From daniel at haxx.se Fri Oct 3 17:34:23 2025 From: daniel at haxx.se (Daniel Stenberg) Date: Fri, 3 Oct 2025 17:34:23 +0200 (CEST) Subject: [Daniel's week] October 3, 2025 Message-ID: Hello! Another week has already passed and yeah, I managed to write many words about this one as well. Enjoy! ## Zagreb I arrived in Zagreb on Saturday and spent the afternoon exploring the quite lovely capital of Croatia. Having the first talking slot on a Sunday morning when the conference (EuroBSDCon [5]) had their social event the night before, with an open bar that did not close until 4am, is perhaps not ideal. I arrived a while before 9 (I even spent extra time circling the building until I found the entrance) as my talk was scheduled to start 09:30. I met friends, said hello, got a coffee and relaxed a bit before I entered room D1 to just double-check that my laptop would agree with the projector. Inserted the projector HDMI cable. Get a pop-up on my screen and it clearly detects the second screen. Nothing appears there. Fiddling with forcing the projector resolution set to 1920x1080 at 30 Hz as per instruction - but nothing. How about a reboot? Nope. Still nothing. Oh, it's not actually the projector cable, it's the cable from the middle video box sitting between my laptop and the projector. We then skipped the middle box and tried the projector directly to make sure that worked: nope. It did not. Now finally there was an explanation! According to the organizers they had problems with it already yesterday and it had an impressive layer of repair tape rolled around it to prove it. Luckily the venue had a separate backup cable to the projector we then untangled, unrolled and... wait, it doesn't fit the connector in the laptop? A closer inspection of the backup cable revealed that the HDMI plug was damaged, like if someone had placed something very heavy on it once. For a brief moment there were thoughts on what could be done to roll out and insert a third, new, cable to the projector in the ceiling but it was determined too dangerous and difficult - no ladder in sight either. Now there was less than 10 minutes left until my talk would start and an excecutive decision was quickly made: let's move to room D2 for my keynote. It wouldn't solve the problem but it would give the organizers some extra time to fix this problem for the talks coming later. In room D2 maybe a hundred people or so in the audience sat down and yeah, the image from my laptop showed up with no problems on that big screen and I could start my presentation pretty much on time. After my talk I spent a few more hours talking to people, handing out curl stickers and doing the occastional selfies with friends and fans. ## AI As the world moves in unpredictable ways, this week Hacker News [1] suddently picked up and reacted on one of my Mastodon posts from a few weeks ago [3] about Joshua's set of issues in curl that he found using AI powered tools. As a direct result of that, Tom Claburn on the Register found out about it and after I replied a short comment to him he posted about the same thing on their site [2]. We have kept in touch and Joshua mentioned that he plans on rerunning his set of tools now after we merged so many fixes based on his initial report set. It is of course going to be interesting, and I'm curious about how this will work as with everything AI reproducibility is a challenge so I wonder how easy/hard those tools are going to have to silence false positives or other issues that we decide are not interesting/worth addressing. After all, we have stopped using static analyzers in the past simply because of their inability to silence issues. Someone else also contacted me after having done similar work and has offered sending me "10-100" issues that could possibly identify nits and problems. I've agreed to this, so let's see where this takes us/me. I will of course report on any progress in future emails. ## HackerOne We have only received two security submissions on HackerOne [4] this week, both deemed to not be security problems. Both have also been disclosed. ## release notes I always have a rather large set of blog post embryos pending publication. Ideas and concepts that could be made into a real post at some future point and this week I picked up, dusted off and publised this text about how I maintain release notes for curl [6]. ## Deprecating We got a bug reported on the OpenSSL-QUIC backend this week and once fixed we had a brief discussion about its use and future, which made me ask for fans of this backend on the mailing list [13]. As not a single person spoke up or showed interest in keeping or using this backend, we decided we should move towards removing this instead [14]. Nowdays we can do QUIC with vanilla OpenSSL using ngtcp2 instead, which is a better and more reliable solution. When on the topic of removing code, we also decided to move up our removal date for OpenSSL 1.1.1 to happen already in December 2025 instead of the later date we previously communicated [15]. This makes the removals of OpenSSL 1.0.2 and 1.1.1 support happen at the same date. The decision to move the date is partly motivated because exactly none of the commercial users of these sponsors us to keep the support and there are no "free users" of these versions anymore. So we decided to make our lives a little bit easier. ## Apple OS native CA Since we dropped support for the native Apple TLS library Secure Transport a few versions ago [9] people have been asking for a way to use the native CA store on Apple operating systems (macOS, iOS, etc) - and this week we merged this new PR [8] written by Stefan Eissing that brings exactly this ability to the OpenSSL and GnuTLS backends. Stefan wrote about this change on his blog [18]. I'm looking forward to hearing from people how this works out in real life. ## man page links Someone pointed out that the web version of the curl man page [16] mentioned a few libcurl man pages without linking to them. This took me into the weeds of roffit, the script we use to convert nroff to HTML, so that we can tell it to detect libcurl man pages and add the proper link to those in the output [17]. Once roffit was poked at and the new version was deployed on the web server, I could fix the rendering and voila, now the man page on the website properly links all mentions of libcurl man pages! This version is now live on the site. When I looked through the curl man page for all references to libcurl man pages I also realized that some of the references were rather unhelpful, as users don't really want to chase around for the information so I worked a little on moving more information into the man page to avoid referencing elsewhere. ## podcast Daniel Stenberg, Swedish Internet protocol expert and founder and lead developer of the Curl project, speaks with SE Radio host Gavin Henry about removing Rust from Curl. They discuss why Hyper was removed from curl, why the last five percent of making it a success was difficult, what the project gained from the 5-year attempt to tackle bringing Rust into a C project, lessons learned for next time, why user support is critical, and the positive long-lasting impact this attempt had. Podcast episode [7]. ## progress meter Someone reported a possible integer overflow in the curl progress meter code for parallel transfers: if the total amount of data is more than what fits in a curl_off_t type (a signed 64-bit variable) it would potentially show crazy numbers. As I fixed this flaw, it got me thinking about downloading very large files with curl and if people might actually reach this maximum limit at some point in a not too distant future. The maximum size this progress meter can handle right now is 8192 petabytes. I think that may suffice on a per-file basis for the forseeable future, but when curl does parallel downloads it shows the total amount for all downloads and as you could easily do thousands of large file downloads then, the maximum limit seems less remote. I got me thinking about doing 128-bit math, at least for the parallel progress meter output. That line of thinking made realize I should improve the code to make it possible to better expand beyond 64-bit [10]. As I was then already focused on progress meters I also took a look at the "regular" progress meter showed on a per-single-file-transfer basis, done by libcurl and realized it could use the same kind of improvement. But also: I noticed that the progress meter currently "wastes" space in the line by doing two spaces after each size output! We can't have that - also at the same time realizing that it has been done like this ever since curl was born. So I decided to take this opportunity to improve the function and at the same time increase the amount of size data shown, from five characters to six, for each displayed size on the line [11]. ## credits Today is the nine year anniversary for my collection of "screenshotted curl credits" [12] and at the very bottom of that overly large page you can find today's additions: Sonic Racing: CrossWorlds and Saints Row: IV. As so often with the recent additions to that page, those are two games. ## Coming up - the final and third week the curl feature window is open ## Links [1] = https://news.ycombinator.com/item?id=45449348 [2] = https://www.theregister.com/2025/10/02/curl_project_swamped_with_ai/ [3] = https://mastodon.social/@bagder/115241241075258997 [4] = https://hackerone.com/curl [5] = https://2025.eurobsdcon.org/ [6] = https://daniel.haxx.se/blog/2025/10/01/how-i-maintain-release-notes-for-curl/ [7] = https://se-radio.net/2025/10/se-radio-688-daniel-stenberg-on-removing-rust-from-curl/ [8] = https://github.com/curl/curl/pull/18703 [9] = https://daniel.haxx.se/blog/2025/01/14/secure-transport-support-in-curl-is-on-its-way-out/ [10] = https://github.com/curl/curl/pull/18807 [11] = https://github.com/curl/curl/pull/18828 [12] = https://daniel.haxx.se/blog/2016/10/03/screenshotted-curl-credits/ [13] = https://curl.se/mail/lib-2025-10/0000.html [14] = https://github.com/curl/curl/pull/18820 [15] = https://github.com/curl/curl/pull/18822 [16] = https://curl.se/docs/manpage.html [17] = https://github.com/bagder/roffit/pull/51 [18] = https://eissing.org/icing/posts/curl-apple-sectrust/ -- / daniel.haxx.se