[Daniel's week] September 26, 2025
Daniel Stenberg
daniel at haxx.se
Fri Sep 26 17:11:37 CEST 2025
Hello friends!
Another week ends.
## 400+ subscribers
I'm delighted to see and tell you that there are now more than four hundred
subscribers of this weekly email. Four hundred other like-minded peeps. Not
bad! I will try my very best to keep delivering.
## Barcelona
This week I started off with a meeting at the Barcelona Supercomputing Center
in Spain where we primarily welcomed new members into the European Open Source
Academy (EOSA). We had a full day of discussions and during lunch we got a fun
look at MareNostrum 5 [4], their supercomputer that once rated 11th of the
top-500, now apparently "only" number 14. This huge 4 megawatt installation
has a fair amount of blinking LEDs that satisfied the audience.
During lunch we had a mini-ceremony where the academy members present in the
room were given certificates stating our individual memberships in the academy.
Slightly amusing for my own sake is that the certificates are signed by me,
which thus makes my certificate self-signed [5].
## Opinion
Lovely timed with me being in Barcelona, I got an "opinion piece" posted on
thenextweb [6] about "The EU’s €2T budget overlooks a key tech pillar: Open
source". I want to be honest and mention that while it only has my name in the
byline, it was a team effort and we were actually several people involved from
the EOSA in writing this. Probably explains why it is worded so nicely.
The gist of the article is basically the same that I have already blogged
about [7].
## Joshua's issues
We (primarily Stefan Eissing and myself) kept iterating through the huge list
of potential curl issues we got from Joshua Rogers last week. We received the
issues provided in five separate "sarif" files. Sarif (Static Analysis Results
Interchange Format) is a somewhat new JSON file standard for static analysis
results but there is not a lot of tooling around for working with them
conveniently. For example, there is no way to import the set of issues to
GitHub which would've been an excellent way to collaborate. This, in spite of
the fact that most proponents and standard people involved in this are from
Microsoft. I instead ended up screenshotting selected items from a web based
sarif browser and pasting into a shared document.
I've also suitably poked my GitHub contacts about this feature request of
mine.
We have now at last gone through the entire list and as I write this, we have
given credit to Joshua's list of issues for no less than 49 commits/bugfixes
merged in curl's git repository! Of course, most of them were tiny mistakes
and nits in ordinary static code analyzer style, but they were still mistakes
that we are better off having addressed.
Several of the found issues were quite impressive findings.
Just 16 days since the previous curl release, we have already merged 133
bugfixes!
## HackerOne
We received four new HackerOne submissions this week with suspected curl
security problems, taking the total amount up to exactly 600 since the start of
our bug bounty program in 2019.
One of these new reports has been confirmed as a genuine problem for which we
have allocated a CVE and we will publish the details in sync with the
pending next curl release on November 5. Severity low.
We disclose all the closed submissions as soon as possible [3].
## Podcast
A netstack.fm podcast episode I guested was published [8] on Tuesday. "A
conversation with Daniel Stenberg, creator and maintainer of curl, one of the
most widely used networking tools on the internet. We talk about Daniel’s
journey through decades of protocol work, the story of curl, what keeps him
going, and how he balances open source with real life."
## Features
The curl feature window opened this week and some changes have been merged,
just nothing revolutionary so far [13].
## wolfSSH
We decided this week to drop support for wolfSSH [9]. There do not seem to
be any users of this backend and there are gaps in the curl code that make it
a less good (or downright bad) alternative for SCP and SFTP transfers. I added
support for wolfSSH in early 2020 [10].
Of course, if someone really wants it to remain in there, it is just to step
up, raise a hand and sponsor the necessary work of filling in the gaps.
The recent removals of stuff in curl have now made a significant dent in the
top right corner of the lines-of-code graph [1].
## Anniversaries
This week we celebrated 24 years since curl was first bundled with macOS. On
September 25 2001 curl 7.7.2 was shipped as part of MacOS X 10.1.
On the same date, September 25 but in 2015, I started Everything curl [11].
Now at 115,00 words and frankly there is slowly growing a whole pile of things
backlogged that we have added to curl that I should write about in the book.
## CRA
I posted a short entry on my blog just reminding businesses that we of course
can help everyone with getting a CRA compliant curl [12].
## EuroBSDCon
I will go to EuroBSDCon [2] in Zagreb, Croatia this weekend, and do a keynote
there on September 28. Come say hi and get some curl stickers from me.
I'm extending my stay an extra day and will return back home again on Tuesday.
## Coming up
- Saturday-Tuesday: travels
- merge new features
## Links
[1] = https://curl.se/dashboard1.html#source-code-lines
[2] = https://2025.eurobsdcon.org/
[3] = https://hackerone.com/curl/hacktivity
[4] = https://www.bsc.es/marenostrum/marenostrum-5
[5] = https://mastodon.social/@bagder/115253811949660348
[6] = https://thenextweb.com/news/eu-budget-open-source
[7] = https://daniel.haxx.se/blog/2025/07/23/eu-stf-for-funding-critical-open-source/
[8] = https://netstack.fm/#episode-6
[9] = https://www.wolfssl.com/products/wolfssh/
[10] = https://daniel.haxx.se/blog/2020/01/12/curl-even-more-wolfed/
[11] = https://everything.curl.dev/
[12] = https://daniel.haxx.se/blog/2025/09/22/cra-compliant-curl/
[13] = https://curl.se/dev/release-notes.html
--
/ daniel.haxx.se