From daniel at haxx.se Fri Oct 3 17:34:23 2025
From: daniel at haxx.se (Daniel Stenberg)
Date: Fri, 3 Oct 2025 17:34:23 +0200 (CEST)
Subject: [Daniel's week] October 3, 2025
Message-ID:

Hello!

Another week has already passed and yeah, I managed to write many words about this one as well. Enjoy!

## Zagreb

I arrived in Zagreb on Saturday and spent the afternoon exploring the quite lovely capital of Croatia.

Having the first talking slot on a Sunday morning when the conference (EuroBSDCon [5]) had their social event the night before, with an open bar that did not close until 4am, is perhaps not ideal.

I arrived a while before 9 (I even spent extra time circling the building until I found the entrance) as my talk was scheduled to start at 09:30. I met friends, said hello, got a coffee and relaxed a bit before I entered room D1 to just double-check that my laptop would agree with the projector.

Inserted the projector HDMI cable. Get a pop-up on my screen and it clearly detects the second screen. Nothing appears there. Fiddling with forcing the projector resolution to 1920x1080 at 30 Hz as per instruction - but nothing. How about a reboot? Nope. Still nothing.

Oh, it's not actually the projector cable, it's the cable from the middle video box sitting between my laptop and the projector. We then skipped the middle box and tried the projector directly to make sure that worked: nope. It did not.

Now finally there was an explanation! According to the organizers they had had problems with it already the day before, and it had an impressive layer of repair tape rolled around it to prove it. Luckily the venue had a separate backup cable to the projector, which we then untangled, unrolled and... wait, it doesn't fit the connector in the laptop? A closer inspection of the backup cable revealed that the HDMI plug was damaged, as if someone had placed something very heavy on it once.
For a brief moment there were thoughts on what could be done to roll out and insert a third, new cable to the projector in the ceiling, but it was determined too dangerous and difficult - no ladder in sight either. Now there were less than 10 minutes left until my talk would start and an executive decision was quickly made: let's move to room D2 for my keynote. It wouldn't solve the problem but it would give the organizers some extra time to fix it for the talks coming later.

In room D2 maybe a hundred people or so in the audience sat down and yeah, the image from my laptop showed up with no problems on that big screen and I could start my presentation pretty much on time. After my talk I spent a few more hours talking to people, handing out curl stickers and doing the occasional selfie with friends and fans.

## AI

As the world moves in unpredictable ways, this week Hacker News [1] suddenly picked up and reacted to one of my Mastodon posts from a few weeks ago [3] about Joshua's set of issues in curl that he found using AI powered tools. As a direct result of that, Tom Claburn at the Register found out about it, and after I replied with a short comment to him he posted about the same thing on their site [2].

We have kept in touch and Joshua mentioned that he plans on rerunning his set of tools now after we merged so many fixes based on his initial report set. It is of course going to be interesting, and I'm curious about how this will work since, as with everything AI, reproducibility is a challenge. So I wonder how easy/hard it is going to be for those tools to silence false positives or other issues that we decide are not interesting/worth addressing. After all, we have stopped using static analyzers in the past simply because of their inability to silence issues.

Someone else also contacted me after having done similar work and has offered to send me "10-100" issues that could possibly identify nits and problems.
I've agreed to this, so let's see where this takes us/me. I will of course report on any progress in future emails.

## HackerOne

We have only received two security submissions on HackerOne [4] this week, both deemed to not be security problems. Both have also been disclosed.

## release notes

I always have a rather large set of blog post embryos pending publication: ideas and concepts that could be made into a real post at some future point. This week I picked up, dusted off and published this text about how I maintain release notes for curl [6].

## Deprecating

We got a bug reported on the OpenSSL-QUIC backend this week and once it was fixed we had a brief discussion about its use and future, which made me ask for fans of this backend on the mailing list [13]. As not a single person spoke up or showed interest in keeping or using this backend, we decided we should move towards removing it instead [14]. Nowadays we can do QUIC with vanilla OpenSSL using ngtcp2 instead, which is a better and more reliable solution.

While on the topic of removing code, we also decided to move up our removal date for OpenSSL 1.1.1 to happen already in December 2025 instead of the later date we previously communicated [15]. This makes the removals of OpenSSL 1.0.2 and 1.1.1 support happen on the same date. The decision to move the date is partly motivated by the fact that exactly none of the commercial users of these versions sponsors us to keep the support, and there are no "free users" of these versions anymore. So we decided to make our lives a little bit easier.

## Apple OS native CA

Since we dropped support for the native Apple TLS library Secure Transport a few versions ago [9], people have been asking for a way to use the native CA store on Apple operating systems (macOS, iOS, etc) - and this week we merged this new PR [8], written by Stefan Eissing, that brings exactly this ability to the OpenSSL and GnuTLS backends. Stefan wrote about this change on his blog [18].
I'm looking forward to hearing from people how this works out in real life.

## man page links

Someone pointed out that the web version of the curl man page [16] mentioned a few libcurl man pages without linking to them. This took me into the weeds of roffit, the script we use to convert nroff to HTML, so that we can tell it to detect libcurl man pages and add the proper link to those in the output [17]. Once roffit was poked at and the new version was deployed on the web server, I could fix the rendering and voila, now the man page on the website properly links all mentions of libcurl man pages! This version is now live on the site.

When I looked through the curl man page for all references to libcurl man pages I also realized that some of the references were rather unhelpful, as users don't really want to chase around for the information, so I worked a little on moving more information into the man page to avoid referencing elsewhere.

## podcast

Daniel Stenberg, Swedish Internet protocol expert and founder and lead developer of the Curl project, speaks with SE Radio host Gavin Henry about removing Rust from Curl. They discuss why Hyper was removed from curl, why the last five percent of making it a success was difficult, what the project gained from the 5-year attempt to tackle bringing Rust into a C project, lessons learned for next time, why user support is critical, and the positive long-lasting impact this attempt had. Podcast episode [7].

## progress meter

Someone reported a possible integer overflow in the curl progress meter code for parallel transfers: if the total amount of data is more than what fits in a curl_off_t type (a signed 64-bit variable) it would potentially show crazy numbers. As I fixed this flaw, it got me thinking about downloading very large files with curl and whether people might actually reach this maximum limit at some point in a not too distant future. The maximum size this progress meter can handle right now is 8192 petabytes.
I think that may suffice on a per-file basis for the foreseeable future, but when curl does parallel downloads it shows the total amount for all downloads, and as you could easily do thousands of large file downloads then, the maximum limit seems less remote. It got me thinking about doing 128-bit math, at least for the parallel progress meter output. That line of thinking made me realize I should improve the code to make it possible to better expand beyond 64-bit [10].

As I was then already focused on progress meters I also took a look at the "regular" progress meter shown on a per-single-file-transfer basis, done by libcurl, and realized it could use the same kind of improvement. But also: I noticed that the progress meter currently "wastes" space in the line by doing two spaces after each size output! We can't have that - while at the same time realizing that it has been done like this ever since curl was born. So I decided to take this opportunity to improve the function and at the same time increase the amount of size data shown, from five characters to six, for each displayed size on the line [11].

## credits

Today is the nine year anniversary of my collection of "screenshotted curl credits" [12] and at the very bottom of that overly large page you can find today's additions: Sonic Racing: CrossWorlds and Saints Row: IV. As so often with the recent additions to that page, those are two games.
## Coming up

- the third and final week the curl feature window is open

## Links

[1] = https://news.ycombinator.com/item?id=45449348
[2] = https://www.theregister.com/2025/10/02/curl_project_swamped_with_ai/
[3] = https://mastodon.social/@bagder/115241241075258997
[4] = https://hackerone.com/curl
[5] = https://2025.eurobsdcon.org/
[6] = https://daniel.haxx.se/blog/2025/10/01/how-i-maintain-release-notes-for-curl/
[7] = https://se-radio.net/2025/10/se-radio-688-daniel-stenberg-on-removing-rust-from-curl/
[8] = https://github.com/curl/curl/pull/18703
[9] = https://daniel.haxx.se/blog/2025/01/14/secure-transport-support-in-curl-is-on-its-way-out/
[10] = https://github.com/curl/curl/pull/18807
[11] = https://github.com/curl/curl/pull/18828
[12] = https://daniel.haxx.se/blog/2016/10/03/screenshotted-curl-credits/
[13] = https://curl.se/mail/lib-2025-10/0000.html
[14] = https://github.com/curl/curl/pull/18820
[15] = https://github.com/curl/curl/pull/18822
[16] = https://curl.se/docs/manpage.html
[17] = https://github.com/bagder/roffit/pull/51
[18] = https://eissing.org/icing/posts/curl-apple-sectrust/

-- 
/ daniel.haxx.se

From daniel at haxx.se Fri Oct 10 17:10:17 2025
From: daniel at haxx.se (Daniel Stenberg)
Date: Fri, 10 Oct 2025 17:10:17 +0200 (CEST)
Subject: [Daniel's week] October 10, 2025
Message-ID: <3sq38p19-or6o-nn5o-4s49-oqnrpp9opsr2@unkk.fr>

Hello friends.

Another busy week celebrates Friday and here's what happened in my life:

## hacktoberfest

October used to be "Hacktoberfest" for several years, but I asked around this week and the interest in this once popular concept seems to simply not exist anymore. This matches my own view of things and the fact that we haven't had anyone asking about it in the last few years. Presumably partly because nowadays the only thing you get for participating is a weird digital badge.
We used this as a hint and removed the hacktoberfest-accepted tag and the associated scripting logic we had to set it on PRs that were merged during October.

## more issues

I was going to write up a long summary here of what we did this week as we got updates from last week's adventures with issues from AI tooling, but I instead wrote it as a 2000+ word blog post named "A new breed of analyzers" [1]. Shorter email, longer blog post! :-)

## notify callback

As one of the last features merged during this feature window, we introduce "curl notifications" [2] when using the multi interface - authored by Stefan Eissing. Simply put, this offers a callback to the application to let it know when there is activity that needs attention on one of the ongoing transfers. It simplifies the event loop and also typically helps performance. We start out with just two available notifications but we are open to introducing more in the future should this turn out to be popular.

## --knownhosts

It was requested and as it made perfect sense to me, I added `--knownhosts` as the 273rd command line option to curl to allow users to specify a custom known hosts file when doing SSH based operations [3]. It will ship in the pending 8.17.0 release for the first time.

## activity

Due to all the defects we have gotten reported we are well on track to land more bugfixes in this release cycle than we ever have before. After half the period, we have over 230 bugs fixed.

This week we also surpassed 2024 in total number of commits done within a calendar year.

## feature freeze

Tomorrow we enter feature freeze for curl until the coming release. We have eleven changes logged that we managed to land this time. Tomorrow we also release release candidate one and from now we work on only fixing

## European Open Source Awards 2026

This week the nomination process [4] for the 2026 version of the European Open Source Awards opened.
I hope you help us out and highlight at least one European Open Source hero you can think of. I say 'us' as I am the president of this organization and it is going to be my honor to participate in this process and find a worthy winner. The award is going to be handed out in Brussels on the Thursday before FOSDEM, January 29th 2026.

## wcurl talks

Samuel Henrique is one of the Debian curl maintainers and one in the team maintaining wcurl [7]. This week he published two videos from DebConf earlier this year. In "wcurl - one year later" he sums up what happened to wcurl this last year [5] and the second, "curl maintainers BoF" [6], is a recording of a discussion talking about a lot of details with and around the curl package in Debian. What needs to be done, how and what's next. All good stuff for curl and/or Debian interested persons.

## silly curl use

"curl ascii.live/forrest"

## Drop Heimdal

As I fixed a memory leak this week I added a new test case to properly verify the fix and make sure the problem won't easily come back in the future, only to notice that I detected a *second* leak. The second leak was within the Heimdal GSS-API/kerberos library, one of the three libraries we support for GSS-API operations. I did a quick poll [8] and not a single person spoke up or objected, so soon thereafter we dropped Heimdal support.

The upstream project has not had a commit in six months, has hundreds of open issues and pull requests and their badges on GitHub claim it fails to build on all platforms. It does not instill confidence at all and I think we are better off redirecting users to the MIT kerberos library instead, which keeps getting new releases and doesn't trigger memory leaks.

There are also strong indications that the third GSS-API library, GNU GSS, soon might face the same destiny as we see memory leaks with that one as well - in a project without a commit done for three years...
## Coming up

- feature freeze and 8.17.0-rc1 tomorrow
- there are still pending reported issues to work on
- Monday: snaxx-45 where I drink beers with Stockholm based friends

## Links

[1] = https://daniel.haxx.se/blog/2025/10/10/a-new-breed-of-analyzers/
[2] = https://eissing.org/icing/posts/curl-notifications/
[3] = https://curl.se/docs/manpage.html#--knownhosts
[4] = https://europeanopensource.academy/open-call-nominations-european-open-source-awards-2026
[5] = https://www.youtube.com/watch?v=RvnDvic2eaw
[6] = https://www.youtube.com/watch?v=OhTjgU7LIO0
[7] = https://curl.se/wcurl/
[8] = https://curl.se/mail/lib-2025-10/0009.html

-- 
/ daniel.haxx.se

From daniel at haxx.se Fri Oct 17 22:36:24 2025
From: daniel at haxx.se (Daniel Stenberg)
Date: Fri, 17 Oct 2025 22:36:24 +0200 (CEST)
Subject: [Daniel's week] October 17, 2025
Message-ID: <0008s0rn-03qq-85nq-s078-q48r228op103@unkk.fr>

Hello friends,

It is almost crazy how most weeks feel busy...

## AI reports

This week we eventually got through the entire list of reported potential issues generated by ZeroPath and Aisle. In total 809 issues, which resulted in about 15% confirmed problems we have fixed. We continue to work with both Joshua and Stanislav even after this first wave to see how we can improve curl further and maybe get those tools into our regular work process. We got access to ZeroPath and it has run a few more scans on the curl source code. The work is not done yet, even if I believe we have mostly done all the easy fixes now and there is a diminishing return. We will just have to see how this develops.

Joshua also guested on Josh Bressers' excellent podcast and talked about his process [3]. Slashdot woke up this week and also wrote about this [4].
## bugfixes

While the AI reports are not the only issues we have worked on lately, they have contributed a lot to the fact that we have merged way over 300 bugfixes so far in this release cycle, and we are already at an all-time record amount of fixes with still nineteen days to go until release!

## CI stats

This week we celebrate twelve years since the first ever CI jobs were added in curl and I extracted some stats from the last 30 days:

Tests executed per day: 1400019.4
Time spent running tests per day: 1087073 seconds/day (12.6 days/day)
Total clock time spent running tests: 32612201 seconds (377 days)
Average time spent running each test: 0.776 seconds/test
Number of git commits tested: 306

## host chart

A while ago I tried to create a flow chart showing decisions in curl on how it goes about selecting which hostname and which protocol to use when given a particular URL to work with, and this week I finally posted the blog post [2].

## CVSS

The old subject of CVSS scores was brought up again as The Register reached out and eventually published this article, "Vulnerability scores, huh, what are they good for? Almost nothing" [1], in which I'm quoted and my old blog post on the subject is linked.

## email

I received yet another strange email and it now became the 95th [5] in my ever-growing collection. If you check it out, I urge you to click the index link [6] and have a look at some of the other gems. It can be fun.

## HTTP/3 performance

With Stefan Eissing's latest performance tweaks for HTTP/3 in curl, the theoretical max transfer speed is now 1550 MB/s on my machine (at 100% CPU) with h2 doing 2464 MB/s and h1 at 3303 MB/s. With the server (nghttpx + apache httpd) also running on localhost. Measured when downloading 100MB chunks 50 times in 50 parallel downloads.

I say theoretical because the server can't quite keep up with the client on localhost for this particular test case. curl only uses 62% CPU when the server (proxy really) hits 100%.
## 108

The updated list of Operating Systems on which we know curl has been run now contains 108 different ones [7].

## Coming up

- Tuesday: an announcement happens
- Friday: a big event for me, revealed on Tuesday

## Links

[1] = https://www.theregister.com/2025/10/16/cve_cvss_scores_not_useful/
[2] = https://daniel.haxx.se/blog/2025/10/16/chart-which-host-which-protocol/
[3] = https://opensourcesecurity.io/2025/2025-10-ai-joshua-rogers/
[4] = https://developers.slashdot.org/story/25/10/12/0619247/ai-slop-not-this-time-ai-tools-found-50-real-bugs-in-curl
[5] = https://daniel.haxx.se/email/2025-10-11.html
[6] = https://daniel.haxx.se/email/toc.html
[7] = https://mastodon.social/@bagder/115390472558591073

-- 
/ daniel.haxx.se

From daniel at haxx.se Sat Oct 25 18:17:11 2025
From: daniel at haxx.se (Daniel Stenberg)
Date: Sat, 25 Oct 2025 18:17:11 +0200 (CEST)
Subject: [Daniel's week] October 25, 2025
Message-ID:

Hi friends!

This email might be a little shorter but man, the week must be longer!

## OsProgramadores

An interview [1] with me done back in September was posted on the OsProgramadores YouTube channel.

## OSS-fuzz

I've taken a closer look at some of our OSS-fuzz issues recently as I had let them linger for a little too long. It turned out that several of them were due to issues within OpenLDAP that I reported upstream and that should go away once we can switch to the next pending OpenLDAP release.

One of the issues was us not setting a "max memory" option in OpenLDAP, as it turns out that by default that library will allocate any amount of (32-bit) size memory the server asks it to. A bit surprising to me but apparently quite the way they want it, so we now set a low maximum instead. I figure we will have to see if any curl users actually ever use really large LDAP blobs.
We also ran into an OpenSSL bug that turned out to be part OpenSSL, part libcurl, so while I reported it upstream and they immediately reacted and fixed the problem, I also fixed it on our end, as it turned out we passed in a NULL pointer to an OpenSSL function when we should rather just fail before doing that...

With these issues corrected, or waiting on pending updates, we still have a few issues left open but they are more mysterious timeout ones etc. Nothing seems to be terribly pressing anyway.

## SADP

I was going to participate in a presentation at the "CVE CNA Workshop" this week to mostly express some doubts about the "Supplier ADP" proposal. The Authorized Data Publisher (ADP) is a role within the CVE system that allows "someone else" to populate data fields about a specific CVE. Most commonly used when CISA sets CVSS scores for CVEs that don't have them set otherwise (for example all curl CVEs).

The SADP role is a new proposal for CNAs to be able to add meta information about a CVE on how they are affected (or not) by that CVE. Microsoft can add a blob to a curl CVE that explains how Microsoft's curl installation is or is not affected by the CVE etc.

I've raised questions about the scale and more: there are literally thousands and thousands of products using curl, should they all be able to add data to curl CVEs? What about transient dependencies? Software that uses component X that uses curl, should they also add data to both X and curl? So I'm a skeptic.

Eventually, they changed the schedule at the last minute, which made the session run exactly when I had another meeting already scheduled since a while back, so I couldn't participate. Possibly just as well. I don't know if there is going to be a pilot for SADP. I don't believe in the concept.

## a medal

The Swedish Royal Academy of Engineering Science awards me a gold medal [3] for my work on curl.
This was publicly announced on Tuesday and on Friday I brought my whole family to participate in the award ceremony [4] in the Blue Hall in the Stockholm City Hall, perhaps somewhat known for hosting the annual Nobel Prize banquet. I don't think I can add much more here that I did not already write in those two blog posts about this. What an honor!

## slop

We added two more entries to the AI slop collection [2] this week.

## Coming up

## Links

[1] = https://youtu.be/86RseR6E9Xs
[2] = https://daniel.haxx.se/ai-slop
[3] = https://daniel.haxx.se/blog/2025/10/21/a-royal-gold-medal/
[4] = https://daniel.haxx.se/blog/2025/10/25/a-gold-ceremony-to-remember/

-- 
/ daniel.haxx.se

From daniel at haxx.se Fri Oct 31 16:35:38 2025
From: daniel at haxx.se (Daniel Stenberg)
Date: Fri, 31 Oct 2025 16:35:38 +0100 (CET)
Subject: [Daniel's week] October 31, 2025
Message-ID: <3835o14q-3n46-051n-s015-00psrr35pp80@unkk.fr>

Hi friends,

Another intense week reaches Friday and I offer you this little summary of things and activities from my point of view. Have a nice weekend!

## planets and medals

In the aftermath of the gold medal ceremony I participated in last week, I could not resist posting the medal vs planets graph on Mastodon [1]. The data clearly indicates there will be curl on a third planet already in a few years. :-)

I also followed up with a self-congratulatory video [9] where I show off most of the awards I have received so far for Open Source (curl really) work. Recorded from a live-stream of course, because I think that makes it more fun.

## LDAP test servers

In the last few weeks we have fixed LDAP related issues both because the AI code analyzers have pointed out flaws but also because OSS-Fuzz has proven that there were problems it could trigger. It actually even triggered a problem deep inside OpenLDAP that we have forwarded, so I believe at least three bugfixes in the pending next OpenLDAP release are flaws found via the curl OSS-Fuzzing.
This has of course brought up the issue of the bad LDAP testing in the curl test suite and I took the question about doing an LDAP server [2] for testing to the mailing list. LDAP is a complicated protocol and doing a "tiny" version for testing would be good, but it looks like a decent undertaking that no one has signed up for so far... I suppose partly also because LDAP is not a widely used protocol in curl land.

If this sounds like an interesting challenge to you, please speak up and let's see what we can do to improve LDAP in curl and LDAP testing in curl!

## trurl on Windows

Viktor Szakats announced [3] that starting this week, there is a trurl executable bundled in the curl for Windows [4] release zip files. This should make the tool much more accessible to users on this platform.

## Hackerone

We received six (!) security reports on Hackerone this week, out of which *three* were marked AI slop and we banned those reporters from our program [5] (and the other three were marked "not applicable"). It feels ironic that while we see how AI can be used for really good code analysis and detecting real problems with accuracy, we simultaneously keep getting the worst kind of AI slop.

Maybe the most special of the three slops this week is the person who insists he did not use AI but whose report still has a strong AI smell, making us not believe the claim [6]. As always, we cannot be 100% sure.

## 41K mastodon

I'm not sure exactly when it happened but I realized that I surpassed 40K followers on Mastodon and am now at 41K. I keep using primarily Mastodon [10] as my daily goto chit chat with friends and like-minded. Mostly posting about curl, open source and related things, and a lot of what I end up summarizing in my weekly email here has often at least partly been mentioned - or tested - on Mastodon. The sense of camaraderie and community is strong there.

I also post on LinkedIn [11] to a decent degree.
The 17K followers I have there seem to be a slightly different crowd and I get other feedback and comments there. My general idea is still to cover most of the week's actions in these emails, so if you also read my Mastodon or LinkedIn feeds, there might be a little overlap.

## 19 years of ABI

This week I was reminded (because I have such a feature enabled in my blog admin page) that it was exactly nineteen years since our last libcurl SONAME bump, meaning that we have kept the same ABI since then. Just one year left until the big two-oh.

Maintaining ABI compatibility is important to us. Even if I think sometimes users don't quite fully understand and appreciate the value they get out of it, I think it is a fundamental reason behind libcurl's success: everyone can always just transparently and *easily* upgrade to the next version of libcurl (and curl) without worries. I blogged about it last year [12].

## zero issues

I believe for the first time since we moved curl over to GitHub in 2010 we reached zero open issues this week [13]. No issues at all currently being worked on! It feels a little surreal.

It should be noted that we only keep issues open that someone cares about, meaning that issues that grow old without attention will get closed and moved to either the TODO [14] or the KNOWN_BUGS [15] documents. Still, the explanation behind this achievement is above all else hard work and dedication from the team, as we all prioritize taking care of issues and user problems, and there is commonly a will to fix underlying structural things rather than just fixing symptoms. We reduce issue frequency by adding more tests, by documenting more and by doing more stable architectural designs.

## nominate to awards

Remember to nominate your favorite heroes to the European Open Source Awards 2026 [17]. The persons in the community you think stand out, who make the projects work, who push on, who make a difference.
The awards ceremony itself is going to happen in Brussels in late January, the Thursday before FOSDEM.

Disclaimer: I was a winner of the award this year [16], and I am now the President of the European Open Source Academy, working with this award among other things.

## "chained" AIs

This week we got the first successful results in an interesting "chained" AI tooling use. As we have been using ZeroPath for a few weeks, and we are somewhat struggling with the flood of things it claims could potentially be wrong in curl, we have gotten help from Artiphishell. We provided Artiphishell with the plain English descriptions of a number of issues from ZeroPath and they then unleashed their AI tooling on those descriptions. Their tools managed to create reproducers for two of the issues, proving that the ZeroPath findings were accurate and possible to trigger in real life.

Of course, studying one of the reproducible cases then made us immediately dismiss it as working as intended and an exaggeration by ZeroPath, but the second one can potentially be a problem and we are now about to debug this case and see where it leads us. We also sent over a few other findings to see if Artiphishell can make more work for us.

In the meantime, Open AI announced Aardvark [18], which sounds like a tool working in the same space as Aisle and ZeroPath. I have signed up for beta access. After all, lots of the other tools are powered by Open AI.

## rc3

I put together and uploaded the third release candidate [19] for the pending curl 8.17.0 release, featuring more than 400 bugfixes and 11 changes since the last release. It seems to have been received mostly in silence without any specific reports or complaints, which of course can either be a good sign or perhaps people have just not tested it. I suppose we will get to know next week when the actual release ships.

## TIOBE TICS

Someone pointed out this thing to me.
The TIOBE TICS Quality Index scans the curl source code [20] and provides grades about it in several different subcategories as well as one total grade. It gives curl a D on an A-F scale where A is the best.

Looking closer at this thing, you soon realize it is beyond silly and I cannot fathom who can find this useful or that anyone at TIOBE believes this is a good thing. A subset of remarks I could find:

- it claims to know a code coverage percentage (how?)
- it warns on use of reserved identifiers when we ifdef on __symbols
- it thinks 'continue' is a bad thing in code
- it insists using relative paths for #include is bad code
- it yells because the source headers have the wrong copyright(?)
- it claims countless made up compiler warnings
- it dislikes expressions without braces, like for if()

Of course, this tool saying this has absolutely no relevance or importance for us. It's more like seeing a car crash; it fascinates me. And I bet someone out there actually thinks this tool works.

## CSAF

It was brought to my attention that there is a recent JSON format called Common Security Advisory Framework (CSAF) [8] and I casually asked on Mastodon [7] if this is a format we should care about for curl and generate CVE data with. My understanding from the responses is that it is a format used by (some) CVE consumers but it is questionable if we actually gain anything at all by offering it. For a little over two years we have already offered CVE data using the OSV JSON schema and we get virtually no feedback on that, suggesting it is not used widely.

Until I get some better indication of actual benefits for us, I'm going to hold off providing the data in CSAF as well. It's of course all Open Source already so it isn't difficult for someone else to implement this, should they feel a strong desire to have it. I presume it would just be a variant of the OSV generator code.
This is the script that generates the OSV JSON [24].

## sponsor

The absolutely best way to sponsor the curl project is to get your company to pay for support [21]. This is fundamentally what makes me able to do curl full time, and believe me, shockingly few companies actually contribute to their own future by chipping in a little something to that effect.

If a support contract is too much, the second best is to become a monthly curl sponsor on Open Collective [22] or GitHub sponsors [23]. No one in the curl project is getting rich on this, but we need funds to keep the machine running, to keep curl state of the art, secure and the internet transfer engine for the world that we want it to be.

## Coming up

- Tuesday: wcurl release
- Wednesday: curl 8.17.0 release
- Wednesday: curl release video live-stream (at 09:00 UTC)

## Links

[1] = https://mastodon.social/@bagder/115439930989819719
[2] = https://curl.se/mail/lib-2025-10/0045.html
[3] = https://github.com/curl/trurl/discussions/408
[4] = https://curl.se/windows/
[5] = https://gist.github.com/bagder/07f7581f6e3d78ef37dfbfc81fd1d1cd
[6] = https://hackerone.com/reports/3403880
[7] = https://mastodon.social/@bagder/115463901335261692
[8] = https://www.csaf.io/
[9] = https://youtu.be/GwG0-eO4ZsQ
[10] = https://mastodon.social/@bagder
[11] = https://www.linkedin.com/in/danielstenberg
[12] = https://daniel.haxx.se/blog/2024/10/30/eighteen-years-of-abi-stability/
[13] = https://mastodon.social/@bagder/115462201692786430
[14] = https://curl.se/docs/todo.html
[15] = https://curl.se/docs/knownbugs.html
[16] = https://daniel.haxx.se/blog/2025/02/03/european-open-source-achievement-award/
[17] = https://europeanopensource.academy/open-call-nominations-european-open-source-awards-2026
[18] = https://openai.com/index/introducing-aardvark/
[19] = https://curl.se/rc/
[20] = https://ticsdemo.tiobe.com/tiobeweb/DEMO/TqiDashboard.html#axes=Project(curl),Sub()&metric=tqi
[21] = https://curl.se/support.html
[22] = https://opencollective.com/curl
[23] = https://github.com/sponsors/curl
[24] = https://github.com/curl/curl-www/blob/master/docs/vuln2json.pl

-- 
/ daniel.haxx.se