strcpy density in #curl source code
GitHub is a top sponsor of #curl. They make a real difference. Can you say the same about whoever you work for?
Number of hackerone reports on #curl doubled since last year
I spent many hours yesterday debunking another hackerone report against #curl.
It's such a good sigh of relief when the ultimate conclusion is that it is not a vulnerability. (disclosed soon of course)
Welcome to #curl 8.18.0-rc3, the third and final release candidate for the pending release:
Probably old news but my mind is always blown by all the stuff #curl can do. I had zero idea that curl has a --form argument that lets you simulate filling out a form, complete with a file upload. Let me automate a super annoying task for a friend with a dead simple bash script.
We are thirteen days from next #curl release.
At 349 merged bugfixes and five(!) pending CVE announcements.
By 62 contributors out of which 30 are commit authors.
I ordered 6,000 new #curl stickers.
I added a sentence to the #curl hackerone submission page:
"Please present your case briefly and to the point. Do not use an AI to help you blab hundreds of lines that will exhaust us to death instead of making us understand your claim."
There's also a curl-rustls Arch Linux package that dynamically links to rustls instead of openssl, however #curl still considers this experimental:
Joshua Rogers on his bug bounty experiences in 2025.
Positive for #curl, kafka-esque for all others mentioned. ‚BugCrowd‘ seems to be a typical level-1 support company living on denials.
(Joshua also reported on Apache and probably other projects where he could talk to the maintainers. I take #curl here as an example for FOSS projects interested in actually securing things.)
If you have ideas for a new #curl sticker design, let me know. I'm about to order a new batch soon.
Logo images to play with: https://curl.se/logo/
Microsoft: „1 engineer, 1 month, 1 million lines of code“
That would mean @bagder
rewriting 5 #curl projects into Rust in a month.
Microsoft revising the „rewrite over a weekend“ meme to it actually taking them 6 days. For a person they have not hired yet. With tools they still have to invent.
If you are a MS customer, you‘d better start putting more money into Copilot right away!
https://www.theregister.com/2025/12/24/microsoft_rust_codebase_migration/