[Daniel's week] September 19, 2025
Daniel Stenberg
daniel at haxx.se
Fri Sep 19 16:05:40 CEST 2025
Hello friends.
This particular edition of my weekly emails is sent to 389 receivers. I think
it might even be a few lines longer than normal...
## security work
The security issues this week have been plentiful, ranging from the worst
kinds of AI slop with reproducible code that doesn't even use curl (twice!) to
multiple super accurate and detailed high quality reports. Most of the latter
kind from Joshua Rogers.
I have subsequently updated the AI slop list [1] and banned a few more
reporters from our HackerOne instance. Fortunately, most of the real reports
have turned out to be of the benign kinds resulting in a whole series of pull
requests. As I write this, we are still at no confirmed known security
problems in 8.16.0.
I did get a reply back from HackerOne the other day and I hope that our
ongoing (albeit very slow) discussion can lead to tweaks and adjustments that
will help us reduce the slop tsunami.
## dodged a security issue
One of the more serious reports this week was in the krb5-ftp code and we
basically had it confirmed when we also realized that another bug made the
entire thing not work!
I instead switched it around and decided we can yank the entire krb5-ftp
support [3]. Phew, that was close. Also, getting rid of almost 1,000 lines of
code is not bad.
## AI tooling
Joshua told me that his activity spike this week was powered by a set of AI
tools [16], clearly proving that we can get valuable help and data from such
things when in the hands of the correct people. His set of tools, when told to
dig through the curl source code, generated a huge set of potential problems
like any ordinary static code analyzer does. He generously sent over the
entire collection and I have now started to wade through it. It is curious
that we frequently run the curl code through at least three different static
code analyzers, but still here's a list of several hundred potential nits...
## how to make a CVE
I did an interview [7] over email this week with Help Net Security, and as I
then wrote up a rather lengthy explanation of the curl CVE process I figured I
would take the opportunity and reuse that text as a blog post as well [8]. The
version on my blog is based on a part of the interview but is modified a bit.
## regressions
We have received a set of confirmed regressions in the 8.16.0 release but
after careful deliberations we have concluded that at this point, none of them
have been serious or bad enough to warrant a patch release.
I mentioned two of the regressions on the curl-distros mailing list [5].
## pthread_cancel
One of the bigger disappointments in the 8.16.0 release is the realization
that `pthread_cancel()` is a hopeless function to use the way we wanted to. We
hope that this problem won't hurt too many users and have reverted that
decision in git now. Stefan wrote a blog post with the details [15].
## Feature window
The curl feature window opens tomorrow Saturday September 20 and will stay
open for the next three weeks. Let's merge good stuff.
## CA store defaults
Stefan Eissing kicked off a discussion around the details on what CA store
curl should use by default in certain conditions and environments [6] as he
works on introducing support for the "Apple SecTrust" store - the one that
Apple themselves ships and maintains for their operating systems.
Support for the native CA on Apple OS has been a requested feature since we
dropped support for Secure Transport in curl 8.15.0. Ideally we get this done
in time to ship in 8.17.0, but I think we rather get this done correctly than
quick.
## man page
I posted a public request on Mastodon: tell me if there is anything in any
curl documentation that you're missing [9].
One of the replies there mentioned that they wanted the web version of the man
page [12] to also offer anchors to the long versions of the options and not
just the short versions as it worked currently. Meaning that you could go
directly to `manpage.html#-d` but not to `manpage.html#--data` even though
both are valid option names (for the same thing).
A fair request I thought, partly because I have had that thought myself in the
past and have mostly just deflected that to avoid the work. With someone else
asking for it I got to work on it:
I first improved roffit [10] to correctly add the anchors in generated HTML,
and I felt I had to make a new release [11] of it while there so that we can
document that roffit 0.17 is required.
With the new roffit version installed on the server the anchors in the HTML
for long options started to work.
Then it struck me: we generate the curl.1 man page to always show options as
"short + long version" for the options that have both. A primary reason we did
it this way is because of that lack of long name anchors in the web version,
because otherwise they would not link correctly. So as the long names now work
to link to, I then made the man page generator script for curl stop showing
both short + long options in the output for all mentions of a specific option
and instead only use the long version [13].
This may sound complicated, but in reality it goes like this: previously when
the man page documentation would mention `--data` in text, the rendered man
page would show it as `-d, --data`. That could at times be a bit of an eyesore
and ugly. With my update, it now instead renders as just `--data`. It makes the
regular man page easier on the eye and the links on the web version still
work. Not too shabby.
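To make the anchor and rendering change above concrete, here is an added Python illustration. It is not roffit's or curl's own code: the HTML markup, the function names, the sample option headers and the "old mode" that anchors only the first name are my assumptions, written to mirror the behaviour described in the text (an anchor for each of `-d` and `--data`, text mentions rendered as just `--data`, and a check that every long option mentioned still has an anchor to link to).

```python
import re
from html import escape

# Constructed sample option headers in the style the curl man page uses:
# "short, long <arg>" when both forms exist, otherwise only the long form.
SAMPLE_OPTION_HEADERS = [
    "-d, --data <data>",
    "--data-raw <data>",
    "-H, --header <header>",
    "-o, --output <file>",
]

# Constructed sample paragraph mentioning options the old way (short + long).
SAMPLE_TEXT = (
    "Use -d, --data to send a POST body; -H, --header adds a request header "
    "and --data-raw behaves like -d, --data but keeps any leading @ literal."
)

# "-d, --data" style pairs in running text, and bare long option names.
OPTION_PAIR = re.compile(r"(-[A-Za-z0-9]),\s+(--[a-z0-9-]+)")
LONG_OPTION = re.compile(r"(?<![\w-])--[a-z][a-z0-9-]*")


def option_names(header):
    """Names in a header line: '-d, --data <data>' -> ['-d', '--data']."""
    names = []
    for token in header.split():
        if not token.startswith("-"):
            break  # the argument placeholder ends the list of names
        names.append(token.rstrip(","))
    return names


def option_anchors_html(header, long_anchors=True):
    """Render one option header as HTML with an anchor per name, so both
    #-d and #--data resolve. With long_anchors=False only the first name is
    anchored, an assumed approximation of the pre-0.17 behaviour."""
    names = option_names(header)
    if not long_anchors:
        names = names[:1]
    anchors = "".join(f'<a id="{escape(n)}"></a>' for n in names)
    return f'<p class="option">{anchors}<code>{escape(header)}</code></p>'


def render_options(headers, long_anchors=True):
    """Render a list of option headers as one HTML fragment."""
    return "\n".join(option_anchors_html(h, long_anchors) for h in headers)


def prefer_long_form(text):
    """Rewrite every 'short, long' mention to just the long name."""
    return OPTION_PAIR.sub(r"\2", text)


def anchor_ids(html):
    """Set of anchor ids present in a rendered HTML fragment."""
    return set(re.findall(r'<a id="([^"]+)"></a>', html))


def unresolved_links(text, html):
    """Long option names mentioned in text that have no anchor in html,
    i.e. links that would silently stop working on the web version."""
    mentioned = set(LONG_OPTION.findall(text))
    return sorted(mentioned - anchor_ids(html))


if __name__ == "__main__":
    new_text = prefer_long_form(SAMPLE_TEXT)
    new_html = render_options(SAMPLE_OPTION_HEADERS)
    old_html = render_options(SAMPLE_OPTION_HEADERS, long_anchors=False)
    print(new_text)
    print("missing with long anchors:", unresolved_links(new_text, new_html))
    print("missing with short-only anchors:", unresolved_links(new_text, old_html))
```

Run as a script it prints the rewritten paragraph, an empty list for the new rendering and `['--data', '--header']` for the old one, which is exactly the breakage the man page generator used to avoid by always spelling out `-d, --data`.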
The number of the week would probably be that the ASCII version of the curl
man page is now at 37,720 words!
## graph
I did not make any new graph this week, but one that might be worth noticing
this week is the number of commits per year one [14] as it now shows that we
have already done more commits during 2025 (2138) than in any other year
before except 2024 (2433).
## OpenSSL 1.1.1
Since not a single company has stepped up and offered to pay for support to
make us keep OpenSSL 1.1.1 support around, we might now instead drop it
already in December 2025 instead of next year as we previously planned. The
final decision on this new plan has not yet been made. Ideally a few sponsors
appear to make us change our minds.
## Barcelona
I will go to Barcelona on Monday afternoon to attend the European Open Source
Academy meetup there on Tuesday and fly back home again first thing early
Wednesday.
## cURL vs KI
When I attended FrOSCon in Bonn back in August I did an interview with Keywan
Tonekaboni for a German publication, and this week that was published in
print. The article is titled "cURL vs. KI" and is supposedly in the c't
magazine 20/25 on page 126. "KI" is how they write AI in German.
The article seems to exist online behind a paywall [4].
## EuroBSDCon
I will be in Zagreb, Croatia, and keynote on September 28 at EuroBSDCon [2].
Come say hi and get some curl stickers from me.
## Coming up
- Saturday: the curl feature window opens
- Monday-Wednesday: ruined by travels
- merge new features
## Links
[1] = https://daniel.haxx.se/ai-slop
[2] = https://2025.eurobsdcon.org/
[3] = https://daniel.haxx.se/blog/2025/09/19/bye-bye-kerberos-ftp/
[4] = https://www.heise.de/select/ct/2025/20/2523710465191752041
[5] = https://curl.se/mail/distros-2025-09/0001.html
[6] = https://github.com/curl/curl/discussions/18567
[7] = https://www.helpnetsecurity.com/2025/09/18/daniel-stenberg-running-curl-project/
[8] = https://daniel.haxx.se/blog/2025/09/18/from-suspicion-to-published-curl-cve/
[9] = https://mastodon.social/@bagder/115214576351964839
[10] = https://daniel.haxx.se/projects/roffit/
[11] = https://github.com/bagder/roffit/releases/tag/0.17
[12] = https://curl.se/docs/manpage.html
[13] = https://github.com/curl/curl/pull/18580
[14] = https://curl.se/dashboard1.html#commits-per-year
[15] = https://eissing.org/icing/posts/rip_pthread_cancel/
[16] = https://joshua.hu/llm-engineer-review-sast-security-ai-tools-pentesters
--
/ daniel.haxx.se