From daniel at haxx.se Fri Jun 6 23:27:06 2025
From: daniel at haxx.se (Daniel Stenberg)
Date: Fri, 6 Jun 2025 23:27:06 +0200 (CEST)
Subject: [Daniel's week] June 6, 2025
Message-ID:

Hi friends!

Another week ended. Enjoy this post, because as mentioned below, this email series will take a pause the coming two weeks.

## Network framework

As we are closing the release when we will remove support for the Secure Transport TLS backend from curl, there has been increased interest in working on something that will help users use the native CA store on Apple devices.

This week started out with some first attempts in making a *Network framework* (NWF) TLS backend that can do this [1]. I had previously been told that this could be done so I figured it was mostly a matter of getting the code done, but as the embryo was laid out, it actually became disturbingly clear that NWF, the successor to Secure Transport, is not at all suitable as a TLS backend for curl.

curl manages the sockets, the name resolves and the TCP connection phase and the TLS backend needs to provide the TLS layer. NWF is simply not flexible enough to do this and does not provide the API for it. The only way it can be used is if the NWF itself is allowed to connect and do a lot of protocol things which makes it a weird alien in the curl family and would just be problematic.

I had to say NO. We cannot do a NWF TLS backend for curl. It can't be done.

The quest for getting native CA support when using TLS on Apple operating systems is not dead because of that. Another PR was created [2] that does this, among other things. While the discussion is ongoing about what exactly the PR should do and what we want from it, I believe there is hope that curl can soon get support for "native CAs" when using one of the other TLS backends.

## panel

I participated in another live-stream panel on Tuesday where we talked Open Source and security, organized by the European Open Source Academy.
I have not seen any recording of it posted yet.

## patch release

On Wednesday I did a patch release: curl 8.14.1 [3] to do some annoying regressions in the dot-zero version. We managed to get 30+ bugs fixed, including a security vulnerability (CVE-2025-5399 [10]) in the WebSocket code.

We managed well into the Friday until we got the first regression on this version reported, and it was not a terrible one [9].

## GitHub chat

I had a quick meeting with a GitHub team to tell them how I work with GitHub and what features and work flows that mean the most to me, and perhaps also which particular screens and features I never use.

## what we can't measure

I did an interview this week for a research project about Open Source funding and then I got this interesting question: when getting funded for maintaining an open source project, how do you measure that you're doing a good job? How does the funder know they're getting value from it?

Tricky question. It made me realize we don't really know if we're doing a good job in general. So I wrote up this blog post [4] how we really can't easily tell.

## flow chart

In preparation for a blog post to come, I worked on a flow chart for how curl selects a host to connect to when doing HTTP(S) and I posted a few iterations of it to Mastodon [5]. I might tweak it a little more before I eventually make the post go public.

## switch 2

Peter Svensson on Mastodon graciously pointed out to me and the world with a lovely screenshot that curl is being used in the new Nintendo Switch 2 game console [6]. This was of course also added to the collection [7].

## national holiday

Today Friday was a Swedish holiday so I'm writing and sending this way later and probably also shorter than normal. The day was mostly spent preparing for my son's graduation party on Sunday.

## fish

This week I started to experiment with using fish [8] as my daily shell for interactive use.
I have been using bash as my daily driver for decades, but I figure it could perhaps be time for me to try something that actually helps out more with interactive shell use. So far I am quite positive, even if there are some operations and key-presses that might take a while to relearn.

## OSS CNA

We had a meeting with the OSS CNA team, the informal group of Open Source CNAs, and today me and Greg KH of the Linux kernel team could educate the others about some of the deficiencies of "package URLs" (aka "purl") [11] and how they still don't actually work to identify all and every project. Only a subset. It is not necessarily a problem - but it needs to be known and sometimes worked around.

## paused weekly emails

Since I'm taking off on vacation next week and that will go into the following week, I will not send any weekly emails the coming two weeks. You can always keep up with some of my doings anyway on Mastodon [12].

## coming up

- Wednesday: feature window opens. I'll be away for a large portion of this window so we'll see how this goes.
- Thursday: I'm taking off for a one week vacation with my family

## links

[1] = https://github.com/curl/curl/pull/17509
[2] = https://github.com/curl/curl/pull/17525
[3] = https://daniel.haxx.se/blog/2025/06/04/curl-8-14-1/
[4] = https://daniel.haxx.se/blog/2025/06/05/what-we-cant-measure/
[5] = https://mastodon.social/@bagder/114629687491020075
[6] = https://mstdn.social/@patriksvensson/114633578307776279
[7] = https://daniel.haxx.se/blog/2016/10/03/screenshotted-curl-credits/
[8] = https://fishshell.com/
[9] = https://github.com/curl/curl/issues/17545
[10] = https://curl.se/docs/CVE-2025-5399.html
[11] = https://github.com/package-url/purl-spec
[12] = https://mastodon.social/@bagder

--
 / daniel.haxx.se

From daniel at haxx.se Fri Jun 27 22:44:11 2025
From: daniel at haxx.se (Daniel Stenberg)
Date: Fri, 27 Jun 2025 22:44:11 +0200 (CEST)
Subject: [Daniel's week] June 27, 2025
Message-ID: <0s225nq7-3nn3-8581-o390-p6rsns840n0p@unkk.fr>

Hello friends.

It's been a while! Two weeks off and then I'm writing this up while on a conference trip to the Netherlands so it is a shorter-edition-than-usual this week.

## vacation

My vacation trip with the family was awesome. Sun, good food, wine, kayaking in the Mediterranean sea and spending time with people I love. Fantastic!

## NETRC

Someone emailed the libcurl mailing list and pointed out that curl does not support the NETRC environment variable when it is told to use the .netrc file, while apparently there is nowadays a range of other tools and libraries that do.

I have created an initial PR for this, but it was too late for this feature window so maybe this can get merged for 8.16.0.

## rc1

The short feature window this cycle has been closed again and I uploaded the rc1 build of the coming 8.15.0 release. So far only minor regressions have been reported on this. I suppose the fact that we did not merge very many features this time also helps reducing the risk for regressions.

## dropped TLS libs

The single but fairly big change that was merged in time before the rc1 build, was the removal of support for the TLS backends Secure Transport and BearSSL. This event has been informed about repeatedly for well over six months so it should not be a surprise to anyone, but yet I expect this to cause some raised eyebrows or even complaints when this release gets used for real out there.

We have seen some work show up on adding support for the native CA store on Apple operating system for other TLS backends so I expect that to happen in the not so distant future, and that should probably make most former users of the Secure Transport backend happy.

## Joy of Coding

I spoke at the Joy of Coding conference in the Netherlands today and it was a blast. A single-track conference with a 150 something attendees. I titled my talk "accidental world domination for fun" and talked about how curl came to be, with the angle of explaining how anyone can do Open Source and that a major part of it is to make sure to have fun doing it.

## family of forks

I have for a while felt the need to explain to interested parties what it takes to support the different OpenSSL forks in curl and a little bit about how they differentiate from each other so I wrote a blog post about it this week. Details next to no one actually needs to know or care about but now I've written them down!

## security

We have had a range of new security reports filed over the recent weeks but so far every single one of them has been found to be either just nothing to mention or just "ordinary" bugs.

Also, the number of AI slop reports seems to have died down a little. A temporary thing or a trend? We'll see.

## Coming up

- Monday curl 8.15.0-rc

## Links

Sorry, I'm on the road so I decided to not collect all the links this week. Google them.

--
 / daniel.haxx.se