[Daniel's week] October 3, 2025

Daniel Stenberg daniel at haxx.se
Fri Oct 3 17:34:23 CEST 2025


Hello!

Another week has already passed and yeah, I managed to write many words about 
this one as well. Enjoy!

## Zagreb

I arrived in Zagreb on Saturday and spent the afternoon exploring the quite
lovely capital of Croatia.

Having the first talking slot on a Sunday morning when the conference
(EuroBSDCon [5]) had their social event the night before, with an open bar
that did not close until 4am, is perhaps not ideal.

I arrived a while before 9 (I even spent extra time circling the building
until I found the entrance) as my talk was scheduled to start 09:30. I met
friends, said hello, got a coffee and relaxed a bit before I entered room D1
to just double-check that my laptop would agree with the projector.

Inserted the projector HDMI cable. Get a pop-up on my screen and it clearly
detects the second screen. Nothing appears there. Fiddling with forcing the
projector resolution set to 1920x1080 at 30 Hz as per instruction - but
nothing. How about a reboot? Nope. Still nothing.

Oh, it's not actually the projector cable, it's the cable from the middle
video box sitting between my laptop and the projector. We then skipped the
middle box and tried the projector directly to make sure that worked: nope. It
did not. Now finally there was an explanation! According to the organizers
they had problems with it already yesterday and it had an impressive layer of
repair tape rolled around it to prove it. Luckily the venue had a separate
backup cable to the projector we then untangled, unrolled and... wait, it
doesn't fit the connector in the laptop? A closer inspection of the backup
cable revealed that the HDMI plug was damaged, like if someone had placed
something very heavy on it once. For a brief moment there were thoughts on
what could be done to roll out and insert a third, new, cable to the projector
in the ceiling but it was determined too dangerous and difficult - no ladder
in sight either. Now there was less than 10 minutes left until my talk would
start and an executive decision was quickly made: let's move to room D2 for
my keynote. It wouldn't solve the problem but it would give the organizers
some extra time to fix this problem for the talks coming later.

In room D2 maybe a hundred people or so in the audience sat down and yeah, the
image from my laptop showed up with no problems on that big screen and I could
start my presentation pretty much on time.

After my talk I spent a few more hours talking to people, handing out curl
stickers and doing the occasional selfies with friends and fans.

## AI

As the world moves in unpredictable ways, this week Hacker News [1] suddenly
picked up and reacted on one of my Mastodon posts from a few weeks ago [3]
about Joshua's set of issues in curl that he found using AI powered tools. As
a direct result of that, Tom Claburn on the Register found out about it and
after I replied a short comment to him he posted about the same thing on their
site [2].

We have kept in touch and Joshua mentioned that he plans on rerunning his set
of tools now after we merged so many fixes based on his initial report set.

It is of course going to be interesting, and I'm curious about how this will
work as with everything AI reproducibility is a challenge so I wonder how
easy/hard those tools are going to have to silence false positives or other
issues that we decide are not interesting/worth addressing.

After all, we have stopped using static analyzers in the past simply because
of their inability to silence issues.

Someone else also contacted me after having done similar work and has offered
sending me "10-100" issues that could possibly identify nits and problems.
I've agreed to this, so let's see where this takes us/me. I will of course
report on any progress in future emails.

## HackerOne

We have only received two security submissions on HackerOne [4] this week,
both deemed to not be security problems. Both have also been disclosed.

## release notes

I always have a rather large set of blog post embryos pending publication.
Ideas and concepts that could be made into a real post at some future point
and this week I picked up, dusted off and published this text about how I
maintain release notes for curl [6].

## Deprecating

We got a bug reported on the OpenSSL-QUIC backend this week and once fixed we
had a brief discussion about its use and future, which made me ask for fans of
this backend on the mailing list [13]. As not a single person spoke up or
showed interest in keeping or using this backend, we decided we should move
towards removing this instead [14]. Nowadays we can do QUIC with vanilla OpenSSL
using ngtcp2 instead, which is a better and more reliable solution.

When on the topic of removing code, we also decided to move up our removal
date for OpenSSL 1.1.1 to happen already in December 2025 instead of the later
date we previously communicated [15]. This makes the removals of OpenSSL 1.0.2
and 1.1.1 support happen at the same date. The decision to move the date is
partly motivated because exactly none of the commercial users of these
sponsors us to keep the support and there are no "free users" of these
versions anymore. So we decided to make our lives a little bit easier.

## Apple OS native CA

Since we dropped support for the native Apple TLS library Secure Transport a
few versions ago [9] people have been asking for a way to use the native CA
store on Apple operating systems (macOS, iOS, etc) - and this week we merged
this new PR [8] written by Stefan Eissing that brings exactly this ability to
the OpenSSL and GnuTLS backends. Stefan wrote about this change on his blog
[18].

I'm looking forward to hearing from people how this works out in real life.

## man page links

Someone pointed out that the web version of the curl man page [16] mentioned a
few libcurl man pages without linking to them. This took me into the weeds of
roffit, the script we use to convert nroff to HTML, so that we can tell it to
detect libcurl man pages and add the proper link to those in the output [17].

Once roffit was poked at and the new version was deployed on the web server, I
could fix the rendering and voila, now the man page on the website properly
links all mentions of libcurl man pages! This version is now live on the site.

When I looked through the curl man page for all references to libcurl man
pages I also realized that some of the references were rather unhelpful, as
users don't really want to chase around for the information so I worked a
little on moving more information into the man page to avoid referencing
elsewhere.

## podcast

Daniel Stenberg, Swedish Internet protocol expert and founder and lead
developer of the Curl project, speaks with SE Radio host Gavin Henry about
removing Rust from Curl. They discuss why Hyper was removed from curl, why the
last five percent of making it a success was difficult, what the project
gained from the 5-year attempt to tackle bringing Rust into a C project,
lessons learned for next time, why user support is critical, and the positive
long-lasting impact this attempt had.

Podcast episode [7].

## progress meter

Someone reported a possible integer overflow in the curl progress meter code
for parallel transfers: if the total amount of data is more than what fits in
a curl_off_t type (a signed 64-bit variable) it would potentially show crazy
numbers.

As I fixed this flaw, it got me thinking about downloading very large files
with curl and if people might actually reach this maximum limit at some point
in a not too distant future. The maximum size this progress meter can handle
right now is 8192 petabytes. I think that may suffice on a per-file basis for
the foreseeable future, but when curl does parallel downloads it shows the
total amount for all downloads and as you could easily do thousands of large
file downloads then, the maximum limit seems less remote. It got me thinking
about doing 128-bit math, at least for the parallel progress meter output.

That line of thinking made me realize I should improve the code to make it
possible to better expand beyond 64-bit [10]. As I was then already focused on
progress meters I also took a look at the "regular" progress meter shown on a
per-single-file-transfer basis, done by libcurl and realized it could use the
same kind of improvement. But also: I noticed that the progress meter
currently "wastes" space in the line by doing two spaces after each size
output! We can't have that - also at the same time realizing that it has been
done like this ever since curl was born. So I decided to take this opportunity
to improve the function and at the same time increase the amount of size data
shown, from five characters to six, for each displayed size on the line [11].
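
The overflow described in this section, summing per-transfer sizes into one signed 64-bit total, can be guarded with a checked addition that saturates instead of wrapping. This is an added example, not code from the email or from curl: `off64` stands in for `curl_off_t`, and the function names, the treatment of negative sizes and the sample values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for curl_off_t (a signed 64-bit type). */
typedef int64_t off64;
#define OFF64_MAX INT64_MAX

/* Add non-negative b to *sum. If the result would not fit, clamp *sum
   to OFF64_MAX and return 1; otherwise store the sum and return 0.
   The comparison is done before adding, so no signed overflow occurs. */
static int add_clamped(off64 *sum, off64 b)
{
  if(b > OFF64_MAX - *sum) {
    *sum = OFF64_MAX;
    return 1;
  }
  *sum += b;
  return 0;
}

/* Combined expected size of n parallel transfers. *overflowed is set to 1
   when the true total exceeds what a signed 64-bit value can hold. */
static off64 total_size(const off64 *sizes, size_t n, int *overflowed)
{
  off64 total = 0;
  size_t i;
  *overflowed = 0;
  for(i = 0; i < n; i++) {
    if(sizes[i] < 0)
      continue; /* assumption in this example: negative means unknown */
    if(add_clamped(&total, sizes[i]))
      *overflowed = 1;
  }
  return total;
}

int main(void)
{
  /* Constructed input: three transfers of 2^62 bytes each. */
  const off64 sizes[3] = { (off64)1 << 62, (off64)1 << 62, (off64)1 << 62 };
  int overflowed;
  off64 total = total_size(sizes, 3, &overflowed);
  printf("total=%lld saturated=%d\n", (long long)total, overflowed);
  return 0;
}
```

A display routine can use the saturation flag to show a marker rather than a wrapped, negative-looking number.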

## credits

Today is the nine year anniversary for my collection of "screenshotted curl
credits" [12] and at the very bottom of that overly large page you can find
today's additions: Sonic Racing: CrossWorlds and Saints Row: IV. As so often
with the recent additions to that page, those are two games.

## Coming up

- the final and third week the curl feature window is open

## Links

[1] = https://news.ycombinator.com/item?id=45449348
[2] = https://www.theregister.com/2025/10/02/curl_project_swamped_with_ai/
[3] = https://mastodon.social/@bagder/115241241075258997
[4] = https://hackerone.com/curl
[5] = https://2025.eurobsdcon.org/
[6] = https://daniel.haxx.se/blog/2025/10/01/how-i-maintain-release-notes-for-curl/
[7] = https://se-radio.net/2025/10/se-radio-688-daniel-stenberg-on-removing-rust-from-curl/
[8] = https://github.com/curl/curl/pull/18703
[9] = https://daniel.haxx.se/blog/2025/01/14/secure-transport-support-in-curl-is-on-its-way-out/
[10] = https://github.com/curl/curl/pull/18807
[11] = https://github.com/curl/curl/pull/18828
[12] = https://daniel.haxx.se/blog/2016/10/03/screenshotted-curl-credits/
[13] = https://curl.se/mail/lib-2025-10/0000.html
[14] = https://github.com/curl/curl/pull/18820
[15] = https://github.com/curl/curl/pull/18822
[16] = https://curl.se/docs/manpage.html
[17] = https://github.com/bagder/roffit/pull/51
[18] = https://eissing.org/icing/posts/curl-apple-sectrust/

-- 

  / daniel.haxx.se

