Daniel’s weekly report

June 23, 2022

Happened this week

national holiday

I’m doing my weekly report a day early this week because there’s a national holiday in Sweden tomorrow: midsummer’s eve, and I intend to spend it with my family away from keyboards.

websockets

I’ve been struggling with the API for WebSockets a bit more this week (I’ve bounced around ideas and discussions on the curl-library list) and worked on the server-side implementation for my test server. The result is that the API has been redesigned a little bit, but I have a good feeling about this new design. I will continue from here and write up some more complicated test cases and make sure the client side handles them correctly.

Corellium sponsors my WebSockets work.

release (oops)

Last weekend I spotted “something”. An oopsie. While I can’t reveal the details of that “something” just yet, the consequences of it are that we decided to expedite the pending curl release. The new release date for curl 7.84.0 has been set to June 27th. I will of course tell you about the “something” when I can.

The new date made me get working on curl release activities this week, sooner than previously anticipated and planned, partly also because of me not wanting to do this work during this coming national holiday weekend as the release day is now set to happen immediately afterwards (on the following Monday).

Blog posts

none this week

Coming up

  • The curl 7.84.0 release
  • a podcast recording
  • continued work on WebSockets


June 17, 2022

Happened this week

websockets

The WebSockets work took off. Once I decided to not use a third party library I proceeded and implemented the first steps. It can already do some basic back and forth messages fine that I verified talking to a live test server.

In parallel with that start, I have to introduce CURLOPT_PROTOCOLS_STR as a replacement for CURLOPT_PROTOCOLS because when I add support for two new protocols to libcurl the existing 32 bit protocol bitmask gets overflown - so we need a new way to control which protocols to allow. A way that isn’t limited to 32 protocols.
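The limit described above, shown as an added C illustration that is not libcurl code and not from the original report: a 32-bit mask has no bit left for a 33rd protocol, while a name-based allowlist has no such ceiling. The function names, the protocol numbering and the comma-separated list format are assumptions of this example.

```c
/* Added illustration; not libcurl code. All names here are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h> /* strncasecmp (POSIX) */

/* Bitmask style: protocol number n maps to bit n. A 32-bit mask has no
   bit for n >= 32, so such a protocol cannot be expressed (returns 0). */
static uint32_t proto_bit(unsigned n)
{
  return (n < 32) ? ((uint32_t)1 << n) : 0;
}

/* String style: is `scheme` (of length `len`) one of the comma-separated,
   case-insensitive names in `list`? A token must match in full, so
   allowing "http" does not allow "https". */
static int name_allowed(const char *list, const char *scheme, size_t len)
{
  while(*list) {
    size_t tok = strcspn(list, ",");
    if(tok == len && !strncasecmp(list, scheme, len))
      return 1;
    list += tok;
    if(*list == ',')
      list++;
  }
  return 0;
}

/* Check the scheme of `url` against the allowlist. A URL without a
   "scheme://" prefix is rejected rather than guessed at. */
static int url_allowed(const char *list, const char *url)
{
  const char *sep = strstr(url, "://");
  if(!sep || sep == url)
    return 0;
  return name_allowed(list, url, (size_t)(sep - url));
}

int main(void)
{
  printf("bit for protocol #32: %u\n", (unsigned)proto_bit(32));
  printf("wss allowed: %d\n", url_allowed("http,https,wss", "wss://example.com/"));
  printf("file allowed: %d\n", url_allowed("http,https", "file:///etc/hosts"));
  return 0;
}
```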

Once some WebSockets basics worked, I started looking into the test server issue and quickly decided I will write my own server implementation as well and just extend the existing HTTP test server with it for maximum flexibility. I started and I have one very basic test case working. It also immediately stressed that my initial client side code is still too naive etc.

I’ve tried to update the WebSockets PR description with items that work and things that do not work yet. I will try to maintain that going forward, while also slowly extending the documentation that is part of the PR.

I brought two separate WebSockets design questions to the curl mailing lists:

  1. how should we make the curl command line tool deal with websockets in the ideal way?
  2. thoughts on the write callback for websockets

My plan is to take this gently and slowly forward, as I also have other things to work on at the same time. I believe I’ve managed to land some fundamental parts already that I will work on improving and gluing in properly going forward, supported by tests using my coming test server.

I’m also hoping for and assuming that I will get more guidance from users during this progress to make sure this becomes exactly as good as we want it to be. I’m aiming for a first implementation to land in the October 2022 release.

REUSE

I merged the PR that brought REUSE compliance to curl and now we have better control and information about licenses and copyright throughout the project. (see separate blog post)

Max Mehl did most of the work for this but I’m pretty satisfied with the follow-up cleanups I did as now we have scripts and decent infra to maintain this state as well going forward.

analysis

Putting together the user survey analysis always takes quite some time and effort to put together, write up and generate the graphs for, but I managed to finally complete it this week. 36 pages for everyone to dig into. See blog post.

URLs

The subject of URLs vs URIs came up on the IETF HTTP Working group mailing list and I could not help but respond. Short and sweet but with no intention to go full rant on this again.

podcasts

I participated on one podcast on Monday and I had another preparation meeting on Thursday about a coming podcast participation. I’ll mention and link them in future weekly reports when they go public.

Blog posts

Coming up

  • WebSockets
  • issue with h2 over HTTPS proxy
  • OCSP?


June 10, 2022

Happened this week

prev week

I never sent a weekly report last week because I got crazily busy arranging my daughter’s graduation so I had to optimize away that part on the Friday. Then I got struck down by covid and decided to skip it completely for that week.

curl up

On Monday this week, we were supposed to have had the curl up conference in San Francisco, but we had to cancel. When I was about to fly out of Sweden on Saturday I had to do a mandatory last minute covid-19 test, and to my shock it came back positive so I was effectively grounded and prevented from travel. Terribly unfortunate, but we aim at doing an all-virtual version instead in September. Stay tuned for the exact date.

A few Europeans of course had already taken off by the time I canceled the event, which was deeply unfortunate but the curl project will still reimburse them for their travel so at least not a direct financial hit for them. I apologize!

I am now almost entirely back on my feet again.

websockets

I have started taking the first baby steps on the journey to WebSockets support in curl. There is a dedicated sponsor behind this, but I will let them break the news about who they are when they feel ready.

I have already faced some disappointments and had to do some replanning as the library I planned to base this implementation on just does not seem to be suitable.

I might try to get some live-streamed hacking on websockets going in the coming weeks.

survey

The user survey ended mid last week but it has been a busy period and while I have slowly been crunching the data in the background, it is going to take me a while longer until I can present the results and analysis from the survey.

It is however yet again striking how similar people answer the questions year by year!

feature freeze

No more features will be accepted into curl before the pending next release. That is what feature freeze means and we typically have it frozen for the later half of the release cycle to keep us focused on bug-fixing and polish on the sprint towards release.

release date moved

I announced a slightly adjusted release date for curl 7.84.0: July 1st 2022. Due to me organizing some personal travels I decided it would work smoother to do the release a few days earlier than previously planned.

security

OpenSSF is sponsoring a curl security audit that we will run with the help of OSTIF. The work of finding a suitable auditor company/organization has kicked off and in a few weeks we will know who will get assigned the project.

In the meantime, security researcher extraordinaire Harry Sintonen submitted no less than four new security issues to the project that have been registered as CVEs and will be announced and revealed in association with the pending release. (Harry is now the name behind no less than 17 curl CVEs.)

I have assisted the Apache Security team, sharing my view and knowledge about some specific protocol related questions with a security angle.

Blog posts

Coming up

  • podcast participation on Monday
  • continued work on WebSockets
  • survey analysis
  • crossing my fingers for new port of tiny-curl
  • ocsp go ahead?
