From daniel at haxx.se Fri Jul 4 23:01:27 2025
From: daniel at haxx.se (Daniel Stenberg)
Date: Fri, 4 Jul 2025 23:01:27 +0200 (CEST)
Subject: [Daniel's week] July 5, 2025
Message-ID: <30r0s3ps-n06r-9nnq-65q0-n6ns0sspnrrs@unkk.fr>

Hi,

The weeks just continue to pass by.

## rc2

I packaged and published the second release candidate [1] for the coming curl 8.15.0.

curl now ships a little tweak we did that makes libcurl now generate more output using uppercase hexadecimal numbers for percent encoding - consistently, where it previously would sometimes use lowercase. This change caused a minor problem in the trurl project which runs tests using these libcurl APIs and compares the output case insensitively, and now a few of those tests fail with the latest libcurl.

No other particular regression has been mentioned.

## survey

It was already a while since the curl user survey 2025 was performed, but due to life and commitments I did not start my analysis of it until this week. I spent a good chunk of this week on the task and published the full thing on Thursday [2], with follow-up polish done on Friday. 60+ graphs, lots of numbers, and lots of user feedback.

I also started a separate but related project: I converted the entire survey form into a set of markdown files with all the questions and their alternatives, with the hope and intent to allow anyone who wants to, to participate and help out getting it done, polished and improved for next year [3]. I started already by removing a few questions I think don't work very well and by adding more alternatives to some questions. Feel free to dig in and help out!

Ideally, we can find a system to automatically convert these markdown files into something we can import directly into some form/survey site that can then host them and collect the answers in 2026. A secondary idea with this move being to avoid using Google for that - at the request of many users.
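The percent-encoding change described under rc2 above (uppercase hex in every escape, and a downstream test suite that compared encoded output and broke) is a small canonicalization problem. The following is an added Python example, not code from curl, libcurl or trurl: it encodes with uppercase hex, case-normalizes only the hex digits of `%xx` escapes as RFC 3986 section 6.2.2.1 describes, and compares two encoded strings on that basis. The sample strings are constructed; the function names are this example's own.

```python
import re
from urllib.parse import quote

# One %xx escape; the hex digits match in either case (RFC 3986 section 2.1).
_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def percent_encode(text: str) -> str:
    """Encode a single component with uppercase hex in every escape.

    urllib.parse.quote() already emits uppercase hex, matching the behaviour
    the rc2 note describes for libcurl; safe="" makes "/" get encoded too.
    """
    return quote(text, safe="")


def normalize_escapes(encoded: str) -> str:
    """Uppercase only the hex digits inside %xx escapes (RFC 3986 section 6.2.2.1).

    Text outside an escape is left untouched: "%2fAdmin" becomes "%2FAdmin",
    because "Admin" is real path text whose case may matter to the server.
    """
    return _ESCAPE.sub(lambda m: "%" + m.group(1).upper(), encoded)


def has_lowercase_escapes(encoded: str) -> bool:
    """True if any escape still uses lowercase hex (output from the older behaviour)."""
    return any(m.group(1) != m.group(1).upper() for m in _ESCAPE.finditer(encoded))


def same_encoding(a: str, b: str) -> bool:
    """Compare two encoded strings treating %2f and %2F as equal, and nothing else."""
    return normalize_escapes(a) == normalize_escapes(b)


if __name__ == "__main__":
    # Constructed sample: lowercase escapes, as older libcurl output could contain.
    old_style = "%2ftmp%2f%c3%bcber%20file"
    new_style = percent_encode("/tmp/über file")
    print(new_style, has_lowercase_escapes(old_style))
    print("escape-normalized equal:", same_encoding(old_style, new_style))
    # Whole-string case folding is the wrong fix for a test suite: it also
    # equates two different paths, which escape normalization does not.
    print("%2fadmin".lower() == "%2fAdmin".lower(), same_encoding("%2fadmin", "%2fAdmin"))
```

The point for a test suite (or any component that compares URLs): normalize the escapes, then compare exactly. Lowercasing the whole string hides real differences in the unescaped text.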
## --longopt=value

In an attempt to make the curl command line parser act perhaps a little more similar to how other tools work, I have a proposal in the works [4] that makes curl add support for accepting arguments to long options with an equals sign, like in `--longopt=value` for the version that today has to be written `--longopt value`.

An idea is to merge this improvement but not push for this format and not use it much in documentation for the moment, because using this format makes the command line only work with curl versions >= 8.16.0. It's better to wait a while until the format has been supported for multiple versions before we start making some noise about it.

## --out-null

Stefan Eissing discovered when running performance tests that removing the actual writing part from curl, even when it writes everything to `/dev/null`, could improve things up to 15%. This, combined with the repeated requests in the survey to offer a shortcut (that is portable) for `-o /dev/null`, made him write up a pull-request and propose `--out-null` [5]. The exact option name is now being bike-shedded. Join in!

## EUSTF

I received and reviewed a pending proposal for creating an EU-wide version of the German Sovereign Tech Agency, called EU-STF in the document. I'm casually positive and give my virtual thumbs-up. I'll write some more later when this paper goes public.

## EOSA invitations

This week emails went out to a few selected awesome people, inviting them to become members of the European Open Source Academy [6].

## slop

I put together a list of all the AI slop security vulnerability reports we have received so far for curl, submitted via HackerOne [7]. For posterity, perhaps education and quite frankly, for the fun.

We have also updated the curl vulnerability disclosure policy to clearly state that ALL security reports should be disclosed and made public - not only those that actually identified legitimate problems. In the name of transparency and to better show the world what we do and work with.

## joy of talking

Last week I spoke at the lovely Joy of Coding conference in Rotterdam, and this week the video recording of that was published [8]. To readers of this email, I don't think the talk reveals a lot of news - it was basically a mashup of previous talks I have made. Like I suppose most talks are...

## test bundles

I might have forgotten to mention this before, but an interesting change that we have merged in curl during the last few weeks is Viktor Szakats' huge work to bundle all the libcurl tests, unit tests and test servers into single binaries. This way, instead of building hundreds of separate stand-alone executables we instead build only a handful. This approach shortens the build time significantly, and yet the impact on the code and use was almost invisible.

This is of course good news to all of us who build curl and its test suite frequently, but it also makes our CI jobs finish faster, which of course is much appreciated by everyone who submits pull-requests.

## Coming up

- Wednesday: curl 8.15.0-rc3 day. One week before the real release

## Links

[1] = https://curl.se/rc/
[2] = https://daniel.haxx.se/blog/2025/07/03/curl-user-survey-2025-analysis/
[3] = https://github.com/curl/user-survey
[4] = https://github.com/curl/curl/pull/17789
[5] = https://github.com/curl/curl/pull/17800
[6] = https://europeanopensource.academy/
[7] = https://gist.github.com/bagder/07f7581f6e3d78ef37dfbfc81fd1d1cd
[8] = https://gist.github.com/bagder/07f7581f6e3d78ef37dfbfc81fd1d1cd

-- 

 / daniel.haxx.se

From daniel at haxx.se Fri Jul 11 23:08:52 2025
From: daniel at haxx.se (Daniel Stenberg)
Date: Fri, 11 Jul 2025 23:08:52 +0200 (CEST)
Subject: [Daniel's week] July 11, 2025
Message-ID: <2sq0r593-501o-sr16-9039-4r79r9q16n0p@unkk.fr>

Hello again,

A week ends and an email is sent! I did things...
## graphs

This week saw so much work on new graphs that I ended up spending a whole blog post talking about them and the data that is now visible in them [1].

What has turned out to be a really productive way for me to make these new graphs is this: once I think of a new way to illustrate something in the curl project I make a first attempt and post it on Mastodon. People then react to that, ask questions and bring excellent suggestions, and I can iterate, polish, post updated versions and polish my scripts. It's fun too! Illustrating data in an image often takes some extra laps and wrestling until it gets good.

## memory limits

I spent time and effort adding a new way to test for and verify memory use in curl and libcurl. This too ended up a separate blog post [2].

## security

This week we received no less than six security reports for us on HackerOne. Six reports that all ended up closed as not applicable. We ended up marking one of them as AI slop [3], which now grew the slop list [4] to twenty entries long.

The report that possibly raised the most eyebrows this week was still probably this [11]: "Arbitrary File Read via file:// Protocol in cURL".

## rc3

I put together the third release candidate [5] of curl 8.15.0 on Wednesday without much noise - no particular regression was reported so far. We are now preparing for the actual release to ship next week.

## CRA questions

The fact that manufacturers of digital services and products within the EU need to have better control of and insist on better quality from their dependencies has kept me dreaming of companies either paying for that or contributing otherwise to enforce and improve the Open Source ecosystem. Today I received my first email [7] asking me to provide a lot of information to a big enterprise on behalf of their work to comply with the CRA.
## old TLS

One of the hackerone issues this week insisted that curl allowing TLS v1.0 is a security problem [8] and while I'm not willing to go that far, it might be time to at least make sure that curl selects 1.2 as the minimum version by default [9]. I started working on a PR for this [10].

## release

As there is a release next week I have started to put together the release presentation slides for the video, I have taken the very important "release photo" with my wooden tiles and am slowly starting to get ready.

For a brief moment we managed to get all the way down to just five open issues for curl on GitHub, and there are less than twenty pull-requests open right now that are *not* marked feature-window. The feature-window ones can only be merged during an open feature window and that opens 10 days after the release if things go smoothly.

After the release next week I will take some vacation again so I probably will not do an email next week and probably not the week after either.

## QNX

It was pointed out to me that the curl for QNX release [6] was not in sync with the latest curl release, but now they are!

## CI=true

A proposal was made that curl should automatically assume a set of options if the environment variable `CI` is set [12]. Apparently there are now tools doing that and there are arguments to do so. Personally I'm skeptical and I'm not alone, but the discussion is going on.

## curl_multi_getinfo()

Stefan Eissing brought this proposal to introduce a new libcurl API call to provide information to applications from a libcurl multi handle [13]. This interface is commonly used for doing multiple concurrent transfers in a non-blocking fashion and over the years people have occasionally wanted to extract information from it. I think the idea has merit. What immediately was brought up was how to design the API: the established "libcurl style" or something different that might offer better type safety.

## Coming up

- Wednesday: curl 8.15.0. Let's make it the best curl release ever
- Wednesday: the curl release video
- Thursday: assuming no major regressions, I'm vacationing

## Links

[1] = https://daniel.haxx.se/blog/2025/07/10/more-views-on-curl-vulnerabilities/
[2] = https://daniel.haxx.se/blog/2025/07/08/keeping-tabs-on-curls-memory-use/
[3] = https://hackerone.com/reports/3242005
[4] = https://gist.github.com/bagder/07f7581f6e3d78ef37dfbfc81fd1d1cd
[5] = https://curl.se/rc/
[6] = https://curl.se/qnx/
[7] = https://daniel.haxx.se/blog/2025/07/11/cybersecurity-risk-assessment-request/
[8] = https://hackerone.com/reports/3246519
[9] = https://curl.se/mail/lib-2025-07/0007.html
[10] = https://github.com/curl/curl/pull/17894
[11] = https://hackerone.com/reports/3242087
[12] = https://github.com/curl/curl/discussions/17838
[13] = https://github.com/curl/curl/discussions/17870

-- 

 / daniel.haxx.se || https://rock-solid.curl.dev
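The "old TLS" section of the July 11 email discusses making TLS 1.2 the default minimum version. The following is an added example of what that policy looks like when an application owns the TLS configuration itself, written against Python's standard `ssl` module; it is not curl or libcurl code and does not show curl's own option for this. It sets the floor on the context (so TLS 1.0 and 1.1 are refused at the handshake) and adds a post-handshake check on the negotiated version string for cases where the context came from elsewhere. All function and constant names are this example's own.

```python
import ssl

# Policy floor, mirroring "1.2 as the minimum version by default" (assumption:
# Python's ssl module stands in here for the client whose defaults are discussed).
MINIMUM_TLS = ssl.TLSVersion.TLSv1_2

# Every protocol version the enum knows, oldest first, for policy reports.
ALL_VERSIONS = (
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
)

# Strings as returned by SSLSocket.version() / SSLObject.version(), mapped to the enum.
_VERSION_BY_NAME = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def hardened_client_context() -> ssl.SSLContext:
    """Client context that will not negotiate anything older than MINIMUM_TLS.

    create_default_context() already gives certificate verification and hostname
    checking; minimum_version is the supported replacement for the OP_NO_TLSv1*
    option bits and is enforced by the TLS library during the handshake.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = MINIMUM_TLS
    return ctx


def rejected_versions(ctx: ssl.SSLContext, offered):
    """Subset of `offered` TLSVersion values that `ctx` would refuse.

    TLSVersion is an IntEnum whose values are the wire protocol numbers
    (0x0300 for SSLv3 up to 0x0304 for TLS 1.3), so "<" means "older than".
    """
    return [v for v in offered if v < ctx.minimum_version]


def negotiated_version_ok(name: str) -> bool:
    """Second line of defence: check the string from SSLSocket.version().

    Intended for code that is handed a context it did not build. Unknown or
    unparseable names are refused rather than waved through.
    """
    version = _VERSION_BY_NAME.get(name)
    return version is not None and version >= MINIMUM_TLS


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("floor:", ctx.minimum_version.name)
    print("refused at handshake:", [v.name for v in rejected_versions(ctx, ALL_VERSIONS)])
    for negotiated in ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"):
        print(negotiated, "accepted" if negotiated_version_ok(negotiated) else "rejected")
```

Setting the floor on the context is the part that actually prevents a downgrade; the string check only catches a misconfigured context after the fact, which is still useful as an assertion in tests or at connection setup.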