The AI slop in security reports has developed slightly over time. Less mind-numbingly stupid reports now, but instead almost *everyone* writes their reports with AI so they still get overly long and complicated to plow through. And every follow-up question is another minor essay discussing pros and cons with bullet points and references to multiple specifications. Exhausting nonetheless.
26 years ago, on December 28 1999, we migrated the main #curl source code from self-hosted to Sourceforge. It was the new hot thing. Imagine the idea of a dedicated service devoted to nothing but hosting code! We then kept the code there for ten years (on CVS). A period when the distributed version control systems really exploded.
No strcpy either. #curl
*Seven* new hackerone reports the last 36 hours.
strcpy density in #curl source code [image]
#curl has a new sponsor. Thanks #github! [image]
I added a sentence to the #curl hackerone submission page: "Please present your case briefly and to the point. Do not use an AI to help you blab hundreds of lines that will exhaust us to death instead of making us understand your claim."
*Twelve* Hackerone submissions against #curl within the last seven days. Zero of them turned out to be a confirmed vulnerability. Several of them found, reported, phrased-in-far-too-many-words and misled by stupid word completion machines.
If your company needs #curl support for OpenSSL 1.1 in 2026, just say so and we can have you covered in no time. OpenSSL 1 support is dropped from the regular #curl releases but is available as a commercial offer.
make a photo realistic embroidered wall piece with the words "never expect two independent URL parsers to treat every URL identically" okay, that failed "again without repeating any words" *ripping my eyes out*