[Daniel's week] November 21, 2025

Daniel Stenberg daniel at haxx.se
Fri Nov 21 22:48:56 CET 2025


Hello!

I managed to sum it up a little shorter this week. You gain several minutes!

## strict torture

I've continued with some success this week to detect function flows in curl
that wrongly ignore OOM errors and continue anyway.

I have some ideas on how to develop my tooling for this to avoid the false
positives it now shows. A significant challenge is for example that curl can
do multiple transfers and if transfer one fails with out of memory, it is
still okay for it to try to perform transfer two.

Until I have a solid approach or work-around for these cases I can't really
run this widely, like in CI.

## 3,000

We have surpassed 3,000 commits done to curl this year. Way more than any
previous year in curl history [5].

## Hackerone

We have received *seven* security reports on Hackerone regarding curl within
the last seven days. Some of them have required significant time and effort to
assess, research and discuss. As I am writing this, we still have two issues
open and under discussion but I am leaning towards not treating any of them as
a vulnerability.

I've started toying with a new graph showing Hackerone submissions per year [4],
including the number of confirmed vulnerabilities among them. Not yet added to
the dashboard. Shows us receiving more reports than ever in 2025 and yet the
share of confirmed vulnerabilities is lower than in many years.

## Known risks

In one of the Hackerone issues an idea popped up that we should make it easier
for users to find a document discussing and documenting known risks when using
curl.

A PR [1] has been created with the first draft, and as soon as it looks decent
we will make sure to make it available and findable on the curl website.

## QUERY

The HTTP QUERY method [2] is now officially approved and it will be published
as an RFC shortly. We can think of it as GET with body.

You can of course use curl fine to do QUERY requests. I will write up a blog
post about it to sync with when the specification gets an official RFC number.
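To make the "GET with body" idea concrete, here is an added example (not code from Daniel's mail or from the curl project) of a complete QUERY round trip using only the Python standard library. The server, its /search endpoint, the JSON query document format and the record set it searches are all constructed for this illustration; the only thing taken from the draft is that the method is named QUERY and that the request body carries the query rather than the URL.

```python
"""Added example: a minimal HTTP QUERY exchange, client and server.

Everything here (the /search endpoint, the JSON query format, the sample
records) is constructed for illustration and is not part of curl or the
QUERY specification itself.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

# Constructed sample data set that the QUERY handler searches.
RECORDS = [
    {"id": 1, "name": "alice", "role": "admin"},
    {"id": 2, "name": "bob", "role": "user"},
    {"id": 3, "name": "carol", "role": "user"},
]


class QueryHandler(BaseHTTPRequestHandler):
    # BaseHTTPRequestHandler dispatches on "do_" + method name, so defining
    # do_QUERY is all that is needed for this server to accept the method.
    def do_QUERY(self):
        length = int(self.headers.get("Content-Length", 0))
        # Like a POST, the query travels in the request body; unlike a POST,
        # QUERY is defined as safe and idempotent, the same as GET.
        query = json.loads(self.rfile.read(length) or b"{}")
        hits = [r for r in RECORDS
                if all(r.get(k) == v for k, v in query.items())]
        body = json.dumps(hits).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # Keep the example quiet; the default handler logs to stderr.
        pass


def run_query(port, query):
    """Send one QUERY request with a JSON body and return the decoded hits."""
    req = Request(
        f"http://127.0.0.1:{port}/search",
        data=json.dumps(query).encode(),
        method="QUERY",
        headers={"Content-Type": "application/json"},
    )
    with urlopen(req) as resp:
        return json.loads(resp.read())


def demo():
    """Start a loopback server on an ephemeral port, run one query, stop it."""
    server = HTTPServer(("127.0.0.1", 0), QueryHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return run_query(port, {"role": "user"})
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

With the server part of this block left running on a known port, the same request from the command line is `curl -X QUERY -H 'Content-Type: application/json' -d '{"role":"user"}' http://127.0.0.1:PORT/search` (PORT being whatever the server bound). The point worth noticing on the defensive side is that nothing in the wire format prevents a QUERY from carrying a body: middleboxes, WAF rules and logging that assume "body implies POST" will need to treat QUERY as a safe, cacheable, body-carrying method in its own right.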

## Daniel uses

I made a new page available on my website called Daniel uses [3] which is,
yes, exactly that. A list of (mostly software) stuff that I use.

## AI tooling

This week we had a meeting with yet another company doing source code security
scanning and analyzing software using AI to discuss what they provide and what
we want. They have a beta product we are queued up to test going forward. I
will of course share details and experiences once we have any.

## Coming up

- debug, patch, fix, merge, repeat

## Links

[1] = https://github.com/curl/curl/pull/19631
[2] = https://www.ietf.org/archive/id/draft-ietf-httpbis-safe-method-w-body-14.html
[3] = https://daniel.haxx.se/uses.html
[4] = https://mastodon.social/@bagder/115588600803203406
[5] = https://curl.se/dashboard1.html#commits-per-year

-- 

  / daniel.haxx.se