Notices by daniel:// stenberg:// (bagder@mastodon.social)

@kaia they stilled helped out and took us forward. And they might still have "traces" left in other areas of the git repo. Every contributor is awesome!

amusing stat: in #curl 8.13.0 we have "surviving" code lines from 622 authors. (who has at least one production code line with their name in git blame)

That's 11 *fewer* than in the previous release.

In fact, we peaked at 636 unique authors in version 8.10.1 and it has gone down since.

No, I don't have any conclusion to make based on this. It's just variations over time.

@joshbressers @gregkh @TheNewStack @sjvn agreed.

We are proposing OSS projects to be able opt out of getting CVE records "improved" by CVSS.

We are also discussing how smaller OSS projects could get an existing CNA to deal with their CVEs (their scope really), as if they were a CNA.

This within the "OSS CNA group" that has been started featuring curl, kernel, perl, and lots of linux distros ppl etc.

Remember the #curl distro meeting 2025 next week! https://github.com/curl/curl/wiki/curl-distro-discussion-2025

To make #curl better in distros. To make distros ship better #curl. To make everyone happier and the world a little nicer.

I had not considered removing dotdot-sequences from URLs when the dots are URL encoded! There is always another level of "fun" with URLs.

https://github.com/curl/curl/pull/16870

During 27 years of shipping curl, we have *never* before fixed bugs at a higher rate than we have done these last seven weeks.

That's what having @icing and @vsz in your project can do.

We have at least 290(!) logged bugfixes queued up for the #curl release coming in four days. That's more than 6 bugs squashed per day on average during this release cycle.

Just imagine how many bugs we must be adding! 😉

What do you think are the primary challenges for Open Source the coming years?

Security? CRA? Financing? Maintainer burnout? Recruiting young developers? Adapting to a country-former-ally going nuts? AI slop? AI bot overload? Something else?

(I'd like some more food for thoughts for an upcoming talk)

You can help #curl by testing this final release candidate, rc3, before the real release happens next week:

https://curl.se/rc/

Remember that there is no single or homogeneous "Open Source community". It is an enormously huge, loosely coupled bunch of humans, each with their own goals, ideas and expectations. The few foundations we have don't cover more than just a small fraction of the Open Source done in the world made by millions of humans and some companies.

Don't expect the foundations to necessarily be on your side or view OSS like you do.

@skaverat three years ago we were at less than 20GB/month, but there is no clear cut-off date nor do I know exactly what amount of this traffic that is AI bots and not

I think users (like GitHub/MS and friends) have a responsibility to push back on the AI companies they lean so heavily on and demand they behave. But I have no expectation they will.

@gbraad we specifically don't have logs so I can't tell exactly where they come from, but I read others' analyses of the problem and from what I hear they are quite hard to block properly. We are fortunate to have Fastly that hosts the site and thus is the one that handles the onslaught

The AI bots that desperately need OSS for code training, are now slowly killing OSS by overloading every site.

The curl website is now at 77TB/month, or 8GB every five minutes.

https://arstechnica.com/ai/2025/03/devs-say-ai-crawlers-dominate-traffic-forcing-blocks-on-entire-countries/

This week #OSI helps us realize how quickly you can demolish trust in an organization.

Two years ago we introduced the #libcurl header API:

https://daniel.haxx.se/blog/2022/03/24/easier-header-picking-with-curl/

On this day twenty-seven years ago, I released the first #curl version. I called it 4.0 as I kept the versioning from the previous names.

The Matrix channel #curl:curl.se is now bridged to the #curl IRC channel for even more curl chatting

@dalias @astraleureka as mentioned elsewhere in this thread, it's my DNS that is "helpful"!

We got another "critical vulnerability" on #curl reported. I figured you might enjoy it.

"The authentication mechanism in cURL does not properly restrict the number of failed authentication attempts, allowing an attacker to brute-force credentials"

Yawn. Away, away you go.