[Daniel's week] November 28, 2025

Daniel Stenberg daniel at haxx.se
Fri Nov 28 23:27:30 CET 2025


Friends!

I had a birthday. Another week ended.

## strict torture

The mission I started a few weeks ago continued this week as I have
successfully spotted more code flows in which we did not return error
immediately on out-of-memory errors. During this I have also slowly polished
my tooling for this. I still have outstanding pending findings to fix so I'm
still a bit away from doing another pull-request try with this.

## backtrace

In my work on fixing code that continues even after an OOM has occurred, I
figured I needed some additional help in tracing exactly how the function
flows go in the problematic cases. For this purpose I this week added support
for building curl with libbacktrace so that when I run a debug build and I ask
it to return error for a specific memory allocation call, I can have it dump a
stack trace in a log. It has made me able to find and fix several such
problems way faster compared to how I did before.
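The two sections above describe one procedure: make a single chosen allocation fail, dump the call chain at that point, and then check whether the code under test returned immediately or kept going. Here is an added example of that idea, written for this post and not curl's own tooling. Everything in it is constructed for illustration: the `fi_*` allocator wrapper, the two `build_record_*` functions (one sloppy, one strict) and the `torture()` driver are hypothetical names, and glibc/macOS `<execinfo.h>` stands in for libbacktrace.

```c
/* Added example, not curl's code: an OOM "torture" harness. fi_malloc() fails one
 * chosen allocation and dumps a stack trace there; torture() then checks whether
 * the code under test kept allocating after the failure. All names are constructed
 * for this illustration; <execinfo.h> (glibc/macOS) stands in for libbacktrace. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(__GLIBC__) || defined(__APPLE__)
#include <execinfo.h>
#define FI_HAVE_EXECINFO 1
#endif

static long fi_calls;   /* allocation calls seen since fi_reset() */
static long fi_fail_at; /* 0 = never inject; N = fail the Nth call */
static int fi_trace;    /* dump a stack trace at the injected failure */

void fi_reset(long fail_at, int trace) { fi_calls = 0; fi_fail_at = fail_at; fi_trace = trace; }
long fi_count(void) { return fi_calls; }

/* malloc() replacement: fails exactly once, on call number fi_fail_at. */
void *fi_malloc(size_t size)
{
    if (++fi_calls == fi_fail_at) {
        fprintf(stderr, "injected OOM at allocation #%ld\n", fi_calls);
#ifdef FI_HAVE_EXECINFO
        if (fi_trace) { /* which call chain asked for this allocation? */
            void *frames[32];
            backtrace_symbols_fd(frames, backtrace(frames, 32), 2 /* stderr */);
        }
#endif
        return NULL;
    }
    return malloc(size);
}

static char *fi_strdup(const char *s)
{
    size_t len = strlen(s) + 1;
    char *copy = fi_malloc(len);
    if (copy)
        memcpy(copy, s, len);
    return copy;
}

typedef struct { char *name; char *value; } record_t;
typedef int (*builder_fn)(const char *, const char *, record_t *);

static void record_free(record_t *r)
{
    free(r->name);  r->name = NULL;
    free(r->value); r->value = NULL;
}

/* Sloppy: notes the failure but keeps going and allocates again. */
int build_record_sloppy(const char *name, const char *value, record_t *out)
{
    int err = 0;
    out->name = fi_strdup(name);
    if (!out->name)
        err = 1;                   /* remembered, but no early return */
    out->value = fi_strdup(value); /* second allocation after the OOM */
    if (!out->value)
        err = 1;
    if (err)
        record_free(out);
    return err;
}

/* Strict: return error immediately at the first failed allocation. */
int build_record_strict(const char *name, const char *value, record_t *out)
{
    out->name = fi_strdup(name);
    if (!out->name)
        return 1;
    out->value = fi_strdup(value);
    if (!out->value) {
        record_free(out);
        return 1;
    }
    return 0;
}

/* One run with allocation fail_at forced to fail.
 * Returns 0 = clean, 1 = finding, -1 = fail_at was never reached. */
static int torture_one(builder_fn fn, long fail_at, int trace)
{
    record_t r = {NULL, NULL};
    fi_reset(fail_at, trace);
    int rc = fn("user", "daniel", &r); /* constructed sample input */
    record_free(&r);
    if (fi_count() < fail_at)
        return -1;
    if (rc == 0 || fi_count() > fail_at) {
        fprintf(stderr, "fail_at=%ld: rc=%d, %ld allocation(s) after the OOM\n",
                fail_at, rc, fi_count() - fail_at);
        return 1;
    }
    return 0;
}

/* Fail every allocation in turn; returns the number of findings. */
int torture(builder_fn fn, int trace)
{
    int findings = 0, res;
    for (long fail_at = 1; (res = torture_one(fn, fail_at, trace)) >= 0; fail_at++)
        findings += res;
    return findings;
}

int main(void)
{
    printf("sloppy: %d finding(s)\n", torture(build_record_sloppy, 1));
    printf("strict: %d finding(s)\n", torture(build_record_strict, 0));
    return 0;
}
```

The check that matters is the allocation count: if any allocation is attempted after the injected failure, the callee did not return at the OOM, which is exactly the class of flow described above. The stack trace printed at the injection point tells you which caller asked for that allocation, so you do not have to guess where in the flow the failure was swallowed.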

## tiny curl webinar

On Thursday December 4 at 18:00 CET (16:00 UTC, 09:00 PT) I will do a
webinar [2] about tiny curl [1]. I have spent a little time this week creating
and polishing my slide set for this. tiny curl is a patch set on top of
regular libcurl intended for smaller devices.

I will tell you all about it on Thursday, and yes the presentation will be
made available on YouTube after the fact.

## slop graph

I added a Hackerone reports per year graph [3] to the dashboard. It shows
several interesting stats, including:

1. the submission rate has gone up significantly in general. In 2024 we
    received 86 reports and in 2025 we have already received 140 with a whole
    month left to go.

2. the slop rate has increased even more. From six reports in 2024 to 28 in
    2025 so far. Also, this is counting slop rather conservatively.

3. the share of confirmed vulnerabilities has really plummeted. It was almost
    13% of the submissions last year and we are below 6% this year. I suspect
    that the decreased quality of the submissions this year is partly because a
    portion of the reports we have not concluded to be AI slop was still partly
    using AI to get to the faulty conclusions. Determining what is AI slop is
    tricky. I just can't find any other explanation as to why security
    researchers have become so stupid this year compared to previous years.

This particular week was however slower than in a while as only two Hackerone
submissions landed within the last seven days.

## stdint

This week on the curl hackers video meeting we again had a discussion
about the possibility to move curl from C89 to C99 as the C standard to
support and I believe we are slowly warming up to it. It would force us to
move the lowest supported Visual Studio version up from today's 2010 to 2015
and we are not yet certain exactly how much that would affect people.

No decision has been taken yet, but I sense and anticipate that we might soon
set a date at some point in mid 2026 or so when we do the switch.

While waiting for that to happen, we have adopted the stdint types into the
curl source code ahead of time, so we are now using uint8_t, int32_t etc all
through the source code. Several pull-requests for this were merged this week
to clear things up a little.

## AI tooling

I just activated an AI bot from augmentcode.com for opt-in PR reviewing in the
curl repository. I would not mind having a high quality code analyzer help us
highlight our mistakes before we merge them. I'm not convinced this one will,
but I am willing to give it a try and see how it behaves. I will report back
once we have put it up to some challenges. Stay tuned!

## Coming up

- last week before the curl feature freeze
- Monday: customer meeting about improved HTTP upload performance
- Thursday: tiny curl webinar [2]

## Links

[1] = https://curl.se/tiny/
[2] = https://us02web.zoom.us/webinar/register/2616747721343/WN_4Q1yoktwQJGJ8snjywnmAw#/registration
[3] = https://curl.se/dashboard1.html#hackerone

-- 

  / daniel.haxx.se