Daniel's weekly report April 26, 2024
https://lists.haxx.se/pipermail/daniel/2024-April/000061.html
CI breakage, curl up, docker, hobby, codesonar, feature freeze
This profile might be incomplete.
Open on mastodon.social daniel:// stenberg://
Wall 48 posts
daniel:// stenberg://
Daniel's weekly report April 26, 2024 https://lists.haxx.se/pipermail/daniel/2024-April/000061.html CI breakage, curl up, docker, hobby, codesonar, feature freeze
daniel:// stenberg://
Today we celebrate the five year anniversary of #curl's bug-bounty. It has resulted in 69 reported vulnerabilities and almost 80,000 USD payouts. Out of a total of 439 submissions. 86 of them were considered "informative", which mostly means they were handled as normal bugs. Submit your suspected curl securirty issue here: https://hackerone.com/curl
Show previous comments
Lori Olson
First up, thanks for your hard work on curl. Second, I’m going lean into PUT being at least as appropriate as POST on that ad. 😉
daniel:// stenberg://
Apparently San Francisco gets to enjoy #curl command lines in ads...
Show previous comments
Import Antigravity
@bagder Despite working in IT and cybersecurity for nearly 40 years is there still hope left for me that my first thought was "That's an odd way to apply for a Masters in Fine Art" a couple milliseconds BEFORE I thought "Multifactor Authentication"?
josh
@bagder@mastodon.social @traecer@techhub.social Nobody in San Francisco enjoys anything. They’re not happy unless they have something to complain about.
David Zaslavsky
@bagder I am no stranger to weird techy ads in Silicon Valley but that's a new one lol
daniel:// stenberg://
and in case you missed it: with the new addition of --ech, #curl now supports 259 command line options
Paul_IPv6
uh, congrats? :) this does bring to mind the internal Sun april fools memo detailing the formation of a new Sun division to support options to "ls"...
Show previous comments
daniel:// stenberg://
I posted this image on LinkedIn as well, and the stats there tells me that Cisco is in fact now the third most common employing company among the viewers... (only beaten by AWS and Microsoft) https://www.linkedin.com/posts/danielstenberg_curl-activity-7185597818894512130-kHFS
daniel:// stenberg://
Welcome Colin Leroy-Mira as #curl commit author 1257: https://github.com/curl/curl/pull/13137
daniel:// stenberg://
💚 Stay strong xz maintainer(s). We're with you.💚
Show previous comments
Sheogorath 🦊
@bagder Learning that this hit them in their holiday… It's the worst time ever. There will be no rest for him, just due to the situation. I hope he's well and manages to get over this chaos quickly.
Matthias Klumpp
@bagder Thank you! I can't imagine how bad this must feel for Lasse Collin, especially after reading[1].
daniel:// stenberg://
1. curl is not made by me alone. I lead the project, we are over a *thousand* authors in total
daniel:// stenberg://
Coming soon on the #curl website. All TLS related options and which TLS backends that work with them...
daniel:// stenberg://
I'll go with a darker green and put checkmarks there instead "yes". makes it a cleaner feel
Show previous comments
words_number
@bagder That screenshot is from a time when windows was actually a half-decent OS. Long gone.
SpaceLifeForm
So, if the machines can not auto-update to a newer curl that supports new cipher-suites, and the platform is 32-bit windows, what do you think will happen?
Jima :Compromise_bi_flag:
@bagder Hey Daniel! This reminds me of a photo I took in my car on Monday. (Pardon the dust.)
daniel:// stenberg://
"The issue was detected by our new AI-powered vulnerability scanner" ... AAAAAAA
Show previous comments
Moana Rijndael 🍍🍕
@bagder LangcChain (framework to build complex llm pipelines) has chatgpt powered bot, which tries to help in open issues by generating walls of "helpful" text It's smart enough to even quote some related code from repository, but... ...for me it results in not being able to read ANY FUCKING ISSUE. Because they're all are filled with walls of text. And knowing that, this text is very probably bullshit, my brain automatically infiltrates it :blobcatgooglyholdingitsheadinitshands:
daniel:// stenberg://
People have asked, and I aim to please. The collection of fun/weird/odd/threatening emails I received. Probably incomplete, but here it goes: https://github.com/bagder/emails Current count: 74
Show previous comments
iN8sWoRLd
@bagder
daniel:// stenberg://
Please don't make this a new trend. 😕 (issue closed by bot because the user filing the issue has not starred the repository...)
Show previous comments
daniel:// stenberg://
How the first gen ipod was reverse engineered to run #Rockbox: 1. Someone figured out that when loading a particular HTML page (for viewing on the device), the device would reboot. It crashed. A buffer overflow in the HTML viewer! 2. The device remembered what it did before the crash, so it would reload the HTML page again after boot. Unless you connected to it over USB and removed the HTML file it would stick in this cycle. (continues...)
Show previous comments
Alex Markley :mbetv:
@bagder this is really awesome. I had Rockbox on one of the later-gen iPods and used it as my daily driver for YEARS.
daniel:// stenberg://
On this day, 27 years ago, httpget 0.1 was released. The tool I found and started playing with and soon was maintainer of. It started something. In 1998 that tool was renamed to curl. https://curl.se/docs/history.html
daniel:// stenberg://
the OpenSSL API is the gift that just keeps on giving And its like one of those gifts you get from an older relative that you rather wished they'd keep to themselves...
daniel:// stenberg://
curl has used OpenSSL since it was born in 1999 - and to this very day, we apparently still can't figure out how to init and cleanup the library properly. It might be because we have only stupid people in the project. Or the explanation could be elsewhere.
daniel:// stenberg://
We disclosed this #hackerone report against #curl when someone asked Bard to find a vulnerability, and it hallucinated together something:
Show previous comments
Patrick $8 :verified:
@bagder I suspect the reporter's last comment in that thread was also written by an LLM
Haelwenn /элвэн/ :triskell:
@bagder I could understand using some kind of AI to get something similar to a fuzzer but this is utterly ridiculous…
daniel:// stenberg://
How I made a heap overflow in #curl Let me talk CVE-2023-38545 a bit https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl/
Show previous comments
daniel:// stenberg://
"we are a monster-sized US tech firm with almost a trillion dollar market cap.We are a bureaucratic nightmare so please give us the info for free instead of us having to help your open source project financially and we can keep using it for free in all eternity. kthxbye"
Show previous comments
|
@bagder Is that design a Swedish folk motif?