From: Daniel Stenberg (daniel at haxx.se)
Date: Fri, 8 May 2026 17:25:19 +0200 (CEST)
Subject: [Daniel's week] May 8, 2026

# May 8, 2026

## missed week

I ended up skipping the email last week. It was just so busy, and then we topped it off with a national holiday, so I just did not get around to it. This edition will therefore attempt to cover both.

## foss-north

My three-hour train trip to the conference in Gothenburg was cancelled and I had to rebook for a later one, which made me arrive eight hours late. As my planned talk was on Tuesday morning, I could still deliver that as planned - I just did not get to meet with and talk to friends as much as I wanted, as I travelled back home again at lunch-time.

The video[1] from this talk is available, but the image quality is not top notch.

## Release

I did all the necessary steps for the release on Wednesday morning and then the associated release video. As I write this, we still have not seen any regression reports that would be a reason for us to do a patch release, and the feature window is planned to open tomorrow, Saturday. Prepare your pull-requests accordingly!

## Security

We keep getting security reports. The eight CVEs we published in sync with the 8.20.0 release were the largest number for a single release since the first security audit we did in 2016.

There are indications that we will have a higher rate of vulnerabilities to publish this year, because of how good the AIs and the AI-powered code analysis tooling have become.

The avalanche of quality security reports, which we have concluded can be seen in almost all Open Source projects, has triggered interest and almost panic in many places, companies and organizations. Over the last week I have done multiple interviews and met with people curious to learn more about this: people who are thinking and planning for what the outcome and results of this significant bump in fixed and reported vulnerabilities will cause for infrastructure and society. I stick to reporting what I see and experience rather than trying to tell the future or estimate outcomes.

I have been promised access to the "dangerous" Mythos, but the roll-out of that has stalled and there are delays, so it has not happened yet. I can probably share some further details on this next week or so.

## Appreciation

Hussein Nasser posted a photo snapped from his book Root cause: Stories and lessons from two decades of Backend Engineering Bugs, and it felt so good I had to reblog it[2].

## Graphs

I created a graph that uses data we already have but visualizes it differently: the average and median time vulnerabilities have existed in the curl source code at the time they are made public[3]. The trend is actually rather stable at an average of eight years and a median of seven years.

I realized that the function length graph[5] was incorrect, and after fixing that I wanted some more details on function lengths. I created a new script for the curl repository called top-length that lists the 25 longest functions in the curl code. This now runs in CI as well and returns an error if one of them is longer than 500 lines - there is only one function still exempted from this rule, but I hope we can fix that over time. I then created a new graph for average and median function lengths[6].

In a moment of inspiration, I decided to also make a more not-so-serious graph again and created one showing the number of curl installations world-wide over time[7]. This one is based entirely on my estimates and guesses at a few points in history, and then "beziered" so it gets all smooth and seemingly scientific!

## Zero bugs

With the high pace of newly found security problems, people have been raising the idea and asking questions about how long this can go on, and it made me think, check data and write a blog post about the possibility that we could be approaching zero bugs[4].

## Talks

I have recently agreed to some more talks and I keep my talks page[8] updated accordingly. Partly to make sure that the next conference that wants to invite me can double-check there for obvious collisions. Also, I'm not a machine. I need to keep the number of talks with sufficient gaps in between for recovery and for keeping my sanity.

I will talk about AI and detecting software vulnerabilities at KTH Stockholm on May 28, at Bsides Vilnius on June 4 and at Bsides Umeå on June 17.

## Coming up

- the curl feature window opens tomorrow, Saturday, and is going to be open for the next three weeks. May we merge many new features within this period!
- I will write some words on Mythos scanning curl code

## Links

[1] = https://youtu.be/VQ0kLuST800
[2] = https://daniel.haxx.se/blog/2026/04/30/inspired/
[3] = https://curl.se/dashboard1.html#vulnerability-average-age
[4] = https://daniel.haxx.se/blog/2026/04/30/approaching-zero-bugs/
[5] = https://curl.se/dashboard1.html#function-length-peaks
[6] = https://curl.se/dashboard1.html#function-length-on-average
[7] = https://curl.se/dashboard1.html#install-history
[8] = https://daniel.haxx.se/talks.html

-- 
 / daniel.haxx.se
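As an added illustration of the kind of CI check described under "Graphs" above (example code written for this page, not curl's top-length script nor anything from the curl repository): a small Python scanner that measures top-level C function bodies by brace depth, lists the longest ones and reports any over a line limit, with an exemption list for a function that is still allowed to exceed it. The function-detection heuristic is an assumption of this example (the name is the identifier before the last top-level '(' with no ';' or '=' seen since), comments, string literals and preprocessor lines are blanked so braces inside them are ignored, and the C source it is run on is constructed for the example.

```python
import re
from typing import List, NamedTuple, Sequence

class Func(NamedTuple):
    name: str
    start: int   # line of the opening brace
    end: int     # line of the matching closing brace
    length: int  # end - start + 1, braces included

# Comments and string/char literals: blanked so braces inside them never count.
_NOISE = re.compile(
    r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'',
    re.DOTALL)
_TOKEN = re.compile(r'[A-Za-z_]\w*|\n|[{}(;=]')

def _blank(src: str) -> str:
    """Overwrite noise and preprocessor lines with spaces, keeping every
    newline so line numbers stay valid."""
    cleaned = _NOISE.sub(lambda m: re.sub(r'[^\n]', ' ', m.group(0)), src)
    return '\n'.join('' if ln.lstrip().startswith('#') else ln
                     for ln in cleaned.split('\n'))

def function_lengths(src: str) -> List[Func]:
    """Find every top-level function body in C source and measure it.

    Heuristic (an assumption of this example): a '{' at brace depth 0 opens
    a function body when the most recent top-level '(' followed an identifier
    and no ';' or '=' has been seen since.  Prototypes end in ';', initialisers
    contain '=' and struct/enum bodies have no '(', so those are skipped.
    """
    funcs: List[Func] = []
    depth, line = 0, 1
    last_ident = pending = start = name = None
    for m in _TOKEN.finditer(_blank(src)):
        tok = m.group(0)
        if tok == '\n':
            line += 1
        elif tok == '{':
            if depth == 0 and pending is not None:
                start, name = line, pending
            depth += 1
        elif tok == '}':
            depth = max(depth - 1, 0)
            if depth == 0:
                if start is not None:
                    funcs.append(Func(name, start, line, line - start + 1))
                start = name = pending = None
        elif depth == 0:
            if tok in (';', '='):
                pending = None
            elif tok == '(':
                pending = last_ident
            else:
                last_ident = tok
    return funcs

def top_longest(src: str, n: int = 25) -> List[Func]:
    """The n longest functions, longest first (ties keep source order)."""
    return sorted(function_lengths(src), key=lambda f: -f.length)[:n]

def over_limit(src: str, limit: int = 500,
               exempt: Sequence[str] = ()) -> List[Func]:
    """Functions longer than `limit` lines that are not exempted; a CI job
    fails when this list is non-empty."""
    return [f for f in function_lengths(src)
            if f.length > limit and f.name not in exempt]

# Constructed sample input (not curl code) with the traps the scanner must
# ignore: braces in a macro, in a comment and in string literals, a
# prototype, an array initialiser and a struct definition.
SAMPLE_C = r'''
#define TRAP(x) { (x) }
/* a comment with a brace { that must be ignored */
static int prototype(int a);
static const char *tbl[] = { "{", "}" };
struct point { int x; int y; };

static int small(int a)
{
  return a + 1;  /* } */
}

int medium(int a, int b)
{
  if (a > b) {
    return a;  // }
  }
  return b;
}

static void big(void)
{
  int i = 0;
  i++;
  i++;
  i++;
  i++;
}
'''
```

Run on real sources, a CI step would feed every .c file to `over_limit` with the project's limit and its one exempted function name and exit non-zero when the returned list is non-empty; `top_longest` is the listing half of the same job. The brace-depth heuristic is deliberately simple: it does not understand K&R parameter declarations or function-like macros that hide a brace, so on a real tree it should be spot-checked against the compiler's own view before it gates merges.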