[Daniel's week] October 17, 2025

Daniel Stenberg daniel at haxx.se
Fri Oct 17 22:36:24 CEST 2025


Hello friends,

It is almost crazy how most weeks feel busy...

## AI reports

This week we eventually got through the entire list of reported potential
issues generated by ZeroPath and Aisle. In total 809 issues that resulted in
about 15% confirmed problems we have fixed.

We continue to work with both Joshua and Stanislav even after this first wave
to see how we can improve curl further and maybe get those tools into our
regular work process.

We got access to ZeroPath and it has run a few more scans on the curl source
code. The work is not done yet, even if I believe we have mostly done all the
easy fixes now and there is a diminishing return. We will just have to see how
this develops.

Joshua also guested Josh Bressers on his excellent podcast and talked about
his process [3].

Slashdot woke up this week and also wrote about this [4].

## bugfixes

While the AI reports are not the only issues we have worked on lately, they
have contributed a lot to the fact that we have merged way over 300 bugfixes
so far in this release cycle and we are already at an all-time record amount
of fixes with still nineteen days to go until release!

## CI stats

This week we celebrate twelve years since the first ever CI jobs were added in
curl and I extracted some stats from the last 30 days:

   Tests executed per day: 1400019.4
   Time spent running tests per day: 1087073 seconds/day (12.6 days/day)
   Total clock time spent running tests: 32612201 seconds (377 days)
   Average time spent running each test: 0.776 seconds/test
   Number of git commits tested: 306

## host chart

A while ago I tried to create a flow chart showing decisions in curl on how it
goes about selecting which hostname and which protocol to use when given a
particular URL to work with, and this week I finally posted the blog post [2].

## CVSS

The old subject of CVSS scores was brought up again as The Register reached
out and eventually published this article "Vulnerability scores, huh, what
are they good for? Almost nothing" [1], in which I'm quoted and my old blog
post on the subject is linked.

## email

I received yet another strange email and it now became the 95th [5] in my
ever-growing collection.

If you check it out, I urge you to click the index link [6] and have a look at
some of the other gems. It can be fun.

## HTTP/3 performance

With Stefan Eissing's latest performance tweaks for HTTP/3 in curl, the
theoretical max transfer speed is now 1550 MB/s on my machine (at 100% CPU)
with h2 doing 2464 MB/s and h1 at 3303 MB/s. With the server (nghttpx + apache
httpd) also running on localhost.

Measured when downloading 100MB chunks 50 times in 50 parallel downloads.

I say theoretical because the server can't quite keep up with the client on
localhost for this particular test case. curl only uses 62% CPU when the
server (proxy really) hits 100%.

## 108

The updated list of Operating Systems on which we know curl has been run
now contains 108 different ones [7].

## Coming up

- Tuesday: an announcement happens
- Friday: a big event for me, revealed on Tuesday

## Links

[1] = https://www.theregister.com/2025/10/16/cve_cvss_scores_not_useful/
[2] = https://daniel.haxx.se/blog/2025/10/16/chart-which-host-which-protocol/
[3] = https://opensourcesecurity.io/2025/2025-10-ai-joshua-rogers/
[4] = https://developers.slashdot.org/story/25/10/12/0619247/ai-slop-not-this-time-ai-tools-found-50-real-bugs-in-curl
[5] = https://daniel.haxx.se/email/2025-10-11.html
[6] = https://daniel.haxx.se/email/toc.html
[7] = https://mastodon.social/@bagder/115390472558591073

-- 

  / daniel.haxx.se

