[Daniel's week] November 8, 2025

Sat Nov 8 12:10:44 CET 2025

Hi friends,

A release week has ended and here's what I did:

## release

On Wednesday morning I followed the checklist and put together yet another
curl release [1] in the never-ending series: curl 8.17.0. This 271st release
contained a record-breaking number of bugfixes (448) ever merged and crammed
into a single curl tarball.

One new severity low CVE was also published [15].

Every bugfix we do comes with a certain risk of also introducing a problem and
basic math then tells us that the more fixes we do, the larger is the risk
that we also introduced a regressions somewhere, so we were a little nervous
to see what kind of blow-back this could result in.

As I write this, we have in fact only spotted two regressions, one of them we
found ourselves and was not reported by a user (yet). I think they small
enough issues that probably by themselves will not trigger a patch release
next week. If we have not seen anything worse reported by the end of the
weekend I think we can call this dot-zero a success, skip the patch release
backup plan and instead move the focus to do another dot-zero release after a
full release cycle. That would mean the next release happens on January 7,
2026.

Of course the release for Windows [2], QNX [3] and container [4] also
happened.

## code

The code age graph [x] shows that more than 50% of all current curl production
code has indeed been (re-)written within the last four years.

Our long term mission to simplify curl code is now also quite visible in the
complexity distribution graph [17], which shows how large parts of the
production code that is considered how complex. The complexity in question is
the score the pmccabe tool in Debian gives. Look how we at the right side of
the graph now have eradicated all high complexity functions. The big question
is of course if this actually in the end actually makes a difference...

## stand-alone examples

Do you have an example source code for us?

Do you have an idea for an example source code we should create?

We have this collection of stand-alone example source codes [5] in the libcurl
documentation that we have written and collected trough the years. The
examples typically show-case different parts of the API in a small program, so
serve as inspiration and education. To be easy to copy selected pieces from
when you want to build a new application using libcurl.

They are all less than five hundred lines each. Most of them are even smaller
than one hundred lines (including a fairly big header).

We could use some help to extend the collection!

## everything curl

On the topic of improving documentation, the list of outstanding issues to fix
in everything curl [6] is slowly growing. Here's a great opportunity to join
in and help out in the curl project without doing any coding at all.

Everything curl is different than the regular in-repository curl documentation
in that it is meant to be more tutorial and explanatory and less of reference
look-ups. So even if the subjects of course are overlapping a lot with the
existing man pages, the approach and language differ.

## wikipedia

I took pity over the curl wikipedia page [7] and clarified the protocol and
HTTP support somewhat because the way that paragraph was written before has
bugged me for a long time - not the least because the protocol list was
incomplete.

I was then pointed to the section about "Conflict of Interest" by someone and
it became clear to me that editing the curl page is close to editing the page
about myself [8] and I should probably not do it at all. I'll keep that in
mind for the future.

Anyway, I of course messed it up a little bit which made for some fun [9] and
good people helped me fix it again.

## curl is still developed

Just because it is such a common question and I got a question about it again
this week, I published a blog post about curl's never-ending and
always-ongoing development [10]. Should be absolutely no surprise and contain
no news to readers of my weekly email.

## wcurl

Because of the wcurl release this week [12] I again saw some questions and
comments about what it is and I decided to start a short page detailing the
similarities and differences between wcurl and wget [11].

I trust you tell me if you find mistakes or can think of improvements.

There was also a CVE published for wcurl [13], fixed in this new release.

Viktor also made a fun hack that makes it possible to run wcurl on Windows
[14].

## Coming up

- a week of cooling down before we can open the curl feature window again

## Links

[1] = https://daniel.haxx.se/blog/2025/11/05/curl-8-17-0/
[2] = https://curl.se/windows/
[3] = https://curl.se/qnx/
[4] = https://quay.io/repository/curl/curl
[5] = https://curl.se/libcurl/c/example.html
[6] = https://github.com/curl/everything-curl/issues
[7] = https://en.wikipedia.org/wiki/CURL
[8] = https://en.wikipedia.org/wiki/Daniel_Stenberg
[9] = https://mastodon.social/@bagder/115488083692214101
[10] = https://daniel.haxx.se/blog/2025/11/04/yes-really-curl-is-still-developed/
[11] = https://daniel.haxx.se/docs/wcurl-vs-wget.html
[12] = https://github.com/curl/wcurl/releases/tag/v2025.11.04
[13] = https://curl.se/docs/CVE-2025-11563.html
[14] = https://github.com/curl/wcurl/pull/73#issuecomment-3488132572
[15] = https://curl.se/docs/CVE-2025-10966.html
[16] = https://curl.se/dashboard1.html#source-code-age
[17] = https://curl.se/dashboard1.html#complexity-distribution

-- 

  / daniel.haxx.se