Notices by daniel:// stenberg:// (bagder@mastodon.social)

I mean, Jack Dorsey speaking about "Infusing Open Source Culture into Company DNA" when not a single soul has ever heard of him in relation to Open Source before this talk title would have worked as a joke to me.

https://fosdem.org/2025/schedule/event/fosdem-2025-4507-infusing-open-source-culture-into-company-dna-a-conversation-with-jack-dorsey-and-manik-surtani-block-s-head-of-open-source/

I've decided to do a little live-streamed #curl presentation on twitch next week:

"curl from start to end". For free of course, no signup. Just show up.

https://daniel.haxx.se/blog/2025/01/16/presentation-curl-from-start-to-end/

The short summary of if it has been worth the hassle: yeah I think so. It is now easy and fast to get new CVE IDs. We have a seat at a table where I can complain loudly on the system and what I say actually might have a (small) impact.

We have yet to deny someone else's crazy CVE attempts against curl.

#curl has been a CNA for a year now https://daniel.haxx.se/blog/2024/01/16/curl-is-a-cna/

@jelu @icing we already have a HTTPS record parser (over DoH) since the first ECH support was brought in so we're good for that. That's what made this first step so quick and easy. The much more complicated step is to fetch HTTPS records "on the side", when resolving the name with getaddrinfo(). But that's not really DNS related, it's more internal architecture fiddling. I'll use c-ares for that, and it offers HTTPS functionality as well.

@jelu @icing there's simply no demand for that among our users. DNSSEC does not add much when we have TLS on top.

@jelu @icing I have no intentions of doing that now. Maybe in a distant future.

@jelu @icing curl does transfers. TLS makes sure those are not done from any DNS poisoned address

@jelu @icing I know that but that's irrelevant for the connection since it is proven with TLS. Now stop making a fool of yourself.

@jelu @icing I'm sorry, but it sounds like you need to read up on what TLS does for a connection. I know what DNSSEC does. No, I'm not going to the netnod meeting.

@jelu @icing and I repeatedly talk about *transfers* and *connections* "protected" with TLS - for which DNSSEC does not add a lot

With @icing's help, we made our first transfers with #curl respecting HTTPS RR records (RFC 9460) today. Kind of cool. Needs more work before it becomes truly useful, and in particular to use it without DoH, but hey. It's a step. There will be many more.

Turns out snprintf() in old Windows C runtimes is documented to have the buffer overflow that no other implementations do. 🤔

https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/snprintf-snprintf-snprintf-l-snwprintf-snwprintf-l?view=msvc-170#remarks

@slothrop I can't recall that has ever happened actually (yet). They seem to just downright rather threaten me, like in https://daniel.haxx.se/blog/2021/02/19/i-will-slaughter-you/

"I got all your fucking info either you turn yourself in or ill show it to the police"

Nine years ago today. Still weird.

https://daniel.haxx.se/blog/2016/01/11/tales-from-my-inbox-part/

@bsdphk I suppose I just don't get surprised or upset anymore when another proprietary vendor does something silly but we have to survive in their environment.

I think this is entirely a Microsoft problem, even if I fear that we might need to patch something ugly into curl to mitigate the worst risks.

Two years since my last blogged update on URL standards, the situation has not improved one bit:

https://daniel.haxx.se/blog/2022/01/10/dont-mix-url-parsers/

Congratulations all crowd strike users on macOS who now get warnings about the #libcurl version shipped by Apple. May you all enjoy your choices of software vendors.

It alerts about CVE-2024-9681. We said it is severity low. NVD says 6.5 medium.

Never a dull moment.

oops, I forgot the recent IDN addition. v2

The #libcurl backends image got a little less cluttered after we dropped hyper - no more HTTP/1 backends. The January 2025 edition.