[Daniel's week] February 27, 2026

Daniel Stenberg daniel at haxx.se
Fri Feb 27 17:50:22 CET 2026 

# February 27, 2026

Hi friends. I'm back.

## vacation

I had a week off in a southern place where I got to experience some light, sun
and warmth while taking it easy. Now I'm back.

## security

We tried GitHub for a while but it did not last a full month even and now we
are back on Hackerone [1] for curl security reporting.

The immediate thing that happen with the switch was that we got new reports
coming in, what felt like just waiting for our Hackerone inbox to open up
again. During month we did security reporting on GitHub, only 8 reports were
submitted to us. One of them is a confirmed problem that will result in a CVE
getting published in sync with the pending curl release.

## distro meeting

Still a month left until the curl distro meeting 2026 [2], but people have
added themselves as planning to come and it looks like we are gathering a good
bunch of people. Help us spread the word to those that should hear it!

## curl up

We set the date and location for curl up 2026 [3], May 23-24 in Prague, and we
are now starting to work on the agenda. To fill it up with talks and topics
that we want to discuss during this the most awesomest weekend of the year.

I will of course also bring a sufficient amount of curl stickers with me in
case I run into someone who wants some.

I have purchased equipment to be able to better stream and record the sessions
this year. I just need to spend some time to test drive the setup in good time
before the even. I intend to capture HDMI directly from the presenter laptop
and combine it with a webcam + microphone directed on the speaker. Good thing
I have a new powerful laptop now [x] that should be able to do this.

## NDC Security

The reason this curl release cycle is extended by a week is the fact that I am
speaking [4] at the NDC Security conference in Oslo Norway next week and thus
the release date has been pushed to the week after. "Three decades of curl" is
the title of my talk and I'm looking forward to doing it. I have talked about
curl many times of course over the years, but I always refresh my material
before each new talk and this time is no exception.

## release candidates

Because of the extended cycle, the release candidate scheduling has been a
little different. The final and third release candidate for curl 8.19.0 was
released today [5]; twelve days before the release date.

The previous two candidate both triggered reports, which reminds us that the
release candidate concept is certainly working. Let's see if rc3 lands
smoother.

I also today poked at the script that generates the web page holding the
release candidates so that it now also lists the rc tag names correctly, as
they might be helpful.

## the game is lagging

Not a lot more to say than... Wat? [6]

## rock-solid curl

I have put together a rock-solid curl release called 8.18.1 [7], the Long Term
Support release of curl for paying customers only. This baby also has support
for OpenSSL v1, which is otherwise dropped from the "normal" curl version.

We offer support for rock-solid curl releases up to five years by default. Get
in touch if this is something for you.

## decomplexification

As a status update about the ongoing decomplexification [12] work of curl I
wrote up a blog post with some fresh graphs showing the progress we have done
since last year. Mostly just an excuse for posting some new graphs.

## netstack

I was a guest on the netstack podcast (again) [11] where we talked about the
European Open Source Academy, my FOSDEM 2026 talk about Open Source and AI and
of course lots of curl.

## user survey

After last year's curl user survey I decided that I would finally address its
frequent criticism: to stop hosting the survey with Google, and ideally try to
avoid all the tech giants instead of just replacing one with another. When I
started that work, I converted all the survey questions that previous existed
in a Google forms "documented" into plain markdown in a git repository hosted
on GitHub [10]. Each question is now presented by a markdown file that holds
the question and lists all the corresponding options. The README file lists
all the questions - in the correct order.

This repository perfectly enables collaboration on the questions, how to
phrase them, what to ask and exactly what options to offer. This should help
us ask better questions and thus draw better conclusions. I have tried to also
reduce the amount and have removed a lot of the questions that did not provide
enough value. After all, every single question adds a burden to the respondent
so we should not ask more than we think we need.

Today I wrote a script that generates a single JSON file out of the entire
survey, and that JSON can now quite conveniently be *imported* straight into
cryptpad [9] and get hosted there. Not a single human edit needed! I looked
around a little for something pre-existing of this sort but to my surprise I
could not find much. I figure this should be an interesting use case to more
Open Source projects who want to cooperate widely on the creation (and
running) of surveys.

We typically run the curl user survey around early May so there is still time
to do trial runs and perfect the script to make sure that it works as smooth
as possible. Next I also need to check how the results are produced to see how
we can streamline that, as I also scripted most of the survey analysis [8]
last year as well. Well, the graph generation at least.

It would be cool to complete the survey and have the analysis done before curl
up this year!

## foss-north

I had my talk proposal "something something AI and OSS" accepted for the
foss-north [13] conference. I suppose that means I should now come up with a
more serious title and an actual abstract.

## Coming up

- Tuesday: doing an interview with a reporter coming over for coffee
- Thursday: speaking at NDC Security in Olso [4]
- Thursday: doing a podcast recording while in Oslo

## Links

[1] = https://daniel.haxx.se/blog/2026/02/25/curl-security-moves-again/
[2] = https://daniel.haxx.se/blog/2026/01/28/curl-distro-meeting-2026/
[3] = https://daniel.haxx.se/blog/2026/02/26/curl-up-2026/
[4] = https://ndcsecurity.com/agenda/three-decades-of-curl-0ugm/0m55j1o34kp
[5] = https://curl.se/rc/
[6] = https://daniel.haxx.se/email/2026-02-26.html
[7] = https://rock-solid.curl.dev/
[8] = https://github.com/curl/survey-analysis
[9] = https://cryptpad.fr/
[10] = https://github.com/curl/user-survey
[11] = https://netstack.fm/#episode-27
[12] = https://daniel.haxx.se/blog/2026/02/24/decomplexification-continued/
[13] = https://foss-north.se/2026/
[14] = https://daniel.haxx.se/blog/2025/07/28/hello-sprout/

-- 

  / daniel.haxx.se

More information about the daniel mailing list