@markuswerle @jakob @pluralistic This is how I interpret the situation: #GitHub offers open source programs free access to GitHub actions today exactly as it did in the past. This access is limited in CPU performance and parallelism. It always was. All free CI services do this.
The #curl project was bumped to a fancier account to give us more actions powers: more CPU and more parallelism.
That is them doing us a favor and them supporting us, not the other way around.
See discussion here: #14432GitHub
with this knowledge we are pondering what we can to do make things less annoying for #curl on Windows.
What now takes a few milliseconds on my Linux machine, takes several seconds on Windows. Not ideal.
When converting WebSocket flags such as CURLWS_TEXT | CURLWS_CONT to opcodes for sending fragmented frames, we want to exclude CURLWS_CONT from the lookup so AND it out. Alternatively, this tweak c...GitHub
what people have been using for years already will start working in #curl 8.10.0: -vv, -vvv and -vvvv for more verbose logging.
Up until now, adding more vs did not do anything different.
github.com/curl/curl/pull/1397…
PR by the awesome @icing
make mentioning -v on the curl command line increase the verbosity of the trace output related discussion #13810 add trace group names for components: network, protocol, proxy. Usable in --trace-co...GitHub
Problem AWS SigV4 signing requires headers to be lexicographically ordered by name. The current implementation uses strcmp on the full header, leading to incorrect ordering when header names have i...GitHub
To my understanding the functions are nghttp3 callbacks and should therefore return NGHTTP3_ERR_CALLBACK_FAILURE. However, this is not critical as the nghttp3 documentation states for all callbacks...GitHub
Today is exactly five years since we did the first HTTP/3 transfers with #curl
My blog post from back then:
daniel.haxx.se/blog/2019/08/05…
#curl's 265th command line option is called --skip-existing. Lets you completely skip a download if there is a local file present already.
github.com/curl/curl/pull/1399…
With this option, the entire download is skipped if the selected target filename already exists when the operation is about to begin. Also works fine with "globs". code documentation test cases...GitHub
Starting now, #curl shows extended help for a given command line option if you write it after --h. Like "curl -h --location" or "curl -h -O"
Shipping in the pending curl 8.10.0 in mid September.
github.com/curl/curl/pull/1399…
First shot. The extracting of the help texts is still a little crude: because we typically have 270KB of text zlib compressed into a single blob, we have to scan for the text to show. As of now, I ...GitHub
The IP address in the example is taken out of RFC 5737.GitHub
Watch @samueloph and the Debian curl maintainer team, discussing issues and the way forward at DebConf24:
Unpopular opinion: Damn cool kids with their HTTPs 3 and QUICs and whatevers. HTTP/1.1 was good enough for everyone!
They're adding all that fancy stuff into the new #cURL version, and it causes #Transmission to crash. How am I going to seed all these Linux images now?!
github.com/transmission/transm…
github.com/curl/curl/issues/14…
I did this After #14296, curl has started to leak SIGPIPE in some cases. I‘ve noticed this since the test suite I wrote for our in-house curl-wrapper now sometimes exits which SIGPIPE (I‘d say abou...GitHub
Bugfix rate in the #curl project is currently racing to an all-time high.
(yes, presumably this also means we insert more bugs as well as there need to be something to fix...)
The original #hackerone report for #curl's CVE-2024-7264: ASN.1 date parser overread is now published:
## Summary: When a specially-crafted certificate is passed to `Curl_extract_certinfo` to parse, it may read bytes beyond the end of the buffer in which the certificate is held. According to the...HackerOne
I added a section to everything #curl about what we do to mitigate backdoor attempts:
everything.curl.dev/project/se…
Did I forget anything obvious?
everything there is to know about curl, libcurl and the cURL projecteverything.curl.dev
This is a patch release done just seven days since 8.9.0. It fixes 28 bugs, and in particular a few annoying regressions and one CVE.YouTube
Welcome Joe Birr-Pixton as #curl commit author 1289: github.com/curl/curl/pull/1431…
(I deduped a few authors counted twice, so the count is a few less than previously)
The goal of this PR is to remove the rustls stanza in tests/data/DISABLED that skips some tests. That involves supporting CRLs -- we've had upstream support for a little while, but needs some plumb...GitHub
#curl 8.9.1 is here
28 bugfixes, including a low severity CVE - seven days since the previous release.
daniel.haxx.se/blog/2024/07/31…
See you at 08:00 UTC for the live-stream
I have this slide showing the 101(!) operating systems people have reported #curl to run on.
I now have a customer call scheduled about porting it to a 102nd...
In 2022 I became #curl's 1000th commit author and was congratulated as such until I had to confess to @bagder that I wasn't: I had used two distinct email addresses and was thus only the 999th.
The record (daniel.haxx.se/blog/2022/01/30…) doesn't reflect this, but it is my #sundayConfession
According to @bagder the stubborn way the #OpenSSL project is handling #QUIC implementation is directly responsible for delaying HTTP/3 adoption (1), and I tend to agree. When the project rejected the community QUIC patches and decided to go with their own design, it wasn't difficult to predict problems. This was proven right by the massive feature gaps (2) and performance issues (3) discovered by @icing when trying to marry OpenSSL QUIC to #curl. Even with API fixes released in version 3.3 the implementation is still inferior, and there is no good solution in sight.
1) lwn.net/Articles/983380/
2) github.com/openssl/openssl/dis…
3) github.com/icing/blog/blob/mai…
Contribute to icing/blog development by creating an account on GitHub.GitHub
Starting now, the #curl website offers changelog listings per-release. curl.se/ch/ always shows the latest release.
Old links still work of course and the old "all changes in a single page" will remain.
Daniel Stenberg goes over the changes done in curl 8.9.02 CVEs11 changes260 bugfixesYouTube
I'm Daniel Stenberg, maintainer and lead developer in the curl project. I stream curl related stuff. Release presentations, curl development and related topics.Twitch
libcurl at commit [58772b0e082eda333e0a5fc8fb0bc7f17a3cd99c](https://github.com/curl/curl/tree/58772b0e082eda333e0a5fc8fb0bc7f17a3cd99c) contains a stack-buffer overread in...HackerOne
Libcurl at commit [04739054cdac5a0614fb94e3655e313c03399f35](https://github.com/curl/curl/tree/04739054cdac5a0614fb94e3655e313c03399f35) contains an invalid invocation of `free()` in the function...HackerOne
I'm Daniel Stenberg, maintainer and lead developer in the curl project. I stream curl related stuff. Release presentations, curl development and related topics.Twitch
#curl 8.9.0 is out: daniel.haxx.se/blog/2024/07/24…
2 CVEs fixed
11 changes
260 bugfixes
by 80 contributors, out of which 47 authored commits
in 63 days since the previous release
A short story of a question turned into a new pending #curl feature:
github.com/curl/curl/discussio…
I naively tested to rate limit curl with --rate 5/10s but complained with following message: curl: unsupported --rate unit curl: conf:1: '--rate' is badly used here curl: cannot read config from 'c...GitHub
mbedtls_ssl_get_version_number() was added in mbedtls 3.2.0. Check for that version before using it.GitHub
A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS…GitHub
