[Daniel's week] October 31, 2025
Daniel Stenberg <daniel at haxx.se>
Fri Oct 31 16:35:38 CET 2025

Hi friends,
Another intense week reaches Friday and I offer you this little summary of 
things and activities from my point of view. Have a nice weekend!
## planets and medals
In the aftermath of the gold medal ceremony I participated in last week, I
could not resist posting the medal vs planets graph on Mastodon [1]. The
data clearly indicates there will be curl on a third planet already in a few
years. :-)
I also followed up with a self-congratulatory video [9] where I show off most
of the awards I have received so far for Open Source (curl really) work.
Recorded from a live-stream of course, because I think that makes it more fun.
## LDAP test servers
In the last few weeks we have fixed LDAP related issues both because the AI
code analyzers have pointed out flaws but also because OSS-Fuzz has proven
that there were problems it could trigger. It actually even triggered a problem
deep inside OpenLDAP that we have forwarded so I believe at least three
bugfixes in the pending next OpenLDAP release are flaws found via the curl
OSS-Fuzzing.
This has of course brought up the issue of the bad LDAP testing in the curl
test suite and I took the question about doing an LDAP server [2] for testing
to the mailing list. LDAP is a complicated protocol and doing a "tiny" version
for testing would be good but it looks like a decent undertaking that no one has
signed up for so far...
I suppose partly also because LDAP is not a widely used protocol in curl land.
If this sounds like an interesting challenge to you, please speak up and let's
see what we can do to improve LDAP in curl and LDAP testing in curl!
## trurl on Windows
Viktor Szakats announced [3] that starting this week, there is a trurl
executable bundled in the curl for Windows [4] release zip files. This should
make the tool much more accessible to users on this platform.
## HackerOne
We received six (!) security reports on HackerOne this week, out of which
*three* were marked AI slop and we banned those reporters from our program [5]
(and the other three were marked "not applicable"). It feels ironic that while
we see how AI can be used for really good code analysis and detecting real
problems with accuracy, we simultaneously keep getting the worst kind of AI
slop.
Maybe the most special of the three slops this week is the person that insists
he did not use AI but that still has a strong AI smell making us not believe
their claim [6]. As always, we cannot be 100% sure.
## 41K mastodon
I'm not sure exactly when it happened but I realized that I surpassed 40K
followers on Mastodon and now 41K.
I keep using primarily Mastodon [10] as my daily go-to chit-chat with friends
and like-minded. Mostly posting about curl, open source and related things and
a lot of what I end up summarizing in my weekly email here has often at least
partly been mentioned - or tested - on Mastodon. The sense of camaraderie and
community is strong there.
I also post on LinkedIn [11] to a decent degree. The 17K followers I have
there seem to be a slightly different crowd and I get other feedback and
comments there.
My general idea is still to cover most of the week's actions in these emails,
so if you also read my Mastodon or LinkedIn feeds, there might be a little
overlap.
## 19 years of ABI
This week I was reminded (because I have such a feature enabled in my blog
admin page) that it was exactly nineteen years since our last libcurl SONAME bump,
meaning that we have kept the same ABI since then. Just one year left until
the big two-oh.
Maintaining ABI compatibility is important to us. Even if I think sometimes
users don't quite fully understand and appreciate the value they get out of
it, I think it is a fundamental reason behind libcurl's success: everyone can
always just transparently and *easily* upgrade to the next version of libcurl
(and curl) without worries.
I blogged about it last year [12].
## zero issues
I believe for the first time since we moved curl over to GitHub in 2010 we
reached zero open issues this week [13]. No issues at all currently being
worked on! It feels a little surreal.
It should be noted that we only keep issues open that someone cares about,
meaning that issues that grow old without attention will get closed and moved
to either the TODO [14] or the KNOWN_BUGS [15] documents.
Still, the explanation behind this achievement is above all else hard work and
dedication from the team as we all prioritize taking care of issues and user
problems, and there is commonly a will to fix underlying structural things
rather than just fixing symptoms. We reduce issue frequency by adding more
tests, by documenting more and by doing more stable architectural designs.
## nominate to awards
Remember to nominate your favorite heroes to the European Open Source Awards
2026 [17]. The persons in the community you think stand out, who make the
projects work, who push on, who make a difference.
The awards ceremony itself is going to happen in Brussels in late January, the
Thursday before FOSDEM.
Disclaimer: I was a winner of the award this year [16], and I am now the
President of the European Open Source Academy, working with this award
among other things.
## "chained" AIs
This week we got the first successful results in an interesting "chained" AI
tooling use.
As we have been using ZeroPath for a few weeks, and we are somewhat struggling
with the flood of things it claims could potentially be wrong in curl, we have
gotten help by Artiphishell.
We provided Artiphishell with the plain English descriptions of a number of
issues from ZeroPath and they then unleashed their AI tooling on those
descriptions. Their tools managed to create reproducers for two of the issues,
proving that the ZeroPath findings were accurate and possible to trigger in
real life.
Of course, studying one of the reproducible cases then made us immediately
dismiss it as working as intended and it was an exaggeration by ZeroPath, but
the second one can potentially be a problem and we are now about to debug this
case and see where it leads us. We also sent over a few other findings to see
if Artiphishell can make more work for us.
In the meantime, OpenAI announced Aardvark [18], which sounds like a tool
working in the same space as Aisle and ZeroPath. I have signed up for beta
access. After all, lots of the other tools are powered by OpenAI.
## rc3
I put together and uploaded the third release candidate [19] for the pending
curl 8.17.0 release, featuring more than 400 bugfixes and 11 changes since the
last release.
It seems to have been received mostly in silence without any specific reports
or complaints, which of course can either be a good sign or perhaps people
have just not tested it. I suppose we will get to know next week when the
actual release ships.
## TIOBE TICS
Someone pointed out this thing to me. The TIOBE TICS Quality Index scans the
curl source code [20] and provides grades about it in several different
subcategories as well as one total grade. It gives curl a D on an A-F scale
where A is the best.
Looking closer at this thing, you soon realize it is beyond silly and I cannot
fathom who can find this useful or that anyone at TIOBE believes this is a
good thing.
A subset of remarks I could find:
  - it claims to know a code coverage percentage (how?)
  - it warns on use of reserved identifiers when we ifdef on __symbols
  - it thinks 'continue' is a bad thing in code
  - it insists using relative paths for #include is bad code
  - it yells because the source headers have the wrong copyright(?)
  - it claims countless made up compiler warnings
  - it dislikes expressions without braces, like for if()
Of course, this tool saying this has absolutely no relevance or importance for
us. It's more like seeing a car crash; it fascinates me. And I bet someone out
there actually thinks this tool works.
## CSAF
It was brought to my attention that there is a recent JSON format called
Common Security Advisory Framework (CSAF) [8] and I casually asked on Mastodon
[7] if this is a format we should care about for curl and generated CVE data
with.
My understanding from the responses is that it is a format used by (some) CVE
consumers but it is questionable if we actually gain anything at all by
offering it. For a little over two years we have already offered CVE data using the
OSV JSON schema and we get virtually no feedback on that, suggesting it is not
used widely.
Until I get some better indication on actual benefits for us, I'm going to
hold off providing the data in CSAF as well. It's of course all Open Source
already so it isn't difficult for someone else to implement this, should they
feel a strong desire to have it. I presume it would just be a variant of the
OSV generator code.
This is the script that generates the OSV JSON [24].
## sponsor
The absolutely best way to sponsor the curl project is to get your company to
pay for support [21]. This is fundamentally what makes me able to do curl full
time, and believe me it is shockingly few companies who actually contribute to
their own future by chipping in a little something to that effect.
If a support contract is too much, the second best is to become a monthly curl
sponsor on Open Collective [22] or GitHub sponsors [23].
No one in the curl project is getting rich on this, but we need funds to keep
the machine running, to keep curl state of the art, secure and the internet
transfer engine for the world that we want it to be.
## Coming up
- Tuesday: wcurl release
- Wednesday: curl 8.17.0 release
- Wednesday: curl release video live-stream (at 09:00 UTC)
## Links
[1] = https://mastodon.social/@bagder/115439930989819719
[2] = https://curl.se/mail/lib-2025-10/0045.html
[3] = https://github.com/curl/trurl/discussions/408
[4] = https://curl.se/windows/
[5] = https://gist.github.com/bagder/07f7581f6e3d78ef37dfbfc81fd1d1cd
[6] = https://hackerone.com/reports/3403880
[7] = https://mastodon.social/@bagder/115463901335261692
[8] = https://www.csaf.io/
[9] = https://youtu.be/GwG0-eO4ZsQ
[10] = https://mastodon.social/@bagder
[11] = https://www.linkedin.com/in/danielstenberg
[12] = https://daniel.haxx.se/blog/2024/10/30/eighteen-years-of-abi-stability/
[13] = https://mastodon.social/@bagder/115462201692786430
[14] = https://curl.se/docs/todo.html
[15] = https://curl.se/docs/knownbugs.html
[16] = https://daniel.haxx.se/blog/2025/02/03/european-open-source-achievement-award/
[17] = https://europeanopensource.academy/open-call-nominations-european-open-source-awards-2026
[18] = https://openai.com/index/introducing-aardvark/
[19] = https://curl.se/rc/
[20] = https://ticsdemo.tiobe.com/tiobeweb/DEMO/TqiDashboard.html#axes=Project(curl),Sub()&metric=tqi
[21] = https://curl.se/support.html
[22] = https://opencollective.com/curl
[23] = https://github.com/sponsors/curl
[24] = https://github.com/curl/curl-www/blob/master/docs/vuln2json.pl
-- 
  / daniel.haxx.se