Utility began as a personal project, found its way into billions of devices:
Daniel Stenberg has observed the 25th anniversary of the curl open source project with the publication of curl 8.0.0, the 215th release of the command line tool, and a modest tele-celebration.
The name curl, originally rendered as "cURL" to emphasize its function, stands for "Client for URLs" or "Client URL Request Library" or its recursive form, "curl URL Request Library."
It's a command line tool and library for transferring data with URLs. Once installed on a device with command line access, curl can be used, through a text command, to send or fetch data to and from a server using a variety of network protocols.
Any developer who is serious about writing code that interacts over a network has probably used curl, or does so regularly. Presently, billions of devices rely on curl – cars, mobile phones, set top boxes, routers, and other such items use it internally for data transfer.
"The curl project started out very humbly as a small renamed URL transfer tool that almost nobody knew about for the first few years," said Stenberg in a blog post. "It scratched a personal itch of mine."
The first version of curl debuted on March 20, 1998 as version 4.0. It had 2,200 lines of code and had been adapted from projects known as httpget and urlget. As Stenberg explained, curl 4.0 supported just three protocols, HTTP, GOPHER and FTP, and 24 command line options. Version 8.0.0 can handle 28 protocols and 249 command line options.
"The first release of curl was not that special event since I had been shipping httpget and urlget releases for over a year already, so while this was a new name it was also 'just another release' as I had done many times already," he wrote.
HTTPS and TELNET support soon followed. According to Stenberg, curl was initially released under the General Public License (GPL) but was put under an Mozilla Public License (MPL) by the end of 1998. In 2001, curl added a new license that's close but not identical to the MIT license, alongside the MPL license, which was dropped in 2002.
The project has become a juggernaut. Stenberg says that his goal has been simply to keep improving the code over time. And in the years he and other contributors have worked on it, curl grew and grew, reaching hundreds of millions of installations in 2010. Today it's estimated to have been installed more than ten billion times.
As of the start of 2023, curl consisted of 155,100 lines of code. It incorporates contributions from more than 2,800 people, and more than 1,100 commit authors who have created more than 30,000 commits. Bug bounties for curl code fixes add up to more than $48,000.
Related Stories
Daniel Stenberg of cURL fame has written about the impact of fake, LLM-generated bug reports has on his project, cURL. The main problem with LLM-generated bug reports is that they tend to be bunk while at the same time looking close enough to a real bug report as to end up wasting a lot of developer time which could have been used triaging and addressing real bugs.
A security report can take away a developer from fixing a really annoying bug. because a security issue is always more important than other bugs. If the report turned out to be crap, we did not improve security and we missed out time on fixing bugs or developing a new feature. Not to mention how it drains you on energy having to deal with rubbish.
Often wannabe security consultants will take the output of an LLM and modify it with their own language, thus intentionally or unintentionally obscuring some of the telltale warning signs of LLM-generated bunk.
Previously:
(2023) "cURL", the URL Code That Can, Marks 25 Years of Transfers
(2023) Half of Curl's Security Vulnerabilities Due to C Mistakes
(2020) curl up 2020 and Other Conferences Go Online Only
(2018) Daniel Stenberg, Author of cURL and libcurl, Denied US Visit Again
(Score: 5, Informative) by bart9h on Wednesday March 22 2023, @04:21PM
8.0.0 is borked, but already fixed
https://daniel.haxx.se/blog/2023/03/20/curl-8-0-1-because-i-jinxed-it/ [daniel.haxx.se]
(Score: 2) by bzipitidoo on Wednesday March 22 2023, @05:14PM
> As of the start of 2023, .... lines of code
is still a thing?
25 years of improvements and maintenance sounds more steady and dedicated. 30,000 commits, more than 2800 people, yes. On CVE's radar, yes, impressive. Seem to be clocking in at very roughly a dozen new vulnerabilities found per year.
(Score: 3, Informative) by looorg on Wednesday March 22 2023, @05:42PM
https://www.youtube.com/watch?v=gNWg2Wtxz-w [youtube.com]
If you want to listen/watch to what Stenberg did pre-cURL. It's somewhat amusing and interesting.
(Score: 0) by Anonymous Coward on Thursday March 23 2023, @12:39AM (2 children)
Nothing against cURL. Stuff like that is great if you're pressed for time and just want to look up a man page real quick and git 'er done; but when we controlled the client and the server, I was adamant about using our in-house solution and not some huge dependency like this.
(Score: 2) by vux984 on Thursday March 23 2023, @01:23AM
Sure if you control both client and server, you can just use something really simple in house or a common simple library.I agree curl is overkill, for that, but that's not really the use case. If you start consuming external APIs etc, and you need to deal with different security options, pass client certificates, cookies, etc etc... then 'rolling your own' is just reinventing the wheel for no reason.
As a point of interest; Filemaker uses curl for its support to talk to external web APIs.
https://help.claris.com/en/pro-help/content/curl-options.html [claris.com]
(Score: 2) by Beryllium Sphere (r) on Thursday March 23 2023, @05:14PM
Sometimes it's fun to let myself be cranky.
This "Internet" thing is not exactly new or obscure. You don't have to download a library and manage dependencies to read things from your hard disk. Why isn't the functionality of curl built in to all our languages, natively or in their standard libraries?