The migration to the strparse API introduced regressions in Digest authentication parsing where Optional Whitespace (OWS) after commas was not skipped, and escaped quotes in values were not correct...
Some time ago I mentioned that we went through the curl source code and eventually got rid of all strncpy() calls. strncpy() is a weird function with a crappy API. It might not null terminate the destination and it pads the target buffer with zeroes.
Probably old news but my mind is always blown by all the stuff #curl can do. I had zero idea that curl has a —form argument that lets you simulate filling out a form, complete with a file upload. Let me automate a super annoying task for a friend with a dead simple bash script.
Microsoft: „1 engineer, 1 month, 1 million lines of code“
That would mean @bagder rewriting 5 #curl projects into Rust in a month.
Microsoft revising the „rewrite over a weekend“ meme to it actually taking them 6 days. For a person they have not hired yet. With tools they still have to invent.
If you are a MS customer, you‘d better start putting more money into Copilot right away!
Let's take a look back and remember some of what this year brought. commits At more than 3,400 commits we did 40% more commits in curl this year than any single previous year! Since at some point during 2025, all the other authors in the project have…
1. User complains to #hackerone that I named his *previous* name when he renamed himself to a silly name after I banned them in a #curl report filed back in October.
2. Hackerone asks me to respond on their support forum, on which I have no account. Grrr. I refuse to.
3. Replying to the hackerone email about this instead, I get a bounce saying they don't accept emails on support@hackerone ...
Joshua Rogers on his bug bounty experiences in 2025.
Positive for #curl, kafka-esque for all others mentioned. ‚BugCrowd‘ seems to a typical level-1 support company living on denials.
(Joshua also reported on Apache and pbly other projects where he could talk to the maintainers. I take #curl here as an example for FOSS projects interested in actually securing things.)
I added a sentence to the #curl hackerone submission page:
"Please present your case briefly and to the point. Do not use an AI to help you blab hundreds of lines that will exhaust us to death instead of making us understand your claim."
This is not working. The number of #hackerone report submissions for #curl in 2025 is going through the roof, while the quality is going through the floor.
If you've been wanting to speak securely to your garage door or whatever MQTTS capable devices you want to control with your #curl command lines, look no further:
(this is planned to merge in time for the March 2026 release)
