[Daniel's week] September 5, 2025

Fri Sep 5 23:11:40 CEST 2025

Hello my friends.

Another work week ends and things happened.

## rc3

I put together, signed and uploaded curl 8.16.0-rc3 [1] and it has not 
triggered any noticable blow-back and that feels good. Full steam ahead 
towards the proper release next week.

## DANE

The question about adding support for DANE was (again) brought up on the
mailing list [2]. I continue to be somewhat positive to the idea, but it of
course requires a well thought-out API that is then supported by good code and
a suite of tests.

If you have thoughts about DANE in curl, please share them with us.

## HTTP/3 proxy

The HTTP/3 proxy PR [3] that was brought to us the other week seems to have
staled immediately. We had some quick thoughts and comments on the giant
patch, but the author has not commented on anything since the initial
submission...

## man page per option graph

When I showed off the graph of the curl.1 man page size growth [4], some
people immediately responded that of course the man page grows when we add
options to the really interesting graph would be how large the man page is
*per supported option*.

So I added such a graph [5] of course.

I also added a graph for lines of production source code / project life time
[6]. It shows that we by now have added about 17 lines of code per day, and
that we have added more than 14 lines per day since 2007 or so.

## IRC documentary

I watched the excellent IRC documentary [7] made by the YouTube channel The
Serial Port, in which I get a thank you in the ending credits for the info I
provided to them for that.

I do have an IRC history document [8] lying around that I initially wrote some
twenty or so years ago.

## Dancer 4.16

In a follow-up chat on Mastodon about IRC I of course had to mention by work
in the IRC bot project called Dancer that we started in the mid-90s. I then
noticed that the Dancer source code really wasn't easily accessible and I
figured I should put it up in a GitHub repository for the fun of it.

As I had downloaded the full CVS zip off Sourceforge, I did a quick look
around for the current best CVS-to-git converter only to learn that they seem
to mostly have gone by now. Not a single one in Debian and the top hit on
Google didn't resolve. Sure, I could dig deeper but I couldn't be bothered so
I instead did a slightly lamer take: I imported the last published Dancer
version, the 4.16, into a fresh git repo, published that [10] and then
archived that.

At least that now puts the Dancer code "out there" in case someone ever wants
to have a quick peak on the embarrassing state of code I co-wrote in the 1990s.

## summit photos

Linux Foundation posted a bunch of photos from the Open Source Summit Europe
[11] and yours truly was one eight or so of them. I believe the videos from
the presentations are presumed to become available next week.

## HackerOne

We received three security reports against curl this week. At least one of
them was a genuine bug that could lead to a crash, but in the end we concluded
that none of them were security vulnerabilities.

You can always check out our stream of disclosed reports [12] if you are
curious and want to check out all the details. We disclose all security
reports once they are closed. For maximum transparency.

## output all Location: headers

We got an interesting suggestion for the command line tool: add a way to show
*all* response headers of a specific name instead of just one [13]. The example
in the request is the set of `Location:` headers when you ask curl to follow
redirects.

A fair idea I think and libcurl already offers the API for it. We just need to
teach curl how to extract and present that data sensibly...

## license violation

It was reported that Digital Extremes, a Canadian video game developer, seems
to be violating the curl license when they ship games that use curl [14].

Let's presume good intentions, but there really is very little we can do when
things like this happen. Someone has contacted them about the omission so we
can now only hope that they will learn and adapt.

## EuroBSDCon

I will be in Zagreb Croatia, and keynote on September 28 at EuroBSDCon[15].
Come say hi and get some curl sticker from me.

## major incident handling

Back at the curl up 2025 meeting in Prague earlier this year, we did an
exercise and follow-up discussion around how curl should and could manage a
"major incident". The general conclusion was that we should try to get some
thoughts down on a plan if the worst possible level of incident ever occurs.

This week, Jim Fuller provided a PR [16] with this documentation. Or perhaps it
is just the beginning of one, but then again what is ever completed?

## Coming up

- Wednesday: curl 8.16.0 release
- Wednesday: live-streamed release presentation video
- Friday: award ceremony for "Developer of the year" - I'm one of three nominees

## Links

[1] = https://curl.se/rc/
[2] = https://curl.se/mail/lib-2025-09/0000.html
[3] = https://github.com/curl/curl/pull/18331
[4] = https://curl.se/dashboard1.html#curl-man-page-size
[5] = https://curl.se/dashboard1.html#curl-man-size-per-option
[6] = https://curl.se/dashboard1.html#source-code-lines-per-day
[7] = https://youtu.be/6UbKenFipjo?si=yAqKQmKw7Wra32ee
[9] = https://daniel.haxx.se/irchistory.html
[10] = https://github.com/bagder/dancer-416
[11] = https://www.flickr.com/photos/linuxfoundation/albums/72177720326763914/with/54745946515
[12] = https://hackerone.com/curl/hacktivity?type=team
[13] = https://github.com/curl/curl/discussions/18449
[14] = https://github.com/curl/curl/discussions/18474
[15] = https://2025.eurobsdcon.org/
[16] = https://github.com/curl/curl/pull/18483

-- 

  / daniel.haxx.se