Daniel’s weekly report
April 29, 2022
Happened this week
The book is at 21,600 words now. It is time to “announce” it soon to see what feedback I can get.
I worked rather intensely on the release all the way until Wednesday, when it was made public together with the four new vulnerabilities. Midway through my release video live-stream my computer crashed, so I had to start over from the beginning.
This time, life was ruthless on me/us: within 36 hours of the release being announced, we had already received three new security vulnerability reports that turned out to be genuine. Faced with this, we could not do much else than break our regular schedule and plan for an “emergency” patch release within a few weeks. We have not yet set the date, but I think we will go with two weeks from 7.83.0 => May 11.
The four CVEs we announced with the 7.83.0 release were all rewarded money from our bug bounty; two of them got 2,400 USD, which is also the new record amount for curl reports.
I have started to draft the agenda for curl up 2022, but there are still lots of gaps for additional talks. We also decided to do a speaker’s dinner on the Sunday before the event. Another reason to submit a talk proposal.
There are talks with some potential sponsors of the event, but none of them said okay just yet.
We are working on curl up swag for attendees.
I talked curl with developers at a car company.
- Get a curl patch release ready
- add more talks to the curl up agenda
- get curl up sponsors confirmed
April 22, 2022
Happened this week
The book is at 15,400 words.
Oh man, last week I was still in blissful ignorance of what would come. I was planning for a single CVE advisory and publication in association with the pending release coming up next week, on April 27.
Then Harry Sintonen “happened” as he ruthlessly reported three additional problems to us, so most of my week was spent researching, debugging, patching, requesting CVEs, pre-alerting and writing security advisories. Let’s hope we stop at four this time.
None of these new security problems are of the soul-crushing, earth-ending kind, but they are still bad enough to make my brain hurt. You will of course get to read all the details on Wednesday.
Cyber Safety Review Board
I participated in a meeting with the US Cyber Safety Review Board (I love saying that name) this week with two fellow Open Source maintainers from well-known projects and talked Open Source, development, security, slow upgrade cycles and helped explain how all this is done and works. I would like to believe that we contributed a little to educating influential people on this topic. I have no idea if it ultimately changes anything.
I rely on users and developers to tell me what they want to talk about or listen to, and of course to help sponsor the event.
curl up 2022 is going to be a full day with curl and curl-related presentations by yours truly and ideally a handful of knowledgeable curl developers and curl users.
This will also be the first time since 2016 that I will travel to the US again. If you want to meet up over a coffee or pick my brains for something while I’m there, you know where to find me.
- the 7.83.0 release, with a release video presentation as usual
- nail down some more curl up details and agenda items
- curl webinar on Thursday? Not sure I will manage that…
- a curl presentation for a well-known car company on Friday
April 15, 2022
Happened this week
I spent 4 days of this week away from the keyboard together with my family and it was great. Now there’s a four-day weekend following (national holidays on Friday and Monday).
My Uncurled book project is now at 11,900 words as I’ve added more content, but I have also thought of some more chapters to add, so I imagine I will be able to add several thousand more words given a little more time. I will use a few more weeks on it before I announce it for real and give away the URL in public.
As a little side-effect, when I added a CI job that runs a spellchecker on the content I also went through and added a spellcheck CI job to “everything curl”, which was quite tedious since it features so many words that are not in the existing word lists. Still, I did it, and this should hopefully make it easier for me to maintain better-spelled books going forward.
I merged Nick Banks’ PR that brought msh3 support to curl. msh3 is another HTTP/3 library, which means curl now supports three different ones, all still in experimental mode.
We support many backends of protocol handlers like this to allow users to select which ones they want curl to use. “Let a thousand flowers bloom” etc, and by allowing them to “compete” against each other we can either keep them all supported if that is what the community wants, or, if over time one of them seems to become the leader or “the winner”, maybe go with that one in the future.
We also help the ecosystem of h3 libraries and h3 implementers to test more combinations.
- inform distros@openwall about the pending CVE announcement
- meeting about open source supply chain security Thursday with ZZZZ
- start putting together the 7.83.0 release presentation
April 8, 2022
Happened this week
I have had a few pending blog posts about doing Open Source in draft state for a few years by now and this week I finally made up my mind: instead of making these blog posts, I am going to convert them and gather other notes, thoughts and documents of mine into a book about my experiences and lessons from a life (well, three decades at least) with Open Source. I’ve started the work without yet announcing where/how the work in progress can be seen, although lots of good people of course have found it and started to provide feedback and help me out. I am blessed with the best friends.
I am happy with what I have managed to blurt together already in the first few days (at 8,500 words and counting), and there is still more to write and expand on. I really need to consider how to properly put it all together in a comprehensible way, to make the result approachable and decently readable. But I am not in a hurry.
If you have ideas of what you would like to see me cover, let me know.
I asked for title suggestions on Twitter and I got a flood of good suggestions back. I have decided to go with:
Uncurled - everything I know and learned about running and maintaining Open Source projects for three decades.
Rate limit curl
I grabbed another old outstanding bullet point from the TODO document in the curl repository and put together a new command line option proposal for curl. Using this option, tentatively called --rate, you can ask curl to do transfers/requests no faster than N transfers per M time units when you ask curl to do multiple transfers in a serial manner.
Very early days still for it, but I’m open for your criticism and feedback on how it is planned to work.
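As an added illustration of the pacing described above (written for this post, not curl’s code, and not necessarily how the proposed --rate option is implemented), the following Python sketch runs a serial list of transfers at no more than N per M seconds. It assumes the simplest interpretation, a minimum gap of M/N seconds between consecutive starts, and takes an injectable clock so the schedule can be checked without real sleeping.

```python
"""Pace serial transfers to at most N per M seconds (added example, not curl code).
Assumed interpretation: keep a minimum gap of M/N seconds between consecutive
starts, which guarantees that no window of M seconds contains more than N starts."""
import time


class RatePacer:
    """Remembers the last start time and computes the wait before the next one."""
    def __init__(self, n, m_seconds):
        if n <= 0 or m_seconds <= 0:
            raise ValueError("rate must be positive")
        self.interval = m_seconds / n          # minimum gap between starts
        self.last_start = None

    def delay_before_next(self, now):
        """Seconds to wait so that the next start respects the configured rate."""
        if self.last_start is None:
            return 0.0
        return max(0.0, self.last_start + self.interval - now)

    def mark_started(self, now):
        self.last_start = now


class SimClock:
    """Simulated clock so the pacing can be exercised without real sleeping."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def run_paced(urls, n, m_seconds, transfer, clock=time.monotonic, sleep=time.sleep):
    """Run transfers one after another, pausing as needed; return their start times."""
    pacer = RatePacer(n, m_seconds)
    starts = []
    for url in urls:
        wait = pacer.delay_before_next(clock())
        if wait > 0:
            sleep(wait)
        started = clock()
        pacer.mark_started(started)
        starts.append(started)
        transfer(url)                          # a slow transfer shortens the next wait
    return starts
```

With the real clock, pass a function that performs the actual transfer as `transfer`; a transfer that itself takes longer than the gap is never followed by an extra pause.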
Deprecate RANDOM_FILE and EGDSOCKET
In one of my passes over the curl source code, it struck me that we have two setopt options for libcurl that are no longer in effective use. The CURLOPT_RANDOM_FILE and CURLOPT_EGDSOCKET options were only supported with older OpenSSL versions that are mostly extinct now.
I’m moving forward to deprecate them and their command line option companions.
I had a productive meeting with customer S about their somewhat strange curl_multi_wakeup() problem on Android. We have some ideas on further debugging, logging and analyzing strategies that should help us continue to narrow down and understand when and why the problem appears…
Meanwhile, customer W had virtually no issues at all building and running a recent libcurl version for WinCE 5.0.
At our weekly curl meeting yesterday at wolfSSL we decided to move forward and try to organize something curl up-like in San Francisco. We are now investigating the venue situation. More details to follow soon if things line up as we hope.
I started to go over the questions in the annual curl user survey to freshen them up and also edit them based on feedback we got last year - add/remove answer alternatives, maybe remove some questions and see if we should add something. Right now, I aim at making the survey go live on Monday May 16th.
- no posts this week
- I will be off next week, going somewhere a few days in search of spring
April 1, 2022
Happened this week
New CVE coming
We’ve worked a little on a pending new CVE for curl that has been reported and confirmed. It is a security vulnerability and we have a patch done already. Left to do is to write up a thorough and complete advisory and then apply for a CVE id for it. This is going to be the first security vulnerability in curl that is eligible for a reward via the Internet Bug Bounty, which curl has been part of since last year.
We will publish the CVE details in sync with the next release, planned to happen on April 27.
A separate issue filed as a suspected security vulnerability was the MQTT busy-loop I blogged about. It was one of those tricky problems that took me a few days to make up my mind about before I landed on it not being a security issue.
The reporter, Jenny Heino, wrote a blog post about the finding from her point of view.
You would like to believe that the HTTP/2 logic in libcurl would be fairly stable by now, but… there is always more polish to be done. We fixed several minor issues, in what are probably edge cases, but still.
Generic TLS (ALPN) messaging
I did some tidying up among the TLS backends and have introduced common strings for some ALPN related verbose messages. The point is to make curl output the same messages about TLS related things, independent of which backend is used. I started doing this for ALPN related texts, but I figured this is a good idea in general, so hopefully I will get to making more strings identical this way.
On March 30 we closed the feature window for this cycle. Now we will only merge bug-fixes till the next release.
My podcast appearance on Software Engineering Radio went up this week. A compact hour of me talking a lot about curl, development, releases, production, success and more.
The book grew over 700 lines this week and is now more than 90,000 words and 13,000 lines.
I added new pages about caches, alt-svc and the curl_easy_option API etc.
I’ve cleaned up the language use on words like runtime, wildcard, “an HTTP” (as compared to “a HTTP”) and use of uppercase URL. Consistency is king.
- What curl expects from dependencies
- This busy-loop is not a security issue
- Talked curl on software engineering radio
- curl on Win CE for customer
- customer meeting talking deep libcurl debugging in mobile phone apps