For curl up 2022, Daniel summarizes the past year, what the curl project did, what it does and maybe what it will do next.

1. The state of curl 2022

2. Growth and size
Quality and testing
Commits
Newcomers and oldies
Releases
Activity
Vulnerabilities
Users' view
Money
The last 12 months
Less Good
My role
Future
@bagder

3. @bagder
Growth and size

4. @bagder
At 145K LOC and climbing
no change since last year

5. @bagder
@bagder
@bagder

6. @bagder
26 transfer protocols
no change since last year

7. transfer protocols
TCP
filesystem
UDP
TLS
SS
H
QUIC
HTTP
HTTPS
TFTP
FILE
FTP
IMAP
SMTP
POP3
GOPHER
TELNET
DICT
RTSP
RTMP
SMB
LDAP
SFTP
SCP
FTPS
IMAPS
SMTPS
POP3S
RTMPS
SMBS
LDAPS
@bagder
MQTT
GOPHERS

8. @bagder
36 third party dependencies
–1 +1 since last year

9. @bagder
@bagder
@bagder

10. third party world map June 2022
I/O layer
URL parser libidn2
winidn
HTTP
TLS
OpenSSL
gskit
mbedTLS
wolfSSL
Schannel
Secure
Transport
GnuTLS
NSS
boringssl
libressl
AmiSSL
SFTP SCP LDAP
WinLDAP
OpenLDAP
RTMP
librtmp
Name resolver c-ares
compression
libz brotli
cookies
libpsl
IMAP SMTP POP3
HTTP/2
nghttp2
authentication
winsspi Heimdal
MIT
kerberos
HTTP/3
quiche
ngtcp2
HTTP/1
SSH
wolfSSH
libssh2
libssh
@bagder
BearSSL
nghttp3
zstd
FTP
Hyper
FTPS IMAPS POP3S SMBS SMTPS
GOPHERS HTTPS LDAPS RTMPS
libgsasl
rustls
msh3

11. @bagder
86 operating systems
no change since last year

12. operating systems
@bagder
Syllable OS TPF
Tizen
Symbian Tru64
SunOS tvOS ucLinux
Genode Hurd iOS
Integrity
Illumos
HP-UX
HardenedBSD
Haiku
z/OS
Nintendo
Switch
NonStop OS
NetWare
MorphOS MPE/iX MS-DOS NCR MP-RAS NetBSD
RISC OS
Redox
ReactOS Sailfish OS SCO Unix Serenity SINIX-Z
Qubes OS
UnixWare WebOS
vxWorks
VMS Windows
UNICOS Windows CE
Wii System
Software
AmigaOS Blackberry 10
BeOS
Android
Blackberry
Tablet OS
AIX Cell OS
Aros
IRIX LineageOS Mbed Micrium
macOS
Mac OS 9
Linux Lua RTOS
eCOS FreeRTOS
FreeBSD
FreeDOS Fuchsia
DragonFly
BSD
Cygwin
Cisco IOS
OpenBSD OS/2 OS/400
Ultrix
ipadOS
NuttX
Solaris
Xbox
System
ChromeOS
MINIX
Garmin OS
QNX
PlayStation
Portable
Plan 9
OS21
OpenStep Orbis OS
z/TPF z/VM z/VSE
Operating systems known to have run curl
Atari FreeMiNT

13. @bagder
22 CPU architectures
no change since last year

14. CPU architectures
@bagder
x86
MIPS
ARM
PowerPC
SPARC POWER
m68k
s390 HP-PA
SH4
Nios
RISC-V
OpenRISC
ARC
Cell
Itanium VAX
MicroBlaze
Alpha Xtensa
x86-64
AVR32
CPU architectures known to have run curl

15. @bagder
2 planets
no change since last year

16. Planets
@bagder
Earth Mars
Planets known to have run curl

17. @bagder
13 TLS backends
-1 since last year

18. @bagder
@bagder
@bagder

19. @bagder
248 command line options
+6 since last year

20. @bagder
@bagder
@bagder

21. @bagder
295 curl_easy_setopt options
+7 since last year

22. @bagder
@bagder
@bagder

23. @bagder
Quality and testing

24. @bagder
C!
Efficient and portable!
Some security problems could be avoided using something
else
Lots of “reach” would also be avoided
Mitigations: readable code, reviews, tests, fuzzing, static
code analyzing

25. @bagder
OSS-Fuzz
Flatlined the last few years – nothing new is reported
CI-Fuzz runs a little fuzzing on every commit / PR
We need more entry points to get more out of fuzzers

26. @bagder
1509 test cases
+85 (5.9%) since last year

27. @bagder
@bagder
@bagder

28. @bagder
7857 bug-fixes
+1024 (+15.0%) since last year

29. @bagder
@bagder
@bagder

30. @bagder
107 CI jobs *
+13 (+13.8%) since last year

31. @bagder
@bagder
@bagder

32. @bagder
@bagder
@bagder

33. @bagder
@bagder

34. @bagder
Commits, frequency and whom

35. @bagder
@bagder
@bagder

36. @bagder
@bagder
@bagder

37. @bagder
@bagder
@bagder

38. @bagder
@bagder
@bagder

39. @bagder
@bagder
@bagder

40. @bagder
@bagder
@bagder

41. @bagder
@bagder
@bagder

42. @bagder
Top-20 curl commit authors last twelve months
840 Daniel Stenberg
64 Jay Satiro
51 Daniel Gustafsson
35 Marc Hoersken
29 Tatsuhiro Tsujikawa
27 Marcel Raad
20 Patrick Monnerat
19 Michał Antoniak
16 Josh Soref
14 Viktor Szakats
13 Fabian Keil
12 Gergely Nagy
11 Philip H
9 Harry Sintonen
8 Dan Fandrich
8 Henrik Holst
7 Gisle Vanem
6 Jacob Hoffman-Andrews
6 Jan Venekamp
6 Kevin Adler
@bagder

43. @bagder
Newcomers and oldies

44. @bagder
2639 contributors
+256 (+10.7%) since last year

45. @bagder
@bagder
@bagder

46. @bagder
1034 authors
+134 (+14.9%) since last year

47. @bagder
@bagder
@bagder

48. @bagder
@bagder
@bagder

49. @bagder
@bagder
@bagder

50. @bagder
Releases

51. @bagder
@bagder
@bagder

52. @bagder
@bagder
@bagder

53. @bagder
Activity

54. @bagder
@bagder
@bagder

55. @bagder
@bagder
@bagder

56. @bagder
@bagder
@bagder

57. @bagder
@bagder
@bagder

58. @bagder
@bagder
@bagder

59. @bagder
Vulnerabilities

60. @bagder
@bagder
@bagder

61. @bagder
34,660 USD bug-bounty in total
+25,660 (+385%) USD since last year

62. @bagder
@bagder
@bagder

63. @bagder
Lessons recent vulnerabilities
C mistake mitigations might have had an effect
Flaws linger in the code a very long time until detected
Fuzzing is king
Fixing the flaws is usually straight-forward
Raised bounties thanks to Internet Bug Bounty

64. @bagder
The users’ view

65. @bagder
Annual user survey
What is used, what is ignored
What is good, what is bad
What should be added, what should be removed
How are we doing

66. @bagder
User survey 2022
Just ran, not analyzed yet 😢

67. @bagder
curl.se web traffic June 2022
Fastly makes our lives easier
278 TB the last 12 months (up from 146 TB)
103.8 M requests/day on average (up from 11.4 M)
Fast web site, close to most users
No logs, no tracking, very little stats
Did I mention Fastly is good?

68. @bagder
Google trends 5-year span, worldwide
Includes wget and OpenSSL to provide references with similar projects
Wget OpenSSL curl
Snapshot from May 26 2022

69. @bagder
25,000 GitHub Stars

70. @bagder
https://bestpractices.coreinfrastructure.org/en/projects/63

71. @bagder
Everyone uses curl
Apps: Youtube, Google Photos, Skype, Spotify, ...
OS: iOS, Android, macOS, Windows, Linux, ChromeOS, AOSP, ...
Cars: 22 top brands. Mercedes, BMW, Toyota, Nissan, Volkswagen, …
Game consoles: PS5, PS4, Nintendo Switch, ...
Games: Fortnite, Red Dead Redemption 2, Spider Man, …
The Mars 2020 Helicopter project
Estimate: 10+ billion installations

72. @bagder
Money

73. @bagder
Finances and sponsors
curl is not a legal entity
Open Collective holds our funds
Daniel is employed by wolfSSL
wolfSSL offers commercial curl services
@bagder

74. @bagder
Main sponsors
@bagder

75. @bagder
Gold sponsor
@bagder

76. Silver sponsors June 2022
@bagder
@bagder

77. @bagder
Balance May 26, 2022
$123,459.06 USD
(+40,863 since last curl up)

78. @bagder
Expenses
curl.se hosting
curl up – travel and lodging
Stickers – getting and shipping merchandise
Bug bounties
More?

79. @bagder
Done the last 12 months

80. @bagder
1024 bug-fixes
29 changes
18 CVEs

81. @bagder
libcurl options
CURLOPT_MAXLIFETIME_CONN
CURLOPT_PREREQFUNCTION
CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256

82. @bagder
News in libcurl
msh3 as a new h3 backend
percent-escaping for multipart form field and file names
curl_url_strerror()
localhost is “fixed”
cookies over localhost considered secure
dropped metalink support
dropped mesalink support
Increased hyper support

83. @bagder
Command line tool
--no-clobber
--remove-on-error
--json
More --write-out magic:
%header{}
%{header_json}

84. @bagder
Test suite
unix socket support for http server
numerous more “testable features”

85. @bagder
Other news in and around the project

86. @bagder
Daniel - a GitHub star
Recognition
Channel for previews and communication

87. @bagder
Travis CI
No longer free to use for us
Added Zuul and Circle CI
Distributed old Travis jobs to other services
Then Zuul turned bad - in a different way

88. @bagder
everything curl
At 92,000 words
+19,000 words since last curl up

89. @bagder
Less good
Flaky tests/CI still
Slow CI tests sometimes
Vulnerabilities are still reported yes but...
Still regressions, but less frequently? happens
Could use more people who stick around always
@bagder

90. @bagder
My (Daniel’s) role

91. @bagder
What I do here
I help keeping the vision – what curl and
libcurl should do
I do curl development and fix problems – for
fun and for customers
I support users and developers experiencing
problems or bugs.
I review code and suggestions
I’m guiding the architecture of existing and
future features
I document how things work and should work
I inform project members and “the outside
world” about news and things we work on
I aim to master the protocols curl works with
I admin and host the web site, mailing list and
random services
I often serve as a “public face” for the project.
It is sometimes said to be “mine” (it isn’t)
I talk about and “market” the project in many
places and ways

92. curl for
business
curl for fun
Me, curl and wolfSSL
@bagder

93. Future
@bagder

94. Everything will be networked
If it isn’t powered now, it will be soon
If it is powered, it will be networked
If it is networked, it needs Internet access
If it needs Internet access, curl can help
@bagder
@bagder

95. March 20
2023
@bagder

96. @bagder
Coming up
OCSP
WebSockets
Hyper
HTTP/3
tiny-curl
QUERY?

97. @bagder
TODO?
I have a personal list of things I want to work on
I hope to do more curl work for hire
What do you want to see?

98. @bagder
Talk to us!
I’m @bagder on Twitter
We’re in #curl on libera.chat IRC
File bug reports:
https://github.com/curl/curl/issues
Submit pull-requests:
https://github.com/curl/curl/pulls
Security problems:
https://hackerone.com/curl
Mailing lists:
curl-users for command line tool
questions and support
curl-library for libcurl users,
development, debugging,
architecture, new stuff.
https://curl.se/mail/