[Daniel's week] July 3, 2026

Daniel Stenberg daniel at haxx.se
Fri Jul 3 16:13:36 CEST 2026


# July 3, 2026

No weekly emails from me over the next two weeks.

## post-release

We have seen a few minor regressions reported for curl 8.21.0 but none of them 
reached the level of criticality we feel we need in order to make a patch 
release. The pre-releases are really fulfilling their purpose and now it is 
over a year since we last did a patch release.

Based on this, we will open the feature window tomorrow. We keep the window 
open for two extra weeks this time because of the summer of bliss which 
coincides with this and during which several curl maintainers will be slower 
than usual. The bliss is also the reason for us pushing the release date 
forward in time by two weeks making this a ten week release cycle instead of 
the standard eight weeks.

## bliss

We received and confirmed one vulnerability report before the summer of bliss 
started, so there is already one severity low CVE in our queue, waiting to get 
published in sync with the 8.22.0 release.

As I write this, the bliss is only in its third day but it feels relaxing 
already. To not have that constant nagging feeling with incoming 
vulnerabilities waiting in the queue to get managed is awesome. I can already 
sense that this is going to be a really good thing for us. A proper vacation.

The original report with 35 findings after the Mythos curl scan back in May is 
now public in a GitHub gist [3]. I figure it might be somewhat interesting to 
those interested in what such a report can look like. As I said already before: 
I did not run the scan myself so I cannot share details about the actual 
process of running it, or which prompts to use etc. All the issues in the 
report have been addressed one way or another.

Just before the bliss started, I posted a blogpost about how to do good 
vulnerability reports [9]. Maybe it helps someone.

## graphs

Two years ago I created this graph that shows the number of known 
vulnerabilities in curl code per 1,000 lines of code [4]. I like to call 
it the vulnerability density. This week I improved this graph so that instead 
of counting all vulnerabilities as equal, it now shows them separated into 
which severity levels they have. This way we can see that recent code has more 
low and medium vulnerabilities, while back in the early days they were more 
severe. Of course the slope of the curve going down to zero for the most recent 
release at the bottom right is more a result of how it takes time to find 
problems rather than implying that we are bug-free now. As we go forward into the 
future, reporters will find problems also in the release we shipped last week 
which right now has no public vulnerabilities.

When reporters find security problems in curl, they tend to be old at the time 
they are found. The average age of a curl vulnerability is over eight years and 
the median age is over six years. To help illustrate this in the graph, I 
figured out how to add two arrows to the image that mark the dates in the past 
corresponding to the average and median ages of vulnerabilities. It might 
indicate something.

I also created a new graph for the curl dashboard, the 114th, which shows how 
many authors in the git repository it takes to reach X% of the total commit 
share, accumulated over all time [5]. It shows an interesting peak in 2025, 
implying that the top authors have actually increased their activities 
compared to the rest since then. 23 developers authored 90% of all commits so 
far. 4 authors wrote 70% of all commits.

Also, I finally realized exactly how xtics is supposed to be set with 
gnuplot to properly show the years on the x axis as I want them. The former 
approach I used was a little hacky and sometimes made the output render 
wrongly. “set xtics time 1 years” is the way.

## website

The curl.se website traffic volume reached 2.75 TB/day, which takes it above 
one petabyte per year rate for the first time ever. At the same time, over the 
last 28 days, curl.se links have appeared in 3.83 million Google search 
results.

In a conversation with a customer the other day, I realized that the pages on 
the website that list all the vulnerabilities a single curl release includes 
were missing some key details. For example, this one for 8.20.0 [6]. Starting now, 
this list also includes severity levels and CVE identifiers. Makes the list 
more similar to the one on the main CVE list page [7].

## NTLM removal

The Azure DevOps blog posted an article related to the pending removal of NTLM 
support from libcurl and therefore also from git [1].

## wcurl is two years old

Exactly two years ago Samuel Henrique announced the first wcurl version [8].

## Coming up

- The feature window opens tomorrow

- I will go on proper vacation next week, no weekly email for the next two weeks

- On July 14-16 I will attend the 7th HTTP workshop 2026 in Basel, Switzerland

## Links

[1] = https://devblogs.microsoft.com/devops/upcoming-change-ntlm-removal-in-git-libcurl-impact-to-azure-devops-server-customers/
[2] = https://daniel.haxx.se/blog/2024/07/03/wcurl-is-here/
[3] = https://gist.github.com/bagder/c9b83a19f30e82e41b11f6315465b17a
[4] = https://curl.se/dashboard1.html#vulnerabilities-per-kloc
[5] = https://curl.se/dashboard1.html#author-share-of-all-commits
[6] = https://curl.se/docs/vuln-8.20.0.html
[7] = https://curl.se/docs/security.html
[8] = https://daniel.haxx.se/blog/2024/07/03/wcurl-is-here/
[9] = https://daniel.haxx.se/blog/2026/06/29/do-excellent-vulnerability-reports/

-- 

  / daniel.haxx.se