[Daniel's week] March 20, 2026

Daniel Stenberg daniel at haxx.se
Fri Mar 20 17:16:13 CET 2026 

# March 20, 2026

Another week is having a serious case of Friday and here's my summary.

## AI tooling

Running a known and visible Open Source project sometimes has the benefit that 
companies and organizations offer us access to services and tooling that 
otherwise would be too expensive or just inaccessible.

This week I turned the knob up all the way to max possible "scan amount" with 
an AI code analyzer tool we use and as a result I came back with a list of 
almost one hundred issues to investigate. Some amount of false positives, 
sure, but over all maybe 80-90% accuracy. None of them *terrible*, but several 
of them are oopsies and gotchas we are happy to fix.

With such an extensive list it is going to take us a few days to go over 
everything. Probably a few weeks even.

## AI policy

Related to that (AI), a topic was brought up this week in curl's GitHub 
discussion forum: "I'm concerned about LLM code in curl and would like to 
suggest a code ban" [1].

I don't think this is a subject that we will act upon quickly or casually but 
we should instead give it lots of time and further discussions before we 
decide how to proceed. I have added it as a discussion item for curl up [2] in 
May. I hope more people chime in, and in particular I’m interested in hearing 
from curl contributors and curl users.

## Security

We received six security reports against curl this week on Hackerone. Two of 
them are still open as we assess and discuss the issues with the reporters 
while four of them were deemed not to be vulnerabilities.

Remember that you can always check out hackerone to see the stream of 
disclosed reports [3]. We make all of them available as soon as they are 
closed.

The amount of obvious AI slop remains at a lower frequency than before we 
ceased the bounty.

## foss-north

I finally produced and sent over an abstract for my talk that I am scheduled 
to do at foss-north 2026 at the end of April [4]. I view it a little like a 
follow-up to my FOSDEM presentation, with some repeats and overlaps. A part 
two if you will.

As I booked my travel to this event it struck me that I'm returning back home 
on April 28, which is the day before the curl 8.20.0 release day. Not ideal 
timing, but I suppose I just need to make sure that our ducks are in order in 
time.

## graphs

This week I spent more time than I care to admit on rewriting the main build 
scripts for the curl dashboard's graph collection. Previously all the images 
were generated by running a shell script. Now I converted everything over to a 
Makefile, with proper dependencies etc. This did not only make the entire 
build procedure nicer and cleaner, but it also now allows me to run 'make -j' 
and all of a sudden I can build many graphs in parallel. This greatly reduces 
the time it takes to generate the full set.

I blogged about reaching 100 graphs in the dashboard [5].

After that, I added three more graphs ("Top-20 oldest curl vulnerabilities", 
"commit size over time" and "time zones") and I also cleaned up some of the 
older ones.

## distro meeting

Get ready for the curl distro meeting 2026 [6] coming up next week! Tell the 
person taking care of curl in your distro to consider joining. Together we 
make curl better in distros!

## feature window

We have received reports about few regressions in the 8.19.0 release, but none 
of them we deem are critical enough to warrant a patch release. We are thus 
set to open the feature window tomorrow March 21, and then merge as many 
features as we possibly can in the coming two weeks.

curls' feature window is one week shorter this time around because the release 
cycle got wedged when I moved the previous release date.

## 28 years

Today, March 20, is the exact date on which I released curl 4.0 back in 1998 
[7]. That was the first release under this name, as before that it had been 
called urlget. The name we had changed to when httpget was not good enough 
anymore!

## Podcast

I had a sitdown with Mackenzie Jackson when I was in Oslo a few weeks ago, and 
that resulted in a podcast now available [8].

## Coming up

- Saturday: the curl feature window opens, we have over a dozen PRs awaiting merge
- Thursday: the curl + distro meeting

## Links

[1] = https://github.com/curl/curl/discussions/20972
[2] = https://github.com/curl/curl-up/wiki/2026
[3] = https://hackerone.com/curl/hacktivity
[4] = https://foss-north.se/2026/speakers-and-talks.html#dstenberg
[5] = https://daniel.haxx.se/blog/2026/03/15/one-hundred-curl-graphs/
[6] = https://github.com/curl/curl/wiki/curl-distro-discussion-2026
[7] = https://curl.se/ch/4.0.html
[8] = https://youtu.be/9CTwcMcvJ_o

-- 

  / daniel.haxx.se

More information about the daniel mailing list