[Daniel's week] July 11, 2025
Daniel Stenberg
daniel at haxx.se
Fri Jul 11 23:08:52 CEST 2025
Hello again,
A week ends and an email is sent! I did things...
## graphs
This week involved so much work on new graphs that I ended up spending a whole blog
post talking about them and the data that is now visible in them [1].
What has turned out to be a really productive way for me to make these new
graphs is this way: Once I think of a new way to illustrate something in the
curl project I make a first attempt and post it on Mastodon. People then react
to that, ask questions and bring excellent suggestions and I can iterate,
polish, post updated versions and polish my scripts. It's fun too!
Illustrating data in an image often takes some extra laps and wrestling until
it gets good.
## memory limits
I spent time and effort adding a new way to test for and verify memory use in
curl and libcurl. This too ended up a separate blog post [2].
## security
This week we received no less than six security reports for us on HackerOne.
Six reports that all ended up closed as not applicable. We ended up marking
one of them as AI slop [3], which has now grown the slop list [4] to twenty
entries.
The report that possibly raised the most eyebrows this week was still probably
this [11]: "Arbitrary File Read via file:// Protocol in cURL".
## rc3
I put together the third release candidate [5] of curl 8.15.0 on Wednesday
without much noise - no particular regression has been reported so far. We are now
preparing for the actual release to ship next week.
## CRA questions
The fact that manufacturers of digital services and products within the EU
need to have better control of and insist on better quality from their
dependencies has kept me dreaming of companies either paying for that or
contributing otherwise to enforce and improve the Open Source ecosystem.
Today I received my first email [7] asking me to provide a lot of information
to a big enterprise on behalf of their work to comply with the CRA.
## old TLS
One of the HackerOne issues this week insisted that curl allowing TLS v1.0 is
a security problem [8] and while I'm not willing to go that far, it might be time
to at least make sure that curl selects 1.2 as the minimum version by default
[9]. I started working on a PR for this [10].
## release
As there is a release next week I have started to put together the release
presentation slides for the video, and I have taken the very important "release
photo" with my wooden tiles, so I am slowly starting to get ready.
For a brief moment we managed to get all the way down to just five open issues for
curl on GitHub, and there are fewer than twenty pull-requests open right now
that are *not* marked feature-window. The feature-window ones can only be
merged during an open feature window and that opens 10 days after the release
if things go smoothly.
After the release next week I will take some vacation again so I probably will
not do an email next week and probably not the week after either.
## QNX
It was pointed out to me that the curl for QNX release [6] was not in sync
with the latest curl release, but now it is!
## CI=true
A proposal was made that curl should automatically assume a set of options if
the environment variable `CI` is set [12]. Apparently there are now tools
doing that and there are arguments to do so. Personally I'm skeptical, and I'm
not alone, but the discussion is ongoing.
## curl_multi_getinfo()
Stefan Eissing brought this proposal to introduce a new libcurl API call to
provide information to applications from a libcurl multi handle [13]. This
interface is commonly used for doing multiple concurrent transfers in a
non-blocking fashion and over the years people have occasionally wanted to
extract information from it.
I think the idea has merit. What immediately was brought up was how to design
the API: the established "libcurl style", or something different that might
offer better type safety.
## Coming up
- Wednesday: curl 8.15.0. Let's make it the best curl release ever
- Wednesday: the curl release video
- Thursday: assuming no major regressions, I'm vacationing
## Links
[1] = https://daniel.haxx.se/blog/2025/07/10/more-views-on-curl-vulnerabilities/
[2] = https://daniel.haxx.se/blog/2025/07/08/keeping-tabs-on-curls-memory-use/
[3] = https://hackerone.com/reports/3242005
[4] = https://gist.github.com/bagder/07f7581f6e3d78ef37dfbfc81fd1d1cd
[5] = https://curl.se/rc/
[6] = https://curl.se/qnx/
[7] = https://daniel.haxx.se/blog/2025/07/11/cybersecurity-risk-assessment-request/
[8] = https://hackerone.com/reports/3246519
[9] = https://curl.se/mail/lib-2025-07/0007.html
[10] = https://github.com/curl/curl/pull/17894
[11] = https://hackerone.com/reports/3242087
[12] = https://github.com/curl/curl/discussions/17838
[13] = https://github.com/curl/curl/discussions/17870
--
/ daniel.haxx.se || https://rock-solid.curl.dev