Notices by daniel:// stenberg:// (bagder@mastodon.social)

891 persons have already responded to the #curl survey 2025. If you have not, please consider donating a few minutes of your time and help us out!

https://daniel.haxx.se/blog/2025/05/19/the-curl-user-survey-2025-is-up/

at 1082 responses now and I'm closing the survey tonight my time, less than six hours left to leave your opinions:

https://daniel.haxx.se/blog/2025/05/19/the-curl-user-survey-2025-is-up/

at 1,001 responses now!

There is apparently a #curl version you can install with winget on Windows.

But who makes it and who decides how to build it? I don't know. And it isn't easy to figure that out either.

https://github.com/curl/curl/issues/17504

Referring sites for visitors to #curl's GitHub repository over the last 14 days.

Interesting I think.

#curl 8.14.0 is here with new stuff, bugfixes and two security advisories.

Live-streamed presentation at 08:00 UTC today.

https://daniel.haxx.se/blog/2025/05/28/curl-8-14-0/

After every release there's this great sense of bliss and aaaaaah mixed with the anxiety that someone soon reports a horrible regression.

...but then I've only done this 267 times. It might get better over time.

The two #curl CVEs we publish today are both rated medium and affect QUIC connections when curl is built to use wolfSSL

Hiroki Kurosawa reported both and he is rewarded 2540 USD for each from the curl bug-bounty.

With these two, the total bug-bounty payout from #curl now exceeds 90,000 USD over the last few years.

https://curl.se/docs/bugbounty.html

(thanks to IBB for sponsoring our bug-bounty program!)

Hello [redacted],

I don't do private support for free. If you want curl help, either pay for support and we can continue the conversation privately, or take the discussion to a public mailinglist/github discussion.

/ Daniel

When #curl turns into an evil empire, we already have the flag done.

#curl 8.14.0 becomes release number 267 since the dawn of time.

It supports 269 command line options.

I talked AI slop with @joshbressers on Open Source Security:

https://opensourcesecurity.io/2025/2025-05-curl_vs_ai_with_daniel_stenberg/

CycloneDX cancels their bug-bounty program blaming AI slop:

"This caused a lot of extra work which is why we decided to abandon the program. Thanks AI."

https://github.com/CycloneDX/cyclonedx-rust-cargo/pull/786

0 days since the latest slop

User reports memory leak security problem. According to them, valgrind saying 0 bytes leak is wrong and their source analysis is instead correct.

I mean, it *can* theoretically happen, but what are the odds?

meh, I didn't read the report properly. The reporter did say he used an AI assistance for this.

Yay.

"thank you for your existence" - I do get lovely emails as well in my #inbox

https://daniel.haxx.se/email/2025-05-20.html

Allow us to block Copilot-generated issues (and PRs) from our own repositories on #github

https://github.com/orgs/community/discussions/159749

I ran a quick SFTP performance test with #curl built to use #libssh 0.11.1 vs one built that uses #libssh2 1.11.1 over a 400ms latency connection.

One of them managed to perform this at 1049K/sec, the other reached only 249K/sec.

And the winner is...

libssh2

Funny detail: I sped it up for this kind of use case **fifteen years ago** and blogged about it: https://daniel.haxx.se/blog/2010/12/08/making-sftp-transfers-fast/

The #curl user survey 2025 is up. Please donate a few minutes of your time and tell us about your view and use of curl.

https://daniel.haxx.se/blog/2025/05/19/the-curl-user-survey-2025-is-up/