[Daniel's week] July 5, 2025

Daniel Stenberg daniel at haxx.se
Fri Jul 4 23:01:27 CEST 2025 

Hi,

The weeks just continue to pass by.

## rc2

I packaged and published the second release candidate [1] for the coming curl
8.15.0.

curl now ships a little tweak we did that makes libcurl now generate more
output using uppercase hexidecimal numbers for percent encoding -
consistently, where it previously would sometimes use lowercase. This change
caused a minor problem in the trurl project which run tests using these
libcurl APIs and compares the output case insenensitively and now a few of
those tests fail with the latest libcurl.

No other particular regression has been mentioned.

## survey

It was already a while since the curl user survey 2025 done performed but due
to life and commitments I did not start my analysis of it until this week. I
spend a good chunk of this week on the task and published the full thing on
Thursday [2], with follow-up polish done on Friday. 60+ graphs, lots of
numbers, and lots of user feedback.

I also started a separate but related project: I converted the entire survey
form into a set of markdown files which all the questions and their
alternatives with the hope and intent to allow anyone who wants to, to
participate and help out getting it done, polished and improved for next year
[3].

I started already by removing a few questions I think don't work very well and
by adding more alternatives to some questions. Feel free to dig in and help
out! Ideally, we can find a system to automatically convert this markdown
files into something we can import directly into some form/survey site that
can then host them and collect the answers in 2026. A secondary idea with this
move being to avoid using Google for that - at the request of many users.

## --longopt=value

In an attempt to make the curl command line parser act perhaps a little more
similar to how other tools work, I have a proposal in the works [4] that makes
curl add support for accepting arguments to long options with an equals sign,
like in `--longopt=value` for the version that today has to be written
`--longopt value`.

An idea is to merge this improvement but not push for this format and not use
it much in documentation for the moment, because using this format makes the
command line only work with curl versions => 8.16.0. It's better to wait a
while until the format has been supported for multiple versions before we
start making some noise about it.

## --out-null

Stefan Eissing discovered when running performance tests that removing the
actual writing part from curl, even when it writes everything to `/dev/null`
could improve things up to 15%. This, combined with the repeated requests in
the survey to offer a shortcut (and is portable) for `-o /dev/null` made him
write up a pull-request and propose `--out-null` [5].

The exact option name is now being bike-shedded. Join in!

## EUSTF

I received and reviewed a pending proposal for creating an EU-wide version of
the German Sovereign Tech Agency, called EU-STF in the document. I'm casually
positive and give me virtual thumbs-up. I'll write some more later when this
paper goes public.

## EOSA invitations

This week emails went out to a few selected awesome people, inviting them to
become members of the European Open Source Academy [6].

## slop

I put together a list of all the AI slop security vulnerability reports we
have received so far for curl, submitted via HackerOne [7]. For posterity,
perhaps education and quite frankly, for the fun.

We have also updated the curl vulnerability disclosure policy to clearly state
that ALL security reports should be disclosed and made public - not only those
that actually identified legitmate problems. In the name of transparency and
to better show the world what we do and work with.

## joy of talking

Last week I spoke at the lovely Joy of Coding conference in Rotterdam, and
this week the video recording of that was published [8]. To readers of this
email, I don't think the talk reveals a lot of news - it was basically a
mashup of previous talks I have made. Like I suppose most talks are...

## test bundles

I might have forgot to mention this before, but an interesting change that we
have merged in curl during the last few weeks is Viktor Szakats huge work to
bundle all the libcurl tests, unit tests and test servers into single
binaries. This way, instead of building hundreds of separate stand-alone
executables we instead build only a handful. This approach shortens the build
time significantly, and yet the impact on the code and use was almost
invisible. This is of course good news to all of us who build curl and its
test suite frequently, but it also makes our CI jobs finish faster which of
course is much appreciated by everyone who submits pull-requests.

## Coming up

- Wednesday: curl 8.15.0-rc3 day. One week before the real release

## Links

[1] = https://curl.se/rc/
[2] = https://daniel.haxx.se/blog/2025/07/03/curl-user-survey-2025-analysis/
[3] = https://github.com/curl/user-survey
[4] = https://github.com/curl/curl/pull/17789
[5] = https://github.com/curl/curl/pull/17800
[6] = https://europeanopensource.academy/
[7] = https://gist.github.com/bagder/07f7581f6e3d78ef37dfbfc81fd1d1cd
[8] = https://gist.github.com/bagder/07f7581f6e3d78ef37dfbfc81fd1d1cd

-- 

  / daniel.haxx.se

More information about the daniel mailing list