[Daniel's week] October 25, 2025
Daniel Stenberg
daniel at haxx.se
Sat Oct 25 18:17:11 CEST 2025
Hi friends!
This email might be a little shorter but man the week must be longer!
## OsProgramadores
An interview [1] with me done back in September was posted on the
OsProgramadores YouTube channel.
## OSS-fuzz
I've taken a closer look at some of our OSS-fuzz issues recently as I had let
them linger for a little too long.
It turned out that several of them were due to issues within OpenLDAP that I
reported upstream that should go away once we can switch to the next pending
OpenLDAP release.
One of the issues was us not setting a "max memory" option in OpenLDAP as it
turns out that by default that library will allocate any amount of (32-bit)
size memory the server asks it to. A bit surprising to me but apparently quite
the way they want it so we now set a low maximum instead. I figure we will
have to see if any curl users actually ever use really large LDAP blobs.
We also ran into an OpenSSL bug that turned out to be part OpenSSL part
libcurl, so while I reported it upstream and they immediately reacted and
fixed the problem, I also fixed it in our end as it turned out we passed in a
NULL pointer to an OpenSSL function when we should rather just fail before
doing that...
With these issues corrected, or waiting pending updates, we still have a few
issues left open but they are more mysterious timeout ones etc. Nothing seems
to be terribly pressing anyway.
## SADP
I was going to participate in a presentation at the "CVE CNA Workshop" this
week, mostly to express some doubts about the "Supplier ADP" proposal.
The Authorized Data Publisher (ADP) is a role within the CVE system that
allows "someone else" to populate data fields about a specific CVE. Most
commonly used when CISA sets CVSS scores for CVEs that don't have them set
otherwise (for example all curl CVEs).
The SADP role is a new proposal for CNAs to be able to add meta information
about a CVE on how they are affected (or not) by that CVE. Microsoft can add a
blob to a curl CVE that explains how Microsoft's curl installation is or is
not affected by the CVE etc.
I've raised questions about the scale and more: there are literally thousands
and thousands of products using curl, should they all be able to add data to
curl CVEs? What about transient dependencies? Software that uses component X
that uses curl, should they also add data to both X and curl?
So I'm a skeptic.
Eventually, they changed the schedule at the last minute which made the
session run exactly when I had another meeting already scheduled since a while
back so I couldn't participate. Possibly just as well.
I don't know if there is going to be a pilot for SADP. I don't believe in the
concept.
## a medal
The Swedish Royal Academy of Engineering Science has awarded me a gold medal [3]
for my work on curl. This was publicly announced on Tuesday and on Friday I
brought my whole family to participate in the award ceremony [4] in the Blue
Hall in the Stockholm City Hall, perhaps somewhat known for where they host
the annual Nobel Prize banquet.
I don't think I can add much more here that I did not already write in those
two blog posts about this. What an honor!
## slop
We added two more entries to the AI slop collection [2] this week.
## Coming up
## Links
[1] = https://youtu.be/86RseR6E9Xs
[2] = https://daniel.haxx.se/ai-slop
[3] = https://daniel.haxx.se/blog/2025/10/21/a-royal-gold-medal/
[4] = https://daniel.haxx.se/blog/2025/10/25/a-gold-ceremony-to-remember/
--
/ daniel.haxx.se