[Daniel's week] June 20, 2026
Daniel Stenberg
daniel at haxx.se
Sat Jun 20 22:23:44 CEST 2026
Hello friends!
In Sweden we had a national holiday yesterday celebrating midsummer. The week
still delivered lots of things...
# summer of bliss
I announced our summer of bliss[4] this Monday and we have received almost
unanimously positive reactions and responses. A few other Open Source projects
even decided to follow suit, including libexpat, ImageMagick and OctoPrint.
I have clarified to existing support customers that they are not affected by
this: all paid contracts will of course be kept and all such services will be
delivered as promised.
I was also informed that the CNA (CVE Number Authority) rules state that we
must respond within 72 hours in case there is a publicly disclosed curl
vulnerability that needs a CVE, or else our root CVE will do it for us. I have
said that the risk for this happening exactly in this period is super slim. It
has never happened so far and it is almost three years since we last got a
vulnerability reported with a severity higher than MEDIUM. But okay, should it
still happen we either deal with it appropriately or we just let the root CNA
do it. It’s not a big deal.
# pending release
We are getting ready for the new curl release next week. I put together the
third and final release candidate this Wednesday and there was no particular
regression reported.
Eighteen pending security advisories and another 250 bugfixes or so. This time
around we have gotten help from a record amount of contributors - right now 98
named individuals. No other release in curl history has had this many people
to thank.
# HTTPS-RR for curl.se
I fell over the savearoundtrip.com[1] website, made by Max Inden, and it
helped me get my act together and I added an HTTPS field for the curl.se
domain. This way, browsers and clients that support this DNS record can figure
out that the curl website supports HTTP/3 and HTTP/2 even before they connect
to the site for the first time. That can in theory make their experience
better.
# strftime in glibc
It was reported[3] that curl’s feature that outputs the current time with ‘-w
%time{}’ had a time zone problem for %s, the code to use for outputting the
number of seconds since Jan 1, 1970 in UTC. Turns out this is an ancient old
bug in the strftime() implementation that curl uses for this, which applies a
time zone offset to that result - contrary to what it is expected to. To my
surprise it turns out this bug is even documented in the glibc man page. I
could work around the bug by implementing our own support for %s and avoiding
the strftime() for this. Fixed in the next curl release.
# QUERY
The HTTP method QUERY was finally published in an RFC when the 5-digit RFC
10008 [2] went public this week.
There is nothing special we do in curl now to support this method, it is
already done and supported. My work on the recent --follow[5] option a while
back was largely motivated by this method, and methods like this, as users of
these might want curl to follow redirects like that.
## Coming up
- Wednesday: curl 8.21.0 release
- Wednesday: the live-streamed curl 8.21.0 release video
## Links
[1] = https://savearoundtrip.com/
[2] = https://www.rfc-editor.org/info/rfc10008/
[3] = https://github.com/curl/curl/issues/22038
[4] = https://daniel.haxx.se/blog/2026/06/15/curl-summer-of-bliss/
[5] = https://curl.se/docs/manpage.html#--follow
--
/ daniel.haxx.se
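
The strftime() %s behaviour from the "strftime in glibc" section, as an added example that is not curl source code and not written by the author of this post. It assumes the struct tm passed to strftime() was filled by gmtime(); the helper names and the sample timestamp are constructed for illustration.

```c
/* Added illustration, not curl source. Helper names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Epoch seconds as strftime("%s") reports them for a UTC broken-down time.
   glibc computes %s with mktime(), which reads the struct tm as local time,
   so the TZ offset leaks into the result. Other C libraries may differ. */
long long epoch_via_strftime(time_t t)
{
  struct tm tm;
  char buf[32];
  if(!gmtime_r(&t, &tm) || !strftime(buf, sizeof(buf), "%s", &tm))
    return -1;
  return strtoll(buf, NULL, 10);
}

/* Workaround: format the time_t directly, with no struct tm round trip. */
int epoch_direct(time_t t, char *buf, size_t len)
{
  int n = snprintf(buf, len, "%lld", (long long)t);
  return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Difference between what %s prints and the real epoch value. */
long long strftime_skew(time_t t)
{
  return epoch_via_strftime(t) - (long long)t;
}

int main(void)
{
  time_t t = 1000000; /* constructed sample: 1970-01-12 13:46:40 UTC */
  char buf[32];
  setenv("TZ", "UTC-2", 1); /* POSIX TZ string: local time is UTC+2 */
  tzset();
  if(epoch_direct(t, buf, sizeof(buf)))
    return 1;
  printf("direct:   %s\n", buf);
  printf("strftime: %lld (skew %lld s)\n",
         epoch_via_strftime(t), strftime_skew(t));
  return 0;
}
```

Timestamps that end up in logs or get compared across hosts are where a skew like this matters, since two machines in different time zones would print different "epoch" values for the same instant.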