Search

Items tagged with: cURL

I checked the latest stats. The median time a #curl CVE lingers in code before getting reported: 2163 days (almost 6 years). The average is 2893 days (almost 8 years)
#curl

does my late night habits make me commit #curl security problems at strange hours?

Not obviously.

The hour of the day with most #curl security problem commits is 14!

The top-5 bad commit hours of the day:

14:00 21 vulns
22:00 17
23:00 11
15:00 11
11:00 10

Hard to make fun graph out of...

#curl

Vulnerability distribution present in #curl code

For every moment in time, how many vulnerabilities of different severity were present in code. We know now because these vulnerabilities have been reported and fixed since then.

The peak is at 7.41.0 on 2015-02-25 with 85 vulnerabilities present!

A graph showing a multi color "mountain" of vulnerabilities
#curl

Working on a new graph.

Total severity distribution in #curl vulnerability reports

Graph showing the share of high/critical security reports in curl starting at 100% of the reports until 2006, then shrinking gradually down to 20% in 2025
#curl

I feel honored that #curl depends on my multipart library (at least the curl test suite) but does it? I can find the dependency but not that it is used. I wonder how that happened :rubberduck:
#curl

I'm introducing limits per test case in #curl test suite to make sure we don't unintentionally accidentally suddenly use many more allocations or much more concurrent memory than we can allow.

github.com/curl/curl/pull/1782…


runtests: verify maximum memory-use per test by bagder · Pull Request #17821 · curl/curl

The idea here is to set limits per test how many allocations and maximum amount of memory it is allowed to use. This is a means to make sure the number and total size of allocations are kept in che...
GitHub
#curl

Found in the pending release notes for the coming #curl 8.15.0 release:

Public curl releases: 269

Command line options: 269

Prime time.

#curl

#curl

Does #curl have a graph of how often the team is offered pancakes?
#curl

#curl

"I've never once needed to do something with it that it couldn't"

Top-notch comment in the #curl user #survey

#survey #curl

Every 6th respondent says they used #curl for 18 or more years!

#survey

#survey #curl

Another glimpse from the #curl user survey 2025

users score our security handling performance high

a bar graph that shows 85% of respondents giving us 5/5
#curl

#curl user survey 2025 respondents like Mastodon:
a graph showing Mastodon the most favored "communication channel" the curl project should use (more)
#curl

dear big-CDN-employee,

asking #curl API questions in private emails to me is NOT an acceptable way to get a quick response unless you also pay for said private support

/ Daniel

#curl

#curl @icing

that's in particular important to keep in mind when looking at a graph like this, showing the number of known vulnerabilities per 1,000 lines of code in #curl over time:
a plotted line that shrinks over time. At 1.2/1.4 back in the early 2000s, it shrinks pretty linearly towards zero at current date
#curl

One of my fav graphs of #curl improvement in recent years, is the one showing vulnerabilities reported separated between low/medium and high/critical.

The report frequency has gone up, but they are less critical these days.

as described
#curl

#curl survey 2025 respondents are not fans of #GitHub, but also not terribly against it...

(piece of the full analysis that I'm working on)

pie chart showing 21.6% yes, 20.8% no and the rest are indifferent or "I don't know"
#github #curl

#curl

#curl

#curl

#curl

#opensource #django #curl @daniel:// stenberg:// @Django

#curl

16.6% of all #curl users (1/6) have used curl for 18+ years
#curl

In 2025, 0.4% of #curl users say they run it on HPUX, 0.2% uses it on IRIX but both are beaten by VMS at 0.5% ...
#curl

I decided to make this year's analysis of the #curl user survey different. I'm going to write it all in markdown and generate all the graphs with gnuplot.
#curl

#curl

Today I added the following paragraph to #curl's hackerone page informing about our bug-bounty program:

Reports are made public

All security reports that are submitted to the curl project are subject for disclosure once they have been dealt with and they are deemed "insensitive". We are an Open Source project for which transparency is important, which then includes showing the world all our security reports as well.

(See hackerone.com/curl )


curl - Bug Bounty Program | HackerOne

The curl Bug Bounty Program enlists the help of the hacker community at HackerOne to make curl more secure.
HackerOne
#curl

Showing up at a conference as a #curl maintainer may cause a lot of positive feedback and sentiments getting expressed. Just saying. Can even become almost overwhelming!

This will keep me going for another while for sure. Thanks everyone at #joyofcoding.

#curl #joyofcoding

#curl

#curl #joyofcoding #joyofcoding2025 @daniel:// stenberg://

#curl #joyofcoding @daniel:// stenberg://

#curl maintainer on the road
Daniel selfie on a local train wearing sunglasses and a green thsirt with a white curl logo.
#curl

#curl

@cr I don't have a lot of experience to compare with. Fastly sponsors this for us (making it entirely gratis for us, the #curl project) and their service has been just flawless so I have nothing but praise to give.
#curl @Chris 🏃 🐧

#curl

#curl

In July we remove support for one of the HTTP/3 backends for #curl (msh3) and once that is done, the updated backend maps look like this.
A visual showing the design for the three different HTTP/3 and QUIC backend choices for curl
A visual showing the design curl using five different kinds of backends, protocol handler and the public API.
#curl