[Daniel's week] May 8, 2026

Daniel Stenberg daniel at haxx.se
Fri May 8 17:25:19 CEST 2026


# May 8, 2026

## missed week

I ended up skipping the email last week. It was just so busy and then we 
topped it off with a national holiday so I just did not get around to it. This 
edition will therefore attempt to cover both.

## foss-north

My three-hour train trip to the conference in Gothenburg was cancelled and I 
had to rebook for a later one which made me arrive eight hours late. As my 
planned talk was up on Tuesday morning, I could still deliver that as planned 
- I just did not get to meet with and talk to friends as much as I wanted as I 
travelled back home again at lunch-time. The video[1] from this talk is 
available, but the image quality is not top notch.

## Release

I did all the necessary steps for the release on Wednesday morning and then 
the associated release video. As I write this, we still have not seen any 
regression reports that would be a reason for us to do a patch release and the 
feature window is planned to open tomorrow Saturday. Prepare your 
pull-requests accordingly!

## Security

We keep getting security reports. The eight CVEs we published in sync with the 
8.20.0 release were the largest amount for a single release since the first 
security audit we did in 2016. There are indications that we will have a 
higher rate of vulnerabilities to publish this year, because of how good the 
AIs and the AI-powered tooling around code analyzing have become.

The avalanche of quality security reports that we have concluded can be seen 
in almost all Open Source projects has triggered interest and almost panic in 
many places, companies and organizations. Over the last week I have done 
multiple interviews and met with people curious to learn more about this. 
People who are thinking and planning for what the outcome and results of this 
significant bump of fixed and reported vulnerabilities will cause for 
infrastructure and society.

I stick to reporting what I see and experience rather than trying to tell the 
future or estimate outcomes.

I have been promised access to the “dangerous” Mythos, but the roll-out of 
that has stalled and there are delays so it has not happened yet. I can 
probably share some further details on this next week or so.

## Appreciation

Hussein Nasser posted a photo snapped from his book Root cause: Stories and 
lessons from two decades of Backend Engineering Bugs, and it felt so good I 
had to reblog it[2].

## Graphs

I created a graph that uses data we already have but visualizes it 
differently: the average and median time vulnerabilities have existed in the 
curl source code at the time they are made public[3]. The trend is actually 
rather stable at an average of eight years and a median of 7 years.

I realized that the function length graph[5] was incorrect, and after fixing 
that I wanted some more details on function lengths. I created a new script 
for the curl repository called top-length that lists the 25 longest functions 
in the curl code. This now runs in CI as well and returns an error if one of them 
is longer than 500 lines - there is only one function exempted from this rule 
still but I hope we can fix that over time.

I then created a new graph for average and median function lengths[6].

In a moment of inspiration, I decided to also make a more not-so-serious graph 
again and created one showing the number of curl installations world-wide over 
time[7]. This one is based entirely on my estimates and guesses a few times in 
history, and then “beziered” so it gets all smooth and seemingly scientific!

## Zero bugs

With the high pace of newly found security problems, people have been raising 
the idea and asking questions about how long this can go on and it made me 
think, check data and write a blog post about the possibility that we could be 
approaching zero bugs[4].

## Talks

I have recently agreed to some more talks and I keep my talks page[8] updated 
accordingly. Partly to make sure that the next conference that wants to invite 
me can double-check there for obvious collisions. Also, I’m not a machine. I 
need to keep the number of talks with sufficient gaps in between for recovery 
and for keeping my sanity.

I will talk about AI and detecting software vulnerabilities at KTH Stockholm 
on May 28, in Bsides Vilnius on June 4 and Bsides Umeå on June 17.

## Coming up

- the curl feature window opens tomorrow Saturday and is going to be open for
   the next three weeks. May we merge many new features within this period!
- I will write some words on Mythos scanning curl code

## Links

[1] = https://youtu.be/VQ0kLuST800
[2] = https://daniel.haxx.se/blog/2026/04/30/inspired/
[3] = https://curl.se/dashboard1.html#vulnerability-average-age
[4] = https://daniel.haxx.se/blog/2026/04/30/approaching-zero-bugs/
[5] = https://curl.se/dashboard1.html#function-length-peaks
[6] = https://curl.se/dashboard1.html#function-length-on-average
[7] = https://curl.se/dashboard1.html#install-history
[8] = https://daniel.haxx.se/talks.html

-- 

  / daniel.haxx.se

