Search

Items tagged with: curl

In #curl land, @vsz made a CI job that builds curl with fil-C and it runs the tests fine. Just slightly limited due to lack of dependencies as they all need to be built with fil-C as well.

github.com/curl/curl/pull/1939…


GHA/linux: add minimal Fil-C build with tests by vszakats · Pull Request #19391 · curl/curl

Requirements for Fil-C: not to accidentally pick up system headers. E.g. from /usr/include on Linux. It can happen when any dependency is auto-detected on this header path. This makes Fil-C find t...
GitHub
#curl @vsz

#curl

While on the topic of colorful #curl graphs. Complexity distribution in the source code over time. The recent effort to simplify code in curl has been done by multiple people through the last year or so. The graph's cyclomatic complexity is the score shown by the pmccabe tool.
Graph showing complexity distribution in curl source code over time. Showing recent code being all less than 70, with large portions of time having pieces > 200.
#curl

#curl #homebrew

More than half of #curl's source code lines have been changed within the last four years. 1,101 lines from before year 2000 still remain "untouched".
Graph showing curl's source code age over time
#curl

24 hours since a dot-zero #curl release with 400+ bugfixes and not a single annoying regression reported yet.

I'm not sure how to handle this.

#curl

1 open #curl issue for some Kerberos header file on IBM OS400 platforms…

I expected more from you…🦧

#curl

#curl

#curl

#curl #trurl

#curl

#curl

yes of course there is a graph of all #curl releases ever done. This includes the releases done using the previous names (httpget and urlget) as well
Y axis: number of release, X axies is time. 270 release done until yesterday
#curl

this is the 3rd #curl release ever done on November 5, as I trust you remember 7.19.0 and 7.39.0 back in 2008 and 2014
#curl

The #curl release on GitHub is now marked as "immutable" and there's even something they call "release attestation" there now.

Just remember that the curl canonical releases are the signed tarballs uploaded by me. Reproducible, so you can verify them at will to not contain bad things. Signed to prove I did them.

Made with love and care, I promise.

#curl

#curl

As per tradition, I will do a live-streamed #curl release presentation tomorrow 10:00 CET (my local time) over at twitch.tv/curlhacker

curlhacker - Twitch

I'm Daniel Stenberg, maintainer and lead developer in the curl project. I stream curl related stuff. Release presentations, curl development and related topics.
Twitch
#curl

#curl

curl.se, the domain itself, celebrates five years as home of #curl today.

I told the story back then:

daniel.haxx.se/blog/2020/11/04…


The journey to a curl domain

Good things come to those who wait? When I created and started hosting the first websites for curl I didn't care about the URL or domain names used for them, but after a few years I started to think that maybe it would be cool to register a curl doma…
daniel.haxx.se
#curl

Educational moment on the #curl wikipedia page 😎
screenshot showing wikipedia (mistakenly) explaining the SMBS protocol as "super mario bros" instead of "Server Message Block" or SMB over TLS.
#curl

#curl

yeah, in the #curl case I hope and wish that the people making the curl packages for distros (or build curl for other purposes) do the reproducible check - so that they know for sure that the one doing the curl releases didn't smuggle anything in. It also usually also requires that a few people do it and can trigger the alarm if they would find something odd.

At least we make it possible.

#curl

one thing we finally made real in #curl as a direct consequence of the xz attack was reproducible builds. Since the xz release added things into the release that did not come from autotools nor git, verifying reproducible builds would have caught that. Having that in place forces attackers to land their backdoor in git to be able to ship it, which should increase the bar significantly.
#curl

#curl

#curl humility is among the greatest is the world
#curl

The coming #curl release picture is of the slightly less humble kind
curl 8.17.0 said in wooden tiles with two gold medals in between
#curl

@bsi As a Federal Office it's not easy to do cherry-picking - even for system critical projects like #curl if the tools developed are not agnostic. A OSV-CSAF converter would be possible, but OSV is lacking Information mandatory for CSAF.
On a personal note: my last perl-programming was 1998 - therefore I won't make any promises what I might or might not be able to contribute in my spare time or how long it would take.
#curl @BSI

A semi regular reminder. These are #curl's best friends. The top sponsor of November 2025.
curl sponsors Nov 2025: Haxx. Fastly, wolfSSL, TeamViewer, GitHub, kirei, elastic, IBB
#curl

The number of lines of code in #curl has of course exploded over time, from 100 in late 1996 to almost 180,000 today, but interestingly our tests seem to generally keep up. Number of tests per KLOC is now over 12. (and yes, a single test can be very simple or very complex, it's not a very precise measurement)
A graph showing number of test cases per kloc of code in curl over time. Starting at 1 in 2001, and more than 12 in late 2025.
#curl

in 48 hours, we'll unleash at least 436 bugfixes and 11 changes in the pending #curl 8.17.0 release...
#curl

strncpy has been banned completely from #curl since a while back, for the same reasons
graph showing strncpy density in curl code over time, zero since late 2024
#curl

One way we work on making #curl code safer (with fewer mistakes) is by using more helper functions and fewer direct calls to *alloc() and mem/strcpy().

Since reported vulnerabilities generally are really old, we can't know yet for several years if it actually has the desired effect.

I plot the memory call density to see how it goes.

Graph showing memory function call density in curl source code over time. Now at its lowest point since forever.
#curl

October 2025 stands out in the #curl stats. The graph show commits per month since 1999.
a graph showing commits per month in curl and October 2025 reaches almost 450, more than any other month since 1999
#curl

However, it's the classic chicken-egg problem: Why should I start? The answer is: #curl is a mature project and can lead the way.
We are happy to help you and others getting started. Feel free to reach out to our #CSAF team at csaf@bsi.bund.de.

(2/2)

#curl #CSAF

#curl

#curl

Unfortunately, the Chinese version of the Everything #curl book that launched five years ago is no longer available for purchase on Amazon.

daniel.haxx.se/blog/2020/10/29…


Everything curl in Chinese

The other day we celebrated everything curl turning 5 years old, and not too long after that I got myself this printed copy of the Chinese translation in my hands! This version of the book is available for sale on Amazon and the translation was done …
daniel.haxx.se
#curl

Seven days to the pending #curl release.

11 changes, over 400 bugfixes. One CVE.

#curl

The other day we had our first ever chained AI tool success on the #curl factory floor:

- tool A found a possible flaw in code and reported it.

- using the plain English description from tool A, tool B could create a reproducible by itself that verified the finding

The sense of magic is strong in this.

Now us poor humans need to fix it. The AIs are still really lousy at writing patches.

#curl

#curl