curl and libcurl 7.18.0

I’m happy to announce the 103rd curl release: curl and libcurl 7.18.0.

No fewer than 35 people besides myself contributed info, reports and/or code to make this release what it is. We've added a bunch of new features and solved well over 30 different bugs. This is the news:

Changes:

Bugfixes:

  • curl-config --features and --protocols show the correct output when built with NSS, and also when SCP, SFTP and libz are not available
  • free problem in the curl tool for users with empty home dir
  • curl.h version 7.17.1 problem when building C++ apps with MSVC
  • SFTP and SCP use persistent connections
  • segfault on bad URL
  • variable wrapping when using absolutely huge send buffer sizes
  • variable wrapping when using debug callback and the HTTP request wasn’t sent in one go
  • SSL connections with NSS done with the multi-interface
  • setting a share no longer activates cookies
  • Negotiate now works on auth and proxy simultaneously
  • support HTTP Digest nonces up to 1023 letters
  • resumed ftp upload no longer requires the read callback to return full buffers
  • no longer default-appends ;type= on FTP URLs through proxies
  • SSL session id caching
  • POST with callback over proxy requiring NTLM or Digest
  • Expect: 100-continue flaw on re-used connection with POSTs
  • build fix for MSVC 9.0 (VS2008)
  • Windows curl builds failed to truncate the target file when retrying a download
  • SSL session ID cache memory leak
  • bad connection re-use check with environment variable-activated proxy use
  • --libcurl now generates a return statement as well
  • socklen_t is no longer used in the public includes
  • time zone offsets from -1400 to +1400 are now accepted by the date parser
  • allows more spaces in WWW/Proxy-Authenticate: headers
  • curl-config --libs skips /usr/lib64
  • range support for file:// transfers
  • libcurl hang with huge POST request and request-body read from callback
  • removed extra newlines from many error messages
  • improved pipelining
  • improved OOM handling for data url encoded HTTP POSTs when read from a file
  • test suite could pick wrong tool(s) if more than one existed in the PATH
  • curl_multi_fdset() failed to return socket while doing CONNECT over proxy
  • curl_multi_remove_handle() on a handle that is used in a pipeline now breaks that pipeline
  • CURLOPT_COOKIELIST memory leaks
  • progress meter/callback during http proxy CONNECT requests
  • auth for http proxy when the proxy closes connection after first response
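Two of the items above are easy to see from the command line. A quick sketch (the file paths are made up for illustration, and assume a curl of 7.18.0 or later):

```shell
# Byte-range support for file:// transfers:
printf 'hello, world\n' > /tmp/curl-demo.txt
curl -s -r 0-4 file:///tmp/curl-demo.txt
# prints "hello" (bytes 0-4, inclusive, of the file)

# --libcurl now emits a complete program, including a return
# statement, so the generated source compiles cleanly:
curl -s -o /dev/null --libcurl /tmp/curl-demo.c file:///tmp/curl-demo.txt
grep 'return' /tmp/curl-demo.c
```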

Tracking Swedish officials’ web use

I thought I’d just mention Patrik Wallström’s interesting project named Creeper. He basically offers a URL for an image to display on a site you run/admin, and his server then checks which IP addresses fetch the image, cross-checking those addresses against a list of IP ranges belonging to known Swedish organizations, government agencies, political party headquarters and more.

An ingenious way to get some degree of knowledge about who looks at what and when. At least if a large enough number of people display the Creeper icon.

HTML is all downhill from here

Ok, so we’re now officially over the hill. HTML4 was as good as we could make HTML, and the proof of this is the mighty insane and crazy mess the W3C shows in their HTML 5 draft from January 22nd 2008.

I mean, you can possibly (I mean if you hold on to your chair hard and really really try to extend your mind and be open) show sympathy and understanding for far-fetched stuff like “ping” and “prefetch” (or for that matter “author” and “contact”), but when they come to editing, drag-and-drop and how to deal with undo they certainly lost me. My favorite chapter in the draft is however this:

Broadcasting over Bluetooth

It takes a while just to take in the concept of an HTML draft discussing broadcasting data. Over Bluetooth. Man, these guys must have the best meetings!

My Antispam Measures

I get a fair share of spam. I have something like 10 working private email addresses, I’m listed as a recipient in numerous email aliases, and they all end up in the same physical mailbox where I read them. I’ve also had my addresses for many years and I’ve shown and used them publicly on the internet all that time. I’m a major spam target now. On a good day I get just 2,000 spams, but on bad days I’ve seen well over 13,000.

My biggest friends in this combat are: spamassassin and procmail.

I’ll describe how I have things set up, not so much to inspire others as to get feedback from you on how I can, or perhaps should, improve my setup to get an even better email life.

  • I consider all mails with spam points >= 3 to be spam. I’ve also tweaked my spamassassin user_prefs to be harsher on (pure) HTML mail and a few other rules, and I’ve added a couple of rules of my own to catch spams that previously slipped through a little too easily.
  • First, I filter out mail from trusted mailing lists that have their own antispam measures.
  • I catch what appear to be bounces (with a huge regex), and if something looks like a bounce to an address I don’t send email from I nuke it immediately (those that could be true bounces are saved in a dedicated mbox)
  • I have a white-list system that marks all incoming mails from previously marked friends as coming from a friend.
  • Mails from non-friends are passed through spamassassin. Those with spam points higher than N are put in the ‘hispam’ folder, of course with the intention that these are very very very unlikely to ever be false positives and can almost surely be deleted without checking. N is currently 10, but I’m pondering lowering it somewhat. Spams with fewer points than N are put in the ‘spam’ folder, and I need to check that one before I kill it, because occasional false positives do end up there.
  • So, mails that aren’t from friends (or from a trusted mailing list) and aren’t marked as spam are then stored in the ‘suspicious’ mailbox
  • Mails from friends or from trusted lists go directly into my mailbox, or into a dedicated mailbox (for lists with somewhat high traffic volumes).
  • Oh, a little additional detail: I “mark” my own outgoing mails with an extra custom header that serves no purpose but to let me detect when someone/something sends me mail using my own address…
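The recipe chain above could look roughly like this in a ~/.procmailrc. This is a sketch only: the mailbox names, list matches and score thresholds are illustrative rather than my actual configuration, and the friend white-listing step is omitted. It assumes spamassassin is invoked through spamc and stamps the usual X-Spam-Level header (one star per point):

```procmail
# Trusted mailing lists (with their own antispam) go straight to their boxes
:0:
* ^List-Id:.*curl-library
in-curl-library

# Run everything else through SpamAssassin
:0fw
| spamc

# 10+ points: almost certainly spam, filed away without review
:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
hispam

# 3+ points: spam, but kept for an occasional false-positive check
:0:
* ^X-Spam-Level: \*\*\*
spam

# Everything remaining from non-friends ends up as suspicious
:0:
suspicious
```

The X-Spam-Level star matching is the common procmail idiom for thresholding on SpamAssassin scores without parsing numbers.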

My weakest point in all this right now is that I don’t spam-check white-listed mails at all, so spams sent to me using my friends’ email addresses go through and annoy me.

BTW, I did use bogofilter in the past, and for a while I actually ran both in parallel (both trained with roughly the same spam/ham boxes for the Bayes stuff), but quite heavy testing I performed at that time (a few years ago) showed that spamassassin caught a lot more spams than bogofilter, while bogofilter only caught a few extra, so I dropped it.

curl with NSS and Fedora

Dave Jones blogged about his recent problems with curl on Fedora 8. It seems to be a problem somewhere in, or related to, the NSS library that Fedora links curl against for SSL/TLS these days.

What I find a bit annoying about this situation is that I’m using Debian unstable and dist-upgrading fairly frequently to stay on the bleeding edge, and yet I don’t have the equivalent NSS version Fedora has. What’s perhaps worse: I don’t even know how to get it and build my own local version! Is Fedora using their own patched version (a rhetorical question, as I’m quite sure they are)? Is it possible to get that version or patch so that I can build and test it on my non-Fedora development machine(s)?

So, even though it really isn’t my problem or my issue to deal with, I couldn’t even try to reproduce his problem on my own!

uClinux is weird

I do a lot of work on various types of embedded systems. Professionally I’ve been working more or less exclusively with embedded development since 1996 (pSOS, VxWorks, OS9000, etc) and privately I hack a lot on Rockbox. Since around the year 2000, my embedded work has become purely Linux-based.

I’ve worked with (embedded) Linux on more than 10 different chip families, using cores such as x86, AMD64, ARM9, StrongARM, XScale, PPC, MIPS, SH4, m68k, MicroBlaze, Nios II etc.

And this is what I’ve learned: uClinux is weird.

I’ll of course admit that the fact that uClinux is currently more or less integrated into regular kernel development is a good thing, and even though I haven’t done much uClinux hacking with older kernels, I bet things were worse before.

The major obstacle with uClinux, I think, is its build system. Oh wait, perhaps there are actually two problems: the first being that they ship an entire distribution with kernel, tools and everything lumped together, instead of doing it like all the other (real) embedded Linuxes do: assume that people fix their kernel in one tree and the entire rest of the user-land universe in a separate one.

Anyway, the actual problem is the build system. There are no scattered Kconfig files as you’d expect from a build based on that concept, and it is really hard to figure out where to poke to change the build to do what you want. Then there’s a top-level make that takes ages and jumps through all sorts of hoops even when nothing at all has changed. Not to mention that it warns that make -j “sometimes doesn’t work”. In a recent project of mine I learned that I usually had to run make twice(!) in the uclinux-dist directory to be really sure that the output image was correctly made!

Unfortunately, I’ve not been able to dig into this issue properly to work on or suggest proper fixes, but I hope I will one day. A factor in all this is of course that many people (like the entire embedded Linux universe) use very old versions of the packages, so fixes may have been made in recent years(!) without yet having been absorbed at many companies.

So the truth is: I do recommend that customers go with “full”, “real” Linux, not only for the powers a real MMU gives but also for the more mature and nicer build environments.

When Worlds Collide

Readers of my blog or my site, or almost anywhere on the internet my name appears, should know that two of my primary open source involvements are the curl and Rockbox projects.

Therefore I felt great pleasure yesterday when both of these worlds collided!

While investigating the internals of the SanDisk Sansa Connect mp3 player for the Rockbox project, Robert Keevil discovered that it actually includes… libcurl! (Actually, he discovered this earlier, but I only realized it yesterday.)

Of course I updated the companies that use curl page with this news…

Slashdot pirate party propaganda

I did a double-take at reading the following quote on Slashdot today: “Moreover, the people of Sweden are decidedly on their side, with the Pirate Party, which is sympathetic to TPB’s cause, being one of the top ten political parties in the country.”

Facts: In our last election 2006, roughly 34,000 Swedes voted for “Piratpartiet” which actually made it the 10th most voted-for party in Sweden. That is 0.63% of the votes.

Does this really put “the people of Sweden” on their side? Who would say something like that? Oh, look at who submitted the Slashdot post… Not even shy about it, the poster links to http://www.pirate-party.us/ …

But sure, it was one of the top ten Swedish parties in 2006, the tenth to be exact. There are unfortunately no newer numbers to be found anywhere, since most polls lump all the “little parties” together in a single number; in November 2007 that number was 1.2% of the votes, with Piratpartiet only one of many in there…