Daniel's weekly report
April 8, 2022
Happened this week
Uncurled
I have had a few pending blog posts about doing Open Source in draft state for a few years by now and this week I finally made up my mind: instead of making these blog posts, I am going to convert them and gather other notes, thoughts and documents of mine into a book about my experiences and lessons from a life (well, three decades at least) with Open Source. I've started the work without yet announcing where/how the work in progress can be seen, although lots of good people of course have found it and started to provide feedback and help me out. I am blessed with the best friends.
I am happy with what I have managed to blurt together already the first few days (at 8,500 words and counting), and there is still more to write and expand on. I really need to consider how to properly put it all together in a comprehensible way. To make the result approachable and decently readable. But I am not in a hurry.
If you have ideas of what you would like to see me cover, let me know.
I asked for title suggestions on Twitter and I got a flood of good suggestions back. I have decided to go with:
Uncurled - everything I know and learned about running and maintaining Open Source projects for three decades.
Rate limit curl
I grabbed another old outstanding bullet point from the TODO document in the curl repository and put together a new command line option proposal for curl. Using this option, tentatively called --rate, you can ask curl to do transfers/requests no faster than N transfers per M time units when you ask curl to do multiple transfers in a serial manner.
Very early days still for it, but I'm open for your criticism and feedback on how it is planned to work.
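To make the proposed semantics concrete, here is an added illustration (not curl's code, and not how the proposal will necessarily be implemented) of a limiter that starts serial transfers no faster than N per period. It assumes, as a simplification, that "N per M time units" can be enforced as a minimum spacing of M/N between transfer start times; the clock and sleep functions are injectable so the schedule can be checked offline without waiting, and the URLs and transfer durations in the simulation are constructed sample values.

```python
"""Serial transfer rate limiter: no more than N transfer starts per period.

Added example, not code from the curl project. It models "N transfers per
M time units, done serially" as a minimum interval of M/N seconds between
consecutive transfer start times (an assumption about the semantics).
"""
import time
from typing import Callable, List, Tuple


class SerialRateLimiter:
    """Gate each transfer start so that consecutive starts are at least
    period_seconds / max_transfers apart."""

    def __init__(self, max_transfers: int, period_seconds: float,
                 clock: Callable[[], float] = time.monotonic,
                 sleeper: Callable[[float], None] = time.sleep) -> None:
        if max_transfers <= 0 or period_seconds <= 0:
            raise ValueError("rate must be a positive count per positive period")
        self.interval = period_seconds / max_transfers
        self.clock = clock
        self.sleeper = sleeper
        self.next_allowed = None  # earliest time the next transfer may start

    def wait_for_slot(self) -> float:
        """Block until the next transfer may start; return seconds waited."""
        now = self.clock()
        waited = 0.0
        if self.next_allowed is not None and now < self.next_allowed:
            waited = self.next_allowed - now
            self.sleeper(waited)
            now = self.clock()  # re-read: the sleep may have overshot
        self.next_allowed = now + self.interval
        return waited


class FakeClock:
    """Deterministic clock for simulation: sleeping just advances time."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


def simulate_start_times(urls: List[str], max_transfers: int, period: float,
                         transfer_duration: float = 0.0) -> Tuple[List[float], float]:
    """Run the URLs serially against a fake clock and return
    (start time of each transfer, total seconds spent waiting on the limiter).
    Each simulated transfer takes transfer_duration seconds."""
    clock = FakeClock()
    limiter = SerialRateLimiter(max_transfers, period, clock.now, clock.sleep)
    starts: List[float] = []
    total_waited = 0.0
    for _ in urls:
        total_waited += limiter.wait_for_slot()
        starts.append(clock.now())
        clock.sleep(transfer_duration)  # the transfer itself consumes time
    return starts, total_waited


def max_starts_in_any_window(starts: List[float], period: float) -> int:
    """Independent check: the largest number of starts inside any window of
    length `period` (half-open), which must never exceed max_transfers."""
    best = 0
    for i, s in enumerate(starts):
        count = sum(1 for t in starts[i:] if t < s + period)
        best = max(best, count)
    return best


if __name__ == "__main__":
    # Constructed sample input: four serial transfers, limited to 3 per 10 s.
    sample = ["https://example.invalid/a", "https://example.invalid/b",
              "https://example.invalid/c", "https://example.invalid/d"]
    fast, waited = simulate_start_times(sample, 3, 10.0)
    print("instant transfers start at", fast, "after waiting", waited, "s")
    slow, waited = simulate_start_times(sample, 3, 10.0, transfer_duration=5.0)
    print("5 s transfers start at", slow, "after waiting", waited, "s")
```

The second simulation shows the case a practitioner cares about: when each transfer already takes longer than the spacing, the limiter never sleeps, so the option only slows curl down when it would otherwise exceed the requested rate.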
Deprecate RANDOM_FILE and EGDSOCKET
In one of my passes of the curl source code, it struck me that we have two setopt options for libcurl that are not in effective use anymore. The CURLOPT_RANDOM_FILE and CURLOPT_EGDSOCKET options were only supported with older OpenSSL versions that mostly are extinct now.
I'm moving forward to deprecate them and their command line option companions.
Android debugging
I had a productive meeting with customer S and their somewhat strange problems with curl_multi_wakeup() on Android. We have some ideas on further debugging, logging and analyzing strategies that should help us continue to narrow down and understand when and why the problem appears...
WinCE
Meanwhile, customer W had virtually no issues at all building and running a recent libcurl version for WinCE 5.0.
curl up
At our weekly curl meeting yesterday at wolfSSL we decided to move forward and try to organize something curl up-like in San Francisco. We are now investigating the venue situation. More details to follow soon if things just line up as we hope to.
User survey
I started to go over the questions in the annual curl user survey to freshen them up and also edit them based on feedback we got last year - add/remove answer alternatives, maybe remove some questions and see if we should add something. Right now, I aim at making the survey go live on Monday May 16th.
Blog posts
- no posts this week
Coming up
- I will be off next week, going somewhere a few days in search of spring
Feedback
April 1, 2022
Happened this week
New CVE coming
We've worked a little on a pending new CVE for curl that has been reported and confirmed. It is a security vulnerability and we have a patch done already. Left to do is to write up a thorough and complete advisory and soon to apply for a CVE id for it. This is going to be the first security vulnerability in curl that is eligible for a reward via the Internet Bug Bounty, of which curl has been a part since last year.
We will publish the CVE details in sync with the next release, planned to happen on April 27.
busy-loop
A separate issue filed as a suspected security vulnerability was the MQTT busy-loop I blogged about. It was one of those tricky problems that took me a few days to make up my mind about before I landed on "not a security issue".
The reporter, Jenny Heino, wrote a blog post about the finding from her point of view.
h2-bugs
You would like to believe that the HTTP/2 logic in libcurl would be fairly stable by now, but... there is always more polish to be done. We fixed several minor issues, in what are probably edge cases but still.
Generic TLS (ALPN) messaging
I did some tidying up among the TLS backends and have introduced common strings for some ALPN related verbose messages. The point would be to make curl output the same messages about TLS related things, independent of which backend is used. I started doing this for ALPN related texts but I figured this is a good idea in general so hopefully I will get to making more strings identical this way.
Feature freeze
On March 30 we closed the feature window for this cycle. Now we will only merge bug-fixes till the next release.
Podcast
My podcast appearance on Software Engineering Radio went up this week. A compact hour of me talking a lot about curl, development, releases, production, success and more.
Everything curl
The book grew over 700 lines this week and is now more than 90,000 words and 13,000 lines.
I added new pages about caches, alt-svc and the curl_easy_option API etc.
I've cleaned up the language use on words like runtime, wildcard, "an HTTP" (as compared to "a HTTP") and use of uppercase URL. Consistency is king.
Blog posts
- What curl expects from dependencies
- This busy-loop is not a security issue
- Talked curl on Software Engineering Radio
Coming up
- curl on Win CE for customer
- customer meeting talking deep libcurl debugging in mobile phone apps