The cURL project was not accepted as a mentoring organization for Google’s Summer of Code this year (which is the first year we’ve applied).
Oh well.
The cURL project was not accepted as a mentoring organization for Google’s Summer of Code this year (which is the first year we’ve applied).
Oh well.
It is yet again time to pause the add-new-features-craze in order to settle down and fix a few more remaining bugs before we go ship another curl and libcurl release in the beginning of April.
So at March 20 we hold back and only fix bugs for about 2 weeks until we release curl and libcurl 7.18.1.
The only currently mentioned flaw in TODO-RELEASE to fix before this release is the claimed race condition in win32 gethostbyname_thread but since the reporter doesn’t respond anymore and we can’t repeat the problem it is deemed to just be buried and forgotten.
Other problems currently mentioned on the mailing list is a POST problem with digest and read callbacks and a mysterious bad progress callbacks for uploads, but none of them seem very serious and thus terribly important to get fixed in case they should turn out hard-to-fix.
Yes, I picked the date on purpose as that is the magic date in this project. Especially this year.
To get good results from Google’s Summer of Code, we need a fair amount of volunteering mentors and we need a good set of interesting projects to make students get attracted.
If your interest is in the Rockbox project, add your project ideas or add yourself as mentor on this wiki page.
If your interest is in the cURL project, read this page about the existing ideas and provide new ones or submit yourself as mentor on the mailing list!
Organizations can apply for becoming part of this starting tomorrow, March 3 2008.
Information to this was mailed to me from a friend but is easily verified as I’ll describe below.
America Online in the UK (AOL UK) is using our cURL application (without including the license anywhere) as part of their automated broadband router configuration CD for their AOL UK customer base. The CD is provided to all AOL UK customers and the automated router configuration component using cURL has been included with it for a couple of years.
The software includes the cURL application renamed to “AOL_Broadband_Installer.EXE“. There is no license included or mention of the license anywhere on the CD or installer, contrary to what’s required at http://curl.haxx.se/docs/copyright.html.
The md5sum for AOL_Broadband_Installer.EXE matches the win32 binary in the curl-7.15.3-win32-nossl.zip release package I personally built and offer for download…!
If you want to check it out yourself, the direct link I figured out to the installer is here and I found it on this page (download the “easy installer” for Netgear DG834G).
Update: see my reply below.
As I was involved in gsoc 2007 within the Rockbox project, I ventilated the idea on the libcurl mailing list just yesterday that perhaps this is a good year for the cURL project to apply to become a mentoring organization to be able to host students doing gsoc work?
If so, this is no point unless we can at least present a bunch of interesting projects to lure students to us to have them work to improve (lib)curl and do stuff we otherwise might have a hard time to get done.
What things would you like to see that you consider would be a good project for a student to work on during the summer 2008?
New protocols? Fixing the last remaining blocking calls within libcurl? Fixing up/replacing language bindings? It’s not strictly a requirement that we come up with the best ideas since students apply with their own suggestion anyway, but we can provide good suggestions and ideas that will make students attracted to us and make them select to work for our project – should we be selected as a mentor organization.
Since the dawn of time (at least it feels that long) we’ve included a copy of a ca cert bundle in the curl releases. That ca cert bundle originates from Netscape 4.72 and no cert has been added to it since the year 2000(!)
Instead, we’ve offered things like an easy downloadable version from our web site, and documented that this is what you often need to do.
Anyway, we were recently triggered by a bug report and are discussing updating the bundle in the curl tarballs – we’ll just need to sort out the license situation first but we’re slowly progressing there and I think we’re pretty fine with things as they are right now.
However, the question is perhaps better put the other way: why should we bother to include a ca cert bundle in the first place? Most users will already have one in their system (since basically all SSL-based applications want one) and those that don’t can very easily get an updated one using our online server or a recent perl script added to the curl source tree.
I hope I don’t have to tell you that I value all input I can get on this issue!
Given that there are an endless series of open source and free software projects around. What makes companies and projects likely to chose to depend and use one of the existing ones rather than to write it themselves or possibly buy a closed-source solution instead? I’ll try to answer a few of the things that might matter, and deal with how curl and libcurl relates to them.
Proven Track Record
The project needs to have been around for a while, so that external people can see that the development continues and that there is a continued interest in the project from developers and users. That bug reports are acknowledged and fixed, that it has been scrutinized for the most obvious security problems etc. The curl project started almost ten years ago, have done more than one hundred releases and there is now more developer activity in the project than ever before.
Certified Goodness
With companies and associations that “certify” others, you can get others’ views on the quality of the projects.
The company named OpenLogic offers “certification” of open source software for companies to feel safer. I must admit I like seeing they’ve certified curl and libcurl. You can get their sales-pitch style description of their certification process here.
Of course I also like to see curl going to rung 2 on the scan.coverity.com list as it would mean a second (independent from the first) source would also claim that there’s a reasonable level of quality in the product.
If they did it so can we
With a vast list of existing companies and products that already are using the project, newcomers can see that this and that company and project already depend on this, and that fact alone makes the project even more likely to be a solid and trustworthy choice.
Being the answer when the question comes
Being known is important. When someone asks for help and guidance about what possible solutions there are to a particular problem, you want a large portion of your target audience to know about your project and to say “oh for doing X you could try project Y”. I want people to think libcurl when asked a question about doing internet-related transfers, like HTTP or FTP.
This is of course a matter of marketing and getting known to lots of people is a hard thing for an open source project with nothing but volunteers with no particular company backing.
Being a fine project
Of course the prerequisite to all points above is that the project is well maintained, the source is written in a nice manner and that there’s an open and prosperous community…
Lemme take the opportunity to express my serious dislike about a particular habit in the open source world, frequently seen performed by various distros (and by distro I then mean in the wider sense, not limited to only Linux distros):
They fix problems by patching code in projects they ship/offer, but they don’t discuss the problem upstream and they don’t ship their patch upstream. In fact, in one particular case in a project near to me (make a guess!) I’ve even tried to contact the patch author(s) over the years but they’ve never responded so even though I know of their patch, I can’t get anyone to explain to me why they think they need it…
So hello hey you packagers working on distros! When you get a bug report that clearly is a problem with the particular tool/project and that isn’t really a problem with your particular distro’s way of doing things, please please please forward it upstream or at least involve the actual project team behind the tool in the discussions around the bug and possible solutions. And if you don’t do that, the very least you should do is to make sure the patches you do and apply are forwarded upstream to the project team.
How else are we gonna be able to improve the project if you absorb the bug reports and you keep fixes hidden? That’s not a very open source’ish attitude, methinks.
I’m happy to announce the 103rd curl release: curl and libcurl 7.18.0.
No less than 35 persons beside myself contributed with info, reports and/or code to make the release as it turned out. We’ve added a bunch of new features and we’ve solved well over 30 different bugs. This is the news:
Changes:
Bugfixes:
Dave Jones blogged about his recent problems with curl on Fedora 8. It seems to be a problem somewhere in or related to the NSS library, that Fedora links curl to for SSL/TLS these days.
What I find a bit annoying with this situation, is that I’m using Debian unstable and I’m dist-upgrading fairly frequently to be able to run on the bleeding edge and yet I don’t have the equivalent NSS version Fedora has and what’s perhaps worse is: I don’t even know how to get it and build my own local version! Is Fedora using their own patched version of this (rhetorical question as I’m quite sure they are)? Is it possible to get that version or patch so that I can build it and test on my non- Fedora development machine(s) ?
So, even though it really isn’t my problem or my issue to deal with, I couldn’t even try out his problem on my own!