From daniel at haxx.se Sat Apr 4 23:48:25 2026
From: daniel at haxx.se (Daniel Stenberg)
Date: Sat, 4 Apr 2026 23:48:25 +0200 (CEST)
Subject: [Daniel's week] April 4, 2026
Message-ID: <3s0s0n4q-3q21-514o-0o42-o050rs399749@unkk.fr>

Hello!

## curl up registration

I sent out an email this week and I want to make it known that the registration for curl up 2026 is open [1]!

## Feature window

This time around the curl release cycle is a week shorter, which means the feature window has already closed again for this round. We got some nice stuff merged but we are also seeing lovely new works piling up as new PRs that now have a little extra time to prepare for when the window opens again!

## Thirty years of curl

My talk at NDC Security in Oslo in early March went online and can be watched on YouTube [2]. Not too much news to readers of this email I guess.

## Swedish interview

I did an interview and a photoshoot a few weeks ago in my house, and this week I got to be featured in several big name Swedish media outlets including Aftonbladet [3] and the print version of Svenska Dagbladet.

## Stefan's curl name resolving series

Stefan Eissing has done an excellent series of blog posts detailing his recent work on improving curl's name resolving. Part 1 [4], Part 2 [5], part 3 [6].

## Security

We seem to have two issues queued up now that are confirmed curl security vulnerabilities and that we will publish in sync with the pending release.

The frequency of vulnerability reports keeps being high. We received ten new reports last week.

## Graphs

I couldn't help myself. I added a "number of words" graph [7] with some comparison lines showing a few big literary works and the number of words they contain. I am not claiming it is a fair comparison and yes, those books use longer words.
We also got the release weekday heatmap graph added [8], created by Federico Hernandez, and once he laid out the foundation for doing heatmaps so nicely I followed up and made an author commit UTC week hour heatmap [9] as well.

Days per command line option [10] is also a new one, showing that we basically do one new option every 40 days on average.

The number of graphs [11] was also corrected and I found a bug in my plot division script that now makes several of the blabla per blabla graphs look nicer than they did before.

## website headers

Viktor Szakats and Dan Fandrich worked on tweaking some of the security related HTTP headers the curl.se site returns and as a result both securityheaders.com and Mozilla's HTTP Observatory [12] rate the site even higher now. From A to A+ with the first checker and 105/100 to 120/100 with the second.

It's such a broken system when we need to add a bunch of headers to increase security instead of the other way around...

## rc1

As we closed the feature window we also shipped curl 8.20.0-rc1 [13]. The first release candidate for the pending release. I hope people take it for a spin and let us know how it behaves.
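The website headers section above does not say which headers were tweaked, so the following is an added example rather than anything from the newsletter or the curl project: a small offline checker for the kind of response headers that securityheaders.com and Mozilla's HTTP Observatory grade. The two responses are constructed for the demo, and the thresholds (six months for HSTS, the list of expected headers) are the checker's own assumptions, not the graders' exact scoring rules.

```python
# Added example (not from the newsletter or curl.se): an offline checker for
# common security response headers. Responses below are constructed samples.

from typing import Dict, List

# Constructed "before": weak or missing headers of the kind graders penalize.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=3600
Content-Security-Policy: default-src 'self' 'unsafe-inline'
X-Frame-Options: ALLOW-FROM https://example.invalid
"""

# Constructed "after": values of the kind graders reward.
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
"""

# Assumed minimum HSTS lifetime for this checker: six months in seconds.
MIN_HSTS_MAX_AGE = 15552000


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response head into a lower-cased name -> value map."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value (0 if absent)."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0


def check_security_headers(raw: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    h = parse_headers(raw)
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age too short ({hsts_max_age(hsts)}s)")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
            findings.append("CSP allows unsafe-inline/unsafe-eval")
        xfo = h.get("x-frame-options", "").upper()
        if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
            findings.append("no clickjacking protection (frame-ancestors / X-Frame-Options)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    if "permissions-policy" not in h:
        findings.append("missing Permissions-Policy")
    return findings


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_security_headers(response) or ["ok"])
```

Run it against a response captured with `curl -sI https://example.invalid` (constructed host) by pasting the output into the string; the checker is deliberately strict so that a header present with a weak value, such as a short HSTS lifetime or an `'unsafe-inline'` CSP, is reported rather than silently counted as a pass.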
## Coming up

- most likely a flood of new security reports

## Links

[1] = https://github.com/curl/curl-up/wiki/2026
[2] = https://youtu.be/_n2vN-Bgq4U
[3] = https://www.aftonbladet.se/nyheter/a/JOOGBJ/han-kan-slacka-halva-internet-vi-maste-skydda-oss
[4] = https://eissing.org/icing/posts/curl-dns-2026
[5] = https://eissing.org/icing/posts/curl-dns-options
[6] = https://eissing.org/icing/posts/curl-dns-async/
[7] = https://curl.se/dashboard1.html#number%20of%20words
[8] = https://curl.se/dashboard1.html#release%20weekdays%20heatmap
[9] = https://curl.se/dashboard1.html#commit%20hour%20heatmap
[10] = https://curl.se/dashboard1.html#days%20per%20new%20command%20line%20option
[11] = https://curl.se/dashboard1.html#graphs%20on%20the%20dashboard
[12] = https://developer.mozilla.org/en-US/observatory/analyze?host=curl.se
[13] = https://curl.se/rc/

--
/ daniel.haxx.se

From daniel at haxx.se Sat Apr 11 17:43:03 2026
From: daniel at haxx.se (Daniel Stenberg)
Date: Sat, 11 Apr 2026 17:43:03 +0200 (CEST)
Subject: [Daniel's week] April 11, 2026
Message-ID: <33q8803p-5qs2-5q08-7842-330n0332rq1q@unkk.fr>

# April 11, 2026

Another intense week ends.

## Security

We received seven new security reports this week, out of which one was eventually confirmed to be accurate and is now queued for publication in sync with the pending curl release on April 29. This makes the third entry in this queue.

While the quality of the incoming reports remains high even though most of them are made with help from AI, they tend to still report issues we conclude are "just bugs" and in several recent cases: unclear documentation.

The rate of curl security reports so far in 2026 seems to be a little over double the frequency of 2025 and given the trend and even more AI powered tools I predict that the pace might go up even more going forward.
According to my totally unscientific poll on Mastodon I got clear confirmation from more than twenty Open Source projects in various contexts who all confirm this trend: a larger volume of decently high quality security reports. Getting quality is of course good, but the overload risk and situation is still real and a challenge. Very few security reporters ever actually contribute a fix or help working on correcting the problem they report.

This trend seems to also have contributed to the Internet Bug Bounty pausing their payouts [1]. Clearly we were just slightly ahead of them in taking this decision.

All of this gives me material for my upcoming talk at the Foss-north conference in Gothenburg on April 28, which I will try to make as a follow-up to my FOSDEM talk, as things have changed quite a bit since.

## Graphs

Working on two new graphs to the collection that compares C mistake vulnerabilities vs not C mistake ones [2] (and [3]). C mistakes are those that are caused by what could have been avoided had we not been writing curl in C - determined entirely by human review of the actual flaw on a case by case basis.

## Space

I think it is confirmed that they use Windows 10/11 computers onboard the Artemis spacecraft, and then I think we can safely conclude that curl is on there.

## Media

I did several interviews again this week, with both Swedish and US based journalists. Primarily on topics related to AI and (Open Source) security. Results show on The Register [5], NPR [6] and in Swedish on Elektroniktidningen [7].

## RFC 9421

Also known as HTTP Message Signatures, is a feature that basically signs a set of headers and contents in the HTTP request so that the receiver knows they arrive unaltered in the other end. A pull request was submitted this week [7] for curl to offer this feature. It looks like a great start and it is a feature I agree fits curl.

## Coming up

- Monday: curl 8.20.0-rc2 ships
- Thursday: curl roadmap 2026 webinar.
I'll bring up some ideas of what we could do this year. Open for your suggestions!

## Links

[1] = https://www.infoworld.com/article/4154210/internet-bug-bounty-program-hits-pause-on-payouts.html
[2] = https://curl.se/dashboard1.html#vulnerability-C-mistakes
[3] = https://curl.se/dashboard1.html#vulnerability-C-mistakes-introduced
[4] = https://www.theregister.com/2026/04/10/project_glasswing/
[5] = https://www.npr.org/2026/04/11/nx-s1-5778508/anthropic-project-glasswing-ai-cybersecurity-mythos-preview
[6] = https://etn.se/index.php/nyheter/73061-svenska-projektet-far-anvanda-fobjudna-llm-en.html
[7] = https://github.com/curl/curl/pull/21239

--
/ daniel.haxx.se
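The RFC 9421 section above describes what HTTP Message Signatures do (sign a chosen set of headers and the content so the receiver can tell they arrived unaltered). As an added example that is not from the newsletter and not the curl pull request it mentions, here is a minimal signer and verifier for the `hmac-sha256` algorithm, with an RFC 9530 `Content-Digest` so the body is covered as well. It follows the RFC 9421 signature base layout (one `"component": value` line per covered component, then the `"@signature-params"` line), but simplifies the rest: header values are assumed single and already trimmed, only a few derived components are supported, and `Signature-Input` is parsed with plain string handling instead of a structured-field parser. The request, key id and shared secret are constructed for the demo.

```python
# Added example (not from the newsletter or the curl project): a minimal
# RFC 9421 HTTP Message Signature signer/verifier using hmac-sha256, with an
# RFC 9530 Content-Digest covering the body. All inputs are constructed.

import base64
import hashlib
import hmac
from typing import Dict, List

# Constructed shared secret, looked up by the keyid carried in Signature-Input.
KEYS: Dict[str, bytes] = {"demo-key": b"constructed-shared-secret"}


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def content_digest(body: bytes) -> str:
    """RFC 9530 Content-Digest value for a SHA-256 digest of the body."""
    return "sha-256=:" + b64(hashlib.sha256(body).digest()) + ":"


def derived_component(name: str, req: dict) -> str:
    """Derived components (RFC 9421 section 2.2) supported by this example."""
    table = {"@method": req["method"], "@authority": req["authority"],
             "@path": req["path"]}
    return table[name]


def signature_base(components: List[str], params: str, req: dict) -> str:
    """Signature base (RFC 9421 section 2.5): one line per covered component,
    then the @signature-params line, joined with LF. Assumes single-valued,
    trimmed header values keyed by lower-case name."""
    lines = []
    for comp in components:
        value = derived_component(comp, req) if comp.startswith("@") \
            else req["headers"][comp]
        lines.append(f'"{comp}": {value}')
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines)


def sign(req: dict, components: List[str], created: int, keyid: str) -> dict:
    """Add Content-Digest, Signature-Input and Signature to the request."""
    req["headers"]["content-digest"] = content_digest(req["body"])
    inner = " ".join(f'"{c}"' for c in components)
    params = f'({inner});created={created};keyid="{keyid}";alg="hmac-sha256"'
    base = signature_base(components, params, req)
    mac = hmac.new(KEYS[keyid], base.encode("utf-8"), hashlib.sha256).digest()
    req["headers"]["signature-input"] = "sig1=" + params
    req["headers"]["signature"] = "sig1=:" + b64(mac) + ":"
    return req


def verify(req: dict) -> bool:
    """Rebuild the base from the received message and check the MAC. When
    content-digest is covered, recompute it too so a changed body is caught
    even though the body bytes themselves are not part of the base."""
    try:
        label, _, params = req["headers"]["signature-input"].partition("=")
        sig_label, _, sig_value = req["headers"]["signature"].partition("=")
        if label != sig_label or len(sig_value) < 2 \
                or sig_value[0] != ":" or sig_value[-1] != ":":
            return False
        inner = params[params.index("(") + 1:params.index(")")]
        components = [c.strip('"') for c in inner.split()]
        keyid = None
        for part in params[params.index(")") + 1:].split(";"):
            key, _, val = part.partition("=")
            if key == "keyid":
                keyid = val.strip('"')
        key_bytes = KEYS[keyid]
        if "content-digest" in components and \
                req["headers"]["content-digest"] != content_digest(req["body"]):
            return False
        base = signature_base(components, params, req)
        expected = hmac.new(key_bytes, base.encode("utf-8"), hashlib.sha256).digest()
        return hmac.compare_digest(expected, base64.b64decode(sig_value[1:-1]))
    except (KeyError, ValueError):
        return False


def make_request() -> dict:
    """Constructed sample request."""
    return {"method": "POST", "authority": "api.example.invalid",
            "path": "/upload", "headers": {"content-type": "application/json"},
            "body": b'{"amount": 10}'}


def demo() -> dict:
    """Sign a request, then show that tampering with body or path is detected."""
    covered = ["@method", "@authority", "@path", "content-type", "content-digest"]
    signed = sign(make_request(), covered, created=1700000000, keyid="demo-key")
    tampered_body = dict(signed, body=b'{"amount": 1000}')
    tampered_path = dict(signed, path="/admin")
    return {"valid": verify(signed), "body_tampered": verify(tampered_body),
            "path_tampered": verify(tampered_path)}


if __name__ == "__main__":
    print(demo())
```

The verifier never trusts the sender's claim about what was covered beyond what it can check: it reads the component list from `Signature-Input`, rebuilds the base from the message it actually received, and recomputes `Content-Digest` itself. A production implementation would additionally enforce which components must be covered, check `created` against the clock and parse `Signature-Input` as an RFC 8941 structured field.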