[Daniel's week] January 23, 2026

Daniel Stenberg daniel at haxx.se
Sat Jan 24 00:32:04 CET 2026 

Hello!

Ok, technically it is now the 24th but it still *feels* like the 23rd...

## bug-bounty

The PR I made for stopping the curl bug-bounty program [1] has not been merged
yet but triggered a whirlwind of attention and media articles this past week.
I am not really used to having reporters and media do this before I publish my
own blog post on the topic. Quite ineffective too since now lots of people
contacted me and asked me questions I was planning on elaborating on in my
blog post.

I will of course still do the blog post and I believe it will better serve my
and our point of view in all of this. The PR will be merged and the post will
go live in the beginning of the coming week. The idea is then that we keep the
bug-bounty program open for the remainder of January 2026 and then we shut it
down.

## web3 scam offers

This week there is a new web3/crypto coin scam thing that appeared. They seem
to try to get open source personalities to sign up for a scheme that according
to them quite magically will just give me a lot of money. I published two of
the emails I got on Mastodon [9].

If someone wants to donate money to me or two the curl project, there already
exist such mechanisms and they work really well.

I did not respond to any of those offers. We have however seen some of those
scams taking off in the name of some other people without them given their
consent. I mean, when they run a scam it seems odd to ask for permission
anyway.

## MQTTS

As the feature window opened I merged support for MQTTS [6]. The 29th URL
scheme curl supports now.

## 20,000 commits

Another one of these arbitrary numbers that happened to reach a round and even
number this week: the number of commits I have done in the curl git repository
reached 20,000. I decided doing a blog post about it [7] is celebration
enough.

## memory use

I happened to spot a blog post I did exactly five years ago about memory use
by curl [10]. It inspired me to take a look at how it performs and behaves
today compared to back then [5]. Turns out we have been surprisingly
well-behaved and controlled. I created four new graphs for this purpose that
show that we have kept usage mostly the same over the last five years.

With these new graphs added to the dashboard [4] we are only two mere images
away from **one hundred**.

## splitting scheme and protocol

I refactored some libcurl internals this week so that information about URL
schemes got properly separated from the code actually implementing the
protocol parts for handling the schemes. Why that matters? Because previously
when you would build libcurl and it would support a number of protocols,
perhaps you disable a few and perhaps you don't use the backends to add
support for all of them, the URL API would then not know about those missing
protocols at all, and for example miss the default port for them etc. It would
make the URL API act and behave subtly different depending on what protocols
that are enabled/disabled.

This has been noticeable before in for example the trurl project [3], which
behaves a little different if you run it with a libcurl with different
protocols disabled. Starting with this change, the URL API should be more
stable and less dependent on build choices.

## rate limits

I have written about our ongoing rate limit work and "struggles" before in my
emails and Stefan Eissing has since continued to tweak and poke at it to make
it work the way everyone could agree with.

This week Stefan summed up his latest efforts in this excellent explainer how
the rate limiting in curl works now [2].

## Dropping OpenSSL-QUIC

We found little reason to keep the support around for OpenSSL's own QUIC
implementation in curl since OpenSSL started offering an API that allows other
QUIC implementations to use OpenSSL for crypto and TLS. This solution is the
one we called OpenSSL-QUIC in curl and we have now removed it from curl [8].

You can still use OpenSSL as TLS backend with curl, but now you need to use
ngtcp2 for the QUIC stack if you want HTTP/3 support. We also have
experimental support for quiche left, so down to two different backends now
down from four a year ago.

## the European Open Source Awards

The awards ceremony [11] takes place on Thursday in Brussels. As president of
the European Open Source Academy it falls upon me to be there and perform some
duties - in a suit. I will do "welcome remarks" representing the academy and
when the time comes to hand over the Prize for Excellence in Open Source to
this years worthy winner, I will intro the prize and the winner and hand over
the award. Then hopefully enjoy the rest of the evening and rub elbows with
some truly excellent people.

## Coming up

I might not send a weekly email next week as I will be busy socializing,
drinking beer and handing out awards and stickers.

- Monday: my curl bug-bounty blog post goes live
- Wednesday: I fly to Brussels
- Thursday: the European Open Source Awards in Brussels where I will hand over the
   award
- Friday: I participate in a panel at the "EU Open Source Policy Summit 2026"
- Saturday: I give away curl stickers at FOSDEM
- Sunday: I give away more stickers and I do the FOSDEM closing keynote: Open
   Source Security in spite of AI [1]

## Links

[1] = https://fosdem.org/2026/schedule/event/B7YKQ7-oss-in-spite-of-ai/
[2] = https://eissing.org/icing/posts/curl-rate-limits/
[3] = https://curl.se/trurl/
[4] = https://curl.se/dashboard.html
[5] = https://daniel.haxx.se/blog/2026/01/21/libcurl-memory-use-some-years-later/
[6] = https://daniel.haxx.se/blog/2026/01/19/now-with-mqtts/
[7] = https://daniel.haxx.se/blog/2026/01/17/my-first-20000-curl-commits/
[8] = https://daniel.haxx.se/blog/2026/01/17/more-http-3-focus-one-backend-less/
[9] = https://mastodon.social/@bagder/115929956932215253
[10] = https://daniel.haxx.se/blog/2021/01/21/more-on-less-curl-memory/
[11] = https://awards.europeanopensource.academy/

-- 

  / daniel.haxx.se

More information about the daniel mailing list