From daniel at haxx.se Fri Jun 6 23:27:06 2025
From: daniel at haxx.se (Daniel Stenberg)
Date: Fri, 6 Jun 2025 23:27:06 +0200 (CEST)
Subject: [Daniel's week] June 6, 2025
Message-ID:

Hi friends!

Another week ended. Enjoy this post, because as mentioned below, this email series will take a pause the coming two weeks.

## Network framework

As we are closing in on the release when we will remove support for the Secure Transport TLS backend from curl, there has been increased interest in working on something that will help users use the native CA store on Apple devices.

This week started out with some first attempts in making a *Network framework* (NWF) TLS backend that can do this [1]. I had previously been told that this could be done so I figured it was mostly a matter of getting the code done, but as the embryo was laid out, it actually became disturbingly clear that NWF, the successor to Secure Transport, is not at all suitable as a TLS backend for curl.

curl manages the sockets, the name resolves and the TCP connection phase and the TLS backend needs to provide the TLS layer. NWF is simply not flexible enough to do this and does not provide the API for it. The only way it can be used is if the NWF itself is allowed to connect and do a lot of protocol things which makes it a weird alien in the curl family and would just be problematic.

I had to say NO. We cannot do a NWF TLS backend for curl. It can't be done.

The quest for getting native CA support when using TLS on Apple operating systems is not dead because of that. Another PR was created [2] that does this, among other things. While the discussion is ongoing about what exactly the PR should do and what we want from it, I believe there is hope that curl can soon get support for "native CAs" when using one of the other TLS backends.

## panel

I participated in another live-stream panel on Tuesday where we talked Open Source and security, organized by the European Open Source Academy.
I have not seen any recording of it posted yet.

## patch release

On Wednesday I did a patch release: curl 8.14.1 [3] to fix some annoying regressions in the dot-zero version. We managed to get 30+ bugs fixed, including a security vulnerability (CVE-2025-5399 [10]) in the WebSocket code.

We managed well into the Friday until we got the first regression on this version reported, and it was not a terrible one [9].

## GitHub chat

I had a quick meeting with a GitHub team to tell them how I work with GitHub and what features and workflows mean the most to me, and perhaps also which particular screens and features I never use.

## what we can't measure

I did an interview this week for a research project about Open Source funding and then I got this interesting question: when getting funded for maintaining an open source project, how do you measure that you're doing a good job? How does the funder know they're getting value from it?

Tricky question. It made me realize we don't really know if we're doing a good job in general. So I wrote up this blog post [4] about how we really can't easily tell.

## flow chart

In preparation for a blog post to come, I worked on a flow chart for how curl selects a host to connect to when doing HTTP(S) and I posted a few iterations of it to Mastodon [5]. I might tweak it a little more before I eventually make the post go public.

## switch 2

Peter Svensson on Mastodon graciously pointed out to me and the world with a lovely screenshot that curl is being used in the new Nintendo Switch 2 game console [6]. This was of course also added to the collection [7].

## national holiday

Today Friday was a Swedish holiday so I'm writing and sending this way later and probably also shorter than normal. The day was mostly spent preparing for my son's graduation party on Sunday.

## fish

This week I started to experiment with using fish [8] as my daily shell for interactive use.
I have been using bash as my daily driver for decades, but I figure it could perhaps be time for me to try something that actually helps out more with interactive shell use. So far I am quite positive, even if there are some operations and key-presses that might take a while to relearn.

## OSS CNA

We had a meeting with the OSS CNA team, the informal group of Open Source CNAs, and today me and Greg KH of the Linux kernel team could educate the others about some of the deficiencies of "package URLs" (aka "purl") [11] and how they still don't actually work to identify all and every project. Only a subset. It is not necessarily a problem - but it needs to be known and sometimes worked around.

## paused weekly emails

Since I'm taking off on vacation next week and that will go into the following week, I will not send any weekly emails the coming two weeks. You can always keep up with some of my doings anyway on Mastodon [12].

## coming up

- Wednesday: feature window opens. I'll be away for a large portion of this window so we'll see how this goes.
- Thursday: I'm taking off for a one week vacation with my family

## links

[1] = https://github.com/curl/curl/pull/17509
[2] = https://github.com/curl/curl/pull/17525
[3] = https://daniel.haxx.se/blog/2025/06/04/curl-8-14-1/
[4] = https://daniel.haxx.se/blog/2025/06/05/what-we-cant-measure/
[5] = https://mastodon.social/@bagder/114629687491020075
[6] = https://mstdn.social/@patriksvensson/114633578307776279
[7] = https://daniel.haxx.se/blog/2016/10/03/screenshotted-curl-credits/
[8] = https://fishshell.com/
[9] = https://github.com/curl/curl/issues/17545
[10] = https://curl.se/docs/CVE-2025-5399.html
[11] = https://github.com/package-url/purl-spec
[12] = https://mastodon.social/@bagder

--

 / daniel.haxx.se