Notices by daniel:// stenberg:// (bagder@mastodon.social), page 5

Welcome Dominik Piątkowski as #curl commit author 1284: https://github.com/curl/curl/pull/14115

I don't understand it, but I approve of the attempt. #FoundOnFacebook #curl

Willy Tarreau's feedback on LTS (for #curl) could be the best comment my blog ever received: https://daniel.haxx.se/blog/2024/06/27/long-term-curl-versions/comment-page-1/#comment-27045

(Willy is known as the man behind haproxy)

Ranked number 4: curl/7.29.0

Released on February 6 2013, approaching 11.5 years ago. We have documented >8,000 bugfixes since then...

Top-5 #curl version distribution among requests done on haxproxy.org in June 2024:

curl/7.81.0 79.64%
curl/7.61.1 5.88%
curl/7.68.0 5.47%
curl/7.29.0 2.00%
curl/8.5.0 1.31%

https://mailarchive.ietf.org/arch/msg/quic/81Wa98MtpGt-idJTWClxQXVury8/

Here's a user in the wild who was bitten by the Apple "backdoor" in #curl:

https://github.com/curl/curl/discussions/14009

Daniel's weekly report June 21, 2024

https://lists.haxx.se/pipermail/daniel/2024-June/000069.html

survey, podcast, Steam, everything curl, hackerone, feature window, -vv, CPU vs accuracy

Expressed in the tone of a classic strip.

This is the same fun Windows feature biting PHP: https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/

closed a third. Turns out Windows sometimes do fun IDN-like unicide-to-ascii conversions for command lines that then allows users to insert unicode characters in cmdline argument when run on windows, and they are converted to their ASCII look-alike counterparts. Which can be abused to insert arguments and what not.

Not a curl security flaw. Just the weirdest Windows feature I've seen in a while. And probably a security problem in many places.

one of them claimed the fact that you can run "curl http://¹²7.0.0.1" is a vulnerability.

I insist this is IDN working as designed. However crazy it may look like.You just cannot filter URLs like that and assume it will work.

closing hackerone reports as not applicable without mercy on a Saturday night

@nixCraft we ran our own CVS pserver instances!

💚

@a1ba clearly also some intruders!

On this day thirteen years ago, #rockbox was still a thing I worked on a lot and we did a new Rockbox tower record of 117cm (in London)

https://daniel.haxx.se/blog/2011/06/05/rockbox-bridge-and-tower/

This is still the standing Rockbox tower record I believe.

Yes, I always work on important stuff.

"maybe we need this in the future" is a bad idea for writing good code. If we need that flexibility in the future, other things will have changed as well. Better do it then, not complicating matters now.

Turning down needlessly flexible code like a boss.

Author density. Number of commit authors shown by git blame in product code per KLOC. In #curl. Over time.

Because I was reminded. Remember when PowerShell went Open Source eight years ago and I submitted a PR the next day proposing to remove the #curl alias?

There is always another windmill to fight!

https://daniel.haxx.se/blog/2016/08/19/removing-the-powershell-curl-alias/

if #curl was an evil empire, what would the flag look like?

Black and red and fists?