Older blog entries for bagder (starting at number 850)

27 Oct 2014 »

daniel.haxx.se episode 8

Today I hesitated to make my new weekly video episode. I looked at the viewers number and how they basically have dwindled the last few weeks. I’m not making this video series interesting enough for a very large crowd of people. I’m re-evaluating if I should do them at all, or if I can do something to spice them up…

… or perhaps just not look at the viewers numbers at all and just do what think is fun?

I decided I’ll go with the latter for now. After all, I enjoy making these and they usually give me some interesting feedback and discussions even if the numbers are really low. What good is a number anyway?

This week’s episode:

Personal

Firefox

reverting strict HTTP 1.1 frame requirements (bug 1088850)
cache flush fix in Aurora
b2g emulator cppunit test woes
mac patch

Fun

TCP on port 0

HTTP/2

TALKS

I’m offering two talks for FOSDEM

curl

release next Wednesday
bug fixing period
security advisory is pending

wget

released 1.16 today

</p><p class="syndicated"><a href="https://web.archive.org/web/20170630145749/http://daniel.haxx.se/blog/2014/10/27/daniel-haxx-se-episode-8/">Syndicated 2014-10-27 16:17:26 from daniel.haxx.se</a></p></div> </div> <div class="node bagder"> <div class="blogdate"><a name="849"><b>26 Oct 2014</b></a> <a href="/web/20170630145749/http://www.advogato.org/person/bagder/diary/849.html" style="text-decoration: none">»</a></div><div class="content"> <p><b>Stricter HTTP 1.1 framing good bye</b></p> <p>I worked on a <a href="https://web.archive.org/web/20170630145749/http://daniel.haxx.se/blog/2014/06/16/firefox-and-partial-content/">patch for Firefox bug 237623</a> to make sure Firefox would use a stricter check for “HTTP 1.1 framing”, checking that Content-Length is correct and that there’s no broken chunked encoding pieces. I was happy to close an over 10 years old bug when the fix landed in June 2014.</p> <p>The fix landed and has not caused any grief all the way since June through to the actual live release (Nightlies, Aurora, Beta etc). This change finally shipped in Firefox 33 and I had more or less already started to forget about it, and now things went south really fast.</p> <p>The amount of broken servers ended up too massive for us and we had to backpedal. The largest amount of problems can be split up in these two categories:</p> <ol><li>Servers that deliver gzipped content and sends a Content-Length: for the uncompressed data. This seems to be commonly done with old mod_deflate and mod_fastcgi versions on Apache, but we also saw people using IIS reporting this symptom.</li> <li>Servers that deliver chunked-encoding but who skip the final zero-size chunk so that the stream actually never really ends.</li> </ol><p>We recognize that not everyone can have the servers fixed – even if all these servers <em>should</em> still be fixed! We now <a href="https://web.archive.org/web/20170630145749/https://bugzilla.mozilla.org/show_bug.cgi?id=1088850">make these HTTP 1.1 framing problems get detected</a> but only cause a problem if a certain pref variable is set (network.http.enforce-framing.http1), and since that is disabled by default they will be silently ignored much like before. The Internet is a more broken and more sad place than I want to accept at times.</p> <p>We haven’t fully worked out how to also make the download manager (ie the thing that downloads things directly to disk, without showing it in the browser) happy, which was the original reason for bug 237623…</p> <p>Although the code may now no longer alert anything about HTTP 1.1 framing problems, it will now at least mark the connection not due for re-use which will be a big boost compared to before since these broken framing cases really hurt persistent connections use. The partial transfer return codes for broken SPDY and HTTP/2 transfers remain though and I hope to be able to remain stricter with these newer protocols.</p> <p>This partial reversion will land ASAP and get merged into patch releases of Firefox 33 and later.</p> <p>Finally, to top this off. Here’s a picture of an old HTTP 1.1 frame so that you know what we’re talking about.</p> <p style="text-align: center;"> <img class="size-full wp-image-6674 aligncenter" title="An old http1.1 frame" src="https://web.archive.org/web/20170630145749im_/http://daniel.haxx.se/blog/wp-content/uploads/2014/10/http1.1-old-frame.jpg" alt="An old http1.1 frame" width="450" height="377"/></p><p class="syndicated"><a href="https://web.archive.org/web/20170630145749/http://daniel.haxx.se/blog/2014/10/26/stricter-http-1-1-framing-good-bye/">Syndicated 2014-10-26 21:44:56 from daniel.haxx.se</a></p></div> </div> <div class="node bagder"> <div class="blogdate"><a name="848"><b>25 Oct 2014</b></a> <a href="/web/20170630145749/http://www.advogato.org/person/bagder/diary/848.html" style="text-decoration: none">»</a></div><div class="content"> <p><b>Pretending port zero is a normal one</b></p> <p>Speaking the TCP protocol, we communicate between “ports” in the local and remote ends. Each of these port fields are 16 bits in the protocol header so they can hold values between 0 – 65535. (IPv4 or IPv6 are the same here.) We usually do HTTP on port 80 and we do HTTPS on port 443 and so on. We can even play around and use them on various other custom ports when we feel like it.</p> <p>But what about port 0 (zero) ? Sure, IANA lists the port as “<a href="https://web.archive.org/web/20170630145749/http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml">reserved</a>” for TCP and UDP but that’s just a rule in a list of ports, not actually a filter implemented by anyone.</p> <p>In the actual TCP protocol port 0 is nothing special but just another number. Several people have told me “it is not supposed to be used” or that it is otherwise somehow considered bad to use this port over the internet. I don’t really know where this notion comes from more than that IANA listing.</p> <p>Frank Gevaerts helped me perform some experiments with TCP port zero on Linux.</p> <p>In the Berkeley sockets API widely used for doing TCP communications, port zero has a bit of a harder situation. Most of the functions and structs treat zero as just another number so there’s virtually no problem as a client to connect to this port using for example <a href="https://web.archive.org/web/20170630145749/http://curl.haxx.se/">curl</a>. See below for a printout from a test shot.</p> <p>Running a TCP server on port 0 however, is tricky since the <a href="https://web.archive.org/web/20170630145749/http://linux.die.net/man/2/bind">bind()</a> function uses a zero in the port number to mean “pick a random one” (I can only assume this was a mistake done eons ago that can’t be changed). For this test, a little <a href="https://web.archive.org/web/20170630145749/http://en.wikipedia.org/wiki/Iptables">iptables</a> trickery was run so that incoming traffic on TCP port 0 would be redirected to port 80 on the server machine, so that we didn’t have to patch any server code.</p> <p>Entering a URL with port number zero to Firefox gets this message displayed:</p> <blockquote> <p> <em>This address uses a network port which is normally used for purposes other than Web browsing. Firefox has canceled the request for your protection.</em> </p> </blockquote> <p>… but Chrome accepts it and tries to use it as given.</p> <p>The only little nit that remains when using curl against port 0 is that it seems glibc’s <a href="https://web.archive.org/web/20170630145749/http://man7.org/linux/man-pages/man2/getpeername.2.html">getpeername()</a> assumes this is an illegal port number and refuses to work. I marked that line in curl’s output in red below just to highlight it for you. The actual source code with this check is <a href="https://web.archive.org/web/20170630145749/http://lxr.free-electrons.com/source/net/ipv4/af_inet.c#L706">here</a>. This failure is not lethal for libcurl, it will just have slightly less info but will still continue to work. I claim this is a glibc bug.</p> <p> <code>$ curl -v http://10.0.0.1:0 -H "Host: 10.0.0.1"<br/> * Rebuilt URL to: http://10.0.0.1:0/<br/> * Hostname was NOT found in DNS cache<br/> * Trying 10.0.0.1...<br/><span style="color: #ff0000;"> * getpeername() failed with errno 107: Transport endpoint is not connected<br/></span>* Connected to 10.0.0.1 () port 0 (#0)<br/> > GET / HTTP/1.1<br/> > User-Agent: curl/7.38.1-DEV<br/> > Accept: */*<br/> > Host: 10.0.0.1<br/> ><br/> < HTTP/1.1 200 OK<br/> < Date: Fri, 24 Oct 2014 09:08:02 GMT<br/> < Server: Apache/2.4.10 (Debian)<br/> < Last-Modified: Fri, 24 Oct 2014 08:48:34 GMT<br/> < Content-Length: 22<br/> < Content-Type: text/html<br/></code> </p> <p> <code> </code> </p> <p> <code><html>testpage</html></code> </p> <p>Why doing this experiment? Just for fun to to see if it worked.</p><p class="syndicated"><a href="https://web.archive.org/web/20170630145749/http://daniel.haxx.se/blog/2014/10/25/pretending-port-zero-is-a-normal-one/">Syndicated 2014-10-25 14:42:27 from daniel.haxx.se</a></p></div> </div> <div class="node bagder"> <div class="blogdate"><a name="847"><b>17 Oct 2014</b></a> <a href="/web/20170630145749/http://www.advogato.org/person/bagder/diary/847.html" style="text-decoration: none">»</a></div><div class="content"> <p><b>curl is no POODLE</b></p> <p>Once again the internet flooded over with reports and alerts about a vulnerability using a funny name: <a href="https://web.archive.org/web/20170630145749/http://googleonlinesecurity.blogspot.se/2014/10/this-poodle-bites-exploiting-ssl-30.html">POODLE</a>. If you have even the slightest interest in this sort of stuff you’ve already grown tired and bored about everything that’s been written about this so why on earth do I have to pile on and add to the pain?</p> <p>This is my way of explaining how POODLE affects or doesn’t affect <a href="https://web.archive.org/web/20170630145749/http://curl.haxx.se/">curl</a>, libcurl and the huge amount of existing applications using libcurl.</p> <p> <strong>Is my application using HTTPS with libcurl or curl vulnerable to POODLE?</strong> </p> <p><strong>No</strong>. POODLE really is a browser-attack.</p> <h2>Motivation</h2> <p>The POODLE attack is a combination of several separate pieces that when combined allow attackers to exploit it. The individual pieces are not enough stand-alone.</p> <p><a href="https://web.archive.org/web/20170630145749/https://tools.ietf.org/html/rfc6101">SSLv3</a> is getting a lot of heat now since POODLE must be able to <em>downgrade</em> a connection to SSLv3 from TLS to work. Downgrade in a fairly crude way – in libcurl, only libcurl built to use NSS as its TLS backend supports this way of downgrading the protocol level.</p> <p>Then, if an attacker manages to downgrade to SSLv3 (both the client and server must thus allow this) and get to use the sensitive block cipher of that protocol, it must maintain a connection to the server and then retry many similar requests to the server in order to try to work out details of the request – to figure out secrets it shouldn’t be able to. This would typically be made using javascript in a browser and really only HTTPS allows this so no other SSL-using protocol can be exploited like this.</p> <p>For the typical curl user or a libcurl user, there’s A) no javascript and B) the application already knows the request it is doing and normally doesn’t inject random stuff from 3rd party sources that could be allowed to steal secrets. There’s really no room for any outsider here to steal secrets or cookies or whatever.</p> <h2>How will curl change</h2> <p>There’s no immediate need to do anything as <strong>curl and libcurl are not vulnerable to POODLE</strong>.</p> <p>Still, SSLv3 is long overdue and is not really a modern protocol (TLS 1.0, the successor, had its <a href="https://web.archive.org/web/20170630145749/https://tools.ietf.org/html/rfc2246">RFC published 1999</a>) so in order to really avoid the risk that it will be possible exploit this protocol one way or another now or later using curl/libcurl, we will disable SSLv3 by default in the next curl release. For all TLS backends.</p> <p>Why? Just to be extra super cautious and because this attack helped us remember that SSLv3 is old and should be let down to die.</p> <p>If possible, explicitly requesting SSLv3 should still be possible so that users can still work with their legacy systems in dire need of upgrade but placed in corners of the world that every sensible human has since long forgotten or just ignored.</p> <h2>In-depth explanations of POODLE</h2> <p>I especially like the ones provided by <a href="https://web.archive.org/web/20170630145749/https://polarssl.org/tech-updates/blog/sslv3-and-poodle-in-perspective">PolarSSL</a> and <a href="https://web.archive.org/web/20170630145749/http://nmav.gnutls.org/2014/10/what-about-poodle.html">GnuTLS</a>, possibly due to their clear “distance” from browsers.</p><p class="syndicated"><a href="https://web.archive.org/web/20170630145749/http://daniel.haxx.se/blog/2014/10/17/curl-is-no-poodle/">Syndicated 2014-10-17 08:28:08 from daniel.haxx.se</a></p></div> </div> <div class="node bagder"> <div class="blogdate"><a name="846"><b>16 Oct 2014</b></a> <a href="/web/20170630145749/http://www.advogato.org/person/bagder/diary/846.html" style="text-decoration: none">»</a></div><div class="content"> <p><b>FOSS them students</b></p> <p>On October 16th, I visited DSV at Stockholm University where I had the pleasure of holding a <a href="https://web.archive.org/web/20170630145749/http://barkod.se/">talk and discussion with students</a> (and a few teachers) under the topic <em>Contribute to Open Source</em>. Around 30 persons attended.</p> <p> Here are the slides I use, as usual possibly not perfectly telling stand-alone without the talk but there was no recording made and I talked in Swedish anyway…</p> <p><iframe src="//web.archive.org/web/20170630145749if_/http://www.slideshare.net/slideshow/embed_code/40370540" width="425" height="355" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" style="border:1px solid #CCC; border-width:1px; margin-bottom:5px; max-width: 100%;" allowfullscreen="">

Contribute to Open Source from Daniel Stenberg

Syndicated 2014-10-16 21:01:58 from daniel.haxx.se

12 Oct 2014 »

What a removed search from Google looks like

Back in the days when I participated in the starting of the Subversion project, I found the mailing list archive we had really dysfunctional and hard to use, so I set up a separate archive for the benefit of everyone who wanted an alternative way to find Subversion related posts.

This archive is still alive and it recently surpassed 370,000 archived emails, all related to Subversion, for seven different mailing lists.

Today I received a notice from Google (shown in its entirety below) that one of the mails received in 2009 is now apparently removed from a search using a name – if done within the European Union at least. It is hard to take this seriously when you look at the page in question, and as there aren’t that very many names involved in that page the possibilities of which name it is aren’t that many. As there are several different mail archives for Subversion mails I can only assume that the alternative search results also have been removed.

This is the first removal I’ve got for any of the sites and contents I host.

Notice of removal from Google Search

Hello,

Due to a request under data protection law in Europe, we are no longer able to show one or more pages from your site in our search results in response to some search queries for names or other personal identifiers. Only results on European versions of Google are affected. No action is required from you.

These pages have not been blocked entirely from our search results, and will continue to appear for queries other than those specified by individuals in the European data protection law requests we have honored. Unfortunately, due to individual privacy concerns, we are not able to disclose which queries have been affected.

Please note that in many cases, the affected queries do not relate to the name of any person mentioned prominently on the page. For example, in some cases, the name may appear only in a comment section.

If you believe Google should be aware of additional information regarding this content that might result in a reversal or other change to this removal action, you can use our form at https://www.google.com/webmasters/tools/eu-privacy-webmaster. Please note that we can’t guarantee responses to submissions to that form.

The following URLs have been affected by this action:

http://svn.haxx.se/users/archive-2009-08/0808.shtml

Regards,

The Google Team

Syndicated 2014-10-12 11:56:12 from daniel.haxx.se

10 Oct 2014 »

internal timers and timeouts of libcurl

Bear with me. It is time to take a deep dive into the libcurl internals and see how it handles timeouts and timers. This is meant as useful information to libcurl users but even more as insights for people who’d like to fiddle with libcurl internals and work on its source code and architecture.

socket activity or timeout

Everything internally in libcurl is using the multi, asynchronous, interface. We avoid blocking calls as far as we can. This means that libcurl always either waits for activity on a socket/file descriptor or for the time to come to do something. If there’s no socket activity and no timeout, there’s nothing to do and it just returns back out.

It is important to remember here that the API for libcurl doesn’t force the user to call it again within or at the specific time and it also allows users to call it again “too soon” if they like. Some users will even busy-loop like crazy and keep hammering the API like a machine-gun and we must deal with that. So, the timeouts are mostly to be considered advisory.

many timeouts

A single transfer can have multiple timeouts. For example one maximum time for the entire transfer, one for the connection phase and perhaps even more timers that handle for example speed caps (that makes libcurl not transfer data faster than a set limit) or detecting transfers speeds below a certain threshold within a given time period.

A single transfer is done with a single easy handle, which holds a list of all its timeouts in a sorted list. It allows libcurl to return a single time left until the nearest timeout expires without having to bother with the remainder of the timeouts (yet).

Curl_expire()

… is the internal function to set a timeout to expire a certain number of milliseconds into the future. It adds a timeout entry to the list of timeouts. Expiring a timeout just means that it’ll signal the application to call libcurl again. Internally we don’t have any identifiers to the timeouts, they’re just a time in the future we ask to be called again at. If the code needs that specific time to really have passed before doing something, the code needs to make sure the time has elapsed.

Curl_expire_latest()

A newcomer in the timeout team. I figured out we need this function since if we are in a state where we need to be called no later than a certain specific future time this is useful. It will not add a new timeout entry in the timeout list in case there’s a timeout that expires earlier than the specified time limit.

This function is useful for example when there’s a state in libcurl that varies over time but has no specific time limit to check for. Like transfer speed limits and the like. If Curl_expire() is used in this situation instead of Curl_expire_latest() it would mean adding a new timeout entry every time, and for the busy-loop API usage cases it could mean adding an excessive amount of timeout entries. (And there was a scary bug reported that got “tens of thousands of entries” which motivated this function to get added.)

timeout removals

We don’t remove timeouts from the list until they expire. Like for example if we have a condition that is timing dependent, then we set a timeout with Curl_expire() and we know we should be called again at the end of that time.

If we wouldn’t add the timeout and there’s no socket activity on the socket then we may not be called again – ever.

When an internal state transition into something else and we therefore don’t need a previously set timeout anymore, we have no handle or identifier to the timeout so it cannot be removed. It will instead lead to us getting called again when the timeout triggers even though we didn’t really need it any longer. As we’re having an API that allows this anyway, this is already handled by the logic and getting called an extra time is usually very cheap and is not considered a problem worth addressing.

Timeouts are removed automatically from the list of timers when they expire. Timeouts that are in passed time are removed from the list and the timers following will then get moved to the front of the queue and be used to calculate how long the single timeout should be next.

The only internal API to remove timeouts that we have removes all timeouts, used when cleaning up a handle.

many easy handles

I’ve mentioned how each easy handle treats their timeouts above. With the multi interface, we can have any amount of easy handles added to a single multi handle. This means one list of timeouts for each easy handle.

To handle many thousands of easy handles added to the same multi handle, all with their own timeout (as each easy handle only show their closest timeout), it builds a splay tree of easy handles sorted on the timeout time. It is a splay tree rather than a sorted list to allow really fast insertions and removals.

As soon as a timeout expires from one of the easy handles and it moves to the next timeout in its list, it means removing one node (easy handle) from the splay tree and inserting it again with the new timeout timer.

Syndicated 2014-10-10 06:29:38 from daniel.haxx.se

9 Oct 2014 »

Coverity scan defect density: 0.00

A couple of days ago I decided to stop slacking and grab this long dangling item in my TODO list: run the coverity scan on a recent curl build again.

Among the static analyzers, coverity does in fact stand out as the very best one I can use. We run clang-analyzer against curl every night and it hasn’t report any problems at all in a while. This time I got almost 50 new issues reported by Coverity.

To put it shortly, a little less than half of them were issues done on purpose: for example we got several reports on ignored return codes we really don’t care about and there were several reports on dead code for code that are conditionally built on other platforms than the one I used to do this with.

But there were a whole range of legitimate issues. Nothing really major popped up but a range of tiny flaws that were good to polish away and smooth out. Clearly this is an exercise worth repeating every now and then.

End result

21 new curl commits that mention Coverity. Coverity now says “defect density: 0.00” for curl and libcurl since it doesn’t report any more flaws. (That’s the number of flaws found per thousand lines of source code.)

Want to see?

I can’t seem to make all the issues publicly accessible, but if you do want to check them out in person just click over to the curl project page at coverity and “request more access” and I’ll grant you view access, no questions asked.

Syndicated 2014-10-09 07:14:13 from daniel.haxx.se

1 Oct 2014 »

Good bye Rockbox

I’m officially not taking part in anything related to Rockbox anymore. I’ve unsubscribed and I’m out.

In the fall of 2001, my friend Linus and my brother Björn had both bought the portable Archos Player, a harddrive based mp3 player and slightly underwhelmed by its firmware decided they would have a go at trying to improve it. All three of us had been working with embedded systems for many years already and I was immediately attracted to the idea of reverse engineering this kind of device and try to improve it. It sounded like a blast to me.

In December 2001 we had the first test program actually running on the device and flashing a led. The first little step of what would become a rather big effort. We wrote a GPLed mp3 player firmware replacement, entirely from scratch without re-using any original parts. A full home-grown tiny multitasking operating system with a UI.

Fast-forwarding through history: we managed to get a really good firmware done for the early Archos players and we managed to move on to follow-up mp3 players too. After a decade or so, we supported well over 60 different mp3 player models and we played every music format known to man, we usually had better battery life than the original firmwares. We could run doom and we had a video player, a plugin system and a system full of crazy things.

We gathered large amounts of skilled and intelligent hackers from all over the world who contributed to make this possible. We had yearly meetups, or developer conferences, and we hung out on IRC every day of the week. I still hang out on our off-topic IRC channel!

Over time, smart phones emerged as the preferred devices people would use to play music while on the go. We ported Rockbox over to Android as an app, but our pixel-based UI was never really suitable for the flexible Android world and I also think that most contributors were more interested in hacking devices than writing Android apps. The app never really attracted many users or developers so while functional it never “took off”.

mp3 players are now already a thing of the past and will soon fall into the cave of forgotten old things our children will never even know or care about.

Developers and users of Rockbox have mostly moved on to other ventures. I too stopped actually contributing to the project several years ago but I was running build clients for a long while and I’ve kept being subscribed to the development mailing list. Until now. I’m now finally cutting off the last rope. Good bye Rockbox, it was fun while it lasted. I had a massive amount of great fun and I learned a lot while in the project.

Syndicated 2014-10-01 08:53:48 from daniel.haxx.se

29 Sep 2014 »

A day in the curl project

I maintain curl and lead the development there. This is how I spend my time an ordinary day in the project. Maybe I don’t do all of these things every single day, but sometimes I do and sometimes I just do a subset of them. I just want to give you a look into what I do and why I don’t add new stuff more often or faster… I spend about one to three hours on the project every day. Let me also stress that curl is a tiny little project in comparison with many other open source projects. I’m certainly not saying otherwise.

the new bug

Someone submits a new bug in the bug tracker or on one of the mailing lists. Most initial bug reports lack sufficient details so the first thing I do is ask for more info and possibly ask the submitter to try a recent version as very often we get bug reported on very old versions. Many bug reports take several demands for more info before the necessary details have been provided. I don’t really start to investigate a problem until I feel I have a sufficient amount of details. We’re a very small core team that acts on other people’s bugs.

the question by a newbie in the project

A new person shows up with a question. The question is usually similar to a FAQ entry or an example but not exactly. It deserves a proper response. This kind of question can often be answered by anyone, but also most people involved in the project don’t feel the need or “familiarity” to respond to such questions and therefore remain quiet.

the old mail I haven’t responded to yet

I want every serious email that reaches the mailing lists to get a response, so all mails that neither I nor anyone else responds to I keep around in my inbox and when I have idle time over I go back and catch up on old mails. Some of them can then of course result in a new bug or patch or whatever. Occasionally I have to resort to simply saving away the old mail without responding in order to catch up, just to cut the list of outstanding things to do a little.

the TODO list for my own sake, things I’d like to get working on

There are always things I really want to see done in the project, and I work on them far too little really. But every once in a while I ignore everything else in my life for a couple of hours and spend them on adding a new feature or fixing something I’ve been missing. Actual development of new features is a very small fraction of all time I spend on this project.

the list of open bug reports

I regularly revisit this list to see what I can do to push the open ones forward. Follow-up questions, deep dives into source code and specifications or just the sad realization that a particular issue won’t be fixed within the nearest time (year?) so that I close it as “future” and add the problem to our KNOWN_BUGS document. I strive to keep the bug list clean and only keep relevant bugs open. Those issues that are not reproducible, are left without the proper attention from the reporter or otherwise stall will get closed. In general I feel quite lonely as responder in the bug tracker…

the mailing list threads that are sort of dying but I do want some progress or feedback on

In my primary email inbox I usually keep ongoing threads around. Lots of discussions just silently stop getting more posts and thus slowly wither away further up the list to become forgotten and ignored. With some interval I go back to see if the posters are still around, if there’s any more feedback or whatever in order to figure out how to proceed with the subject. Very often this makes me get nothing at all back and instead I just save away the entire conversation thread, forget about it and move on.

the blog post I want to do about a recent change or fix I did I’d like to highlight

I try to explain some changes to the world in blog posts. Not all changes but the ones that are somehow noteworthy as they perhaps change the way things have been or introduce new fun features perhaps not that easily spotted. Of course all features are always documented etc, but sometimes I feel I need to put some extra attention on focus on things in a more free-form style. Or I just write about meta stuff, like this very posting.

the reviewing and merging of patches

One of the most important tasks I have is to review patches. I’m basically the only person in the project who volunteers to review patches against any angle or corner of the project. When people have spent time and effort and gallantly send the results of their labor our way in the best possible format (a patch!), the submitter deserves a good review and proper feedback. Also, paving the road for more patches is one of the best way to scale the project. Helping newcomers become productive is important.

Patches are preferably posted on the mailing lists but there’s also some coming in via pull requests on github and while I strongly discourage that (due to them not getting the same attention and possible scrutiny on the list like the others) I sometimes let them through anyway just to be smooth.

When the patch looks good (or sometimes good enough and I just edit some minor detail), I merge it.

the non-disclosed discussions about a potential security problem

We’re a small project with a wide reach and security problems can potentially have grave impact on users. We take security seriously, and we very often have at least one non-public discussion going on about a problem in curl that may have security implications. We then often work on phrasing security advisories, working down exactly which versions that are vulnerable, producing patches for at least the most recent ones of those affected versions and so on.

tame stackoverflow

stackoverflow.com has become almost like a wikipedia for source code and programming related issues (although it isn’t wiki), and that site is one of the primary referrers to curl’s web site these days. I tend to glance over the curl and libcurl related questions and offer my answers at times. If nothing else, it is good to help keeping the amount of disinformation at low levels.

I strongly disapprove of people filing bug reports on such places or even very detailed (lib)curl core questions that should’ve been asked on the curl-library list.

there are idle times too

Yeah. Not very often, but sometimes I actually just need a day off all this. Sometimes I just don’t find motivation or energy enough to dig into that terrible seldom-happening bug on a platform I’ve never seen personally. A project like this never ends. The same day we release a new release, we just reset our clocks and we’re back on improving curl, fixing bugs and cleaning up things for the next release. Forever and ever until the end of time.

keep-calm-and-improve-curl

Syndicated 2014-09-29 20:59:05 from daniel.haxx.se

841 older entries...