curl and/or libcurl related
I did my share of Java bashing just a short while ago, so it is a bit ironic that just days afterwards the topic of the java binding for libcurl resurfaced, and now it seems both Günter and Patrick (libcurl hacker dudes) are working to get it in shape to actually again end up in a useful state.
At the time I write this, you can get the most bleeding edge info here in this curl-library posting.
Dave Jones blogged about his recent problems with curl on Fedora 8. It seems to be a problem somewhere in or related to the NSS library, that Fedora links curl to for SSL/TLS these days.
What I find a bit annoying with this situation, is that I’m using Debian unstable and I’m dist-upgrading fairly frequently to be able to run on the bleeding edge and yet I don’t have the equivalent NSS version Fedora has and what’s perhaps worse is: I don’t even know how to get it and build my own local version! Is Fedora using their own patched version of this (rhetorical question as I’m quite sure they are)? Is it possible to get that version or patch so that I can build it and test on my non- Fedora development machine(s) ?
So, even though it really isn’t my problem or my issue to deal with, I couldn’t even try out his problem on my own!
Readers of my blog or my site or almost whatever on the internet where my name would appear should know that two of my primary open source involvements are in the curl and the Rockbox projects.
Therefore I felt great pleasure yesterday when both of these worlds collided!
While investigating the internals of the SanDisk Sansa Connect mp3 player for the Rockbox project, fellow Robert Keevil discovered that it actually includes… libcurl! (actually, he discovered this before but I only realized it yesterday)
Of course I updated the companies that use curl page with this news…
Apache’s Axis2/C project, said to be “the only complete SOAP engine” is considering to move over to use libcurl for HTTP transport by default. At least Axis2/C developer Dinesh Premalal thinks they should, and he lists multiple reasons in his blog and I can of course do nothing but agree.
One reason he failed to mention is that we all (Axis2/C users and libcurl users) benefit from them switching to libcurl since then we’ll have a larger combined potential developer base and we’ll get more eyes on the code, more testing done and thus in the end we will get a better transport library all over.
I’m slightly puzzled by Dinesh’s blog entry since this bug tracker entry submitted to Axis2/C mentions their failure to include curl’s copyright/license text in the distribution, which seems to imply that they already use (parts of) curl. Or?
I just mailed the curl-library list about us entering feature freeze for the upcoming 7.18.0 release. The plan is to have two weeks of bug fixing and time to allow people to find bugs, before we release it to the public. Please get a daily snapshot and give it a spin!
Here’s the changes that’ll be coming:
… and there are 26 bug fixes mentioned in the RELEASE-NOTES in progress so far!
On scan.coverity.com, the nice guys at Coverity run scans on open source projects to check for flaws in their source code. Their list currently includes 265 projects, and curl is one of them. I have only good words to say about their scanning, as they found no less than 27 flaws in curl 7.16.1 and only one of them was a false positive. All the others were valid and true flaws that we could fix. I don’t think anyone was any serious security risk, but still. 26 bugs detected in one go.
On January 8th 2008, Coverity announced their “rung 2” for eleven projects that had zero flaws left in rung 1 and the rung 2 projects get an upgraded analysis. curl was also at zero flaws left, but it isn’t clear to me what else we could to do to reach rung 2 or even how we can get them to do a follow-up scan on a newer release since 7.16.1 is quite old by now and with all the changes in the code over time there’s always the risk new nasty bugs have crept in… So we’re at rung 1 still with no recent release scanned.
There’s talk in the Debian camp about dropping libwww as it is over 5 years since its last release and over a year since the last CVS commit in that project. It is also abandoned by the W3C these days. It seems there are just about two remaining packages depending on it, Amaya and wmweather+.
Amaya seems to at least discuss moving over to libcurl. I don’t know about wmweather+, but looking at their code, I actually think switching to libcurl will improve their code… not really related, but still about curl, one post on the Amaya list mentioned this weird list of user-agents you should block from your site, as it claims they are “spam bots” and it explicitly mentions curl in there…
Darcs is however currently adding support for libwww since it apparently does pipelining better, where as libcurl still has some flaws in its support for that.
As I mentioned before, the curl site was a bit unstable for a while recently but now the hardware’s been replaced, the software updated and everything should now be back up and running fine.
If you see anything that still isn’t fine on the site, please let me know and I’ll make sure it gets fixed!
Now, I’ll really make an effort to get the TODO-RELEASE items done soon and get working on a new release!
During the last week or so, we’ve experienced major problems on some of the main servers at work, and I happen to host a bunch of services on them. Thus, I not only get problems to access my regular mail, but also the primary curl web site gets shaky!
Unfortunately, this is holiday season so most people that can fix these issues aren’t around so waiting for a reboot of the boxes can take a long time. Fortunately, we already have work in progress that is meant to replace the two main servers with two new ones on January second 2008, so things should at least settle after that operation.
So, remember that you can always find a suitable curl web mirror at curlm.haxx.se that has most of the contents you’ll need. Some stuff is only provided on the main site, but all downloads, docs and more are distributed on mirrors.
This info was also posted to the curl-library list today.
I previously thought of releasing 7.18.0 in December but since there are still outstanding topics in the list and since there’s no pressure due to any serious bug fixes or anything, I decided we can just as wait until January. I want January 13th to be the feature freeze day after which no new features will be committed until the release, which hopefully then could be done by January 28th or so.
The live updated TODO-RELEASE document will change over time, but it currently contains these items:
Is there anything we’ve forgotten we should include in the next release? To get a feel for how the next release will look like, check out the RELEASE-NOTES in progress, or try out a daily snapshot!