[Daniel's week] January 3, 2025

Daniel Stenberg daniel at haxx.se
Fri Jan 3 16:27:59 CET 2025


Hello friends.

Welcome to a new year. With more emails.

## new year

Another week with some extra slow days.

As we bump the year counter we also reset a lot of counters that now start
over from zero. Among the conclusions for 2024 is that we had 155 unique
commit authors in curl during the year [2], which was fewer than the previous
three years. This, while we had more commits done in the project than any
other previous year. Last year's 188 unique authors in a single year remains
the project record.

One theory for the lower number this year is that when the general project
activity goes up, it might make some users less likely to contribute. Another
is that when key maintainers are highly active themselves, maybe they are less
good at helping and adopting changes from newcomers.

## return values

When I was helping out a user this week, I fell over some inadequate return
code documentation for some libcurl options, which then made me go through
almost *every* single manpage for libcurl functions and options and update the
texts for what they return. I updated close to five hundred documents and now
they at least speak a little more and link the appropriate page that lists
more info.

After this update we are at 97,000 lines of documentation in the docs/ folder.

## webinar next week

On Thursday January 9, I will do another run of my "getting started with
libcurl" webinar [1]. As always, it's entirely free - over Zoom.

I will go through the basic APIs and their concepts. How to get started in doing
internet transfers. You will discover that it is straightforward or even
downright easy.

As always I also do a Q&A at the end. A perfect chance to ask me any and all
libcurl API related questions you might have.

## graph comparisons

In the curl dashboard I render several graphs that are just one plot compared
with another - like for example how many lines of documentation we have per
KLOC, one thousand lines of source code [3]. This week I polished the script
that makes that comparison operation so that the generated output would get
more and more accurate data points. I doubt anyone will actually spot the
differences, but if you reload an old vs a new render the differences are
certainly visible.

## infrastructure

One of the few remaining details in the curl project that is not meticulously
documented already is the infrastructure. The services, machines and related
stuff that we use and depend on to run a smooth operation.

I decided to give it a first shot and created a PR to get the ball rolling
[4].

## security

The curl project received its 500th report on HackerOne this week and
unfortunately we had to agree with the reporter that it was indeed pointing
out a legitimate security issue. We joked that we would now have the chance to
get a *-0001 CVE, but even though Jim Fuller submitted the CVE Id request in
the early hours of January 1st, the CVE Id we got was CVE-2025-0167.

(There were a little over 40,000 CVEs registered last year, making some 110
CVEs per day on average, so it seems unlikely that 167 "real" CVEs actually
were registered within just the first few hours on a date that many people are
not working on.)

We rate this new issue as severity LOW and it will be published in sync with
our pending release already planned to ship on February 5. And as usual we do
not set a CVSS score for the vulnerability but instead wait for the world to
trip itself up later when doing it.

On the topic of security, we have also recently had a single user ask about
in-depth details for several past CVEs on the mailing list. While it is
important and worthwhile to have accurate info about security vulnerabilities,
there is also a limit to how much effort and energy we can spend on
archaeology. For issues that are older than perhaps a few years, I think you
need to really put up a strong motivation for us to work hard to go back and
"relive".

## Coming up

- Two weeks left of the curl feature window
- libcurl Webinar on Thursday

## Links

[1] = https://us02web.zoom.us/webinar/register/4216747720523/WN_2Yazx8c5THuav0P2JTc2Zw#/registration
[2] = https://curl.se/dashboard1.html#authors-per-year
[3] = https://curl.se/dashboard1.html#lines-per-docs
[4] = https://github.com/curl/curl/pull/15906



-- 

  / daniel.haxx.se

