Welcome Karthik Dasari as #curl commit author 1390: https://github.com/curl/curl/pull/17864
GitHubcurl_osslq: fix missing include of url.h by devkdas · Pull Request #17864 · curl/curl
#curl
29 posts10 participants0 posts today
single-digit number of open #curl issues...
Replied to daniel:// stenberg://
@bagder reminds me that when I query an appropriately configured @iscdotorg BIND9 name server it divulges an (unmaintained) list of authors.
Does #curl have a secret option to do likewise? ;-)
Welcome Eshan Kelkar as #curl commit author 1389: https://github.com/curl/curl/pull/17856
GitHublibssh: Fixes related to readdir by galorithm · Pull Request #17856 · curl/curl
Keeping tabs on #curl's memory use
https://daniel.haxx.se/blog/2025/07/08/keeping-tabs-on-curls-memory-use/
daniel.haxx.se · keeping tabs on curl’s memory useOne of the harder things to look out for in a software project is slow or gradual decay over a long period of time. Like if we gradually make a library 1% slower or use 2% more memory every other month. Sometimes it is totally acceptable to make code slower and use more memory because … Continue reading keeping tabs on curl’s memory use →
Replied to daniel:// stenberg://
Continued thread
Abstract:
In these days of "vibe coding" and chatbots, users ask AIs for help with everything. Asked to find security problems in Open Source projects, AI bots tell users something that sounds right. Reporting these "findings" wastes everyone's time and causes much frustration and fatigue. Daniel shows how this looks, how it DDoS projects and how totally beyond crazy stupid this is. With examples and insights from the #curl project.
----
Good enough maybe?
I'm doing a keynote next month at an Open Source conference about AI (abuse) in #curl's security program etc. I could use your help:
1. Give me a clever title
2. What details would you like such a talk to contain?
Continued thread
I think this is slightly better. Shows better how many really old #curl vulnerabilities we have had reported. Age of the flaw in number of the years on the y-axis, proper date of the report on the x-axis.
python's built-in urllib module still doesn't support http2 (nor http3) in the year of 2025, luckily pycurl exists and supports modern standards
GitHubGitHub - pycurl/pycurl: PycURL - Python interface to libcurlPycURL - Python interface to libcurl. Contribute to pycurl/pycurl development by creating an account on GitHub.
I've polished the graph that shows #curl vulnerability age when they were fixed. With median and average ages added.
So far in 2025, we have received 52 vulnerability reports submitted to #curl. Two per week on average.
5 have been confirmed security problems (and have been published)
11 were tagged AI slop; all banned and reported to HackerOne
15 were considered "normal bugs"
21 were deemed "not applicable" (various reasons)
Adhere to CI=true environment variable to hide #curl's progress bar?
GitHubAdhere to CI=true environment variable to hide progress bar · curl curl · Discussion #17838There is a de facto environment variable CI=true that is enabled on CI platforms like GitHub, GitLab and Jenkins. Tools such as pip and yarn listen to this and make their output less chatty. In man...
1.Download https://curl.se using #curl built to use OpenSSL (that is over HTTPS in case Mastodon hides the scheme for you)
2. count number of allocations made with heaptrack
3. pause for gasping
4. double-check that curl only does 134 allocs itself, independently of the downloaded size
5. check the heaptrack number again
54,000
hm
curl.securl
I posted "writing C for #curl" just a short while ago, which is relevant to the recent "C mistake" graphs.
daniel.haxx.se · Writing C for curlIt is a somewhat common question to me: how do we write C in curl to make it safe and secure for billions of installations? Some precautions we take and decisions we make. There is no silver bullet, just guidelines. As I think you can see for yourself below they are also neither strange nor … Continue reading Writing C for curl →
You can follow along with the stream of security reports submitted to #curl by watching the ones we make public:
https://hackerone.com/curl/hacktivity
Per project policy, we make ALL reports public. (For practical reasons we have so far focused on getting everything submitted during 2025 disclosed. Hackerone has no method to disclose in bulk or automated, so it is a highly manual and tedious process involving a lot of clicks per single report)
HackerOneHackerOne
C mistakes among the vulnerabilities present in #curl code
(C mistakes are vulnerabilities that were caused by a mistake that "probably would not have been possible" had we not been using C for curl. Manually assessed for each case.)
Number of graphs in the #curl dashboard - as a graph.
I checked the latest stats. The median time a #curl CVE lingers in code before getting reported: 2163 days (almost 6 years). The average is 2893 days (almost 8 years)