[Daniel's week] May 23, 2025

Daniel Stenberg daniel at haxx.se
Fri May 23 18:00:18 CEST 2025 

Hey all,

Another week ends and it was not a boring one.

# May 23, 2025

## security

This week brought several new HackerOne issues for the team to spend time on.
Another AI slop one [1] a few ones that were just wrong but also two proper
ones that we have confirmed and concluded to be real. They will result in the
publication of two new CVEs next week.

## rc3

On Wednesday I put together and uploaded the third and final release candidate
[2] for this cycle. It would seem we are in a good state now for next week.

## sftp speeds

A customer reported SFTP performance issues with curl. It took me down a deep
rabbit hole of transfer performance on high latency connections. I did several
benchmarks with the OpenSSH sftp tool, with curl+libssh and curl+libssh2 and
also comparisons with http and https etc.

The results are quite depressing. Already at 400ms RTT the SFTP transfer
performance is quite abysmal. The OpenSSH tool is still the best performer out
of the SFTP tools and curl+libssh is the worst. I have all the numbers etc
written down and I might turn it into a blog post at some point but there is
so much to unpack that I'm not sure I can manage to make it also sensible and
interesting.

I had a brief conversation with some libssh maintainers and they insist the
primary explanation for libssh's under-performance is that we don't use the
appropriate API. I have no reason to doubt that. curl+libssh2 is currently
almost 4x faster than curl+libssh on high latency connections. Of course, every
protocol goes slower over high latency connections, just not quite as bad as
SFTP does.

I wrote a blog post fifteen years ago about how I made libssh2 faster[3].
Clearly it could use some more love.

## existence

I got the most lovely email this week [4] thanking me for my existence so I
just had to put it up in my email collection [5].

## survey

The curl user survey 2025 is up [6] and we have so far managed to collect over
600 responses. Hopefully we can double that amount before we close it at the
end of next week.

## deprecation

We have decided to add two new items to the list of things to deprecate [7] in
curl:

- We drop support for Windows CE in November 2025

- We drop support for building with VS2008 (and earlier) on Windows in
   November 2025.

## My Open Source Journey

I was invited to write a short blurb about myself and Open Source for
opensource.org because of May being "maintainer month" and that post went live
this week[8].

## CRA panel

I am one of the panelists on live-stream on Tuesday next week where we will
talk CRA and open source [9]. As part of the preparation for this event,
Eclipse posted this "profile" of me [10].

## Open Infra Forum

On Thursday I took the subway in to Stockholm city and had the honor of doing
a keynote for the Open Infra Forum [11]. A series of meetups that celebrated
their 10th anniversary. This event was held in a lovely old-style cinema built
in 1923 with some 110 souls or so in the audience.

I titled my presentation "curl is everywhere" and I told the story about curl
from 1996 until today in 45 minutes. I got a set of good questions from the
audience and several people approached me after the talk to say the enjoyed
it. Got large amounts of positive comments and feedback afterwards. I had a
blast.

## complexity

The work on decreasing curl code complexity continued this week. Several
larger functions were split into smaller sets. Still working on my blog post
on the subject.

We now run a CI job [12] that verifies that no function gets scored above 100.

## Coming up

- Monday: podcast episode with me as guest gets released, about AI insanity
- Tuesday: CRA and Open Source panel
- Wednesday: curl 8.14.0 release
- Wednesday: curl release presentation live-stream 10:00 CEST
- Thursday: Swedish national holiday
- Thursday: meeting with GitHub about disallowing copilot to submit issues
- Thursday: another podcast recording
- Friday: Open Source Academy meeting

## Links

[1] = https://hackerone.com/reports/3158093
[2] = https://curl.se/rc/
[3] = https://daniel.haxx.se/blog/2010/12/08/making-sftp-transfers-fast/
[4] = https://daniel.haxx.se/email/2025-05-20.html
[5] = https://daniel.haxx.se/email/
[6] = https://daniel.haxx.se/blog/2025/05/19/the-curl-user-survey-2025-is-up/
[7] = https://curl.se/dev/deprecate.html
[8] = https://opensource.org/maintainers/bagder
[9] = https://maintainermonth.github.com/schedule/2025-05-27-CRA
[10] = https://blogs.eclipse.org/post/juan-rico/github-maintainer-month-speaker-spotlight-daniel-stenberg
[11] = https://www.meetup.com/openinfra-user-group-sweden/events/306139678/
[12] = https://github.com/curl/curl/pull/17398

-- 

  / daniel.haxx.se || https://rock-solid.curl.dev

More information about the daniel mailing list