Even as #curl is soon 10000 days, here's a list of changes and features that we have queued up for the coming next release. And these are just things we think have a chance of getting merged. (But not all of them will manage, most likely.)
It can take the #HardenedBSD project a full month to rebuild its package repos. And since we've built this software monoculture against libcurl, this will be FUN!
It was recently updated in this doc to seven, but there were *two* numbers mentioned and only one of them was updated leaving the paragraph quite confusing. Follow-up to 83c90e50472f32b74e388f6e524d...
I have previously blogged about the relatively new trend of AI slop in vulnerability reports submitted to curl and how it hurts and exhausts us. This trend does not seem to slow down.
The #curl security ream consists of seven team members. I encourage the others to also chime in to back me up (so that we do right). Every report thus engages 3-4 persons. Perhaps for 30 minutes, sometimes up to an hour or three. Each.
I personally spend an insane amount of time on curl already, wasting three hours still leaves a lot of time for other things. My fellows are not full time on curl. They might only have three hours per week for curl.
I trust you all take the opportunity to enjoy the fun curl's --libcurl option brings after that security report debacle.
1. run any #curl command line 2. add "--libcurl template.c" to the command line and run it again 3. there, a fine source code embryo to start your libcurl using app from
A while ago I received an email with this question. I've been subscribed to your weekly newsletter for a while now, receiving your weekly updates every Friday. I'm writing because I admire your consistency, focus, and perseverance.
OpenSSL offers the following ML KEM hybrid algorithms.
P256_ML_KEM_768
P384_ML_KEM_1024
X25519_ML_KEM_768
These algorithms are already supported by WolfSSL, but are not available for use by Curl. T...
With the new EU legislation Cyber Resiliency Act (CRA), there are new responsibilities and requirements put on manufacturers of digital products and services in Europe.
This is an intersection of two of my obsessions: graphs and vulnerability data for the curl project. In order to track and follow every imaginable angle of development, progression and (possible) improvements in the curl project we track and log lots…
With the multi handle becoming the preferred way of operating curl for non-trivial applications, there are properties that an application is currently unable to observe and needs to deduce. The mos...
One of the harder things to look out for in a software project is slow or gradual decay over a long period of time. Like if we gradually make a library 1% slower or use 2% more memory every other month.
In these days of "vibe coding" and chatbots, users ask AIs for help with everything. Asked to find security problems in Open Source projects, AI bots tell users something that sounds right. Reporting these "findings" wastes everyone's time and causes much frustration and fatigue. Daniel shows how this looks, how it DDoS projects and how totally beyond crazy stupid this is. With examples and insights from the #curl project.
I think this is slightly better. Shows better how many really old #curl vulnerabilities we have had reported. Age of the flaw in number of the years on the y-axis, proper date of the report on the x-axis.
There is a de facto environment variable CI=true that is enabled on CI platforms like GitHub, GitLab and Jenkins. Tools such as pip and yarn listen to this and make their output less chatty. In man...
1.Download curl.se using #curl built to use OpenSSL (that is over HTTPS in case Mastodon hides the scheme for you) 2. count number of allocations made with heaptrack 3. pause for gasping 4. double-check that curl only does 134 allocs itself, independently of the downloaded size 5. check the heaptrack number again
It is a somewhat common question to me: how do we write C in curl to make it safe and secure for billions of installations? Some precautions we take and decisions we make. There is no silver bullet, just guidelines.
Per project policy, we make ALL reports public. (For practical reasons we have so far focused on getting everything submitted during 2025 disclosed. Hackerone has no method to disclose in bulk or automated, so it is a highly manual and tedious process involving a lot of clicks per single report)
C mistakes among the vulnerabilities present in #curl code
(C mistakes are vulnerabilities that were caused by a mistake that "probably would not have been possible" had we not been using C for curl. Manually assessed for each case.)
I checked the latest stats. The median time a #curl CVE lingers in code before getting reported: 2163 days (almost 6 years). The average is 2893 days (almost 8 years)
