[Daniel's week] April 18, 2026

Daniel Stenberg daniel at haxx.se
Sat Apr 18 23:28:55 CEST 2026


Hello,

Once again I send this on a Saturday. Had another packed week...

## Security

The avalanche keeps on going and this Friday afternoon I initially first 
confirmed the 7th(!) vulnerability queued up for publication in sync with the 
pending curl release before I retracted that, instead went with “this is just 
a bug” and we are back at six pending advisories - for now. It seems likely to 
assume that we might get time for a few more before we need to shut the door 
for this release.

This week I published a few graphs on Mastodon and LinkedIn that show with 
brutal clarity what we are experiencing right now: a high-volume, high-quality 
flood of security reports, primarily done with AI-powered tooling. Lots of 
other Open Source projects report the same observation.

My numbers, stats and graphs for this are being incorporated into my pending 
talk at foss-north that is timely and on topic and I now use the title “Open 
Source AI reality” for it. The time when we suffer from large amounts of AI 
slop is gone. Now we instead suffer under a massive load of good reports. A 
better load to suffer under, but a load it is...

As the frequency for new security reports against curl is now on average one 
every 20 hours it is decently important to handle them asap when they arrive 
so that we can avoid building up too much backlog.

It is not too hard to guess that we probably will publish more curl 
vulnerabilities in 2026 than we have done in many years, maybe ever. The trend 
certainly points to that.

## Talks

I have a few more coming talks confirmed - my public talks list[2] is 
up-to-date.

## roadmap 2026

I did the curl roadmap 2026 webinar[3] where I listed a bunch of things we are 
going to work on this year and I mentioned a few other things that we might 
do. As always we don’t set firm plans long ahead but will adapt and adjust as 
we go. We always depend a lot on contributions from others to help us decide 
what we do next and 2026 is not going to be different in that aspect.

## Doom

Someone made it possible to play Doom over curl in a terminal[4].

## My writing

Someone asked me where the best places are to follow my writing and this is 
what I told them. I suppose most readers of this email already know.

0. chitchat in the #curl IRC channel on libera.chat (or Matrix if you insist)

1. Ramblings on Mastodon (https://mastodon.social/@bagder)

2. Blogs at https://daniel.haxx.se/blog/ (including RSS)

3. Weekly emails at https://lists.haxx.se/listinfo/daniel

4. Occasional repeats of the above on LinkedIn: 
https://www.linkedin.com/in/danielstenberg

5. My Mastodon posts are bridged to Bluesky: 
https://bsky.app/profile/bagder.mastodon.social.ap.brid.gy

## Coming up

- Tuesday: having another journalist over for coffee and interview
- Tuesday: webinar panel discussion with Anchore: "The challenges of 3rd party software risk"[1]
- Wednesday: curl 8.20.0-rc3 ships

## Links

[1] = https://go.anchore.com/the-challenges-of-third-party-software.html
[2] = https://daniel.haxx.se/talks.html
[3] = https://youtu.be/DESGZXXKajY
[4] = https://github.com/xsawyerx/curl-doom

-- 

  / daniel.haxx.se

