Mastering the curl command line with Daniel Stenberg
daniel:// stenberg://
@bagder
I do network code and protocols. I write curl. On team . I don't know anything. @bagder@mastodon.social
daniel:// stenberg://’s posts
This day 23 years ago, I uploaded the first ever curl release. Happy birthday to all of us who use and appreciate curl. I love you all.
daniel.haxx.se/blog/2021/03/2
If you are a multi billion dollar company and are concerned about log4j, why not just email OSS authors you never paid anything and demand a response for free within 24 hours with lots of info? (company name redacted for *my* peace of mind)
I replied saying I'd be happy to answer all the questions as soon as we have a support contract.
"http://http://http://@http://http://?http://#http://"
is a legitimate URL
This company called runs this package manager called .
They host a curl package there, that was last updated in 2013 and now contains **68** documented vulnerabilities.
But there is apparently no way I can report this or make them act on this.
I keep getting emails from NASA where they request I inform them about curl. They can land on Mars, sure, but I think they have some other issues left to sort out...
Never forget: every base is base 10. daniel.haxx.se/blog/2021/05/0
One of the silicon valley multi-billion dollar companies started donating monthly to curl. 44 USD/month.
Imagine sitting in the meeting where they came to the conclusion that this amount seems about right.
Do NOT. I repeat. Do NOT remove curl.exe from your Windows System32 folder to silence a (stupid) security scanner. It will lead to tears and sorrows.
And if you do, please don't ask *me* for help when you've broken your Windows install. I can't fix that.
A trillion dollar company.
Quote
Replying to @spotmac
Thanks for contacting us. To get help with this issue, please reach out to Curl: curl.se/gethelp.html
This week's best email. I don't think I can add anything else to that.
curl is 24 years old, runs in some 10 billion installations worldwide and now has a fair amount of sponsors.
I'm proposing I no longer have to pay with my own money for the server and instead spend some of our fund on it: curl.se/mail/lib-2022-
I'm trying out a new slide in my curl presentation slide set. You know; runs on 86 operating systems, 22 CPU architectures, and... 2 planets.
curl is 160,000 lines of code documented with 36,900 lines of man pages. Turns 21 years old this Wednesday. #curl21
I have this well established practice: when the entire household goes to bed, I do curl development for two more hours. Every day, for 23 years and counting. Sometimes a little more, sometimes a little less.
Whatever you do consistently for 23 years ends up a lot.
Quote
15,000 spare time hours have been spent by Daniel on the curl project as it turns 23 years old #curl23
CVE-2020-19909 is everything that is wrong with CVEs
Another 9.8 CRITICAL curl problem. All made up.
daniel.haxx.se/blog/2023/08/2
“Memes” or other fun images involving curl. Please send or direct me to other ones you think belong in this collection! Kept here solely to boost my ego.
daniel.haxx.se/blog/2021/05/0
The 6 largest companies per market cap in the world right now are Apple, Microsoft, Amazon, Alphabet, Facebook and Tencent.
They all use curl/libcurl in products and services.
Just saying.
Twenty years of maintaining open source, and all I ever got...
You will love CVE-2021-22925. The most embarrassing security advisory in curl for a long time. Facepalm level: 10.
Goes public on Wednesday. I will probably hide.
Quote
Two days from next curl release. 82 contributors, 56 commit authors did over 150 bug-fixes and we'll announce *5* CVEs. Buckle up my friends!
"I could write curl in a 3 day weekend comfortably."
Clearly I should've asked the right reddit people for help.
curl -w certs daniel.haxx.se/blog/2022/12/2 - curl can now output the server certificates in PEM format
on this day, twenty-one years ago, we shipped curl 7.6, the first curl release with IPv6 support. Hooray!
"I think you could replace 99% of the uses of Curl ... with like 100 lines of Python or Rust or Go"
news.ycombinator.com/item?id=341849
"I will slaughter you" - some emails penetrate even my thick open source maintainer skin. Like this threat.
daniel.haxx.se/blog/2021/02/1
"Hi David,
Thank you for your reply. Are you saying that we are not a customer of your
organization?"
At 128 days without any response on my US visa application, a Department of Homeland Security IT guy emails me for private curl support... The irony is not lost on me.
Naming it "curl" was easy. Because you know, to be able to curl a URL you need a tool called curl and at the time when I started the project there was no such tool.
Going back home. To cry. To curse. To write code from home instead. Fricking miserable morning. No #sfallhands for me.
curl is 21 years, 8 months and 8 days old. Over the last three weeks alone we've merged code from 8 first-time authors. Now counting 751 authors.
Hooray for awesome people!
jo | curl --json | jq
In the future, you'll forget there ever was a time when you didn't use this trinity.
libcurl supports protocols. Work in progress slide for a curl presentation I'm working on. A protocol forest!
User on stackoverflow tells me I'm wrong on how curl works. Episode 417: stackoverflow.com/a/70063980/937
Will I ever rewrite curl in rust?
I don't believe in rewrites, no matter which language. I believe in replacing code and fixing components gradually over time. That *could* mean that we have a curl written mostly in rust in 10 years. Or in 20 years. Or not.
The best kind of bug report is when the reporter threatens to give up using your open source product if you don't hurry up to fix it. In your spare time. For their benefit. </sarcasm>
Let me show you a random slide from my presentation tomorrow... =)
I started working on the precursor to curl before I was 26. Today I turn half a century old.
curl URL decoding: 2.8 times faster: ✅
curl URL encoding: 7.8 times faster: ✅
A fine day in the curl factory: ✅
fun fact: git used curl before curl used git but both git's use of curl and curl's use of git have improved curl ... and I like to think that git's use of curl helps to make it a solid product.
On this day in 1998, I released urlget 3.12. The last ever release of urlget. I then renamed the tool and released it as "curl" six days later. The first step of an interesting journey.
Yet, somehow, I don't feel bad.
Backseat driving is easy.
Quote
“This is curl’s 249th command line option and...” Imma let you finish, but designing a program with 249 options is a terrible decision that you should feel bad about daniel.haxx.se/blog/2022/11/1
Today I removed 230 instances of the word "very" from curl documentation...
I'm getting questions if curl or libcurl are vulnerable to the log4j CVEs.
Clearly not even users and customers quite understand software stacks.
Maintaining an open source project is a lot more than just writing code.
Many current curl users were not even born when I started working on it.
I struggle to get that into my head.
Rerunning a favorite: "I could write curl in a 3 day weekend comfortably"
daniel.haxx.se/blog/2021/05/2
Do you think log4j saw how heartbleed was the kickstarter that took openssl to funding levels never previously seen in the project and wanted to try the same model? Hm, is there another widely used component we could try this with...?
This old guy has been "chosen to be a Star for 2022." 🌟(continuing from last year) stars.github.com/profiles/bagde
According to 's new rules, we're not eligible for the open source free tier if anyone in the project gets paid to work on it...
Thanks a lot.
Windows 10 officially ships with curl now! blogs.technet.microsoft.com/virtualization
I think naming projects prefixed with your programming language of choice is silly. I would never name my project... oh wait.
Let’s Encrypt will offer wildcard certificates in 2018!
I can only contact the "owner", which seems like they might be dead/gone since years back.
I've reported it, but says they don't "support" individual packages. As if I asked for support.
137,00 downloads it says. Over 3,000 downloads the last six weeks.
I've been awarded the Google Open Source Peer Bonus award 2020! daniel.haxx.se/blog/2020/04/0 - Beer bonus!
This slide is from the FOSDEM keynote by Dr. Steve Crawford of NASA from a few hours ago.
The log4j case is not a showcase for bad OSS funding. It is a showcase for naive and cheap users not doing their due diligence, code review and testing before using components. Remember goto fail? Silly bugs are shipped even with the greatest funding.
I hope you celebrated the palindrome date stamp at 12:02 today: 202101101202
"This specification defines a new HTTP method, QUERY, as a safe, idempotent request method that can carry request content."
ietf.org/archive/id/dra
I can't even report this as a vulnerability. They only accept such reports for Microsoft products. For other packages I need to contact the package owner....
"How can curl be that much code?" and "How can you keep doing so many bug-fixes after 23 years?" are two common questions that I think prove that we manage to keep an appearance of relative simplicity and consistency on the outside users see. A small win in itself I think.
friends at : we keep getting reports from users about your outdated curl version in Windows 10 and Windows 11. They are (rightfully) concerned that you don't fix known security problems. How about an upgrade?
this package keeps tricking users to download it. It's outdated, old, stale, vulnerable and should be removed.
But I cannot make them do this.
I love this new game of 2020. Indeed's fantastic 10K USD gift is no longer the largest single monetary donation to curl. Backblaze just entered the race at 15,600 USD.
Wow.
"Our /etc/hosts files are quite large (500k) " ...
People are weird.
if someone tells you HTTP is simple, you have my permission to give them "the stare"
I was offered to get a 99 USD product for free in exchange for tweeting favorably about it "2-3 times". I might not be rich, but man, if I would sell out my name and reputation I would at least request proper pay.
According to , I have a parcel coming my way that must contain a physics break-through and it tickles my imagination.
Oracle shipped nine security fixes to curl yesterday: linux.oracle.com/errata/ELSA-20 - fixes we announced in **2016**. We've announced several more problems after that for the version they ship...
curl's source code repo counts 866 unique commit authors so far. Out of which...
558 made a single commit
307 made two or more
113 made five or more
62 made ten or more
One committer has made 15433 commits
I wrote "HTTP/3 explained". It's been translated into seven more languages by awesome people. Today I got a print version of the Japanese translation (printed and sold in a one-time-only event in Japan). Such an awesome feeling. daniel.haxx.se/http3-explaine
This day, 4 years ago. I was handed the #polhemspriset gold medal by his majesty the king of Sweden - for my work on curl! daniel.haxx.se/blog/2017/10/2 - it will remain one of the best days of my life.


