Daniel’s weekly report
May 20, 2022
Happened this week
Finishing up some decisions on swag for the event while trying to get more speakers to fill out the agenda. I have no problem talking myself, but I figure there is some kind of maximum I should not go beyond…
I would like to see speakers on HTTP/3, someone using libcurl and ideally a libcurl binding author.
We got an awesome opportunity to deep dive into the rabbit hole of case insensitive string comparisons this week after the OpenSSL 3.0.3 crash landing on Windows 7. I got a chance to write it up in a blog post; we had the curl function slightly optimized, and it seems OpenSSL is going to do their own function properly in the end.
curl user survey
I forgot to launch the survey on the day I had planned for it, but instead it went live two days later. It won’t matter too much as it will still be up for the fourteen promised days. Answers have started to appear. Share the link with your friends!
We keep seeing a pretty high rate of quality security reports submitted to the project, and we already have at least two confirmed security vulnerabilities in the queue, to be worked on, fixed and announced in sync with the pending next curl release.
I have had a startup meeting with a customer who wants OCSP support in libcurl, and while there’s no contract for this signed yet the possibility of this happening seems bright. Once I get most technical details and requirements in place I will share the API and initial design plans publicly for broader comments and flames.
The curl feature window opened and we’ve merged a few changes already, making the next curl version 7.84.0 for sure. There are more pending that are likely to merge soon. Stay tuned. I hope to blog separately about the larger things.
I figured out that it was pretty easy to generate an epub version of Uncurled so now there is one, updated daily. It could certainly use some more polish, but at least this version can be read.
I spent time assisting two separate customers this week with fairly challenging build and run-time related issues on their respective (unusual) platforms. To keep me on my toes.
- fine-tune the OCSP design doc with customer
- another biggish customer project kick-off coming up
- work on (still private) security reports
May 13, 2022
Happened this week
After 14 intense days since the previous release I once again had to go through the release dance and upload another curl package with a new version. This time in association with 6 new security vulnerabilities, which of course burned in my ego.
The interesting and probably hardest part about getting security vulnerabilities reported in the project is to learn from them.
- Why did they happen?
- How come we did not find them sooner?
- Can we find other similar mistakes in the existing code?
- How are we going to make sure similar mistakes are not introduced in the future?
It is easy to see and say that clearly we did not have good enough tests, but that is not helping.
I do not have many answers for you on these questions today, but I am certain that I will continue to wrestle with them going forward. I am still convinced that curl and libcurl are very secure products and I will continue to work hard on improving the code all over. The iterative process never stops.
The dreaded trailing dots in host names were involved in at least three curl bugs fixed in the latest release, out of which two ended up as security problems. I explain those at some depth in a blog post dedicated to the subject.
Google and GitHub are two additional sponsors of curl up 2022. We are slowly adding more content to the agenda. Feel most welcome to help us with this!
I proposed we put an end to my over twenty-year-long period of paying for curl.se hosting and maintenance mostly out of my own pocket, and proposed that the project compensate me with a fixed amount of money per year.
I spent some time this week digging into the history of eleven older curl CVEs, all of which had “7.1” set as the first vulnerable version. In reality none of them were introduced then; I had only set that very lazily back in the day! Eight of them turned out to be older and three of them were newer, and now the info on the website shows this correctly. Nowadays when I write up security advisories for curl, I always get to the bottom of exactly which commit and version the vulnerabilities were introduced in. It takes time, but I think the service to the community makes it worth it.
I also recently updated the security problems page on the curl website to be more focused and narrower - by dropping the CWE name and the MITRE links from the main table. I don’t think they were of much use there, and now the table is much easier on the eye.
- The annual curl user survey!
- The curl feature window opens
- Two rather big customer-requested new curl feature projects to discuss/kick off
May 6, 2022
Happened this week
After the 7.83.0 release we received what can only be described as an avalanche of security vulnerability reports. We immediately gave up the idea of opening the feature window and instead readjusted our aim on doing a patch release soon.
This week we have announced that the patch release will happen on May 11 and that we have at least six new vulnerabilities to announce in association with that release. This does not include the number of reports we worked on that we dismissed as not security related, but there are a whole bunch of those as well. Quite clearly several good and security-oriented people decided to scrutinize curl at the same time.
Analyzing, discussing, testing, debugging, documenting and patching these issues have taken just about all my time since the previous release.
The agenda for June 6 is slowly getting populated, but there are still several gaps we want to fill with quality presentations. Let me know what subjects you can help out with!
We have two well-known sponsors lined up but not quite yet announced. Stay tuned.
Thanks to sponsors, we will provide lunch.
Daniel in the bay area
Tangentially related to curl up, but since I will fly over to San Francisco to attend and present at curl up on June 6th, I will be in the general SF Bay Area a few days following that event. I am in the process of nailing down my agenda, but if you want to arrange a meetup or something, do hit me up and let’s see what we can do. Might as well maximize my time there.
Customer XYZ got libcurl and wolfssl to build and run on WinCE 5.0, and after a meeting with me on Thursday they seem to be well on their way to getting the combination to work as well, and thus on target to meet their very tough deadline.
- WebSockets is happening?
- curl 7.83.1 on Wednesday
- webinar: Why everyone is using curl and you should too (on Thursday)