Jonathan: Hey folks, this week, Randal joins me and we talk with Daniel Stenberg about Curl. It's an open source success story that lets you download anything and everything from the internet. It's a great show, you don't want to miss it, so stay tuned. This is Floss Weekly, episode 808, Curl. Gotta download em all.
It's time for Floss Weekly, that's the show about free, libre, and open source software. I'm your host, Jonathan Bennett, and we've got something really fun today. We're talking with Daniel Stenberg about Curl. That is gonna be, ooh, I've written, I've written code a couple of times now to use libcurl, which is part of the curl project.
I know somebody else that I'm sure has used curl, maybe written some code around it. And that is the amazing Randal Schwartz. Welcome back as co-host, sir!
Randal: Hey, hi David. Now Jonathan, sorry. And I Dave, what, where the heck did that come from? Oh my God. It's not enough caffeine and I'm just drinking out of my giant Stanley cup that you can't see anyway.
But no, yes. Jonathan, thank you, thank you for having me back on this show, despite my guffaw, this may be my last show then, we'll see. We'll fix it in post, it'll be fine. Okay.
Jonathan: Nobody will ever see this. Yeah,
Randal: right. Except the live stream and the actual show, I know it'll be there somewhere. It'll be in the transcript too, people can search for it.
When did Randal call Jonathan David for some reason?
Jonathan: Ah, goodness. So you've, I am sure you've done stuff with curl. Have you ever used libcurl? Have you written, have you written code with libcurl?
Randal: I think at one point I wrote some Perl stuff that used curl, the libcurl binding there to get some stuff downloaded.
Of course it was because Perl had direct bindings to sockets and stuff. I actually wrote a FTP mirroring software using just direct sockets. It was pretty cool. It's what actually became the basis for the CPAN. So, the CPAN had been mirrored for many, many years by just having pure Perl code do all that.
I guess I could be ensured that libcurl was everywhere and everybody had it installed. I imagine we probably could have shifted to that. And I don't know what they're currently doing these days. I am, I'm sort of out of the Perl world. I'm sort of, there is, you know, something emeritus, something, something, you know, but I actually went full time Dart and Flutter starting about four years ago.
So in that respect, I've been using curl from the command line a lot because there are tools that seem like they always want to install themselves on your machine using the extremely dangerous, we can talk about this in the show, really dangerous, something, something piped into your root shell. Oh, that always bugs me when I see that.
How does, how does this keep becoming the meme for easy installation? But it's, I have used curl multiple times based on that. So so yeah I'm a heavy, I'm a heavy curl command line user. Yes.
Jonathan: Yeah. So let's bring, let's bring Daniel on and let's ask him about it. First off, welcome to the show, Daniel.
Glad to have you here. Hello, hello. Thank you. Good to be here. Yeah, so Hi. Hi, Daniel. Get it right, Randal. Almost David. That's probably where it came from. Almost David. Ah, it was a
Randal: blur.
Jonathan: It was a blur. So we've had Daniel on the show to talk about Curl and some other things, but it's been like, 15 years ago, back before I had anything to do with Floss Weekly, but Randal was the, the host or maybe the co-host, even at that point.
I don't, I'm not sure. I think it was with Leo, like episode 53 or something a long time ago. So welcome, welcome back.
Daniel: Yeah, it's been a while. Yeah. Leo and Randal back in 2009. Yeah. So.
Randal: I think that may be the record for the longest gap on this show. Counting all the shows together. Yeah. The radio show, the TV show.
And now this show I'm sure this is like yeah, this is, this has got to be a record.
Jonathan: Yeah. So we've started out with already we have a question from the chat room and I'm going to corrupt this question just a little bit because I'm a troll and I can. And David Ruggles asks, why is wget better than curl?
Daniel: Yeah, why is it? So I never wanted to do a wget replacement, so I never did. So I have really never intended it to be a wget replacement. So sort of, for me, it's always been a case of both are open source and you use the right tool for the right job. So if you want to use wget, you use wget, and if you want to do something else, if you want to fiddle with the protocol in a, in a more sort of more flexible way, rather than just doing a download, then curl is probably your better friend.
Jonathan: Is it, is it fair to say then that wget is kind of like a pocket knife to curl's Swiss Army knife plus plus, maybe?
Daniel: Yes, I would say so. I mean, wget is a more limited, single, more narrow use case, basically just download this URL to file on disk, while curl has a lot more use cases and really a Swiss Army knife in comparison.
Yeah.
Jonathan: Yeah, but You know, I talked about using libcurl there for a while, and I think we actually, we still do, we, in ZoneMinder, we use libcurl to get video streams, video and audio streams. And that's, that's part of the process there because it, it talks the right protocol. And so it'll just reach out there and it'll grab it and shuffle bits around.
Curl gets used for sort of everything these days. Do you have a feel of like how many curl installs there are in the world? Are there more curls than there are people?
Daniel: There are way many more curls. So, and usually when I talk to people like this, people always think about the command line tool that, hence the comparison with wget, right?
But the, the much more used component is libcurl and libcurl is really, really everywhere. And since that is a little component that everyone is using these days. So we, yeah, we estimate that it's used in somewhere around 20 billion installations. So it's way more than humans on the globe and, and really an average human in, in the Western world, like, like us here, we have a lot of libcurl installations everywhere in our households, you know, phones, cars, fridges, printers, TVs, video games.
So basically all of us, we have 10, 15, 25 installations of curl per person.
Jonathan: That's gotta be kind of surreal, right? To just like look around and go, my camera probably has libcurl in it. My monitor probably has libcurl in it. My LED ring light might have libcurl in it. Like, that's just going to be a surreal feeling, like my code is in all of these places sprinkled around the entire world.
Randal: Well, so here would be the challenge on that.
Is there more SQLite installations than libcurl installations? Because that's also embedded. That's everywhere, too.
Daniel: Yeah, and of course, it's impossible to know, and it's impossible to tell. So it's just a matter of religion, I guess, or guessing. How do you know? I mean, they have the same situation as we do, that it's completely open source, someone downloads it and installs it in a billion devices, but they never tell us, right?
So how do we know this? We can just guess and see some traces somewhere, and I don't know. I mean, I say 20 billion installations. It could be 25. It could be 17. I don't know. So it's more of a, how do you actually know? So comparing, so I often say that it's one of the most installed software components in the world, but I cannot say that it's the most, because as you say, SQLite, maybe libz is one of those also.
Mm-hmm. And, and the TLS libraries. There are other libraries that are tiny and used in a lot of places. Could be those. I don't know. It's, and it really doesn't matter. It's just in a humongous amount of places. And of course it's, it's pretty mind boggling.
Jonathan: You've got it. You've got it. You've got enough installs.
You have enough installs now to be like a lot of installs by any metric. And beyond that, it's like, Oh, who's counting?
Daniel: Yes, exactly. And I have this graph I showed once when they, when they told me about that, they actually use curl with the, in the Mars helicopter landing. Right. And then suddenly, you know, two planets as well.
So not only those three, it's 20 billion installations. Now I can also say on more than one planet. That's pretty awesome.
Randal: I wonder if anybody's done an SQLite extension that calls libcurl.
Daniel: I would not rule that out because it's been done on a lot of other databases at least. So yeah. Cool.
Jonathan: I'm sure there's plenty of instances of using libcurl to fetch SQLite databases.
Probably. What license is curl under? Is it, is it GPL? Is it one of the more permissive?
Daniel: It's an MIT, but, but actually, but I fiddled with it a long time ago. So it's actually not exactly an MIT. I was stupid enough. I should say, because it's not recommended. I wouldn't say that anyone should do it, but it's an MIT.
But so it's actually in the SPDX registry, it's actually its own license. It's actually listed as a curl license, but it's basically MIT with just a few words twisted.
Jonathan: Don't do that. Don't do this at home for no good
Daniel: reason at all. Exactly. Don't do that.
Jonathan: Ah, licensing, licensing will get you every time. So it's been, like we said, it's been like 16 years.
What, what's, what's changed? What is and. The highlights only, please.
Daniel: Yeah, what hasn't changed. Right, right. It seems like 2009 is, I mean, we lost our innocence and open source has exploded in every aspect possible since then. So I think pretty much everything has changed. The internet as an as an So the internet changed, open source has changed, software has changed.
And so there's not a lot of things that that's still the same as it was back then. And suddenly, I mean, curl as a project has changed and my own approach to it and my own situation has changed. So it's everything is different. And I mean, back in that 2009, that was also before we didn't even do a lot of TLS and SSL back then.
So a lot of clear text protocols that was only the days with HTTP one only. And so it was a lot of, a lot of things were much simpler internet transfers and protocols in general have really, they have become much more complicated, much more, they have evolved a lot in both in security and in complexity.
Jonathan: Yeah. So security is something that's real interesting for curl. I've, I've been following your blog and we've gotten some fun. So I, I, I handle the security beat. I'm not the only one, but I handle the security beat at Hackaday. And I've, I've written up your blog posts a few times here in the last couple of months because Curl is doing some interesting things.
You guys are now, you're a, you're a CNA, so a CVE numbering authority for the Curl project. And that sort of came about, from what I understand, because you had some people that were submitting, maybe you could say, low quality CVEs and trying to make more of them than they should have. And then there's also been a couple of interesting stories about, we suspect, you, you suspect, where AI has been involved with people trying to find CVEs.
I'd love to love to dive into this.
Daniel: Yeah. So, so first, first, the CVE side of things. So CVEs, I mean, that's, CVEs are made like this, it's a database of basically issue or bug tracker numbers, right? So anyone can pretty much request a CVE ID as a number from MITRE, who's the sort of the head organization of CVEs.
And there's really no requirements from the, I mean, they don't require anything pretty much from the reporter. They just, so I want to have a CVE ID. And if you ask for that for any product, you can just get it. It's, I mean, you can do it today for, for free. And they will just give you that CVE with no questions asked, no requirements, nothing.
And then you as a, you imagine that you have found an issue. And then when you get your CVE, you can publish that at some point later on. And, and there's really nothing in the system that puts a brake to that. So that, that just happens one day and that's how the system works. And it's completely stupid and unhinged, I would say.
So there's really no filter in this. Well, there are filters, but, but, but for the majority of people, there's no filter involved, so that just happens. And, and so then suddenly one day someone can just publish a CVE about your product and they can claim whatever because there's really no filter. Nothing involved that prevents that.
I mean, MITRE could theoretically have some technical person who would read it and complain, but they don't. And I'm. There's nothing. So the only way is that this numbering, the numbering authorities within the CVE, they have a veto right so they can deny your CVE, but only for the products that they are responsible for.
So there are a lot of those organizations that there are over 400 now. Well, and now curl is one of those. So now we can actually deny your CVE being created. If someone says we found a problem in curl and if they don't have enough details or enough proof of that, we can just say, no, it's not, go away. Try again another time.
So basically we did that to put that filter on. So now stop that. So now we cannot get those ridiculously stupid CVEs. And in the particular one, that the last one that I blogged about, was one, one user found a commit message from a few years ago when I mentioned integer overflow in the commit message. The person extracted that and, and whoa, the integer overflow, that must be bad. So it's sort of extrapolate, make a CVE, publish, score 9.8 because, you know, the sky is falling. Everything is going to burn, clearly, because it's an integer overflow in curl, but it was super stupid. It was just a delay that was sort of miscalculated. So sure, it could do completely wrong delay, but it was really completely harmless. And it was a bug, stupid one, that I fixed also years ago.
So it was sort of, yeah, it's, it should never have been a CVE in the first place. It's impossible to reject because MITRE refuses to reject it because they argue that it could be a security problem, and NVD, that sets the score, they also won't refuse, refuse it. So it's, it's in there. So that's, that's the CVE part of things.
And this is potentially a really a danger for any open source project or any project at all, because there's, as I said, there's nothing that stops this from happening again and again, and again, really, unless you have a CNA that says this product is our responsibility. And now suddenly we are the judges of if we should deem this or allow this to be a CVE or not.
So that, so now we can stop that. But then the, the, but the, the part about AI is that's a sort of a slightly different angle to everything. So, because at the same time we run a bug bounty program in curl. It's actually sponsored by the sort of the upper project called the Internet Bug Bounty, IBB. And they, they have an idea of sort of running bug bounties for internet infrastructure, open source projects. So they they've sponsored bug bounties for, I don't know, 20 different projects or something. Anyway, so we're part of that. And that means that anyone who reports a security problem to curl may then get a potentially big reward cash, big bunch of cash if they find a security problem, which I think it's a really great thing because it really makes people put in the extra effort and spend a lot of time and to research and actually find problems. But I mean, that's a good part of it. But of course, when we say, hey, we can give you a lot of money. It also attracts the people who are sure I want the money, but I might not actually understand what I'm doing. So I'm just going to run some tools.
And then, of course, people ask some questions. friendly AI to find problems in curl and use that and report those findings to us. And, and that's one of the, some of those more hilarious reports when, when, well, yeah, hallucinations is a friendly way to say it, but it's just blatant lies, right? Sort of And sometimes that's hard sometimes to, well, it's hard to say immediately that it is wrong because the AIs are also very good at English and they're very good at, you know, producing a lot of texts and, you know, you get a report that is, I don't know, very long, very detailed and how it takes time to assess, I mean, what are we talking about?
Is it true? Is it not? And in most cases when someone has said, actually found a serious problem. It can actually take a lot of time, right? Because it's the details and you have to understand things. What's the possible outcome, blah, blah, blah. So a very good crap report takes a lot of time to dismiss.
Usually, I mean, the really bad ones, they're just, you know, someone ran a scanner, found some completely bogus things. It was a mistake. I didn't understand it. They, those are the ones you can dismiss like in seconds, right? Those are easy. They're not a burden to us. We get those all the time, but the better the crap, the harder it is to throw away.
Jonathan: Do you see a, do you see a scenario or a future where AI actually becomes useful for finding real security problems?
Daniel: I'm sure that they can be useful. It's probably already useful in some senses, but I think right now, I think the ones who are using these tools are not the sharpest knives in the drawer.
So, I mean, you can, you should use it as a tool and then sort of understand the output, maybe try some further dig a little deeper, and then maybe you will find something right. Not just throw some code at a tool, see what it says. Thanks. Copy and paste that report back into us without understanding at all what it said or what it meant, or what it possibly was really, then, then that's not gonna fly for a long time.
Jonathan: Yeah. I, I think there are some companies working on this, but the, the idea there that really makes sense to me. I think there could actually be some, some use for it is an LLM that is, that is running a fuzzing scanner. And so you're actually taking the output from the AI and actually running the code.
And then you've got a test suite that will find something. And that seems like there's some potential there for actually being useful.
Daniel: Right, exactly. That that's, I mean, taking what it finds, actually throwing that back into the code to actually verify that what you found actually finds the problem for real.
That's, that's a really good way to do it. But, and of course I can imagine that you could, you know, Do something with fuzzers in general and maybe use the AI to improve the fuzzer. So sure. I'm sure AI can be used in a lot of good ways here, but I think as most things with AI right now is that you need humans involved to sort of filter a little bit and guide it and extract and, and, you know, back and forth a little bit before you actually just throw it out on someone.
Jonathan: Yeah, absolutely.
Randal: It's, it's, it's obvious that if the, if the fuzz is trying to find things that are similar to what has been bro, appear to have broken other things, LLM's gonna be pretty good at locating those kinds of things. Mm-hmm. So, because you know, really what LLM's doing is it's saying, here's a whole body of existing text. And here's a little bit of a new piece of text. Is there anything kind of in this whole body of text and sequences of things that would sort of extend this a little bit? And so, so it is the kind of thing that, that works that way. It's, it's, you know, it's, we could do a whole show on AI.
I'm sure actually dozens of shows have been done entirely on AI.
Daniel: I think that's pretty much every show since the last couple of years.
Randal: I was going to wonder how soon before AI comes into this show, actually, I was sort of taking mental bets about, is it going to be right after this question or right after that question?
And really,
Daniel: I mean, you can also get a sense that that's exactly the way you mentioned is that when we have got a single security report reported and published and everything, and that's, you can already tell that that's exactly what the humans already do. When there's been one security problem, you, you can be sure that people will investigate sort of nearby situations.
Almost that or the same thing in a different part of the code or something. So it's, it's very common that when we have one issue reported, people suddenly start to report similar things in nearby code or nearby situations. And so on. So yeah, I agree that that's exactly, and I think it's actually a pretty good way to do it.
Because then you have proven that you had one of these flaws. Maybe you have another one.
Randal: Yeah, that that definitely once you crack that egg open, you know, it's like, it's you gotta make lots of, lots of eggs from there. I get it. And I, that apparently I don't cook cause it doesn't even make sense.
Oh man. Oh man. Well, I, I'm not sure what it was before the show or whether in the show, we were talking about the use of curl pipe directly into the shell. Do you have any comments about all these ways of installing things that seem to show up that are curl piped into a root shell?
Daniel: Well, I don't do that. Well, I don't think, I don't take that, I don't take responsibility for that. I, I, I would say perhaps that sometimes I think, I mean, people have downloaded things from the internet for a very long time without verifying anything.
And people tend to sort of, yeah, and if you just, if you install a code from somewhere and you don't check it out, that's roughly the same thing. So as long as you actually trust the site that you do download this from, I would say it's not that hard, that bad. I shouldn't say that. I wouldn't encourage it still.
Randal: How is curl giving enough information to the host computer to tell whether it's being piped into a shell or just going into a file? Because it doesn't, it doesn't
Daniel: at all, but you can. I've seen people do tricks that you can actually guess if it does that or not, depending on how the shell works. So there's some timing differences, potentially.
So I've seen those that have actually done it differently so that you can do some different display in the shell than the download. So you can do really nasty tricks. That's what works most of the time.
Jonathan: By default, when you URL, it'll just spit the outputs to standard out, right?
Daniel: Yes.
Jonathan: Yeah.
Daniel: As long as it doesn't detect binary in the first hundred bytes.
Randal: So what protocols have been added in 19 years? All of them. I mean, right. Well, right.
Daniel: How many protocols
Randal: are you still, I still primarily only do HTTP and FTP, or is there some other protocols that curl now is including.
Daniel: So in 2009. We were still innocent and young, and then and then all, everything broke loose.
So we implemented pretty much every email protocol after that: IMAP, POP3, SMTP, and then we went into RTSP, RTMP and our tm, and of course all the TLS versions of those.
Randal: Mm-hmm.
Daniel: And then we went further and went into SMB, Microsoft's file transfer things. And then after that took a little longer and then we did MQTT.
We did, and then we did Gopher over TLS. And then we added WebSockets a few years ago.
Randal: Gopher, TLS. I love it. Gopher over TLS. It's the two ends of the internet spectrum of time. It's kind of,
Daniel: yeah. And you know, this, those enthusiasts are still Gopher users. And apparently some of them are even Gopher over TLS users.
No. And those three people, they contacted us about it.
Randal: And they're just shipping files to each other.
Jonathan: That's incredible. So like HTTP 3 and QUIC, have those been added? Stuff like that? Yeah. Yeah. Yeah. The real, the real new shiny stuff.
Daniel: Yes. So HTTP is of course one of the primary protocols for curl, and we added HTTP two in, so we shipped that already when the standard came, the standard came in 2015, and then we added HTTP three support early on. So we had HTTP three already in 2019, I think we started having that. And we've been shipping HTTP three since. And nowadays we have, as we do with, with all the, we support a lot of different TLS libraries for TLS, and we support a lot of different QUIC and HTTP 3 libraries for HTTP 3.
The situation is really complicated for HTTP 3 because of the weird situation for APIs and the components involved to actually do QUIC and HTTP 3. So it's, it's a little bit of a messy state there. So when I say, yeah, we support it, it's still the fact that in most places where you install curl, it won't be enabled because of situations in the surrounding support libraries.
Randal: So you just mentioned IMAP. I didn't realize that I could actually go fetch some email with my curl.
Daniel: Now you can fetch email and you can even upload email with IMAP.
Randal: Wow. Okay. Cause I'm actually trying to diagnose some problems with my current mail server. And I've been trying to, like, type there all the right, you know, Dart commands and stuff to get that to happen.
But it sounds like I might pop curl out. And so that must mean the curl dash dash help command is now what? How long? Super long.
Daniel: We have, actually, the other day we added the 266th command line option. Wow. I'm not sure that's a good thing.
Randal: With all those protocols, how do you test all that? Do you have like a, a extensive test suite that's able to simulate both ends of the conversation and curl complaint? Yeah, well. In the middle
Daniel: or whatever?
We, yeah, we have custom servers written for every protocol pretty much. So yes, and so we test against our own test servers and we have unit tests and we have tests. So yeah, we do a lot of tests and of course, fuzzing and scanning and everything. Wow. So when you, you know, when you have your code in 20 billion installations, you want it to be at least decent.
Randal: Yeah, you definitely want it. You definitely don't want to show up on this top CVE list at all. And I mean, now that you can control that, you can say, Oh no, that's not a bug. But, but I mean, you don't have any bugs anymore. Yeah. Right. Gone. It's all, it's all gone. So so a lot of times I'm typing curl and I get like halfway through the command.
Then I go, I don't know what the switch is. And so I've, I think if you just type like dash dash help in the middle of the command line, will it sort of take what's already there to kind of give a hint about what the rest of the man page to show or not?
Daniel: Well, there are a lot of these command line completion scripts.
So
Randal: yeah,
Daniel: if, so for, for a lot of shells, you can just have those completion scripts and then it can complete all those command line options. And since a while back, I also offer a, so you can do curl dash H and then do the, so you can get a help for that particular switch and get a huge chunk of the man page output in the terminal.
Randal: That's what I was looking for. So there is a way to not have to read the 10,000 line version every time.
Daniel: Exactly. So you can get the help for just a particular option you want to do.
Randal: Oh, cool. Cool. So I would ask for curl help for IMAP or whatever. So to try to understand those protocols. Cool. That way it makes sense.
Jonathan: So David in the chat room he has a metaphor here that he thinks maybe helps us understand. He says, is curl to data transfer what OpenSSH is to encryption?
Daniel: Yeah, a little bit like that. So we've tried to, or I tried to narrow what, what, So, so the question then of course comes what, what is, what is included in cURL and what isn't included in cURL, right?
What, what, what's ever is subject to be supported and what's not supported. But as long as we have a URL format for protocol and it's related to upload, download, then I think it's, it's fine, fair game for curl to support it. But now I think there aren't that many more protocols we can add support for it.
Jonathan: Somebody will come along. It's an, it's inevitable. Like how often, how often does that happen that you get a support request that somebody goes, this obscure protocol that I care about, it would be great if it was added to Curl, like that's going to happen. A lot? Weekly? Monthly? Yearly?
Daniel: Yeah, well most of the requests are not as a pull request and then most of them will be someone just asking for hey Why don't we support some weird protocol?
Or something strange, because in many cases people, they found, find themselves in a situation when they already have curl, right, and then they just want this little extra thing as well. So why doesn't curl do that as well? Because that would be really easy for them because then they could just use curl for everything.
But that's not how we work, right? So we cannot just add support for everything just because of that. So that happens regularly. And, and then of course, I mean, it's not always that easy to just add support for another protocol either. So yes, we also get the occasional pull request that just, you know, here's a new protocol someone made and, and it just never actually materializes because the one who actually wants that to happen doesn't really have the energy and effort or energy or time and whatever to actually make it happen all the way.
Jonathan: Yeah. So speaking about these requests, one of the, one of the things you mentioned in the in the show notes when we were prepping beforehand was you occasionally get crazy emails. And I went and I looked at a couple of these and I I too, not emails usually, but I get support requests for various things like that.
And it's, it's, Okay, set the stage for us. What are the crazy emails that you get?
Daniel: Well, I could set the stage by going back to the, so, curl, runs into a lot of places, right? And it is an MIT license and in the curl license, it actually says copyright Daniel Stenberg, blah, blah. And my email address. And that is, I think that is the key here.
And because not a lot of other licenses have email addresses in them. So, so anyway, so fast forward. So when the person sits there in his car and, you know, I want to enter my GPS position in my map and I can't figure out how it works. I need to contact someone and you know, and then how does that person find someone to contact?
I, I guess in some cases they find some kind of open source license screen, you know, scroll through this needs to be an email address somewhere. Oh, there's a guy. I'm going to email that guy and send him some questions. I mean, that's my guess how this is happening because I get so many car questions that it's ridiculous because why, why would I get car questions?
Jonathan: Oh, jeez. That's, that's hilarious. Okay, I, I, I had not, I did not realize it was going to take that direction because I, I am used to getting, I am used to, bless them, I'm used to getting dumb questions, or, or really poorly thought out questions, or sometimes even questions where someone's native language is not English.
I'm trying to have a little bit more grace with those. I get, I get dumb questions all the time. But that's, that's a special kind of special.
Daniel: Yeah, but my, my questions, they're beyond, they're not really dumb. They're just completely out of my league, right? They're just, you know, someone asking about their account on some weird service because they found my name in a game they're playing, right?
And I had no idea. I didn't even know that it was a game or that my code existed in the game in the first place. You know, so I'm so far away from whatever they are talking about. So that's quite impossible for me to do anything except, you know, giggling and putting it up and say, here's another funny email.
Jonathan: Do you respond to these, these email them back and say, I'm sorry, I can't help you.
Daniel: I used to do that, but, but I realized over time that it was just, it was just, it actually turned, I mean, it was, I gave the opposite effect many times that they just think that I'm ducking the question, avoiding it and being rude by not answering it really.
So, so they, they just get upset with me and sort of, no, no, no, shut up. Help me instead of, you know, avoiding the question when I think it's really fun as this, I have this, among those emails, one of the, that woman from emailed me about her Instagram account getting hacked, right? Why do you email me about your Instagram account?
I have no idea what you're talking about. And then she sent me a screenshot from Instagram. Look, your name is in there. Cool. So she did not think that was cool, you know,
but I of course had no idea that my name was in that app. And so, and that's kind of, it's just impossible for me to. help them with their question, actually, because I'm not involved in that. I don't know what they're talking about. I don't have any contacts. It's not my thing to answer.
Jonathan: You mean you didn't put a backdoor in libcurl so that you can just go in and solve all these problems for people?
Randal: You can't tell us that. You can't put them on the spot like that there, Jonathan.
Jonathan: So that actually, that actually raises an interesting, an interesting thought. With, with libcurl being as big as it is. Have you, have you, have you had any contributors that you think are trying to, to Jian, Jian Tei, John, John T, whatever, the, the, the, the, the random Chinese, yeah, the random Chinese name that tried to get the back, that managed to get the backdoor into XZ.
Have you seen anything that matches that sort of a, that sort of a pattern?
Daniel: No, never. I've never even seen an attempt like that. And that's also the, that also made me more impressed by that attack because it was so brilliantly performed in so many ways. But no, I've never seen that attempt, or maybe I've just been naive enough to not understand or dismissed it early enough so that it never materialized.
Or maybe it hasn't happened yet. And, you know, one of the main trainers I already have. relationship with is actually JR 10, right? So,
Randal: Or maybe it has happened and, Or maybe it has happened. Yeah. There's
Daniel: so many
Randal: dimensions. And we just haven't found it yet.
Jonathan: That's, that's the terrifying one, Randall.
Randal: Yeah.
Sorry. That's what I'm good at. Yes. Yeah.
Daniel: But no, I think, I, I mean, it's so, so, really, really difficult to actually perform that kind of attack. I mean, not even that guy managed that attack, right? So even though it's so excellently well performed, it failed anyway. So I think there are much better ways to invest all that money and time to actually exploit real issues that we have landed anyway.
Yeah. Those are my probably The better way to attack a current situation
Randal: in the last recent times who's contributed most of the patches? Is that, are you mostly still the primary author or are you have a lot of it delegated out now and you're just taking pull requests? How does this, how does it keep getting moved forward?
I
Daniel: think this there's a lot of contributors the other day, I think we are over 1300 Authors and commit authors over time But of course, it's a narrow as a much smaller subset of people that are actually contributing a lot I still do a lot, but there are a bunch of other maintainers who do a significant portions of the commits these days So maybe 10, 20 people that are actually contributing frequently.
Randal: How well has the design held up over all these years? Do you think if you started over, would you redesign it in a different architecture?
Daniel: It has held up surprisingly well, which I think is Part of the explanation why we have succeeded so well, because we haven't had to, you know, rip it apart and do it all over and change the APIs and everything.
So I blogged about it the other day when we celebrated our 18th year of not breaking the
Randal: API.
Daniel: So I think that is an explanation why everyone can still keep using libcurl, right? Because they haven't had to change their applications for 18 years. They can just upgrade to the latest libcurl and everything keeps working.
So in that sense, we have actually succeeded. Excellently well in, in sort of separating the app from the internals of the library. But then of course, we have a few things that I sort of have regretted over the years. We should not have done that, but now we're stuck with it because we won't break the ABI.
So we have to support this until the end of time, right?
Jonathan: I mean, I've written C and C or C one of the other code against libcurl. And it was decidedly not terrible. Which is much more than I can say about some libraries that I've worked with.
Daniel: No, I think it actually is pretty good in many aspects. Then it becomes a little bit hard to use sometimes because you have so many options and so many ways to use it.
Could sort of, you can get lost in among all this.
Randal: It's good to hear that you haven't done much architecture change. Cause I know that I get a lot of questions from people who want like the perfect architecture for their Dart application. And it's like, you really don't know until you get a ways into it.
Right. But I think, I think we,
Daniel: I think we have done architectural changes within, I mean, limited, but we have still supported the same external API, but we have refactored the internals several times, but we've, we've sort of with a little bit of skill and a little bit of luck, we managed to do a fairly good API that I abstracted a lot of internals good enough so that we can, could actually remodel things.
So we could introduce things, for example you know, when, when HTTP2 was introduced back in 2015, right? So suddenly, that was really one of the first protocols that suddenly it was not a single request for a single connection, right? Then suddenly you could do multiple requests over the same connection.
That's a completely different paradigm. So, and by, but by pure luck, really, we had an API that really was agnostic to that. So we could just Transition into that world without breaking the API, we could just add an option and suddenly we could do that. And that was, of course, I mean, we couldn't have foreseen that like 15 years before it was just.
Yeah, we just decided on that API and it happened to work that way when we transitioned how we do protocols. I mean, it's not unlikely or I mean in the future, maybe we can come up with something else that will not be possible with existing existing API because some new thing is not possible to do with this old API.
Jonathan: When, when did the dual API come about because in libcurl you've got libcurl easy and libcurl multi, and so easy. The libcurl easy. You can, you could be grabbing files in just literally like four or five lines of C code. It is like, it says on the tin, it's easy, and then if you wanna do something more complicated, you've got the multi what the, what you guys call the multi interface.
What did that come about? Was that from the beginning?
Daniel: No, well, from the beginning I had the idea of making layers of APIs sort of provide something that would be easy to use to just get the file or get the transfer done when you don't need to do anything fancy, sort of quote unquote fancy. And, but but then I wanted to also have a way to do more than one transfer in parallel.
I struggled a bit to, to do that, figure out how to do that in the API. And then I came up with this solution so that we sort of build the same API into the other API in, so to speak, so that you can just build a lot of transfers and make sure that all of those transfers happen in parallel instead of serially.
So it wasn't really, Sort of from the beginning, but we had this sort of the foundation for the beginning and then we sort of worked it out over the years.
Jonathan: Yeah So we've talked about the the maintainer burden and like how you're still very involved with it does does libcurl pay your rent? Is this how you feed your family?
Have you, have you managed to turn libcurl into a career?
Daniel: Yes. So in, since 2019, I do curl full time now. Yeah, that's great. And yes, so that's, this is the only thing I do. So now I have paying customers, paying to get the code for free.
Jonathan: Yay. How do you, how do you make that transition? Like there are, there are a multitude of programs, open source programs in the world that just, they would love to make, to turn that corner.
What, what does that process look like? How did, how did you, how did you get to that point?
Daniel: It's a really tough Well, yeah, that helps. Yeah, but still, I still struggle with sort of that exact step, right? How do you go from not doing it as a work at all until sort of do that only? Or even doing gradually, that might be even harder, right?
So how do we actually do that? Turn that from not having it as a job and having it as a job. And for me, it was I was in a fortunate position because I had friends who worked then at wolfSSL and they believed in this as a business concept. So I sort of, I just moved my product into their library pretty much and say, now we sell support under this umbrella.
You pay me my salary from day one and we start selling this and they believed in it and we could do it this way. So I think that was a great way for me to. Kickstart the business and also have a get an infrastructure for the support and for contracts and stuff like that already from day one.
Jonathan: Yeah, that's great.
So is that still the case? If somebody needs some sort of support for for curl, do they go through wolfSSL?
Daniel: Yes, they still handle the business. They signed the contracts and I do. I do pretty much all the support. Well, I have a few others that could do. You know, the basic ask the follow up questions, which version have you tried to blah, blah, blah.
But then otherwise it's pretty much me
Jonathan: Does that does that keep you busy? All right Are you just running around like a chicken with your head cut off trying to keep up with that or is it manageable?
Daniel: It is it's quite manageable. It's actually it's actually pretty good Pretty neat situation, I think. For me, all of this has just turned into sort of landing, landing the dream job, really, because now I work full time on my spare time projects.
And most of the time I'm not occupied by projects. Customer support cases. Most of the time I can pretty much decide myself what I want to spend my time on. And that means, you know, working on much code, reviewing, writing new stuff, whatever you want. Whatever you think is the project needs right now.
Randal: Is this do you have a big community?
Do you have like, like live curl meetups and stuff and annual conferences?
Daniel: We have an annual conference. I wouldn't call it big. But we can we can gather maybe 25 people in a room. All right. All right. But it's an awesome conference. Just curl stuff for two days. Yes.
Randal: Wow. That's great. That's great. Do you have like a, you have like mailing lists and like maybe a discord or something?
Daniel: We have a mailing list. We have IRC channel on of course a lot of things on GitHub.
Randal: Yeah.
Daniel: So yeah, we have a pretty active community of people. It's happening a lot of things. So, I mean we're doing a release tomorrow, actually November six. And in this, we have, we have a eight week release cadence.
So we do new releases every eight weeks sort of on the clock pretty much. And tomorrow we ship 260 bug fixes and five changes. So there's a lot of things happening. Even though we've been around for 28 years and everything seems to be the same.
Jonathan: Do you have problems with distros and distros in particular, but I guess this will be true for a lot of things.
Shipping super, super old versions of curl and libcurl.
Daniel: Yes. Period. Of course. I, I, I don't know. I, I, I sometimes I feel like I'm, I'm even more of, I don't know, hurt or affected by this than others, because for some reason people like to get stuck on really, really old versions of curl. And I think sometimes the distros are not the worst offenders here or people using old outdated end of life versions of distros.
But even a lot of these device manufacturers, they, you know, they got that libcurl install 12 years ago and they installed it in a device and it runs there, you know, and now suddenly they want to upgrade So sometimes we see that oh i'm upgrading from blah blah blah and now this doesn't work anymore And you know, and then you can see that.
Okay They have not touched this in a decade or so and things have changed. Yeah
Jonathan: well, I mean, I think I think a big part of that is SDKs honestly is what I blame SDKs for pieces for for hardware are terrible Pretty much across the board. You have ancient kernels that'll get shipped as part of the SDK.
All of the support infrastructure around it is terrible. It'll, a lot of times it'll have weird, you know, custom code bolted onto it that's terrible. And so you have people that, you know, they get, it's like, oh, here's this new chip to build a router out of. And it's got Ethernet built into it. It's got Wi-Fi built into it.
Oh, and here's the SDK from 2006. I guess we're shipping the 2.6 kernel with it then, huh?
Daniel: I agree, but I think it's also sometimes we have had a culture when people have allowed this to happen. So the device manufacturer, they don't want to upgrade because upgrading is a sort of, yeah, it might break, it might be work, you know, it could just stick to the old thing and it seems to work and we can be fine with that and earning sort of just, you know, Earned some more money on these devices and just avoid it.
So I think it's a little bit of that too, because in some cases it's clearly, they could have upgraded a long time ago, but somehow they decided not to.
Jonathan: Yeah. Have, have you guys felt any impact yet? Or do you anticipate any impact from some of the legislation around this that's happening, both the United States and Europe where, you know, they're, they're trying to put some of the onus back onto.
The people writing the software to, to make sure bugs are fixed and insecure. Yeah.
Daniel: There's a lot of talk about that. Yeah. The CRA, for example, in, in, in the EU. And so, yeah, I'm, I'm sort of looking forward to see where that goes and how that could possibly be converted into an opportunity rather than a problem.
Punishment for me or for us, right? So, so for example, I want to be the one who guarantees my functionality. I don't want to have any middleman on top of me saying that I'm going to guarantee functionality on these things. Just because it could actually be a, you know, a business opportunity, right? If a lot of companies say they ship products with curl in and they need to guarantee that there's a functionality.
Sure. I want to be the one who guarantees that functionality, because I think I can do that, but I don't know how that will play out.
Jonathan: Yeah. You know, I've, I've, I've heard people tell stories about, you know, open source developers, and they'll get a request from some business that, you know, they have no relationship with and like, Oh, we've got to have this and this and this to be able to put our SBOM together.
And, you know, the open source guys are complaining about this. And my take has always been, tell them your hourly rate. Yes, I will be glad to help you with this. This is my hourly rate. Let's make it happen. And sometimes open source devs are terrible about that.
Daniel: Yeah. But That's has actually been my response for the last few years, but the, the typical action from the other end tends to be silence
So it's, it's easier said than done well, but, but it, it might change then with legislation. Oh, sure. So it might. Actually go in the right direction going
Jonathan: forward. The golden part of that silence is that's one less support request that you have to deal with. It at least doesn't waste your time having to fiddle with
Daniel: it.
Exactly. So at least I don't bother to actually respond in a very long and elaborate way. I can just say, sure, I can respond if we just get a support contract first.
Jonathan: Yeah, absolutely. In some ways, I'm gonna, I'm gonna wax philosophical here for a moment. I
Daniel: just wanted to insert a little bit about that, that exact thing, because a few years ago I got several questions from NASA about exactly that.
You know, I got three emails from different departments at NASA asking me questions about, you know, who's writing this and where are you from? Is any contribution from one of these five, seven banned Chinese companies or something?
Randal: I don't
Daniel: know. You know, I have no ideas from on, from which companies people are working on it, you know, blah, blah, blah.
But so I got a little bit annoyed by all those questions from NASA and I blogged about it, right? Look at all these silly questions from NASA. Ha ha. And then I moved on, of course, because they didn't answer my, I asked them, well, fun. You're using my code. You can tell me about what are you using curl for?
They didn't, they didn't want to answer that. They say we're using it to further blah, blah, blah. It was just some nonsense. Anyway, I forgot about it, but I think it was last year or the year before that a NASA guy appeared on did a presentation at FOSDEM in Brussels. I talked about their use of open source and what do you know they showed my blog post in his presentation.
At least, you know, it was read. You had an impact. Exactly. At least someone got it. I don't know if it actually had an effect, but it actually appeared on the slide anyway.
Jonathan: Yeah. So I was, I was going to point out that I think open source kind of needs to have this growing up moment where we become more willing to Ask businesses to financially support what we're doing.
And I'm, I'm just, I've got to say I am tickled pink. I am delighted that you have made this work and you've, you've actually turned it into a career and it's taken care of you. I think that is, I think that is awesome. Yeah. One of the, one of the things that recently has been in the news, I've done some writing about it and talking about it is and, and, you mentioned this question from NASA, this is what brings it to mind, the kernel has had to do some reshuffling of maintainers because of U.S. laws and executive orders and, and geopolitics coming in and messing up everybody's open source fun.
I don't, I don't want to dive into like the geopolitics of that. That's not what the show is about, but I do want to ask, is that, is that something that's had an impact on on your work as well?
Have you felt that?
Daniel: I have not I, I guess I don't have any prominent contributor from any of those countries. I think, I mean, how would I know, but not that I have detected anyway. So no one has said anything and I have no one has remarked it. So it hasn't happened, but I actually, I have actually had the reverse because I have right now a support customer who actually dropped, he had to, they actually used a Russian tool as a replacement as, I mean, as current alternative.
Hmm, which one, which they can't pay for anymore because the author is actually Russian. So they can't pay him. So actually, in that case, you
Jonathan: picked up a company.
Daniel: So it's weird. I mean, yeah, I didn't select that. It just happened.
Randal: To Jonathan's point, I think also the you may not be subject to the U.S. restrictions. And so you know, exactly not the U.S.
Daniel: restriction. I could be subject to EU restrictions because we have a lot of Russian similar restrictions here. So I couldn't do business with a lot of Russian businesses, for example. Yeah.
Jonathan: Yeah.
Daniel: Wow.
Jonathan: So I managed to not ask about it and I meant to ask about it.
You've got something new coming that's kind of related to this support contract thing. A like a long term release, an LTS version of curl.
Daniel: Yeah. So, so I've had this actually debated that question back and forth for a long time, because we're in curl, as I mentioned, we all, We don't break the API, right?
So we keep supporting the old API all the time. So it should just be a question of upgrading to the latest. And that's what we always support in the open source project. We support the latest version. But over time, I've just come to realize that companies are still scared of that jump, even though we say that everything is safe.
And that's one of the reasons why right back again to why people get stuck on old versions. It's safe to just get stuck on an old version because then you don't have to risk getting something bad when you upgrade. So now we're finally going to bite that bullet and start offering a proper long term support version so we will get stuck in time.
Randal: Yeah.
Daniel: Or offer a version stuck a little bit in time at least but still patch it with security fixes and Important stability fixes really, and try to support that in a little bit style, the style similar to how distros do it already. And a little bit try to get some of their business back to us.
Jonathan: Yeah.
This is something that, that you've had requests for, I assume, like, you know, there's a market there for doing this.
Daniel: Yes, I, I assume there is one because I've had questions and I think there is so it's a little bit about testing the waters too. And it's not, at least in the beginning, it's, it's not that hard.
I mean, the support job grows over time, right? Because it's going to be harder and harder to backport stuff and maintain. Code the older it gets so it's a little bit of a Experiment here and testing to see how How interested companies and customers actually are in this but I have faith.
Jonathan: Yeah, i'm sure there will be some interest because you would hope at least that some of these people Places that are using these old versions of curl are doing some of this internally Watching for very severe CVEs and doing fixes.
Daniel: Exactly. So, so, so that's what I'm hoping for here. I want to aim this at these companies that are already doing stuff like this, or they want stuff like this. And you know, they're concerned about their product services and they're already having some support businesses involved for, for, I mean, obviously commercial companies are this directed to.
Commercial businesses.
Jonathan: How, how long, how long are you planning to do support? Like how old of a, how old of a kernel of a curl libcurl install. Do you think you'll backport patches to
Daniel: I've said five years now. And it's, you know, right now it's just putting the finger in there and say, how long do I actually need it to be?
Maybe five. I haven't actually no idea really how long it actually needs to be. So I say five now, maybe I need to. Adjust that as we go and I think As also as it gets more work as older as it gets I also think it gets more valuable to the customers the older it gets so I guess it's also that's also maybe an opportunity to Get more customers for the older ones the longer the support term is but I I don't know Yes, that's the easy answer.
Jonathan: Yeah, I used to think that five years was a Almost eternity for technology. And then I started a business and ran on that for a while. And the next thing, you know, I've got servers that have been installed for five or six years and have almost five years of uptime in a couple of instances. And
Daniel: yeah, I have a customer right now.
They offer their customers 13 years of API stability, 13. So they want that stability from me. So I already have that support burden sort of implied. So. I have already, you know, this set up that we don't break the API anyway. So in theory, it should be possible.
Jonathan: Yeah. We'll see. Yeah. It's
Daniel: a, it's an adventure.
We'll see. We'll
Jonathan: have to, we'll have to bring you back in five years and ask how that went.
Daniel: So see if there's any tears or joy.
Jonathan: Yeah, for sure. Randall, is there anything you wanted to get in before we, we start the wrap?
Randal: No, I was trying to think of anything else that we really haven't covered, but we've kind of covered the whole thing.
I, I think I guess the only last question is sort of a historical question. When you started all this, did you figure it would get this far?
Daniel: Oh, absolutely not.
And it is actually kind of ridiculous, right? Because I started with something that was just such a tiny little piece of toy thing, and it now has, I mean, I actually, you know, I've gone back and looked at the first code that I've actually started working with. That was 160 lines. And now it's actually more than, A thousand times more code, right?
So that's actually, it's now approaching 180 K from 160 lines. So it's the, the growth is, it's, it's amazing. No, I had no idea when we started, where we were going, what I wanted, what would happen.
Randal: I can imagine it must be similar to what, how Linus felt about. Minix when he first released it, like who knew that it would grow into like a universal world industry, you know,
Daniel: exactly.
It's just a simple little thing. Sure. We can have some fun with it.
Randal: A little kernel running on this processor. Who cares? It'll
Jonathan: never be big and important like a GNU's kernel. Right. Exactly. Yeah. Alright. There are a couple things you mentioned in your notes here that we did not get to. And I wanna give you just a quick chance to to plug what these are.
You, you mentioned earlier, and I honestly don't know what it is, wcurl. And then I also see, twirl? T R U R L. I'm not sure how one pronounces that. No. It's quite
Daniel: impossible to pronounce. But I, I, so I like to pronounce it True rel, with an extra E there at the end. So True rel is actually a new tool that I, that we started last year.
It's actually a tool for The tr is actually for the tr command as in transpose, translate as for, and for URL. So transpose, translate URLs, basically parse and manipulate URLs on the command line. Pretty much when you write a script somehow and you'll need to, you know, extract the host name from the URL or add something to the path or add a query part to the URL.
That's really tricky when you do that in the shell script because manipulating URLs is really tricky. It's next to impossible to do in a shell script. And well, you can regex it somehow, or you can mess it up.
Jonathan: I was just thinking it's a replacement for using Perl with regex.
Daniel: It is. And, and, and that also goes back to this.
There's been several papers over the years, how there's a common security problem when you mix and match URL parsers pretty much use one URL parser to do one thing and you pass on the result or you And they get some results
Jonathan: slightly differently Exactly
Daniel: because URLs are a messy, sorry thing that we should talk too much about because I'm, ah, it's, it's, it's terrible in every aspect.
So anyway, so there's just impossible for two parsers to parse a URL the same way. So you, so, so basically, this is a way to, if you're going to use curl anyway, and you want to manipulate and work with URLs, it's a pretty convenient way to just do that.
Jonathan: So trurl uses the exact same parser code that curl uses.
Daniel: Exactly. So it's based on the exact same URL parser. So it's just a small command line tool for manipulating and fiddling with URLs.
Jonathan: And then what is wcurl?
Daniel: So wcurl, back to the, what's the difference with wget? So one of the most questions, so now people are going to giggle and tell me that the only reason, or the reason I use wget is because then you can type wget.
And apparently you can do that with your left hand only on a QWERTY keyboard. That's, that's apparently a benefit. But anyway, and then you can type a URL. So you can type wget and a URL and it will download it. And you know, you don't have to remember any options at all. It'll just do that magically. And with curl, you actually have to remember some option, capital O.
But people don't do that. So, so someone then introduced the wcurl. Program is actually the replacement for wget because you can type wcurl and the URL or many URLs actually, and it'll download that URL to file on disk. So basically the wget version of curl.
Jonathan: Yeah, if you wanted to really have fun with it, you could, you could just add a little bit of code in curl that looks for the binary name that it was called with.
And if it's called as wcurl just imply the dash capital O and the people could just make their own symlink and get it free.
Daniel: Yes, that's one way to do it That has also been debated Of course
Jonathan: Of course, i'm not the only one that thinks about but
Daniel: w curl is then only just now It's just a shell script anyway, so it's just a shell script that invokes curl with the right the right way Yeah makes sense Is
Jonathan: is there anything that we didn't ask you about that we should have that we that we neglected to cover?
You
Daniel: Not that I can think of. We covered a lot of area here. We did. We did. I think we're good.
Jonathan: Yeah. Okay. So I've got to ask. I don't know if we were doing this. Randall, do you think we were asking the two questions way back then? I
Randal: invented
Jonathan: the two
Randal: questions.
Jonathan: So,
Randal: yes.
Daniel: And we can, if it's the same questions, we can compare with 2009.
Jonathan: Yes.
Daniel: Yes. Yeah.
Jonathan: So, favorite, favorite text editor and shell script?
Daniel: Well, text editor is still Emacs as it was in 2009. I'm pretty sure that's not going to change.
Jonathan: It's amazing how many people are like, yeah, it used to be VI or Emacs back in the day, but I use VS code a lot now. Yeah, we don't like that. No, I used to be, I used to be as good a lot now too.
I,
Daniel: well, I can see Randall is on my side here
Jonathan: in shell script,
Daniel: shell script. Yeah. When it
Jonathan: comes
Daniel: to scripting, I tend to default to Perl actually. I'm one of those old, old people who still do that.
Jonathan: You're two for two, Randall.
Daniel: Yeah, so yeah, exactly. And I'm pretty sure I said the same things in 2009. Pretty much you could imagine that not a lot of things, you know, I'm writing code in C still too, so my life is pretty the same.
Anyway, you know, I type make in terminals. I use Emacs. Yeah. 16 years later here I am doing the same things.
Jonathan: And you just have more cores and more memory and more hard drive space to do it with now.
Daniel: Exactly. So, yeah, that's true. That's true.
Jonathan: That's and a lot
Daniel: more code to handle too.
Jonathan: Yeah. Yeah. Yeah.
Alright, Daniel Stenberg, thank you so much for being here. This has been a blast and we, we sure appreciate it. It's been really good to catch back.
Daniel: It was fun.
Jonathan: Yeah. Alright Randall, what
Randal: what do you think? He may have more disk space, but I bet he has the same percentage free. Oh, it's sad, but true.
I have seen this as a constant over the decades now. It's sad, but true. It's, it's somehow, for some reason, it always ends up being about 80, 85 percent free. Full no matter how many outside discs you bought and how many things you've wired up. It's always 85 percent full They should maybe they just ship them that way.
I don't know. Maybe that's Maybe I'm not actually getting empty discs. I'm only getting discs that have some a bunch of stuff already on them. But yeah But no, no, that's, that's, that's guaranteed. And just to, just to update. Yes, I do use VS Code primarily. Now I do fire up Emacs occasionally. I'm still happy that there's a little bit of me in every copy of GNU Emacs that goes out.
Cause I wrote the project for GNU Emacs from many, many decades ago. It now seems, and I do have Perl scripts doing backend work for me, but I don't actually, I don't think I've written a line of Perl and probably I don't know, a couple of months, six months, something like that. So it's all been Dart and Flutter because it's my new.
Claim to fame on you operation stuff. So about our guest, let's get back to that. Not just me. So, so it's, it's again, this is and I, and I sort of mentioned it in the show, it's like, it's, it's this fascinating thing where you invent something small and useful, and then you share it with people and they also find it useful and it grows sort of organically on its own.
It wasn't like either Linus or... or that guy, the other guy, Stallman. No, no, no. Our guest, Daniel, Daniel, see it's the D words. I kept thinking David in my head now. So that's really messed up. It's cause I, just before I was on this show, I watched something with Larry David in it and it just, it just messed up my brain.
So, so so these guys, they start out, you know, not knowing that what they're going to do is eventually going to have such a huge impact. And, and I'm, I'm happy that we live in a world where that can happen and that... And, and, and yes, to give, to give some credit to Stallman, the idea of fighting for free software, which became the fight for open source software, which is less restrictive, which became an opportunity for us to do what we're doing and, and for the world to be expanding and building upon each other's work, at least at the, the software engineering level. So
Jonathan: yeah,
Randal: yeah, it's, it's, it's really good. And it's, it sounds like he's had a great time with the project too. He's still with it. So that's that means he's, it's probably going to stick around for a while. And he's probably gonna stick around for a while around it, which is good.
Have being a BDFL, you kind of have to do that, but, but you know, he could have abandoned it a long time ago, or at least having some fun. Making changes to it and fixing things and adding new features. I didn't realize they could do IMAP. Cause like I said, I needed to F I need to diagnose some problems with my IMAP servers.
So I was trying to do it the hard way, watching stuff on, you know, typing the right things with socat and things like that, trying to get that working. socat can kind of get you there, but not the same way as having the whole protocol. Yeah.
Jonathan: I'm, I'm just, I'm so delighted that he's able to make a career out of it and he's, he's not, it's not killing him.
And he's actually able to make some money from it. And I just, I think that's, I think that's great. I wish, I wish more of our foundational tools, we had that sort of success story. Because we don't for all of them. Right? There's, there's some of them where somebody has been, you know, just maintaining it thanklessly and not getting paid for it for 20 years.
And I like these, I like these a lot better.
Randal: Well, like, like when we talked to the NTP guy who had basically been managing single handedly the project for, for years, you know and getting an occasional grant here and there to take care of that, but
Jonathan: yeah,
Randal: yeah. So there's definitely that.
Jonathan: Yeah. And then there's, there's even things that are super important that like nobody's even heard of, like the terminfo files.
Right? Like how many people across the world do you think know how to write a terminfo file? You could probably count them on one hand. Those things are obscure and ancient and super important.
Randal: And then we have entire projects dedicated to things like TZData, you know, which are critical to everybody. Yep.
And nobody knows it's a handful of guys on a mailing list that... that you have to listen to crazy requests from governments to say, can you change the DST time next to next week? We can, and nobody will have it working for six months. It's just the way it is. Crazy stuff. Yep. Yep.
Jonathan: All right. Anything you want to plug, Randal?
Randal: Just that I have been doing a lot of online presence to deal with Dart and Flutter. If you're interested in all that stuff, you'll probably already know how to find me, but I'm on all the major places. flutter.dev slash community will lead you to the places that I hang out at and I patrol on a regular basis.
I'm also appearing at conferences and doing virtual talks. I am doing a talk coming up in March. The middle of December, if you're a Perl person, you already know about the Perl Advent calendar. Well, the Perl Advent calendar has been going for like 15 years now, I think. So as a special celebration, I've got like December 19th or 18th.
One of those days right in there is going to be me doing a live presentation of My half life with Perl or half my life with Perl. I was going to switch the two around to kind of make it funny. Half my life with Perl where, and I gave this talk about 12 years ago at OSCON, but at that point I was 50, Perl was 25 and I was able to talk about the relationship between me and Perl and my company and the people around me and what is it, what does it meant to me, what does it meant to the world?
Because Perl at that point had already had a significant impact on creating the .com boom and everything like that. So I have this talk that's about a, about a one hour talk that talks a lot about, about to some people behind the scenes history that you've never heard before. To kind of talk about how that all kept interrelating for those 25 years.
So I'm giving a version of that talk not updated for current because I haven't done much Perl since then, but at least it will be accurate as of the, the talk I gave 12 years ago. So, yeah, yeah,
Jonathan: cool. All right. I appreciate you being here, man.
Randal: Yeah. Thanks for inviting me again.
Jonathan: Yeah. All right.
Let me hit the right button here. That button. Okay. So the things I want to plug, of course, is you can get my security column at Hackaday. It goes live every Friday. And then of course we appreciate Hackaday being the home of Floss Weekly. And the show tapes on Tuesdays and goes live on Wednesdays.
And then the other thing that I'll plug is the Untitled Linux show over at Twit. And that is live every Saturday afternoon, we have a whole lot of fun with that as well, and you should check it out if you can. So to everyone that caught us live, and those that get us on the download, we appreciate it, and we will see you next week on Floss Weekly.