From daniel at haxx.se  Fri Feb  6 17:09:21 2026
From: daniel at haxx.se (Daniel Stenberg)
Date: Fri, 6 Feb 2026 17:09:21 +0100 (CET)
Subject: [Daniel's week] February 6, 2026
Message-ID: <qr847pon-645p-3847-4303-oo24n58220o4@unkk.fr>

Hey,

No email last week and a particularly intense two week period resulted in this 
longer than usual summary. Have a good weekend!

# February 6, 2026

## FOSDEM

The week leading up to FOSDEM has turned into "the EU Open Source Week" with
an associated number of related events being held the days before the big
conference. (No, I'm not sure "conference" is the right word to use for
describing FOSDEM but let's stick to it anyway.)

I'm a big fan of the fact that EU and related policy makers start to realize
the importance of Open Source not only for Europe but for digital
infrastructure in general. The world runs on Open Source.

I was invited to an event on Wednesday, but as I had already booked by flights
to arrive on Wednesday afternoon and maybe four long and activity filled days
is enough for me, I declined. I hear there were also events on the Tuesday...

While in Brussels, all my curl activities go down to almost zero.

### Thursday

I spent the Thursday with the European Open Source Academy [18]. We had
meetings over the day and I received a medal [3] for the award I received last
year. A retroactive medal so to speak. Nice and shiny. Then we went through
the planned process of the evening before we could go back to our respective
hotels to change into the fancy gala dress code and return. This gala is the
reason I nowadays need to check-in a bag when flying to Brussels: I bring a
suit. I could probably say "my suit" because I only have one, but bringing and
using a suit to celebrate Open Source excellence is actually just fun and a
pleasure!

The venue for the big award gala ceremony and following food and mingling was
the Solvay Library. A building from the early 1900s with lots of history
(google "solvay conference 1927" for example) that was abandoned in 1967, left
to decay until 1993 when it was again beautifully restored back to what at
least feels like its former glory. A venue worthy an award gala ceremony like
this.

In the library lobby I welcomed and shook hands with most of the 150 something
attendees as they arrived one by one. Many of them paused for a second to get
photographed on their way to the welcome drinks. I may have stood next to more
than just one person on such photos.

James Kanter, our Master of the Ceremony for the evening, started off saying
welcome and as president of the EUSA I welcomed the audience in a three minute
appearance.

The ceremony went on and four Special Recognition Awards were handed out in
the categories Business and Impact, Advocacy and Awareness Skills and
Education and Community Impact. The awards were handed out by fellow esteemed
EUSA members to Frank Karlitschek (Nextcloud), Jenny Molloy (University of
Cambridge), Mathew Benn (Tiny Tapeout) and finally to the duo Stefano
Zachiroli and Roberto Di Cosmo from the Software Heritage.

Blender CEO's, Francesco Siddi, talked about Open Source and their success and
man you can get jealous of a project that so clearly have lots of cool video
to show off that still is highly related to their project. (The academy award
winning movie "Flow" was made almost entirely with Blender, for example.)

I then got to enter the stage again and introduce the Prize for Excellence in
Open Source - the peak of the evening really - and direct everyone's attention
to a short video that celebrated this year's winner, including his kids and
Jim Zemlin (of Linux Foundation), before I got to hand over the award and
associated medal to Greg Kroah-Hartman himself [4].

As per tradition for doing events in the Solvay library we added a book to the
collection: Nadia Eghbal's working in public.

Then we mingled, had food and enjoyed more drinks into the night. What a grand
event.

And this was just the first day.

(I hope we can live-stream the awards ceremony next year.)

### Friday

After breakfast I walked over to the venue where "EU Open Source Policy
Summit" [17] full-day event was held. Were EU people meet policy people from
Open Source. I value the opportunity to help help "the real world" see and
understand the value of Open Source, and as president of EOSA I participated
in panel discussion on stage called "Europe as the World?s Home for Open
Source" [17] together with some giants of the community. Maybe not exactly my
"regular crowd", but I am happy to bring and share my own real-word pragmatic
view even at events like this. Maybe it has an ever so minor impact.

After lunch I left that event and walked over to the second event, the
AboutCode unconference [1]. I of course got their in the middle of their
full-day agenda but I was still immediately asked up on stage and got to
answer questions about AI in curl security reports. The discussion then
shifted a little bit as GregKH entered the room and the stage. Greg and me on
a stage again!

We then talked about CVEs and lots of the focus was on the Linux kernel's
average of publishing 13 CVEs per day but also all sorts of related questions
and thought around CVEs, Open Source and security. This also led to lots of
follow-up hallway discussions for the next few hours with several people
before I left that event to move on my next appointment.

At a restaurant I met up a bunch of my old Open Source friends; my guys. We
catch up at FOSDEM every year since over a dozen years as the only time over
the year we meet physically. Just awesome. This year however, this was just a
brief drink stop before I moved on to my next appointment.

At a rather fancy and most pleasant restaurant at the 30th floor some blocks
away, I had dinner with a small team of people with Open Source interest and
connections, but I could probably describe their associations primarily with
large tech companies. I had a good time.

On my way back to the hotel, I realized that "my guys" in the restaurant from
earlier in the evening had changed setup (some friends had left, new friends
had arrived) and I decided to pop in again for another drink and chat more
until I eventually actually headed to bed, exhausted. And this was just day
two.

I did not manage to send any weekly email that day...

### Saturday

My friends Bj?rn and Anders had admin duties in a devroom and they had to be
at the FOSDEM campus early to help setup things, and as they are my regular
"walking buddies" I decided to tag along even if it meant I had to get up a
little earlier in the morning than otherwise. Walking from our "usual" hotel
to ULB takes about an hour and I think it is an excellent way to kick off the
morning and the rest of the day. The city is usually quiet and calm at that
time and an hour of conversations combined with light exercise is like balm
for my soul.

I ended up walking back and forth both weekend days, collecting over 22,000
steps per day.

FOSDEM was its usual crowded and chaotic awesomeness. I had brought more than
3,000 curl stickers this time and I fought hard over the weekend to distribute
as many as possible to anyone and everyone who wanted some. The final count
says I managed to give away about 2,500 of them. According to some friends
FOSDEM was more packed than ever, while some others thought there were fewer
people this year compared to last...

I repeatedly restocked the wolfSSL stand with curl stickers, I talked to
countless people "are you the curl guy?", "can I take a selfie with you?" and
I did a number of autographs. I attended a few talks, but most of my day I
spent talking to friends in the cafeterias.

Walking back to the city center in the evening feeling rather drained from all
that socializing, I realized that at 17:00 the next day I should be keen and
have energy enough to deliver the closing keynote. I thus made an effort to
cut the evening a little short and I managed to fall asleep on "the right
side" of midnight.

I had survived day three.

### Sunday

Anders had another devroom to "nurse" this Sunday so we started our walk even
earlier this time. The Chez Theo cafeteria hadn't even opened when I arrived
there... I instead got to watch the first talks of the day on the main track.

The Sunday otherwise proceeded in the same style as the Saturday had went
down. Me handing out stickers like crazy. Me talking to people about AI
reports, security and listening to other people's experiences, thoughts and
conclusions. I did see some talks, but again most of my time was spent
socializing with new and old friends.

I headed over to Janson, the biggest room at FOSDEM, maybe half an hour before
my talk was scheduled to start. I wanted to be there in good time to make sure
the transition goes smoothly and to avoid technical issues. As you may recall,
I have had my share of tech snags at FOSDEM before and I rather avoid them
happening again.

As I entered the stage, just minutes before 5pm, the room quickly filled up.
Every seat in the 1500-seat room was occupied and later I learned that they
had to refuse a number of persons entry (because of fire safety regulations) -
so even though I had this last time slot of the conference when a lot of
people already had left, but perhaps thanks to this being the only talk going
on by then, it attracted a significant crowd.

In my talk "Open Source security in spite of AI" [6] I of course talked about
the onslaught of AI slop reports to the curl bug-bounty and what that does and
how it works, and I tried to emphasize that A) this is primarily a problem
caused by humans using AI like this and B) AI can also be used to good. AI
augments the users and the users can do good or bad with that extra power.

When the talk was done, I stepped into the hall next to the big room (to not
disturb the final thank you closing talk) and continued the conversation and
answered questions etc for well over another half hour with a decent amount of
people.

I walked back to the city and stepped right into a "social event" hosted by a
larger tech company (you know if you know). An event for Open Source
maintainers - so I got to continue chatting Open Source, curl, security, AI,
the future, the greying of Open Source, the newcomers to Open Source, how to
work with Open Source as a professional and a lot more until the place
closed...

At the end of the forth day I was seriously tired. I flew back home on Monday.
My voice needed a few days of recovery to get back to normal.

## FOSDEM repo

Just before FOSDEM I spotted a number of "good tips" for newcomers about
attending the conference as I too have tried to hand out a few of those to
others in the past, it struck me that it would probably be a good idea to try
to collect them somewhere.

I created a new GitHub repository [6], collected the tips I had and could find
and then invited everyone to start contributing their ideas and corrections.

It actually worked out well enough that several people I met at FOSDEM said
they had seen the repo and appreciated have gotten some help from it. Mission
accomplished I guess! Let's see what the future of this well be. I will keep
hosting it and be a custodian, but if the FOSDEM org wants to "take over",
host it themselves or similar at some point I will also just be glad to help
that happen.

## distro meeting 2026

We have a date! On March 26 at 17:00 UTC the 2026 edition of the curl distro
meeting [7] will take place.

The objective for these meetings is simply to make curl better in distros. To
make distros do better curl. To improve curl in all and every way we think we
can, together.

Anyone who feels this is a subject they care about is welcome to join. We aim
for the widest possible definition of distro and we don?t attempt to define
the term.

## bug-bounty

It's gone. It is interesting that just based on my pull-request and me posting
about that PR [9] on Mastodon [10], it triggered an avalanche of media
attention. Weeks before we actually merged the PR and change went into effect
and my final blog post [8] about it.

In the aftermath of the bug-bounty shutdown, having moved over to GitHub to
handle security reports we have come to realize that maybe, still just maybe,
GitHub is not the best home for us for this. I started on a "wishlist" [11] of
items for their system that we now miss having moved over from Hackerone. When
I write this, the list has 14 items in it. Both small and big issues.

Having just switched platforms it is of course still early days and we have
not taken any new decisions, but yeah, nothing in life is easy. I will keep
you posted.

## curl -J

Almost every little feature and function in curl has room for improvement if
you just look at it close enough and scratch a little on the surface. I don't
think this is surprising to most software developers but people on the outside
might sometimes not realize this.

This time someone brought my attention to a particular shortcoming in curl's
-J logic which triggered me to have a look and realize that fixing this
shouldn't be THAT hard. So I did [12].

## moving the release date

I realized that the pending release date happens on a date that is impractical
for me personally, as I am doing a talk at a conference that week. I decided
that simply moving the release date a week was the most convenient and
pragmatic fix, so now we will do it a week later than we previously planned:
on March 11 [13]. It gives us an additional week to do bugfixes.

## coffee with developers

I guested Chris Heilmann's podcast Coffee with developers [14] and we talked
curl, AI, bug-bounty and more.

## 40K stars

The curl repository [15] on GitHub surpassed 40,000 stars.

## Battleye

My collection of weird emails got an addition [2].

## thread pool

In news about curl internals, we started discussing introducing a "thread
pool" this week [19] for the purpose of name resolving and Stefan started
poking on code for it.

Right now, the default way to do name resolving in curl fire up a single-shot
helper-thread for the purpose of resolving the name asynchronously. One such
thread per concurrent transfer, which if you kick off hundreds of transfers at
once can cause a significant use of memory and file desrciptors for that brief
setup phase.

The new concept would instead keep N threads alive after use, to speed up
subsequent name resolves and cap the maximum amount of threads to M, to avoid
the worst memory and file descriptor tsunamis.

By extension, this could also help us do better happy eyeballs down the line.
We split up the resolving of IPv4 and IPv6 into separate threads and start
working with address data as soon as we get something back, instead of waiting
for all the data for both families to arrive before we start connecting.

## Coming up

- We close the curl feature window tomorrow
- I do several interviews and podcast guest recordings
- I'm off on a week's vacation starting Friday, so I might do next week's
   email a day early and then none at all the week after

## Links

[1] = https://workshop.aboutcode.org/
[2] = https://daniel.haxx.se/email/2026-01-25.html
[3] = https://daniel.haxx.se/blog/2026/02/02/a-third-medal/
[4] = https://daniel.haxx.se/blog/2026/01/30/gregkh-awarded-the-prize-for-excellence-in-open-source-2026/
[5] = https://daniel.haxx.se/blog/2026/02/03/open-source-security-in-spite-of-ai/
[6] = https://github.com/bagder/FOSDEM
[7] = https://daniel.haxx.se/blog/2026/01/28/curl-distro-meeting-2026/
[8] = https://daniel.haxx.se/blog/2026/01/26/the-end-of-the-curl-bug-bounty/
[9] = https://github.com/curl/curl/pull/20312
[10] = https://mastodon.social/@bagder/115893028578930740
[11] = https://gist.github.com/bagder/ed3268e8745452a53a999d23b7fa1273
[12] = https://daniel.haxx.se/blog/2026/01/27/improving-curl-j/
[13] = https://curl.se/mail/lib-2026-01/0031.html
[14] = https://youtu.be/Vp8K12oLs6A?si=I98v2SdiQkAihtId
[15] = https://github.com/curl/curl
[16] = https://summit.openforumeurope.org/
[17] = https://youtu.be/rlRlvbXatb4?si=zvrBo_L6_W7F8Qoy
[18] = https://europeanopensource.academy/
[19] = https://chaos.social/@icing/116022860040734316

-- 

  / daniel.haxx.se