[Daniel's week] May 16, 2025
Daniel Stenberg
daniel at haxx.se
Fri May 16 17:32:53 CEST 2025
Hello,
I stayed busy this week as well.
## security
We received no less than four HackerOne reports this week and of course each
of them takes time and energy to research and assess. Only one of them was AI
slop this time, but none of the others were, after lots of scrutiny, ultimately
found to be a security vulnerability. The AI one of course made me ban the
reporter at once.
Two of them did however make us fix related bugs.
## AI guidelines
To better communicate our policies and guidelines when it comes to using AI in
curl, to report bugs, do pull requests or just as a translation tool, I wrote
up some basics early this week. They were then polished, rephrased and cleaned
up thanks to several contributors over several days until I merged it on
Thursday, and now it is available on the curl website [3].
The guidelines don't outright ban AI use because I don't think we can and I
don't think it benefits us. They instead give clear guidelines on how to
approach AI when using such tools when contributing. And they mention that we
will ban abusers. I trust most people find them agreeable.
## rc2
I put together and uploaded the curl 8.14.0-rc2 build [4] on Monday. It had
most of my rather large curlx refactors (mentioned in last week's email)
included so I was a little wary of the regression risk. But no, not a single
report on a regression from this one - which of course is either a good sign
that things work correctly or a sign that rc2 hasn't been tested enough.
## trurl 0.16.1
While trurl development has been slow for a while we had collected a few
bugfixes and it was in particular a recent segfault that triggered me to put
together a patch release this week. I shipped trurl 0.16.1 [5] on Monday.
Not too surprisingly, we had some new issues showing up probably triggered by
that event, so I am expecting us to maybe collect issues and fixes for another
few weeks or something and then do it again.
## non-ascii in git
The problem with smuggling in look-alike characters in pull-requests using
Unicode was brought up recently and GitHub is not providing any good ways to
find and combat this problem I think. I have mentioned it to them but I got
virtually no response at all.
Instead of writing many lines in this email about this challenge, I wrote up a
blog post [6].
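As an added illustration of the kind of check a reviewer or CI job can run for this (example code written for this page, not curl's own script and not taken from the blog post): it walks every character of a file, flags anything that is not printable ASCII, and separately labels invisible or text-reordering code points (bidi overrides, zero-width characters, BOM) that can hide a change from someone reading the diff. The sample C text with a Cyrillic letter and a right-to-left override is constructed for the demo; the list of invisible code points and the labels are this example's own choices.

```python
import sys
import unicodedata

# Code points that render as nothing or reorder surrounding text and can hide a
# change from a reviewer. This set is the example's own choice, not curl's list.
INVISIBLE = {
    0x00AD,                                   # soft hyphen
    0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF,   # zero width space/joiners, BOM
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,   # bidi embeddings and overrides
    0x2066, 0x2067, 0x2068, 0x2069,           # bidi isolates
}

# Constructed sample (not curl source): a Cyrillic 'а' in an identifier and a
# right-to-left override inside a comment.
SAMPLE = (
    "int check_size(int n)\n"
    "{\n"
    "  /* reject \u202eoversized\u202c input */\n"
    "  if(n > m\u0430x_size)\n"
    "    return 1;\n"
    "  return 0;\n"
    "}\n"
)


def classify(ch):
    """Return None for plain printable ASCII (plus tab/CR), else a finding label."""
    cp = ord(ch)
    if ch in ('\t', '\r') or 0x20 <= cp <= 0x7E:
        return None
    # Format, control, private-use and unassigned code points have no visible
    # glyph of their own, which is exactly what makes them useful for smuggling.
    if cp in INVISIBLE or unicodedata.category(ch) in ('Cf', 'Cc', 'Co', 'Cn'):
        return 'invisible/control'
    return 'non-ascii'


def scan_text(text):
    """Return one (line, column, codepoint, unicode name, kind) tuple per offending character."""
    findings = []
    for lineno, line in enumerate(text.split('\n'), 1):
        for col, ch in enumerate(line, 1):
            kind = classify(ch)
            if kind:
                findings.append((lineno, col, ord(ch), unicodedata.name(ch, 'UNNAMED'), kind))
    return findings


def format_findings(path, findings):
    """Render findings in the usual path:line:col style so editors and CI logs can link them."""
    return [f"{path}:{line}:{col}: U+{cp:04X} {name} ({kind})"
            for line, col, cp, name, kind in findings]


def scan_file(path):
    # Invalid UTF-8 becomes U+FFFD, which is itself reported as non-ascii.
    with open(path, encoding='utf-8', errors='replace') as fh:
        return scan_text(fh.read())


if __name__ == '__main__':
    # Usage: python scan_unicode.py FILE...   (exit status 1 if anything was flagged)
    paths = sys.argv[1:]
    bad = False
    if not paths:
        for msg in format_findings('<sample>', scan_text(SAMPLE)):
            print(msg)
        bad = bool(scan_text(SAMPLE))
    for path in paths:
        found = scan_file(path)
        bad = bad or bool(found)
        for msg in format_findings(path, found):
            print(msg)
    sys.exit(1 if bad else 0)
```

Run with no arguments it reports the three planted characters in the constructed sample; with file arguments it scans those and exits non-zero on any hit, so it can gate a merge. A project with legitimate non-ASCII content (documentation, test data) would want to allowlist paths or restrict the check to source files rather than relax the character rules.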
## oniux
When the Tor project revealed their new oniux project this week, it
immediately brought an old complicated curl issue back to life and I again
felt the need to have to explain some of the complexities involved by writing
it all up in yet another blog post [7]. The second blog post of the day. On
the problem of rejecting .onion host names in curl.
## debugging TV
Out of the blue two streaming apps on my TV started to not work and it puzzled
me greatly why those two particular ones would fail and not the others. And
that two of them would suddenly start to fail at the same time? My conclusion:
they are just lame implementations, and I blogged a little about my debugging
this [8].
## curl versions
I had this post lingering that tries to explain how we only just post new
releases of curl in a long never-ending series and that we don't really have
end of life on curl versions etc, and this week I posted it on the blog [9].
Nothing new and nothing strange, but since we get questions about it every
once in a while I figured it could be worthwhile to speak a little about it.
## complexity
I have had this idea for a while and I have worked on it over the past year or
so, but this week I put it into words on the libcurl mailing list [10]. I
intend to work on reducing complexity of curl functions this year, and maybe
ultimately have a CI job that would warn us if we go over some threshold.
This of course in an effort to make the code simpler and easier to understand,
extend and debug.
To assist with this and to visualize the state of where we are and where we were, I
added two new graphs on the curl dashboard.
One is the cyclomatic complexity of the average source code line [11], which
then should ideally be a line that goes down over time - and it seems to have
gone down nicely the last year or so. Further efforts should probably make it
go even lower.
The second is the "complexity distribution" [12] which just checks how big a
share of the curl source code is claimed to have what complexity. The
goal of course being that as big a part as possible should be scored low. The
graph currently shows that the share of code scored really high has decreased
over the last year and the share of low-scored code has increased. It will be
interesting to see how this will develop.
A third interesting graph for this is the graph we already had: Complexity [13]
which shows the complexity score for the worst function, the 99th percentile
and the 90th percentile over time.
I landed a few PRs this week that split up some of the most complex functions
into sub functions.
I will probably write this up in a blog post as well later on.
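To make the two new graphs concrete, here is an added worked example (written for this page; it is not the dashboard's code and not the tool curl uses) that scores a constructed C snippet the cyclomatic way, one plus the number of decision points per function, and then derives both numbers described above: the complexity-per-line figure, computed here as total complexity divided by total function lines, and the distribution of lines across complexity buckets. The function detection assumes curl's layout with a function's braces alone at column 0, the bucket boundaries are this example's own assumption, and the sample C is constructed, not curl source.

```python
import re

# Constructed C sample (not curl source) with two small functions; the comment
# on the first "if" line exists to show that comment text is not scored.
SAMPLE_C = """\
static int parse_flag(const char *arg)
{
  if(!arg || !*arg) /* bail out if empty: the "if" in here must not count */
    return -1;
  switch(*arg) {
  case 'v':
    return 1;
  case 'q':
    return 2;
  default:
    return 0;
  }
}

static int sum_valid(const int *vals, int n)
{
  int total = 0;
  for(int i = 0; i < n; i++) {
    if(vals[i] > 0 && vals[i] < 100)
      total += vals[i];
  }
  return total;
}
"""

# Each match is one decision point; a function starts at complexity 1.
# (A crude tokenizer: '?' inside string literals would also be counted.)
DECISION = re.compile(r'\b(?:if|for|while|case)\b|&&|\|\||\?')

# Assumed bucket boundaries (function complexity); the dashboard's own are not known here.
BUCKETS = (("<=4", 4), ("5-10", 10), (">10", float("inf")))


def strip_comments(src):
    """Blank out comments while keeping every newline so line counts survive."""
    blank = lambda m: re.sub(r'[^\n]', ' ', m.group(0))
    src = re.sub(r'/\*.*?\*/', blank, src, flags=re.S)
    return re.sub(r'//[^\n]*', ' ', src)


def function_complexities(src):
    """Return (name, line_count, cyclomatic_complexity) for each function.

    Assumes the function's '{' and '}' stand alone at column 0 and that the
    signature is on the line right above the '{'.
    """
    lines = strip_comments(src).split('\n')
    out = []
    i = 0
    while i < len(lines):
        if i == 0 or lines[i] != '{':
            i += 1
            continue
        head = i - 1
        m = re.search(r'(\w+)\s*\(', lines[head])
        name = m.group(1) if m else '<anonymous>'
        j = i + 1
        while j < len(lines) and lines[j] != '}':
            j += 1
        body = '\n'.join(lines[i:j + 1])
        cc = 1 + sum(1 for _ in DECISION.finditer(body))
        out.append((name, j - head + 1, cc))
        i = j + 1
    return out


def complexity_per_line(funcs):
    """Total complexity over total function lines: the 'average line' figure."""
    total_lines = sum(n for _, n, _ in funcs)
    return sum(c for _, _, c in funcs) / total_lines if total_lines else 0.0


def complexity_distribution(funcs):
    """Share of function lines that live in functions of each complexity bucket."""
    total_lines = sum(n for _, n, _ in funcs)
    counts = {label: 0 for label, _ in BUCKETS}
    for _, n, c in funcs:
        for label, upper in BUCKETS:
            if c <= upper:
                counts[label] += n
                break
    return {label: (n / total_lines if total_lines else 0.0) for label, n in counts.items()}


if __name__ == '__main__':
    funcs = function_complexities(SAMPLE_C)
    for name, n, c in funcs:
        print(f"{name}: {n} lines, complexity {c}")
    print(f"complexity per line: {complexity_per_line(funcs):.3f}")
    print("distribution:", complexity_distribution(funcs))
```

On the sample, parse_flag scores 5 (one `if`, one `||`, two `case`) over 13 lines and sum_valid scores 4 over 9 lines, so the per-line figure is 9/22 and the buckets show 9/22 of the lines in low-scored code and 13/22 in the middle band. Splitting a large function into helpers leaves the total complexity roughly unchanged but moves lines from a high bucket into lower ones, which is exactly the movement the distribution graph is meant to show.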
## podcast
I recorded a podcast episode as a guest and talked AI slop and related
craziness. To be announced later of course when it goes public.
## CRA stream
I have agreed to participate in a panel discussion about Open Source and the
CRA on May 27 [1] organized by the Eclipse Foundation’s Open Regulatory
Compliance Working Group. It's a live-streamed thing.
## Coming up
- Open Infra Forum happens in Stockholm on May 22 [2] and I will talk
- finish the curl user survey and publish it
- curl 8.14.0-rc3 on Wednesday
## Links
[1] = https://maintainermonth.github.com/schedule/2025-05-27-CRA
[2] = https://www.meetup.com/openinfra-user-group-sweden/events/306139678/
[3] = https://curl.se/dev/contribute.html#on-ai-use-in-curl
[4] = https://curl.se/rc/
[5] = https://curl.se/trurl/
[6] = https://daniel.haxx.se/blog/2025/05/16/detecting-malicious-unicode/
[7] = https://daniel.haxx.se/blog/2025/05/16/leeks-and-leaks/
[8] = https://daniel.haxx.se/blog/2025/05/13/1k-0036-means-sad-eyeballs-on-my-lg/
[9] = https://daniel.haxx.se/blog/2025/05/14/supported-curl-versions-and-end-of-life/
[10] = https://curl.se/mail/lib-2025-05/0014.html
[11] = https://curl.se/dashboard1.html#complex-line
[12] = https://curl.se/dashboard1.html#complex-dist
[13] = https://curl.se/dashboard1.html#complexity
--
/ daniel.haxx.se || https://rock-solid.curl.dev