Bug Bounty Stats

The state of curl 2020 (slides by Daniel Stenberg, @bagder)

Agenda: Growth and size; Quality and testing; Commits; Newcomers and oldies; Releases; Activity; Vulnerabilities; Users' view; Money; The last 12 months; Less good; My role; Future.

Growth and size

  • Is 165K LOC a lot?
  • 25 protocols (libcurl's transfer layer over TCP, UDP, TLS, QUIC and the filesystem): HTTP (HTTP/1, HTTP/2, HTTP/3 over QUIC), HTTPS, FTP, FTPS, IMAP, IMAPS, SMTP, SMTPS, POP3, POP3S, MQTT, GOPHER, TELNET, DICT, RTSP, RTMP, RTMPS, SMB, SMBS, LDAP, LDAPS, SSH (SFTP and SCP), TFTP (over UDP), FILE.
  • 32 third-party dependencies, grouped as in the libcurl architecture figure (URL parser, I/O layer, protocol handlers):
    TLS: OpenSSL, libressl, boringssl, NSS, GnuTLS, Secure Transport, BearSSL, Schannel, wolfSSL, mbedTLS, gskit, Mesalink, AmiSSL.
    HTTP/3 (QUIC): quiche, ngtcp2, nghttp3. HTTP/2: nghttp2.
    Compression: libz, brotli. Cookies (public suffix list): libpsl.
    Authentication: Heimdal, MIT kerberos, winsspi.
    SSH: libssh, libssh2, wolfSSH. LDAP: OpenLDAP, WinLDAP.
    IDN: libidn2, winidn. Name resolver: c-ares. RTMP: librtmp.
  • 72 operating systems: Blackberry Tablet OS, Sailfish OS, UnixWare, Illumos, AIX, Mac OS 9, Windows CE, vxWorks, NuttX, ipadOS, SCO Unix, Linux, Windows, macOS, FreeBSD, MS-DOS, z/OS, webOS, PlayStation Portable, RISC OS, NetBSD, OpenBSD, VMS, Tru64, Haiku, UNICOS, Tizen, Mbed, FreeRTOS, Android, iOS, Blackberry 10, Integrity, MINIX, OS21, Cygwin, ReactOS, ChromeOS, Cell OS, HP-UX, ucLinux, IRIX, OS/2, MPE/iX, NCR MP-RAS, SunOS, Hurd, OS/400, Solaris, Symbian, AmigaOS, Netware, SINIX-Z, Syllable OS, Lineage OS, Plan 9, Ultrix, TPF, BeOS, eCOS, QNX, NonStop OS, tvOS, Nintendo Switch, DragonFly BSD, HardenedBSD, Garmin OS, Genode, Fuchsia, Serenity, Redox, FreeDOS.
  • 20 CPU architectures: x86, PowerPC, ARM, MIPS, RISC-V, SPARC, 68k, POWER, OpenRISC, Cell, s390, Nios, SH4, HP-PA, ARC, Itanium, Alpha, MicroBlaze, VAX, Xtensa.

Quality and testing

  • C: efficient and portable. Some security problems could be avoided using something else. Lots of “reach” would then also be avoided.
  • Mitigations: readable code, reviews, tests, fuzzing, static code analyzing.
  • Coverity on curl: fixed defects (chart).
  • OSS-Fuzz: basically flatlined the last year; nothing new is reported. CI-Fuzz runs a little fuzzing on every commit / PR. We need more entry points to get more out of fuzzers.
  • Test cases over time (chart).
  • Test coverage: good to know, hard to measure. We've given up for now. Was 72-78% on flaky coveralls.io, and that for a single TLS / SSH / resolver / config setup. Some tests are too slow for coverage runs in the cloud (torture). Some code paths are still hard to test with the existing test suite.

Commits, frequency and whom

  • Daniel's share of curl commits (chart).

Newcomers and oldies

  • Top-11 commit authors since 1 Jan 2017 (chart): Daniel Stenberg, Marcel Raad, Jay Satiro, Steve Holme, Daniel Gustafsson, Patrick Monnerat, Dan Fandrich, Marc Hörsken, Michael Kaufmann, Johannes Schindelin, Viktor Szakats.

Releases (charts)

Activity (charts)

Vulnerabilities (charts)

Bug bounty submissions (chart)

Bug bounty stats

  • Total submissions: 1?2
  • Average response time: an hour
  • Reports rewarded: 6
  • Average triage time: a day
  • Total bounties: $1,400
  • Average bounty time: 1? days
  • Average bounty: $233
  • Average resolution time: 19 days

Lessons from past vulnerabilities

  • Integer overflows are tricky things. Mitigations: saferealloc, limited string lengths. More: dynbuf (PR #5300).
  • Flaws linger in the code a long time until detected.
  • Fuzzing is king.
  • Fixing the flaws is usually straight-forward.
  • Raising the bounties.

The users' view

  • Annual user survey: what is used, what is ignored; what is good, what is bad; what should be added, what should be removed; how are we doing.
  • User survey 2020: mid May time frame. Very much interested in feedback on where to take it and what to ask for. Received 732 responses in 2019 (up 9%): https://daniel.haxx.se/media/curl-user-poll-2019-analysis.pdf
  • Web site traffic 2020 (April 19 to April 20): Fastly makes our lives easier. 2.1 million requests/day (up from 1.7 million). 78.1 TB the last 12 months (up 27% from 61.6 last period). Fast web site, close to most users. No logs, no tracking, very little stats. Did I mention Fastly is good?
  • Google trends, 5-year span, worldwide: curl against wget and OpenSSL. Includes wget and OpenSSL to provide references with similar projects.
  • Unchanged status: CII Best Practices since last year, https://bestpractices.coreinfrastructure.org/en/projects/63: 100% passing, 9?% Silver, 26% Gold. The open criterion: “SHOULD have a legal mechanism where all developers of non-trivial amounts of project software assert that they are legally authorized to make these contributions”.
  • Everyone uses curl. Apps: Youtube, Instagram, Skype, Spotify, ... OS: iOS, macOS, Windows, Linux, ChromeOS, AOSP, ... Cars: 22 top brands: Mercedes, BMW, Toyota, Nissan, Volkswagen, ... Game consoles: PS4, Nintendo Switch, ... Games: Fortnite, Red Dead Redemption 2, Spider Man, ... Estimate: 10 billion installations.

Money

  • Finances and sponsors: curl is not a legal entity. Open Collective holds our funds. Daniel is employed by wolfSSL. wolfSSL offers commercial curl services.
  • Expense sponsors: server hosting: Haxx; server bandwidth: Fastly; CI services: Teamviewer, Travis, Azure Pipelines.
  • Gold sponsor; Silver sponsors (logos).
  • Major single-shot donors 2019-2020: Uffizi Cloud: 1,300 USD; Comcast: 5,000 USD; Indeed: 10,000 USD; Backblaze: 15,?00 USD.
  • Many smaller donors: #$% individuals and $& organizations have contributed (April 28, 2020).
  • Balance as of April 28, 2020: $54,147.07 USD.
  • Expenses without direct sponsors: bug bounty (started carefully, will increase); curl up (wanted to sponsor travel/lodging this year); stickers (getting and shipping merchandise); more?

Done the last 12 months

  • 850 bug-fixes, 25 changes, three CVEs.
  • Deprecated / removed: CURLOPT_DNS_USE_GLOBAL_CACHE, HTTP Pipelining, PolarSSL.
  • New libcurl options: CURLOPT_MAXAGE_CONN, CURLINFO_RETRY_AFTER, CURLOPT_SASL_AUTHZID, CURLMOPT_MAX_CONCURRENT_STREAMS, CURLOPT_MAIL_RCPT_ALLLOWFAILS, CURLSSLOPT_NO_PARTIALCHAIN.
  • News in libcurl: HTTP/3 support with two backends; curl_multi_poll(): waits more; curl_multi_wakeup(): wake up libcurl; BearSSL: new TLS backend; wolfSSH: new SSH backend; tiny-curl; MQTT.
  • Improved in libcurl: CURLU_NO_AUTHORITY allows an empty authority/host part; XFERINFOFUNCTION supports CURL_PROGRESSFUNC_CONTINUE; non-blocking SOCKS connects.
  • Command line tool: parallel transfers with -Z, --parallel-max and --parallel-immediate; --no-progress-meter; --etag-compare and --etag-save; --mail-rcpt-allowfails; %{json} in --write-out.
  • Test suite: better Windows support; SOCKS server; dynamic server ports; preprocessed test cases; random skip for torture testing; more and better CI.
  • Other news: web site: reporting documentation bugs in curl got easier; dashboard, curl/stats; the hackerone bug bounty; “libcrurl”, the Google-announced “competitor” in June 2019 (then abandoned again); Mr Robot curls in Dec 2019 (screenshot from Mr Robot season 4, episode 8).

Less good (compared with 2019)

  • Flaky tests/CI (still)
  • Slow CI tests (better)
  • Vulnerabilities are still reported (much better)
  • Still regressions, but less frequently! (still)
  • Could use more people who stick around (always)

Everything curl

  • 7?K words, 10K lines. Only web + PDF now (“95.3% complete”). https://ec.haxx.se/

My (Daniel's) role

I'm having fun. I love being able to work full-time with “my baby”. I intend to continue driving and pushing forward. I can't promise I'll do this forever, but I can't see me “stepping down” anytime soon. I aim to keep doing curl full-time; meaning charging companies for support, features, help, anything – for wolfSSL. Me as an individual, the open source project and the company wolfSSL – three separate components with (hopefully) aligned goals. I trust someone will tell me if I fail to keep things apart appropriately.

What I think I do here: I help keeping the vision – what curl and libcurl should do. I try to inform project members and “the outside world” about news and things we work on. To drive interest, get feedback and trick more people into helping out. I do curl development and fix problems – for fun and for customers. I aim to master the protocols curl works with. I support users and developers experiencing problems or bugs. I admin and host the web site, mailing list and random services. I review code and suggestions. I often serve as a “public face” for the project.
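The “Lessons from past vulnerabilities” slide names integer overflows in size arithmetic as the recurring problem and saferealloc, limited string lengths and dynbuf as the mitigations. The C below is an added example written for this page, not curl's code: a tiny growable buffer that performs the two checks such a buffer needs (a length comparison that cannot wrap, and a hard cap that also bounds the geometric growth) next to the naive `len + add + 1` computation that wraps. All identifiers (`struct dyn`, `dyn_addn`, `naive_grow_size`, `dyn_selftest`) are hypothetical and differ from curl's dynbuf API; the inputs in `dyn_selftest` are constructed.

```c
/* Added example, not curl's code: overflow-safe, length-capped buffer growth
 * in the spirit of curl's saferealloc/dynbuf. Names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct dyn {
    char *bufr;     /* allocation, NUL-terminated once non-NULL */
    size_t leng;    /* bytes stored, excluding the terminator */
    size_t allc;    /* bytes allocated */
    size_t toobig;  /* hard cap on leng; kept below SIZE_MAX */
};

/* The classic bug: "len + add + 1" is computed in size_t before the
 * allocator sees it, so a huge 'add' wraps to a small value, realloc
 * succeeds with a small block and the following memcpy runs past it.
 * Returned as a number so the wrap can be observed without allocating. */
size_t naive_grow_size(size_t len, size_t add)
{
    return len + add + 1;
}

void dyn_init(struct dyn *s, size_t toobig)
{
    memset(s, 0, sizeof(*s));
    s->toobig = (toobig < SIZE_MAX) ? toobig : SIZE_MAX - 1;
}

void dyn_free(struct dyn *s)
{
    free(s->bufr);
    s->bufr = NULL;
    s->leng = s->allc = 0;
}

/* Append 'len' bytes. Returns 0 on success, -1 if the result would exceed
 * the cap (which rules out any size_t wrap) or allocation fails. On failure
 * the buffer is left exactly as it was: no partial growth. */
int dyn_addn(struct dyn *s, const void *mem, size_t len)
{
    size_t indx = s->leng;
    size_t fit;

    /* 1. Cap check first, phrased so the comparison itself cannot wrap:
     *    indx + len <= toobig  <=>  len <= toobig && indx <= toobig - len */
    if (len > s->toobig || indx > s->toobig - len)
        return -1;

    fit = indx + len + 1;  /* <= toobig + 1 <= SIZE_MAX, so no wrap here */

    if (fit > s->allc) {
        /* 2. Grow geometrically to avoid quadratic reallocs, but never past
         *    toobig + 1, so the doubling cannot wrap either. */
        size_t newsize = s->allc ? s->allc : 32;
        char *p;
        while (newsize < fit) {
            if (newsize > (s->toobig + 1) / 2) {
                newsize = s->toobig + 1;
                break;
            }
            newsize *= 2;
        }
        if (newsize > s->toobig + 1)
            newsize = s->toobig + 1;  /* clamp the initial 32 for tiny caps */
        p = realloc(s->bufr, newsize);  /* realloc(NULL, n) acts as malloc */
        if (!p)
            return -1;
        s->bufr = p;
        s->allc = newsize;
    }
    memcpy(s->bufr + indx, mem, len);
    s->leng = indx + len;
    s->bufr[s->leng] = '\0';
    return 0;
}

/* Exercises the cap and the reject-without-change rule on constructed
 * input; returns 0 when every expectation holds, else the failing step. */
int dyn_selftest(void)
{
    struct dyn b;
    int rc = 0;
    dyn_init(&b, 16);                                   /* tiny cap */
    if (dyn_addn(&b, "hello", 5) || dyn_addn(&b, " world", 6)) rc = 1;
    else if (b.leng != 11 || strcmp(b.bufr, "hello world") != 0) rc = 2;
    else if (dyn_addn(&b, "!!!!!!", 6) != -1 || b.leng != 11) rc = 3;  /* 17 > 16 */
    else if (dyn_addn(&b, "!!!!!", 5) != 0 || b.leng != 16) rc = 4;    /* exactly 16 */
    else if (dyn_addn(&b, "x", SIZE_MAX) != -1 || b.leng != 16) rc = 5; /* would wrap */
    else if (naive_grow_size(16, SIZE_MAX) != 16) rc = 6; /* naive sum wraps to 16 */
    dyn_free(&b);
    return rc;
}

int main(void)
{
    int rc = dyn_selftest();
    printf("dynbuf selftest: %s\n", rc ? "FAILED" : "ok");
    return rc;
}
```

The point of step 5 in the self-test is the order of operations: the cap comparison rejects the oversized append before any arithmetic or allocation happens, whereas `naive_grow_size` reports that 16 bytes suffice for appending `SIZE_MAX` bytes, which is exactly the heap overflow the slide warns about. A per-buffer cap, as dynbuf uses, also turns an unbounded attacker-controlled header or body into a clean error rather than unbounded memory growth.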

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    84 Page