[Daniel's week] May 30, 2025
Daniel Stenberg
daniel at haxx.se
Fri May 30 17:13:53 CEST 2025
Hello friends.
Another week. Another email.
## release
On Wednesday morning I put together, signed and uploaded the curl release
tarballs for curl 8.14.0 [1]. The 267th curl release that crowned the full 56-day
release cycle that also included three release candidates before this
happened. We also published two security advisories associated with this
release for CVE-2025-4947 [x] and CVE-2025-5025 [x].
While I streamed and recorded the release presentation my machine completely
froze up maybe twelve minutes in or something and I had to restart it, reset
the stream and start over the presentation... Oh well. I suppose that's just
what might happen but looking back, was it actually an omen? :-)
In spite of all the efforts, good intentions and hard work we did not even
manage to get through a whole day until we got the first regression reported
[2] that we consider "bad enough" to warrant a follow-up patch release.
Of course it stings deep into my soul when this happens and it makes me all
itchy, but there is nothing I can do or say to make it go away and I just have
to accept reality. We just need to fix this and continue on.
The plan is now to ship curl 8.14.1 a week after the dot zero version on
Wednesday next week. A new take and a new release.
Consequently, we also push the opening of the feature window a few days to
give us some time to let this pending release settle. The next release
cycle was already going to be one week shorter (because of some calendar
collisions with personal stuff of mine) and with this patch release getting in
the way it has shrunk even more...
## 300+ subscribers
As my weekly emails [3] now have actually been going for over two years, there
are over 300 subscribers. Maybe not so many compared to popular newsletters
but I'm overwhelmed by the fact so many people actually want to follow along
my adventures and ramblings. Thank you for the trust and I will try to keep the
style, subjects and context.
## AI slop
Clearly people want to hear and talk about our adventures with and stories
about AI slop in security reports to curl. This week started with a podcast
episode with Josh Bressers going public [4] in the Open Source Security
series. We talked AI slop and curl's newly adopted AI guidelines [5] for the
project.
Yesterday (Thursday) I was a guest on a completely different podcast and did
a recording, but this one is going to take yet another month or so until it
goes public so you just have to wait for this.
Also yesterday I attended a meeting with people from GitHub about their
feature to submit issues on GitHub with the help of copilot. I have voiced my
opinion to them that I would like that to be an opt-in feature because I
suspect it may become a way for users to overwhelm projects a little too
easily with huge reports based on little input.
GitHub did withdraw the most easily accessed way to file such issues based on
community feedback and I felt we had a very constructive discussion where my
concerns were received and we discussed means and methods on how this feature
might be rolled out. We'll see. I appreciate that I got to tell them my side
of the story but I of course realize that it might not matter much in the end.
## complexity
I converted the details about reducing the complexity of the curl source code,
which I have written about in my weekly emails over several past weeks, into a
blog post [6], together with some fresh graphs to illustrate the progress.
I merged some code this week that finally moved the worst function down to
"100". At least according to the tool, the curl source code is less complex.
## CRA panel
I participated in a live-streamed panel discussion titled "The Cyber Resilience
Act and Open Source: What Maintainers Really Need to Know". The recording is
available on YouTube [7]. Felix Reda, Tobie Langel, Maarten Artesen and me
talked about the CRA and what to expect from it and how it impacts Open Source
maintainers.
I think it went really well and we were able to answer several good questions
from the audience and straighten out several question marks - mostly thanks to
my panel colleagues. I think it is important to realize that if your opinions
and facts about CRA are a few years old: things have changed and it is good to
get an update.
Three key points about the CRA for Open Source maintainers:
1. mere contributors have no obligations, most maintainers have no
obligations. Only maintainers that make a profit can be considered
manufacturers - the outstanding question is where exactly that line is
drawn. (And really, such projects should not have a hard time to fulfill
the obligations anyway.)
2. Almost no maintainers are "stewards".
3. Read the orcwg FAQ [8] to keep up
4. Don't panic (yeah, I can't count)
## user survey
The curl user survey 2025 [9] is still running for a few more days. If you
have not already provided us with your views of life and curl, please consider
donating us a few minutes of your time and tell us about your curl use and
help us guide our future.
While we already have over 1,000 responses collected, we managed to get almost
1,500 last year. The survey closes midnight Sunday my time (CEST).
## security
To really solidify the "never a dull moment" phrase I tend to use, we started
out this Friday morning with a fresh security report on HackerOne. At the
time of me writing this, we have not yet managed to conclude if it is a
security problem or not. It might be. If it is, I am not sure if we will
manage to get it fixed before Wednesday.
## wikipedia
Early this week, I spotted that Wikipedia had this note displayed on the
curl[11] page: "This article's lead section may be too short to adequately
summarize the key points. Please consider expanding the lead to provide an
accessible overview of all important aspects of the article"
I mentioned this on Mastodon "In case you're looking for something to do.",
and within a short while the article was updated and the note is no longer
displayed. Lovely. It could of course still use a little more love, but hey, I
appreciate what we get! (The person who did the update told me about it but
asked to remain anonymous.)
## Coming up
- Monday: doing an interview for a research project on Open Source funding
- Tuesday: EOSA webinar on Open Source and security [10]
- Wednesday: curl 8.14.1 release
- Wednesday: curl release video live-stream
- Friday: national holiday in Sweden
## Links
[1] = https://daniel.haxx.se/blog/2025/05/28/curl-8-14-0/
[2] = https://github.com/curl/curl/issues/17473
[3] = https://lists.haxx.se/listinfo/daniel
[4] = https://opensourcesecurity.io/2025/2025-05-curl_vs_ai_with_daniel_stenberg/
[5] = https://curl.se/dev/contribute.html#on-ai-use-in-curl
[6] = https://daniel.haxx.se/blog/2025/05/29/decomplexification/
[7] = https://www.youtube.com/live/DLxZdU8kzxM?si=tLuMJia-894rY5Ch
[8] = https://github.com/orcwg/cra-hub/
[9] = https://daniel.haxx.se/blog/2025/05/19/the-curl-user-survey-2025-is-up/
[10] = https://europeanopensource.academy/events/open-source-cybersecurity-securing-and-maintaining-europes-open-source-dependencies
[11] = https://en.wikipedia.org/wiki/CURL
--
/ daniel.haxx.se