[Daniel's week] January 24, 2025
Daniel Stenberg
daniel at haxx.se
Fri Jan 24 22:31:24 CET 2025
Hi friends,
I'm a little later than usual, but here's some of the stuff I worked on this
week:
## from start to end
After the sun had already set in the afternoon here in Stockholm, Sweden, I did
my brand new curl presentation I call "from start to end" [1], trying to
explain at some kind of high level what happens from when a curl command line
is entered into a shell, does its job and then exits back to the shell again.
This time I did the talk live-streamed on Twitch [2] only, and some 230
persons viewed at least part of the live-stream. Fun! The presentation is of
course now available on YouTube.
The Q&A session turned out to be unusually long as I kept getting questions
about all sorts of things around and related to curl development. I think that
part was even longer than the initial presentation itself.
## HTTPS
I continued working on HTTPS RR support for curl this week (in the background
while trying to do other things at the same time) and I have made some
progress. The idea being to get a foundational architecture in place to do
HTTPS RR resolves for all commonly used resolver solutions. When that is in
place, we can continue to work on expanding exactly what we receive and use
in the HTTPS RR fields. There's a lot of data in there.
My take is to work on the HTTPS RR support within the proper ifdefs so that we
can merge it even during the feature freeze - it is experimental and switched
off by default.
Stefan Eissing has been working on a minor HTTP version refactor in the
meantime [3]. With this also merged, we should be able to do Alt-Svc and
HTTPS RR use going forward.
Niall O'Reilly and Stephen Farrell work on implementing ECH support in curl
and elsewhere. Apparently ECH support is slowly being adopted into OpenSSL -
BoringSSL, AWS-LC and wolfSSL already have it. How to test ECH in the curl
test suite is a question [4].
## CVSS
I figured it was about time I explained the current CVSS situation for us in
the curl project so I wrote up this 1700 blog post "CVSS is dead to us" [5] on
the topic, which was then commented on and discussed a bit in my extended
circles during the week.
## CVE
We have reserved a second CVE for the pending curl release 8.12.0. This one is
also rated severity LOW by us and while annoying, is not going to burn the
world.
We have a third potential issue still under heavy discussion. We are truly
wrestling with this one for reasons I hope I can share with you in the future.
## FOSDEM
Next weekend is FOSDEM and I think I will already now decide that I will not
send a weekly email next Friday. This year I'm leaving for Brussels already
on Wednesday. I will participate in the European Open Source Awards thing on
Thursday, do an appearance on the FOSS license and security compliance tools
workshop on Friday, do my talk "Tightening every bolt" in the FOSDEM security
room on Saturday, then participate in the GitHub social on Sunday.
I think that will keep me busy. During all this my plan is to distribute as
many curl stickers as I can. This year wolfSSL does not have any booth so
there is no single physical natural place for me to base my distribution from.
I will just have to wing it. If you read this and want to help me get rid of a
few stickers at FOSDEM: if you don't manage to just find me and get one by
chance, feel free to ping me and we can arrange a handover.
## decompression
I did a cleanup of the content-encoding code [6] in which I removed support
for zlib versions older than twenty-one years and while working on this, I
noticed that we (accidentally) used enormous amounts of memory allocated for
buffers used for the gzip, brotli and zstd decompression. So I changed that.
I reduced the allocations done from 10MB to 16KB and they are no longer done
repeatedly during a transfer but are reused during the transfer's lifetime.
Doing repeated alloc/free calls in the transfer loop is something we generally
try to avoid.
As this change is quite large in terms of how much or little memory the code
now uses, I have asked people on the mailing list to perhaps perform a
performance measurement or two, just to verify that it still performs decently
[7].
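The one-bounded-buffer-reused-per-transfer pattern described above, as an added illustration in Python (not curl's C code): a streaming gzip decoder that inflates at most 16KB per step and keeps a single decompressor alive for the whole transfer, so memory stays flat regardless of body size. The sample body, the `GzipDecoder` class and its `max_total` cap are constructed for this example.

```python
import gzip
import zlib

# Constructed sample "response body": ~270 KB of repetitive text that gzips to
# roughly a kilobyte. Any gzip stream works; this one just compresses very well.
RAW_BODY = b"curl is a command line tool for transferring data with URLs\n" * 4500
GZIP_BODY = gzip.compress(RAW_BODY)

OUT_BUF_SIZE = 16 * 1024  # one 16KB output buffer, reused for the whole transfer


class GzipDecoder:
    """Streaming gzip decoder with a bounded, reused output buffer.

    Created once per transfer. Each inflate step emits at most OUT_BUF_SIZE
    bytes, so memory does not grow with the decoded body and nothing is
    reallocated per received chunk. max_total caps the decoded size (bomb guard).
    """

    def __init__(self, max_total=None):
        self.inflate = zlib.decompressobj(wbits=31)  # 31 = gzip container
        self.max_total = max_total
        self.total = 0      # decoded bytes so far
        self.peak_out = 0   # largest single inflate output, must stay <= OUT_BUF_SIZE

    def feed(self, chunk, sink):
        """Inflate one received chunk, handing decoded pieces to sink()."""
        data = chunk
        while True:
            out = self.inflate.decompress(data, OUT_BUF_SIZE)
            self.total += len(out)
            self.peak_out = max(self.peak_out, len(out))
            if self.max_total is not None and self.total > self.max_total:
                raise ValueError("decoded body exceeds %d bytes" % self.max_total)
            if out:
                sink(out)
            # Input zlib could not consume because the output limit was reached
            # comes back in unconsumed_tail; keep inflating until it is drained.
            # A full buffer with an empty tail may still hold pending output.
            data = self.inflate.unconsumed_tail
            if not data and len(out) < OUT_BUF_SIZE:
                return


def decode_transfer(gzipped, recv_size=1400, max_total=None):
    """Feed a gzip body to one decoder in recv_size pieces; returns (body, decoder)."""
    decoder = GzipDecoder(max_total=max_total)
    pieces = []
    for off in range(0, len(gzipped), recv_size):
        decoder.feed(gzipped[off:off + recv_size], pieces.append)
    return b"".join(pieces), decoder
```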
## HAPPY
There's a new IETF working group being set up called HAPPY ("Heuristics and
Algorithms to Prioritize Protocol deploYment"). It is set to work on a revised
Happy Eyeballs specification, a version three.
I sent an email there elaborating on the problems applications can have when
introducing support for additional DNS records while using getaddrinfo, and
the problems of replacing getaddrinfo [8]. In my head this is common
knowledge. A problem with "common knowledge" is of course that it is not
always as common as one would think.
## 106
This week I got confirmation from a customer who successfully built curl for
the RTOS called PikeOS. I mentioned this on Mastodon, showing my updated brag
slide with 105 named operating systems that have run curl. It did not take
long until someone mentioned one that was missing, and now it lists 106
[9].
## CRA
I have been asking questions about CRA and tried to generally help out to
slowly build this FAQ about CRA for Open Source projects in the cra-hub
repository [10]. This is a significant law for software developers in Europe
and certainly so for Open Source developers as well so there are certainly a
lot of questions we want to find answers to.
## Coming up
- the FOSDEM extended weekend
- the pending curl release the week immediately following FOSDEM
## Links
[1] = https://daniel.haxx.se/blog/2025/01/16/presentation-curl-from-start-to-end/
[2] = https://www.twitch.tv/curlhacker
[3] = https://github.com/curl/curl/pull/16066
[4] = https://curl.se/mail/lib-2025-01/0058.html
[5] = https://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/
[6] = https://github.com/curl/curl/pull/16079
[7] = https://curl.se/mail/lib-2025-01/0073.html
[8] = https://mailarchive.ietf.org/arch/msg/happy/VBG3L8fDEej71sn7SquNufQFyTM/
[9] = https://mastodon.social/@bagder/113867279340075436
[10] = https://github.com/orcwg/cra-hub
--
/ daniel.haxx.se