[Daniel's week] October 10, 2025

Daniel Stenberg daniel at haxx.se
Fri Oct 10 17:10:17 CEST 2025 

Hello friends.

Another busy week celebrates Friday and here's what happened in my life:

## hacktoberfest

October used to be "Hacktoberfest" for several years but I asked around this
week and the interest for this once popular concept seems to simply not exists
anymore. This matches my own view of things and the fact that we haven't had
anyone asking about it the last few years. Presumbably partly because nowdays
the only thing you get for participating is a weird digital badge.

We used this as a hint and removed the hacktoberfest-accepted tag and the
associated scripting logic we had to set it on PRs that were merged during
October.

## more issues

I was going to write up a long summary here of what we did this week as we got
updates from last week's adventures with issues from AI tooling, but I instead
wrote it as a 2000+ word blog post named "A new breed of analyzers" [1].
Shorter email, longer blog post! :-)

## notify callback

As one of the last fetures merged during the feature window in this feature
window, we introduce "curl notifications" [2] when using the multi interface -
authored by Stefan Eissing.

Simply put, this offers callback to the application to let it know when there
is activity that needs attention on one of the ongoing transfers. It
simplifies the event loop and is also typically helps for performance.

We start out with just two available notifications but we are open for
introducing more in the future should this turn out popular.

## --knownhosts

It was requested and as it made perfect sense to me, I added `--knownhosts` as
the 273rd command line option to curl to allow users to specify a custom known
hosts file when doing SSH based operations [3].

It will ship in the pending 8.17.0 release for the first time.

## activity

Due to all the defects we have gotten reported we are well on track to lang
more bugfixes in this release cycle than we ever have before. After half the
period, we have over 230 bugs fixed.

This week we also surpassed 2024 in total number of commits done this within a
calendar year.

## feature freeze

Tomorrow we enter feature freeze for curl until the coming release. We have
eleven changes logged that we managed to land this time.

Tomorrow we also release release candidate one and from now we work on only
fixing

## European Open Source Awards 2026

This week the nomination process [4] for the 2026 version of the European Open
Source Awards opened. I hope you help us out and highlight at least one
European Open Source hero you can think of. I say 'us' as I am the president
of this organization at it is going to be my honor to participate in this
process and find a worthy winner. The award is going to be handed out in
Brussels on the Thursday before FOSDEM, January 29th 2026.

## wcurl talks my Samuel

Samuel Henrique is one of the Debian curl maintainers and one in the team
maintaining wcurl [7]. This week he published two videos from DebConf earlier
this year.

In "wcurl - on year later" he sums up what happened to wcurl this last year
[5] and the second "curl maintainers BoF" [6] is a recording of a discussion
talking about a lot of details with and around the curl package in Debian.
What needs to be done, how and what's next.

All good stuff for curl and/or Debian interested persons.

## silly curl use

"curl ascii.live/forrest"

## Drop Heimdal

As I fixed a memory leak this week I added a new test case to properly verify
the fix and make sure the problem won't easily come back in the future, only
to notice that I detected a *second* leak.

The second leak was within the Heimdal GSS-API/kerberos library; one of the
three libraries we support for GSS-API operations. I did a quick poll [8] and
not a single person spoke up or objected, so soon thereafter we dropped
Heimdal support. The upstream project has not had a commit in six months, have
hundreds of open issues and pull request and their badges on GitHub claims it
fails to build on all platforms. It does not instill confidence at all and I
think we are better off redirecting users to the MIT kerberos library instead
that keeps getting new releases and that doesn't trigger memory leaks.

There are also strong indications that the third GSS-API library, GNU GSS,
soon might face the same destiny as we see memory leaks with that one as
well - in a project without a commit done for three years...

## Coming up

- feture freeze and 8.17.0-rc1 tomorrow
- there are still pending reported issues to work on
- Monday: snaxx-45 where I drink beers with Stockholm based friends

## Links

[1] = https://daniel.haxx.se/blog/2025/10/10/a-new-breed-of-analyzers/
[2] = https://eissing.org/icing/posts/curl-notifications/
[3] = https://curl.se/docs/manpage.html#--knownhosts
[4] = https://europeanopensource.academy/open-call-nominations-european-open-source-awards-2026
[5] = https://www.youtube.com/watch?v=RvnDvic2eaw
[6] = https://www.youtube.com/watch?v=OhTjgU7LIO0
[7] = https://curl.se/wcurl/
[8] = https://curl.se/mail/lib-2025-10/0009.html

-- 

  / daniel.haxx.se

More information about the daniel mailing list