Interesting, HTTPS is almost twice as slow as plain HTTP on my server (~72 ms vs. ~135 ms):
$ hyperfine -r 50 "curl -so /dev/null 'http://movq.de/blog/postings/2024-05-23/0/t/word11a.jpg.jpg'"
Benchmark 1: curl -so /dev/null 'http://movq.de/blog/postings/2024-05-23/0/t/word11a.jpg.jpg'
Time (mean ± σ): 72.7 ms ± 17.2 ms [User: 6.2 ms, System: 4.8 ms]
Range (min … max): 49.5 ms … 99.7 ms 50 runs
$ hyperfine -r 50 "curl -so /dev/null 'https://movq.de/blog/postings/2024-05-23/0/t/word11a.jpg.jpg'"
Benchmark 1: curl -so /dev/null 'https://movq.de/blog/postings/2024-05-23/0/t/word11a.jpg.jpg'
Time (mean ± σ): 135.5 ms ± 28.9 ms [User: 17.8 ms, System: 5.6 ms]
Range (min … max): 93.2 ms … 198.5 ms 50 runs
<updated> of the feed, too. But for some reason, some articles were suddenly marked as new.
Aha, yesterday’s newly added support for LC_TIME to render localized timestamps also broke the feed parsing with my LANG=de_DE.UTF-8 and LC_CTYPE=de_DE.UTF-8 environment. :-)
Atom feeds make use of RFC 3339 timestamps. They are first converted into RFC 882 timestamp representation, which is the one that RSS feeds use. However, this conversion now results in localized RFC 882 timestamps, which cannot be parsed into Unix timestamp numbers via curl_getdate(…). I bet that it doesn’t know about the localization at all and expects English month and weekday names. Looking at its docs, I reckon that function was selected because of its myriad of supported timestamp formats: https://curl.se/libcurl/c/curl_getdate.html RFC 3339 is not included, though, hence the transformation up front.
The intermediate Item objects in the parser domain use std::string for the timestamp representation. This isn’t all that silly, because Newsboat supports all sorts of different feed formats with different timestamp formats. These RFC 883 timestamps are centrally parsed into time_t.
Speaking of time: It’s time to go to bed after this late bug hunting fun. :-)
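An added example, not code from Newsboat or from the post above: a C converter from RFC 3339 to the RSS-style date that takes weekday and month names from fixed English tables instead of the LC_TIME locale, so an English-only parser such as curl_getdate() still accepts the result under LANG=de_DE.UTF-8. The function name rfc3339_to_rss and the sample timestamp are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Fixed English names: unlike strftime()'s %a and %b they ignore LC_TIME. */
static const char *const WDAY[] = {"Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"};
static const char *const MON[] = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                  "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};

/* Read exactly n decimal digits; a NUL is not a digit, so p is never overrun. */
static int digits(const char *p, int n, int *out) {
    for (*out = 0; n-- > 0; p++) {
        if (!isdigit((unsigned char)*p)) return -1;
        *out = *out * 10 + (*p - '0');
    }
    return 0;
}
static int days_in_month(int y, int m) {
    static const int len[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    return (m == 2 && y % 4 == 0 && (y % 100 != 0 || y % 400 == 0)) ? 29 : len[m - 1];
}

/* Sakamoto's method for the Gregorian calendar; 0 = Sunday. */
static int weekday(int y, int m, int d) {
    static const int t[] = {0, 3, 2, 5, 0, 3, 5, 1, 4, 6, 2, 4};
    if (m < 3) y -= 1;
    return (y + y / 4 - y / 100 + y / 400 + t[m - 1] + d) % 7;
}

/* RFC 3339 in, RSS-style date out; 0 on success, -1 on bad input or small buffer. */
int rfc3339_to_rss(const char *in, char *out, size_t outlen) {
    int y, mo, d, h, mi, s, oh = 0, om = 0, n, sign = '+';
    if (digits(in, 4, &y) || in[4] != '-' || digits(in + 5, 2, &mo) || in[7] != '-' ||
        digits(in + 8, 2, &d) || in[10] != 'T' || digits(in + 11, 2, &h) ||
        in[13] != ':' || digits(in + 14, 2, &mi) || in[16] != ':' || digits(in + 17, 2, &s))
        return -1;
    const char *p = in + 19;
    if (*p == '.') {                      /* fractional seconds are dropped */
        if (!isdigit((unsigned char)*++p)) return -1;
        while (isdigit((unsigned char)*p)) p++;
    }
    if (*p == '+' || *p == '-') {         /* numeric UTC offset */
        sign = *p;
        if (digits(p + 1, 2, &oh) || p[3] != ':' || digits(p + 4, 2, &om)) return -1;
        p += 6;
    } else if (*p++ != 'Z') {             /* otherwise only "Z" (UTC) is valid */
        return -1;
    }
    if (*p || mo < 1 || mo > 12 || d < 1 || d > days_in_month(y, mo) ||
        h > 23 || mi > 59 || s > 60 || oh > 23 || om > 59)
        return -1;
    n = snprintf(out, outlen, "%s, %02d %s %04d %02d:%02d:%02d %c%02d%02d",
                 WDAY[weekday(y, mo, d)], d, MON[mo - 1], y, h, mi, s, sign, oh, om);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void) {
    char buf[40];  /* the input below is a constructed sample timestamp */
    return rfc3339_to_rss("2024-05-23T21:04:05+02:00", buf, sizeof buf) || puts(buf) < 0;
}
```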
KMD Brands launches business review, opens door to possible sale
KMD Brands is reviewing its business and is open to a possible sale after rejecting a Rip Curl de-merger proposal earlier this year.
The dual-listed company announced the review alongside the release of its results for the third quarter of 2026. ⌘ Read more
Stenberg: The pressure
Curl maintainer Daniel Stenberg writes about
the stress of keeping up with the current flood of security reports.
This is a never-before seen or experienced pressure on the curl
project and its security team members. An avalanche of high
priority work that trumps all other things in the project that is
primarily mental because we certainly could ignore them all if we
wanted, but we feel a responsibility, we have a conscience and we
are p … ⌘ Read more
[$] LWN.net Weekly Edition for May 14, 2026
Inside this week’s LWN.net Weekly Edition:
Front: Fedora AI; Forgejo “carrot” disclosure; memory-management maintainership; huge THPs; mshare; 64KB base pages; DAMON; direct map.
Briefs: Dirty Frag; Fragnesia; Mythos and curl; killswitch; Debian reproducible builds; KDE investment; Quotes …
Announcements: Newsletters, conferences, security updates, patches, and more. ⌘ Read more
Anthropic’s Bug-Hunting Mythos Was Greatest Marketing Stunt Ever, Says cURL Creator
cURL creator Daniel Stenberg says Anthropic’s hyped Mythos bug-hunting model found only one confirmed low-severity vulnerability in cURL, plus a few non-security bugs, after he expected a much longer list. He argues Mythos may be useful, but not meaningfully beyond other modern AI code-analysis tools. “My personal … ⌘ Read more
Stenberg: Mythos finds a curl vulnerability
Daniel Stenberg has published a lengthy
article on his thoughts on Anthropic’s Mythos, which the company
decided was too dangerous for wide public release.
My personal conclusion can however not end up with anything else
than that the big hype around this model so far was primarily
marketing. I see no evidence that this setup finds issues to any
particular higher or more advanced degree than the other too … ⌘ Read more
Security updates for Wednesday
Security updates have been issued by AlmaLinux (corosync, dovecot, image-builder, python-tornado, resource-agents, and systemd), Debian (openjdk-11, openjdk-17, and pyjwt), Fedora (pdns, pyOpenSSL, and squid), Slackware (hunspell), SUSE (alloy, avahi, bubblewrap, cmctl, coredns, curl, dpkg, firefox, golang-github-prometheus-prometheus, grafana, libpng12, PackageKit, sed, and xen), and Ubuntu (docker.io-app, nghttp2, python-django, and python-mako). ⌘ Read more
Security updates for Monday
Security updates have been issued by AlmaLinux (java-25-openjdk, kernel, osbuild-composer, thunderbird, webkit2gtk3, and wireshark), Debian (chromium, distro-info-data, libde265, mbedtls, and thunderbird), Fedora (awstats, bind9-next, bpfman, buildah, calibre, cef, chromium, composer, corosync, coturn, cups, curl, dnsdist, doctl, erlang, fido-device-onboard, flatpak-builder, freetype, glab, goose, jq, kea, libarchive, libcap, libcgif, libgsasl, libinput, libmicrohttpd, libpng, libpng12, libpng1 … ⌘ Read more
Security updates for Wednesday
Security updates have been issued by Debian (firefox-esr, flatpak, ngtcp2, ntfs-3g, packagekit, python-geopandas, simpleeval, strongswan, and xdg-dbus-proxy), Fedora (chromium, cups, curl, jq, opkssh, perl-Net-CIDR-Lite, python-cbor2, python-pillow, tinyproxy, xdg-dbus-proxy, and xorg-x11-server-Xwayland), Slackware (libXpm and mozilla), SUSE (botan, chromium, clamav, cockpit, cockpit-machines, cockpit-packages, cockpit-podman, cockpit-subscriptions, dovecot24, firefox, flatpak, freeipmi … ⌘ Read more
Security updates for Monday
Security updates have been issued by AlmaLinux (.NET 10.0, .NET 8.0, .NET 9.0, delve, freerdp, giflib, go-rpm-macros, libarchive, and openexr), Debian (gimp, imagemagick, luanti, mapserver, mupdf, opam, perl, pillow, postgresql-13, and tiff), Fedora (aqualung, awstats, curl, incus, mac, mbedtls, mingw-LibRaw, python-msal, python3.11, python3.12, python3.15, smb4k, stb, and usd), Gentoo (DTrace and FUSE), Mageia (gdk-pixbuf2.0, giflib, polkit-122, python-cairosvg, and rsync), Oracle … ⌘ Read more
Via https://github.com/newsboat/newsboat/issues/3220#issuecomment-4198066671 I came across this nice selection on why not to use AI: https://github.com/Vxrpenter/AIMania/blob/main/WHY.md#why
This then led me to the slopware list: https://codeberg.org/small-hack/open-slopware
Holy shit, there’s even more than I thought. :-O In addition to Vim, the following affects me more or less daily (but hopefully not my ancient versions): curl, VLC, ImageMagick, rsync, Python, systemd and even the Linux Kernel itself. Oh fuck me dead. :'-(
SaaS Apocalypse Could Be OpenSource’s Greatest Opportunity
Longtime Slashdot reader internet-redstar writes: Nearly a trillion dollars has been wiped from software stocks in 2026, with hedge funds making billions shorting Salesforce, HubSpot, and Atlassian. At FOSDEM 2026, cURL maintainer Daniel Stenberg shut down his bug bounty program after AI-generated slop overwhelmed his team. A new article on HackerNoon argues … ⌘ Read more
cURL Removes Bug Bounties
Ancient Slashdot reader jantangring shares a report from Swedish electronics industry news site Elektroniktidningen (translated to English), writing: “Open source code library cURL is removing the possibility to earn money by reporting bugs, hoping that this will reduce the volume of AI slop reports,” reports etn.se. “Joshua Rogers – AI wielding bug hunter of fame – thinks it’s a great idea.” cURL maintainer Daniel Stenber … ⌘ Read more
Package Forge: The Lesser Known Snap/Flatpak Alternative Without Distro Lock-In
An anonymous reader shared this report from the site It’s FOSS:
Linux gives you plenty of ways to install software: native distro packages, Flatpak, Snap, AppImage, source builds, even curl-piped installers. The catch is that each one solves a different problem, yet none of them fully eliminates the “works here, break … ⌘ Read more
Curling’s most unlikely fairytale on the cusp of Olympic spot
The idea of the Philippines curling team reaching the Winter Olympics has a hint of Cool Runnings about it, while one team member, Alan Frei, has more than a suggestion of Eddie the Eagle. But at the heart of this story is a genuine sporting fairytale that is one step away from becoming an Olympic legend. ⌘ Read more
And regarding those broken URLs: I once speculated that these bots operate on an old dataset, because I thought that my redirect rules actually were broken once and produced loops. But a) I cannot reproduce this today, and b) I cannot find anything related to that in my Git history, either. But it’s hard to tell, because I switched operating systems and webservers since then …
But the thing is that I’m seeing new URLs constructed in this pattern. So this can’t just be an old crawling dataset.
I am now wondering if those broken URLs are bot bugs as well.
They look like this (zalgo is a new project):
https://www.uninformativ.de/projects/slinp/zalgo/scksums/bevelbar/
When you request that URL, you get redirected to /git/:
$ curl -sI https://www.uninformativ.de/projects/slinp/zalgo/scksums/bevelbar/
HTTP/1.0 301 Moved Permanently
Date: Sat, 22 Nov 2025 06:13:51 GMT
Server: OpenBSD httpd
Connection: close
Content-Type: text/html
Content-Length: 510
Location: /git/
And on /git/, there are links to my repos. So if a broken client requests https://www.uninformativ.de/projects/slinp/zalgo/scksums/bevelbar/, then sees a bunch of links and simply appends them, you’ll end up with an infinite loop.
Is that what’s going on here or are my redirects actually still broken … ?
For the innocent bystanders (because I know that I won’t change @bender@twtxt.net’s opinion):
curl -s gopher://uninformativ.de/0/phlog/2025/2025-11/2025-11-05--my-current-reasons-against-ai.txt
What’s the problem with pipe-curl-into-sh?
You’ve seen it: many popular tools will have a one-liner homepage with something along the lines of
```
curl https://fancy.tool/install.sh | /bin/sh
```
And inevitably people will comment on how unsafe this is.
I don’t get it. How is it any more unsafe than cloning a repo and building and running its code? ⌘ Read more
Potential issues in curl found using AI assisted tools
https://joshua.hu/llm-engineer-review-sast-security-ai-tools…
https://joshua.hu/files/AI_SAST_PRESENTATION.pdf
Comments URL: https://news.ycombinator.com/item?id=45449348
Points: 527
# Comments: 169 ⌘ Read more
@bender@twtxt.net curl -s gopher://… does that for you.
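Everyone needs an HTTP proxy for debugging
Preface: this introduces how a front-end engineer can use an HTTP proxy for debugging, going beyond the limits of DevTools. Today's article is shared by 前端早讀課 @huli. As a front-end engineer who deals with web pages every day, being familiar with DevTools is quite reasonable. Whenever an API integration goes wrong, you press the shortcut to open DevTools, switch to the Network tab, find the red row, right-click to copy it as cURL, paste it into the group chat, and let the back end find the problem themselves. But … ⌘ Read more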
curl bans “AI” security reports as Zuckerberg claims we’ll all have more “AI” friends than real ones
Daniel Stenberg, creator and maintainer of curl, has had enough of the neverending torrent of “AI”-generated security reports the curl project has to deal with. That’s it. I’ve had it. I’m putting my foot down on this craziness. 1. Every reporter submitting security reports on Hackerone for curl now needs to answer this question: “Did you … ⌘ Read more
@andros@twtxt.andros.dev Can you reproduce any of this outside of your client? I can’t spot a mistake here:
$ curl -sI 'http://movq.de/v/8684c7d264/.html%2Dindex%2Dthumb%2Dgimp11%2D1.png.jpg'
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 2615
Content-Type: image/jpeg
Date: Wed, 19 Mar 2025 19:53:17 GMT
Last-Modified: Wed, 19 Mar 2025 17:34:08 GMT
Server: OpenBSD httpd
$ curl -sI 'https://movq.de/v/8684c7d264/gimp11%2D1.png'
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 131798
Content-Type: image/png
Date: Wed, 19 Mar 2025 19:53:19 GMT
Last-Modified: Wed, 19 Mar 2025 17:18:07 GMT
Server: OpenBSD httpd
$ telnet movq.de 80
Trying 185.162.249.140...
Connected to movq.de.
Escape character is '^]'.
HEAD /v/8684c7d264/.html%2Dindex%2Dthumb%2Dgimp11%2D1.png.jpg HTTP/1.1
Host: movq.de
Connection: close
HTTP/1.1 200 OK
Connection: close
Content-Length: 2615
Content-Type: image/jpeg
Date: Wed, 19 Mar 2025 19:53:31 GMT
Last-Modified: Wed, 19 Mar 2025 17:34:08 GMT
Server: OpenBSD httpd
Connection closed by foreign host.
$
ditatompel releases ‘xmr-remote-nodes’ v0.2.1
ditatompel has released xmr-remote-nodes version 0.2.1 with a fix for CVE-2024-45338, new features and updates:
- fix: CVE-2024-45338 in #173
- feat: Added tor hidden service via HTTP header
- feat: Added more information on monero node details page
- feat: Added curl example command to Node details modal and page
- feat: Store hashed user IP address when submitting new node
- build(de … ⌘ Read more
Porting the curl command-line tool and library with Goa
For more than a decade, we have a port of the curl library for Genode available. With the use of Sculpt OS as a daily driver as well as the plan to run Goa natively on Sculpt OS by the end of the year, the itch to also port the curl command-line tool became irresistible. Of course this is a perfect territory for using Goa. In this article, I will share the process of porting the curl command-line tool and shared library … ⌘ Read more
curl: (3) URL rejected: Malformed input to a URL function. Writing sender in bash was BAD idea
@kat@yarn.girlonthemoon.xyz both scripts are here under the names ‘getlyr’ and ‘now playing’ if you wanna try them out yourself, just make sure you have gum installed (also curl and jq but most people have those i think) https://git.sr.ht/~chasinglightning/dotfiles/tree/main/item/home/.local/bin
For the time being… I’ve just blocked all of OpenAI(s) Bots. They (thankfully) publish a JSON endpoint that you can use to block all OpenAI …
For the time being… I’ve just blocked all of OpenAI(s) Bots. They (thankfully) publish a JSON endpoint that you can use to block all OpenAI crawlers from reaching your server (in my case, blocking it at the edge). Example:
proxy-1:~# curl -qs https://openai.com/gptbot.json | jq -r '.prefixes[].ipv4Prefix' | xargs -I{} ./block-ip.sh {}
Where … ⌘ Read more
@kat@yarn.girlonthemoon.xyz i’ve really wanted to make one of those sites you can curl that’s terminal friendly but looks different on the browser like how does wttr.in do it… magic
AI “Slop” Bug Reports Hurting Python, Curl, & Other Open Source Projects
“Low-quality, spammy, and LLM hallucinated security reports” taking time away from real bugs and features. ⌘ Read more
@prologic@twtxt.net Perfect, thanks. For my own future reference: curl -H 'Accept: application/json' https://twtxt.net/twt/st3wsda
@prologic@twtxt.net My pod, which is running the same commit you are, does not return an error like that. It returns the same HTML it always has. Try it. I nuked my cache before restarting.
Edit: Oh wait, the plot thickens. I do get an error if I use curl or if I use a web browser that isn’t logged in. That’s good!
yarnd that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like
@prologic@twtxt.net This does not seem to fix the problem for me, or I’ve done something wrong. I did the following:
- Pull the latest version from git (I have commit 7ad848, same as on twtxt.net I believe).
- make build and make install
- Restart yarnd
- Refresh cache in Poderator Settings
Yet I still see these bogus /external things on my pod when I hit URLs like the one I sent you recently. When I hit such a URL with curl I think it’s giving an error? But in a web browser, the (buggy) response is the same as it was before I updated.
So, this problem is not fixed for me.
https://github.com/lwthiker/curl-impersonate added support for Edge and Safari a while ago and I didn’t realize. Very cool!
Pretty cool how one can post to the Internet with a single curl command.
Security Advisory: High Severity Curl Vulnerability
The maintainers of curl, the popular command-line tool and library for transferring data with URLs, will release curl 8.4.0 on October 11, 2023. This version will include a fix for two common vulnerabilities and exposures (CVEs), one of which the curl maintainers rate as “HIGH” severity and described as “probably the worst curl security flaw in a long time.” In the meantime, you can prepare ahead of exploitability details being released … ⌘ Read more
A better Postman alternative: Hoppscotch
I used to use Postman for both personal and work projects. It was great for making HTTP requests without having to create curl commands. But now, Postman requires a login, which I hate. I don’t understand why a login is needed for such a simple tool. ⌘ Read more
A special build of cURL that can impersonate Chrome and Firefox: https://github.com/lwthiker/curl-impersonate
will have to implement some curl scanning for follows and mentions. gonna be a nice chance to brush up my C-string-fu LoL
#!/bin/sh

# Validate environment
if ! command -v msgbus > /dev/null; then
    printf "missing msgbus command. Use: go install git.mills.io/prologic/msgbus/cmd/msgbus@latest\n"
    exit 1
fi
if ! command -v salty > /dev/null; then
    printf "missing salty command. Use: go install go.mills.io/salty/cmd/salty@latest\n"
    exit 1
fi
if ! command -v salty-keygen > /dev/null; then
    printf "missing salty-keygen command. Use: go install go.mills.io/salty/cmd/salty-keygen@latest\n"
    exit 1
fi

# Default identity file if none is given in the environment
if [ -z "$SALTY_IDENTITY" ]; then
    export SALTY_IDENTITY="$HOME/.config/salty/$USER.key"
fi

# Print the user name recorded in the identity file, falling back to $USER
get_user () {
    user=$(grep user: "$SALTY_IDENTITY" | awk '{print $3}')
    if [ -z "$user" ]; then
        user="$USER"
    fi
    echo "$user"
}

# Decrypt one msgbus message read from stdin
stream () {
    if [ -z "$SALTY_IDENTITY" ]; then
        echo "SALTY_IDENTITY not set"
        exit 2
    fi
    jq -r '.payload' | base64 -d | salty -i "$SALTY_IDENTITY" -d
}

# Fetch the well-known JSON (endpoint, topic, key) for nick@domain
lookup () {
    if [ $# -lt 1 ]; then
        printf "Usage: %s nick@domain\n" "$(basename "$0")"
        exit 1
    fi
    user="$1"
    nick="$(echo "$user" | awk -F@ '{ print $1 }')"
    domain="$(echo "$user" | awk -F@ '{ print $2 }')"
    curl -qsSL "https://$domain/.well-known/salty/${nick}.json"
}

# Subscribe to a topic; msgbus runs this script again for each message
readmsgs () {
    topic="$1"
    if [ -z "$topic" ]; then
        topic=$(get_user)
    fi
    export SALTY_IDENTITY="$HOME/.config/salty/$topic.key"
    if [ ! -f "$SALTY_IDENTITY" ]; then
        echo "identity file missing for user $topic" >&2
        exit 1
    fi
    msgbus sub "$topic" "$0"
}

# Encrypt a message to the recipient's published key and publish it
sendmsg () {
    if [ $# -lt 2 ]; then
        printf "Usage: %s nick@domain.tld <message>\n" "$(basename "$0")"
        exit 0
    fi
    if [ -z "$SALTY_IDENTITY" ]; then
        echo "SALTY_IDENTITY not set"
        exit 2
    fi
    user="$1"
    message="$2"
    salty_json="$(mktemp /tmp/salty.XXXXXX)"
    lookup "$user" > "$salty_json"
    endpoint="$(jq -r '.endpoint' < "$salty_json")"
    topic="$(jq -r '.topic' < "$salty_json")"
    key="$(jq -r '.key' < "$salty_json")"
    rm "$salty_json"
    message="[$(date +%FT%TZ)] <$(get_user)> $message"
    echo "$message" \
        | salty -i "$SALTY_IDENTITY" -r "$key" \
        | msgbus -u "$endpoint" pub "$topic"
}

# Generate a key pair and print the JSON to publish for it
make_user () {
    mkdir -p "$HOME/.config/salty"
    if [ $# -lt 1 ]; then
        user=$USER
    else
        user=$1
    fi
    identity_file="$HOME/.config/salty/$user.key"
    if [ -f "$identity_file" ]; then
        printf "user key exists!\n"
        exit 1
    fi
    # Check for msgbus env.. probably can make it fallback to looking for a config file?
    if [ -z "$MSGBUS_URI" ]; then
        printf "missing MSGBUS_URI in environment\n"
        exit 1
    fi
    salty-keygen -o "$identity_file"
    echo "# user: $user" >> "$identity_file"
    pubkey=$(grep key: "$identity_file" | awk '{print $4}')
    cat <<- EOF
Create this file in your webserver well-known folder. https://hostname.tld/.well-known/salty/$user.json
{
"endpoint": "$MSGBUS_URI",
"topic": "$user",
"key": "$pubkey"
}
EOF
}

# check if streaming
if [ ! -t 1 ]; then
    stream
    exit 0
fi

# Show Help
if [ $# -lt 1 ]; then
    printf "Commands: send read lookup\n"
    exit 0
fi

CMD=$1
shift
case $CMD in
    send)
        sendmsg "$@"
        ;;
    read)
        readmsgs "$@"
        ;;
    lookup)
        lookup "$@"
        ;;
    make-user)
        make_user "$@"
        ;;
esac
https://curl.se/libcurl/c/ curl api
@prologic@twtxt.net I would like to see “header” lines in twtxt.txt parsed.
Personally I started looking at some twtxt files with curl and saw information about avatar images.
I assumed that to be sort of standard and mentioned my avatar image in my stackeffect.txt. But it was not “avatar.png”.
Later I saw in logfiles that the info was totally ignored and instead several “avatar.png” locations were tried by the pulling side.
If the information in the “header” of the twtxt file were respected, one could easily change the avatar file to one with a new filename and there would be no caching problem.
🤔 curl -s https://www.frogorbits.com/ | htmlq -p main | bat -l html