 0.2 was 110 lines of code, 30 lines of comments. curl is right now about 174,854 lines of product code, not counting blank lines but comments.

That makes it 1248 times larger over 28 years. That number equals a steady growth of 29% per year for 28 years. The math: 140\*1.29^28 \= 174839\. Fascinating.

## New cookie proposals

While we are waiting for the 6265bis draft to show up as a new cookie RFC, Yoav Weiss proposed a new cookie twist: a \_HttpOnly prefix[^7]. I have not really come up with my own take on this idea but have mostly seen the discussion continue and it feels like this is something several people want to see. It seems like a feature we could implement in curl quite easily if this proposal gets adopted.

Yoav also has a second cookie related proposal that also continues to be debated on the httpbis mailing list, and that is for a Delete-Cookie header[^8]. This is functionality that we probably don’t even need to implement in curl as it is “just” a matter of sending the correct header to a server and curl already allows that perfectly fine.

In the midst of these discussions, someone drew a wrong conclusion about the cookie syntax based on faulty reading of the cookie spec, and I could not resist being “that guy” so I highlighted this fact: by documenting the cookie syntax in two places in the spec \- and they are even documented to be different \- readers are easily tricked into finding one of them and thinking then that they have learned the cookie syntax. When the second place explaining the syntax is required reading to get the full picture. I am clearly not on the winning team in that particular debate.

## wcurl

Samuel shipped a new wcurl release[^9] this week. They use date based versioning so this one is called v2025.02.24.

## QUERY

The proposal for a new HTTP method called QUERY[^10] is still alive and well. QUERY is proposed to be an alternative to POST: a safe, idempotent request method that can carry request content,

I have already since a while back been thinking about what we need to do in curl to support QUERY nicely and properly when it becomes reality, and this week I started a discussion[^11] about it. Of course, most of the real plumbing for this and where we need some tweaking is of course in libcurl and not in the curl tool.

## FOLLOWLOCATION

We want to allow users to use QUERY tomorrow just as convenient as they use normal POSTs today; when using the command line tool as well as when using libcurl. To make sure this is true, I have realized that we need to offer some new tweaks related to redirect-follows with custom methods. The way we do them now is a bit limited and it will probably not be good enough going forward.

Two years ago I worked on a proposal that offered an alternative take on redirects with custom methods, and I even had my old git branch left dangling in my source code tree\! Too much had happened to make a rebase practical, so I instead brought the concept and spirit of that patch into the current source code and wrote up a pull-request[^12]. After some deliberating, this patch now offers *two* new redirect-following modes to better allow users to tell curl exactly how to do custom request methods in combinations with redirects. I have not received much feedback on this PR yet and with only one week left of the feature window I am not sure if I should move to merge this or wait for more feedback. Tricky.

## thenewstack

This site did a pretty slick write up[^13] about my FOSDEM 2025 talk on how we secure curl.

## Release candidates

As an attempt to maybe discover regressions earlier, we are introducing release candidates into the curl release cycle[^14]. Ideally, hopefully, this will get some more people to try out code that is about to ship in a pending release. It is a bit of an experiment and test, but one I think is worthy to at least give a try for a few years.

## Coming up

- curl roadmap 2025 webinar on Thursday[^15] 
- final week of curl’s feature window before freeze

[^1]:  https://youtube.com/shorts/xKylJYScl0Q

[^2]:  https://youtube.com/shorts/M7a6-z2Ydhg

[^3]:  https://daniel.haxx.se/blog/2025/02/24/a-second-curl-distro-meeting-2025/

[^4]:  https://daniel.haxx.se/blog/2025/02/22/curl-website-traffic-feb-2025/

[^5]:  https://github.com/curl/httpget

[^6]:  https://github.com/curl/urlget

[^7]:  https://yoavweiss.github.io/httponly\_prefix/draft-httponlyprefix-weiss-http.html

[^8]:  https://yoavweiss.github.io/delete-cookie/draft-deletecookie-weiss-http.html

[^9]:  https://github.com/curl/wcurl/releases/tag/v2025.02.24

[^10]:  https://www.ietf.org/archive/id/draft-ietf-httpbis-safe-method-w-body-08.html

[^11]:  https://curl.se/mail/archive-2025-02/0010.html

[^12]:  https://github.com/curl/curl/pull/16473

[^13]:  https://thenewstack.io/curls-daniel-stenberg-on-securing-180000-lines-of-c-code/

[^14]:  https://daniel.haxx.se/blog/2025/02/28/adding-curl-release-candidates/

[^15]:  https://daniel.haxx.se/blog/2025/02/25/the-curl-roadmap-webinar-2025/

-- 

  / daniel.haxx.se

More information about the daniel mailing list