Package Forge: The Lesser Known Snap/Flatpak Alternative Without Distro Lock-In
An anonymous reader shared this report from the site It’s FOSS:
Linux gives you plenty of ways to install software: native distro packages, Flatpak, Snap, AppImage, source builds, even curl-piped installers. The catch is that each one solves a different problem, yet none of them fully eliminates the “works here, break … ⌘ Read more
Curling’s most unlikely fairytale on the cusp of Olympic spot
The idea of the Philippines curling team reaching the Winter Olympics has a hint of Cool Runnings about it, while one team member, Alan Frei, has more than a suggestion of Eddie the Eagle. But at the heart of this story is a genuine sporting fairytale that is one step away from becoming an Olympic legend. ⌘ Read more
And regarding those broken URLs: I once speculated that these bots operate on an old dataset, because I thought that my redirect rules actually were broken once and produced loops. But a) I cannot reproduce this today, and b) I cannot find anything related to that in my Git history, either. But it’s hard to tell, because I switched operating systems and webservers since then …
But the thing is that I’m seeing new URLs constructed in this pattern. So this can’t just be an old crawling dataset.
I am now wondering if those broken URLs are bot bugs as well.
They look like this (zalgo is a new project):
https://www.uninformativ.de/projects/slinp/zalgo/scksums/bevelbar/
When you request that URL, you get redirected to /git/:
$ curl -sI https://www.uninformativ.de/projects/slinp/zalgo/scksums/bevelbar/
HTTP/1.0 301 Moved Permanently
Date: Sat, 22 Nov 2025 06:13:51 GMT
Server: OpenBSD httpd
Connection: close
Content-Type: text/html
Content-Length: 510
Location: /git/
And on /git/, there are links to my repos. So if a broken client requests https://www.uninformativ.de/projects/slinp/zalgo/scksums/bevelbar/, then sees a bunch of links and simply appends them, you’ll end up with an infinite loop.
Is that what’s going on here or are my redirects actually still broken … ?
For the innocent bystanders (because I know that I won’t change @bender@twtxt.net’s opinion):
curl -s gopher://uninformativ.de/0/phlog/2025/2025-11/2025-11-05--my-current-reasons-against-ai.txt
What’s the problem with pipe-curl-into-sh?
You’ve seen it: many popular tools will have a one-liner homepage with something along the lines of
```
curl https://fancy.tool/install.sh | /bin/sh
```
And inevitably people will comment on how unsafe this is.
I don’t get it. How is it any more unsafe than cloning a repo and building and running its code? ⌘ Read more
Potential issues in curl found using AI assisted tools
https://joshua.hu/llm-engineer-review-sast-security-ai-tools…
https://joshua.hu/files/AI_SAST_PRESENTATION.pdf
Comments URL: https://news.ycombinator.com/item?id=45449348
Points: 527
# Comments: 169 ⌘ Read more
@bender@twtxt.net curl -s gopher://… does that for you.
curl bans “AI” security reports as Zuckerberg claims we’ll all have more “AI” friends than real ones
Daniel Stenberg, creator and maintainer of curl, has had enough of the neverending torrent of “AI”-generated security reports the curl project has to deal with. That’s it. I’ve had it. I’m putting my foot down on this craziness. 1. Every reporter submitting security reports on Hackerone for curl now needs to answer this question: “Did you … ⌘ Read more
@andros@twtxt.andros.dev Can you reproduce any of this outside of your client? I can’t spot a mistake here:
$ curl -sI 'http://movq.de/v/8684c7d264/.html%2Dindex%2Dthumb%2Dgimp11%2D1.png.jpg'
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 2615
Content-Type: image/jpeg
Date: Wed, 19 Mar 2025 19:53:17 GMT
Last-Modified: Wed, 19 Mar 2025 17:34:08 GMT
Server: OpenBSD httpd
$ curl -sI 'https://movq.de/v/8684c7d264/gimp11%2D1.png'
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 131798
Content-Type: image/png
Date: Wed, 19 Mar 2025 19:53:19 GMT
Last-Modified: Wed, 19 Mar 2025 17:18:07 GMT
Server: OpenBSD httpd
$ telnet movq.de 80
Trying 185.162.249.140...
Connected to movq.de.
Escape character is '^]'.
HEAD /v/8684c7d264/.html%2Dindex%2Dthumb%2Dgimp11%2D1.png.jpg HTTP/1.1
Host: movq.de
Connection: close
HTTP/1.1 200 OK
Connection: close
Content-Length: 2615
Content-Type: image/jpeg
Date: Wed, 19 Mar 2025 19:53:31 GMT
Last-Modified: Wed, 19 Mar 2025 17:34:08 GMT
Server: OpenBSD httpd
Connection closed by foreign host.
$
ditatompel releases ‘xmr-remote-nodes’ v0.2.1
ditatompel has released xmr-remote-nodes version 0.2.1 with a fix for CVE-2024-45338, new features and updates:
```
- fix: CVE-2024-45338 in #173
- feat: Added tor hidden service via HTTP header
- feat: Added more information on monero node details page
- feat: Added curl example command to Node details modal and page
- feat: Store hashed user IP address when submitting new node
- build(de …
```
⌘ Read more
Porting the curl command-line tool and library with Goa
For more than a decade, we have a port of the curl library for Genode available. With the use of Sculpt OS as a daily driver as well as the plan to run Goa natively on Sculpt OS by the end of the year, the itch to also port the curl command-line tool became irresistible. Of course this is a perfect territory for using Goa. In this article, I will share the process of porting the curl command-line tool and shared library … ⌘ Read more
curl: (3) URL rejected: Malformed input to a URL function. Writing sender in bash was BAD idea
@kat@yarn.girlonthemoon.xyz both scripts are here under the names ‘getlyr’ and ‘now playing’ if you wanna try them out yourself, just make sure you have gum installed (also curl and jq but most people have those i think) https://git.sr.ht/~chasinglightning/dotfiles/tree/main/item/home/.local/bin
@kat@yarn.girlonthemoon.xyz i’ve really wanted to make one of those sites you can curl that’s terminal friendly but looks different on the browser like how does wttr.in do it… magic
AI “Slop” Bug Reports Hurting Python, Curl, & Other Open Source Projects
“Low-quality, spammy, and LLM hallucinated security reports” taking time away from real bugs and features. ⌘ Read more
@prologic@twtxt.net Perfect, thanks. For my own future reference: curl -H ‘Accept: application/json’ https://twtxt.net/twt/st3wsda
@prologic@twtxt.net My pod, which is running the same commit you are, does not return an error like that. It returns the same HTML it always has. Try it. I nuked my cache before restarting.
Edit: Oh wait, the plot thickens. I do get an error if I use curl or if I use a web browser that isn’t logged in. That’s good!
yarnd that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like
@prologic@twtxt.net This does not seem to fix the problem for me, or I’ve done something wrong. I did the following:
- Pull the latest version from git (I have commit 7ad848, same as on twtxt.net I believe).
- make build and make install
- Restart yarnd
- Refresh cache in Poderator Settings
Yet I still see these bogus /external things on my pod when I hit URLs like the one I sent you recently. When I hit such a URL with curl I think it’s giving an error? But in a web browser, the (buggy) response is the same as it was before I updated.
So, this problem is not fixed for me.
https://github.com/lwthiker/curl-impersonate added support for Edge and Safari a while ago and I didn’t realize. Very cool!
Security Advisory: High Severity Curl Vulnerability
The maintainers of curl, the popular command-line tool and library for transferring data with URLs, will release curl 8.4.0 on October 11, 2023. This version will include a fix for two common vulnerabilities and exposures (CVEs), one of which the curl maintainers rate as “HIGH” severity and described as “probably the worst curl security flaw in a long time.” In the meantime, you can prepare ahead of exploitability details being released … ⌘ Read more
A better Postman alternative: Hoppscotch
I used to use Postman for both personal and work projects. It was great for making HTTP requests without having to create curl commands. But now, Postman requires a login, which I hate. I don’t understand why a login is needed for such a simple tool. ⌘ Read more
A special build of cURL that can impersonate Chrome and Firefox: https://github.com/lwthiker/curl-impersonate
```
#!/bin/sh

# Validate environment
if ! command -v msgbus > /dev/null; then
  printf "missing msgbus command. Use: go install git.mills.io/prologic/msgbus/cmd/msgbus@latest"
  exit 1
fi

if ! command -v salty > /dev/null; then
  printf "missing salty command. Use: go install go.mills.io/salty/cmd/salty@latest"
  exit 1
fi

if ! command -v salty-keygen > /dev/null; then
  printf "missing salty-keygen command. Use: go install go.mills.io/salty/cmd/salty-keygen@latest"
  exit 1
fi

if [ -z "$SALTY_IDENTITY" ]; then
  export SALTY_IDENTITY="$HOME/.config/salty/$USER.key"
fi

get_user () {
  user=$(grep user: "$SALTY_IDENTITY" | awk '{print $3}')
  if [ -z "$user" ]; then
    user="$USER"
  fi
  echo "$user"
}

stream () {
  if [ -z "$SALTY_IDENTITY" ]; then
    echo "SALTY_IDENTITY not set"
    exit 2
  fi

  jq -r '.payload' | base64 -d | salty -i "$SALTY_IDENTITY" -d
}

lookup () {
  if [ $# -lt 1 ]; then
    printf "Usage: %s nick@domain\n" "$(basename "$0")"
    exit 1
  fi

  user="$1"
  nick="$(echo "$user" | awk -F@ '{ print $1 }')"
  domain="$(echo "$user" | awk -F@ '{ print $2 }')"

  curl -qsSL "https://$domain/.well-known/salty/${nick}.json"
}

readmsgs () {
  topic="$1"

  if [ -z "$topic" ]; then
    topic=$(get_user)
  fi

  export SALTY_IDENTITY="$HOME/.config/salty/$topic.key"
  if [ ! -f "$SALTY_IDENTITY" ]; then
    echo "identity file missing for user $topic" >&2
    exit 1
  fi

  msgbus sub "$topic" "$0"
}

sendmsg () {
  if [ $# -lt 2 ]; then
    printf "Usage: %s nick@domain.tld <message>\n" "$(basename "$0")"
    exit 0
  fi

  if [ -z "$SALTY_IDENTITY" ]; then
    echo "SALTY_IDENTITY not set"
    exit 2
  fi

  user="$1"
  message="$2"

  salty_json="$(mktemp /tmp/salty.XXXXXX)"

  lookup "$user" > "$salty_json"

  endpoint="$(jq -r '.endpoint' < "$salty_json")"
  topic="$(jq -r '.topic' < "$salty_json")"
  key="$(jq -r '.key' < "$salty_json")"

  rm "$salty_json"

  message="[$(date +%FT%TZ)] <$(get_user)> $message"

  echo "$message" \
    | salty -i "$SALTY_IDENTITY" -r "$key" \
    | msgbus -u "$endpoint" pub "$topic"
}

make_user () {
  mkdir -p "$HOME/.config/salty"

  if [ $# -lt 1 ]; then
    user=$USER
  else
    user=$1
  fi

  identity_file="$HOME/.config/salty/$user.key"

  if [ -f "$identity_file" ]; then
    printf "user key exists!"
    exit 1
  fi

  # Check for msgbus env.. probably can make it fallback to looking for a config file?
  if [ -z "$MSGBUS_URI" ]; then
    printf "missing MSGBUS_URI in environment"
    exit 1
  fi

  salty-keygen -o "$identity_file"
  echo "# user: $user" >> "$identity_file"

  pubkey=$(grep key: "$identity_file" | awk '{print $4}')

  cat <<- EOF
Create this file in your webserver well-known folder. https://hostname.tld/.well-known/salty/$user.json
{
"endpoint": "$MSGBUS_URI",
"topic": "$user",
"key": "$pubkey"
}
EOF
}

# check if streaming
if [ ! -t 1 ]; then
  stream
  exit 0
fi

# Show Help
if [ $# -lt 1 ]; then
  printf "Commands: send read lookup"
  exit 0
fi

CMD=$1
shift

case $CMD in
  send)
    sendmsg "$@"
    ;;
  read)
    readmsgs "$@"
    ;;
  lookup)
    lookup "$@"
    ;;
  make-user)
    make_user "$@"
    ;;
esac
```
https://curl.se/libcurl/c/ curl api
@prologic@twtxt.net I would like to see “header” lines in twtxt.txt parsed.
Personally I started looking at some twtxt files with curl and saw information about avatar images.
I assumed that to be sort of standard and mentioned my avatar image in my stackeffect.txt. But it was not “avatar.png”.
Later I saw in logfiles that the info was totally ignored and instead several “avatar.png” locations were tried by the pulling side.
When information in “header” of twtxt file were respected one could easily change avatar file to one with a new filename and there would be no caching problem.
https://curl.se/libcurl/c/https.html code curl writing
curl https://raw.githubusercontent.com/jointwt/we-are-twtxt/master/we-are-twtxt.txt | grep -v '^niplav ' | field 2 | xargs curl ^/dev/null | grep niplav here we go
I tried removing a flag from curl, and now tweets are downloading to the cache folder now. I think. will have to wait for folks to say stuff.
@freemor@freemor.homelinux.net It seems that txtnish isn’t able to retrieve your twtxt file :/ I get the “curl: (6) getaddrinfo() thread failed to start”
Detecting the use of “curl | bash” server side | Application Security https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/
@mdom@domgoergen.com my own custom client I wrote, I use cron to run the update my timeline every 20 mins. My update process also processes 10 curl calls at time. I did that to save time when I poll everyone.
@mdosch@mdosch.de: Yes, #txtnish uses curl and can therefore handle all curl supported protocols.
One thing for sure on this project I’m working on, being able to run multiple CURL requests at once has been a real time saver.
Use the x-use-gopher header on your http proxies.. “curl -sI https://codevoid.de | grep ^x-u” bitreich.org, r-36.net, taz.de are already there. #gopher
Had to update my client to use CURL so I could get @mekon@sdf.org twtxt file via gopher
Okay, i dumped the wget backend from #txtnish, curl works better and providing the same interface with both was hard.
@tomas@bootlog.org Something is still broken, every client but curl works for https. The ppl in #curl bet it is some ssl option.
@tomas@bootlog.org Something weird is happening when i want to curl your twtfile: Empty reply from server. Browsers work fine.
If you don’t have wget, #txtnish can also use curl via http_backend=curl
Already registered with ?
@kdave@kdave.github.io Not that i endorse anything like that, but one could always just .