[Daniel's week] June 6, 2025
Daniel Stenberg
daniel at haxx.se
Fri Jun 6 23:27:06 CEST 2025
Hi friends!
Another week ended. Enjoy this post, because as mentioned below, this email
series will take a pause the coming two weeks.
## Network framework
As we are closing the release when we will remove support for the Secure
Transport TLS backend from curl, there has been increased interest in working
on something that will help users use the native CA store on Apple devices.
This week started out with some first attempts in making a *Network framework*
(NWF) TLS backend that can do this [1]. I had previously been told that this
could be done so I figured it was mostly a matter of getting the code done,
but as the embryo was laid out, it actually became disturbingly clear that
NWF, the successor to Secure Transport, is not at all suitable as a TLS
backend for curl. curl manages the sockets, the name resolves and the TCP
connection phase and the TLS backend needs to provide the TLS layer. NWF is
simply not flexible enough to do this and does not provide the API for it. The
only way it can be used is if the NWF itself is allowed to connect and do a lot
of protocol things which makes it a weird alien in the curl family and would
just be problematic.
I had to say NO. We cannot do a NWF TLS backend for curl. It can't be done.
The quest for getting native CA support when using TLS on Apple operating
systems is not dead because of that. Another PR was created [2] that does
this, among other things. While the discussion is ongoing about what exactly
the PR should do and what we want from it, I believe there is hope that curl
can soon get support for "native CAs" when using one of the other TLS
backends.
## panel
I participated in another live-stream panel on Tuesday where we talked Open
Source and security, organized by the European Open Source Academy. I have not
seen any recording of it posted yet.
## patch release
On Wednesday I did a patch release: curl 8.14.1 [3] to do some annoying
regressions in the dot-zero version. We managed to get 30+ bugs fixed,
including a security vulnerability (CVE-2025-5399 [10]) in the WebSocket code.
We managed well into the Friday until we got the first regression on this
version reported, and it was not a terrible one [9].
## GitHub chat
I had a quick meeting with a GitHub team to tell them how I work with GitHub
and what features and work flows that mean the most to me, and perhaps also
which particular screens and features I never use.
## what we can't measure
I did an interview this week for a research project about Open Source funding
and then I got this interesting question: when getting funded for maintaining
an open source project, how do you measure that you're doing a good job? How
does the funder know they're getting value from it?
Tricky question. It made me realize we don't really know if we're doing a good
job in general. So I wrote up this blog post [4] how we really can't easily
tell.
## flow chart
In preparation for a blog post to come, I worked on a flow chart for how curl
selects a host to connect to when doing HTTP(S) and I posted a few iterations
of it to Mastodon [5]. I might tweak it a little more before I eventually make
the post go public.
## switch 2
Peter Svensson on Mastodon graciously pointed out to me and the world with a
lovely screenshot that curl is being used in the new Nintendo Switch 2 game
console [6]. This was of course also added to the collection [7].
## national holiday
Today Friday was a Swedish holiday so I'm writing and sending this way later
and probably also shorter than normal. The day was mostly spent preparing for
my son's graduation party on Sunday.
## fish
This week I started to experiment with using fish [8] as my daily shell for
interactive use. I have been using bash as my daily driver for decades, but I
figure it could perhaps be time for me to try something that actually helps
out more with interactive shell use.
So far I am quite positive, even if there are some operations and key-presses
that might take a while to relearn.
## OSS CNA
We had a meeting with the OSS CNA team, the informal group of Open Source
CNAs, and today me and Greg KH of the Linux kernel team could educate the
others about some of the deficiencies of "package URLs" (aka "purl") [11] and
how they still don't actually work to identify all and every project. Only a
subset. It is not necessarily a problem - but it needs to be known and
sometimes worked around.
## paused weekly emails
Since I'm taking off on vacation next week and that will go into the following
week, I will not send any weekly emails the coming two weeks. You can always
keep up with some of my doings anyway on Mastodon [12].
## coming up
- Wednesday: feature window opens. I'll be away for a large portion of this
window so we'll see how this goes.
- Thursday: I'm taking off for a one week vacation with my family
## links
[1] = https://github.com/curl/curl/pull/17509
[2] = https://github.com/curl/curl/pull/17525
[3] = https://daniel.haxx.se/blog/2025/06/04/curl-8-14-1/
[4] = https://daniel.haxx.se/blog/2025/06/05/what-we-cant-measure/
[5] = https://mastodon.social/@bagder/114629687491020075
[6] = https://mstdn.social/@patriksvensson/114633578307776279
[7] = https://daniel.haxx.se/blog/2016/10/03/screenshotted-curl-credits/
[8] = https://fishshell.com/
[9] = https://github.com/curl/curl/issues/17545
[10] = https://curl.se/docs/CVE-2025-5399.html
[11] = https://github.com/package-url/purl-spec
[12] = https://mastodon.social/@bagder
--
/ daniel.haxx.se