Conversation
- explicitly install `libldap-dev` to not rely on test-specific packages installing it implicitly, to have the same `curl -V` output for each TLS backend build pair. Follow-up to 0455d87 curl#18509 - install `libev-dev` for tests. It's a runtime dependency for the local build of `nghttpx`. Missing it made pytest skip 178 tests. Also skewing the 'Gain' time. I estimate it to account for 3 minutes, making the total gain ~20 minutes. Follow-up to 0455d87 curl#18509 (It may be a better solution to disable libev for the local nghttp2 build, to avoid this hidden dependency.) - fix quiche jobs to use the local build of `libnghttp2`. - stop installing the `clang` package for Windows-cross. `clang` and `clang-tidy` tools are preinstalled on the Ubuntu 24.04 runner. Closes curl#18519
When switching to TSLv1.2 as default in 9d8998c, this led to an explicit setting of 1.2 on QUIC connections when using quictls, overriding the already set min version of 1.3. This leads to a ClientHello with TLS 1.2+1.3 offered on a QUIC connect which is rejected by the Caddy server. Using ngtcp2 with OpenSSL 3.5+, GnuTLS or AWS-LC is not affected. Fixes curl#18518 Reported-by: fds242 on github Closes curl#18520
Access the error codes of ngtcp2 when a connect attempt failes. Trace the information for analysis. Treat errors as permanent failure by default, trigger retrying only when the server refused without indicating an error. Closes curl#18521
Also make managen output the experimental text with the correct prefix/margin for the ascii version. Closes curl#18523
- fix `nghttp2` build to also build the `nghttpx` application. Restore required `libc-ares-dev`. Also confirm that `libev-dev` is required too. Document these requirements. Follow-up to 0455d87 curl#18509 - explicitly enable `nghttpx` for the `nghttp2` build to make it fail if requirements aren't met: ``` configure: error: applications were requested (--enable-app) but dependencies are not met. ``` - explicitly install brotli, zstd, zlib for the dependency builds. Of these, zstd and zlib are preinstalled. zlib is required for `nghttpx`. zstd and brotli doesn't seem to be used, but keep them there just in case and to match the test env. Follow-up to 0455d87 curl#18509 - enable brotli for `nghttpx`. It doesn't change the tests, and also cost almost nothing, so I figure why not. Closes curl#18522
Set a default value to only reuse existing connections if less than 24 hours old. This makes the TLS certificate check get redone for the new connection. An application can still set it to zero. Closes curl#18527
The struct field thus does not depend on the presence of it Closes curl#18525
To make the texts easier on the eye. - Remove most free text references to curl versions before 7.60.0 (May 2018) - Leave those present in a HISTORY section Most of them are already documented in symbols-in-versions anyway. Closes curl#18530
Some applications may want to periodically recheck the remote server certificate, which doesn't happen on a long-running connection. Ref: curl#18527 Closes curl#18533
Earlier we used `security-extended` and tried `security-and-quality`. Try the default to see how it works. CodeQL no longer uses the project's Actions cache, also fixing the previously seen repeat cache entry issue. - switch to `manual` build. It's 3x faster than the default `autobuild`. - enable more dependencies to increase coverage. - docs/tests/CI.md: re-add CodeQL. Ref: https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites Ref: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages Ref: curl#16263 Ref: 173805b curl#15798 Closes curl#18528
- bump OpenSSL 3.4 to 3.5 on VS2022 runners.
- bump OpenSSL 1.1.1 to 3.0 on VS2019 runners.
1.1.1 is documented to be present, but missing.
Fixes:
```
+ cmake -G 'Visual Studio 16 2019' -A x64 [...] -DOPENSSL_ROOT_DIR=C:/OpenSSL-v111-Win64 [...]
CMake Error at C:/Program Files/CMake/share/cmake-4.1/Modules/FindPackageHandleStandardArgs.cmake:227 (message):
Could NOT find OpenSSL, try to set the path to OpenSSL root folder in the
system variable OPENSSL_ROOT_DIR (missing: OPENSSL_CRYPTO_LIBRARY
OPENSSL_INCLUDE_DIR)
Call Stack (most recent call first):
CMakeLists.txt:757 (find_package)
```
Ref: https://ci.appveyor.com/project/curlorg/curl/builds/52740431/job/tq6h4xhqpa3vgq47?fullLog=true
Ref: https://www.appveyor.com/docs/windows-images-software/
Ref: appveyor/website@9a739f7
Closes curl#18543
- remove "connect to multiple IPs in parallel" - remove "CURLOPT_RESOLVE for any port number", It can already be accomplished with CURLOPT_CONNECT_TO - remove "dynamically load modules", we don't believe in this - remove "netrc caching and sharing", we already cache it - remove "Offer API to flush the connection pool", this is effectively what CURLMOPT_NETWORK_CHANGED now allows - remove "WebSocket read callback", introduced in 8.16.0 Closes curl#18542
Make sure to not rebuild man pages after purging system curl, to make the job faster and avoid timeouts: ``` Sun, 14 Sep 2025 10:16:28 GMT Removing curl (8.5.0-2ubuntu10.6) ... Sun, 14 Sep 2025 10:16:28 GMT Processing triggers for man-db (2.12.0-4build2) ... Sun, 14 Sep 2025 10:21:22 GMT (Reading database ... 218629 files and directories currently installed.) ``` Ref: https://github.com/curl/curl/actions/runs/17709785947/job/50326910814?pr=18535#step:3:19 Closes curl#18544
Follow-up to cc50f05 curl#18528 Closes curl#18545
One for file name arguments and one for "strings". Closes curl#18546
... without outputing a verbose message about it. In the early days we had 2L and 1L have different functionalities. Reported-by: Jicea Bug: https://curl.se/mail/lib-2025-09/0031.html Closes curl#18547
Remove use of pthread_cancel in asnyc threaded resolving. While there are system where this works, others might leak to resource leakage (memory, files, etc.). The popular nsswitch is one example where resolve code can be dragged in that is not prepared. The overall promise and mechanism of pthread_cancel() is just too brittle and the historcal design of getaddrinfo() continues to haunt us. Fixes curl#18532 Reported-by: Javier Blazquez Closes curl#18540
`CI.md` slipped into the 8.15.0, 8.16.0 tarballs by accident. Remove it again and update the checker exception. Follow-up to fa3f889 curl#17463 Closes curl#18549
Closes curl#18553
Before this patch there was a single C config detected, named `build:`. Closes curl#18555
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 5.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4.2.2...08c6903) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Closes curl#18556
If recvfrom() fails, it might not have stored an address. Follow-up to c4f9977 Pointed out by CodeSonar Closes curl#18738
Adjust the flow to always succeed in verbose trace of connect. Reported in Joshua's sarif data Closes curl#18722
To avoid depending on Docker Hub, an Docker image and a GitHub Action. Also to simplify running this check on a local machine. Pending question if Dependabot and Mend/Renovate will automatically pick up `requirements-docs.txt`. Also: - enable parallel spellchecking. (also to win back the time lost with installing components directly from Debian and pip.) - pin `pyspelling`. - link to official `pyspelling` docs. Closes curl#18736
Fixed misleading comment. Simplified the bit setup. Reported in Joshua's sarif data Closes curl#18739
Reported in Joshua's sarif data Closes curl#18740
- update github/codeql-action digest to 303c0ae - update dependency ruff to v0.13.2 Closes curl#18716 Closes curl#18734
Since it would indicate errors to the degree that continuing would just risk hiding the earlier errors or make things weird. Inspired by a report in Joshua's sarif data Closes curl#18646
When there is more than one user-supplied 'Connection: ' header, add values that curl needs internally to the first one and emit all subsequent ones thereafter. Fixes curl#18662 Reported-by: Evgeny Grin (Karlson2k) Closes curl#18686
The progress meters max out at 2^63 bytes. Reported-by: BobodevMm on github Fixes curl#18744 Closes curl#18746
The man page says nothing about what the return code means but Howard Chu tells me it is 0 on success, -1 on fail. Help-by: Howard Chu Closes curl#18747
Add script to run all Perl sources through `perl -c` to ensure no issues, and run this script via GHA/checksrc in CI. Fallouts: - fix two repeated declarations. - move `shell_quote()` from `testutil.pm` to `pathhelp.pm`, to avoid circular dependency in `globalconfig.pm`. Closes curl#18745
In the connect error message if a unix domain socket was used. Reported-by: kuchara on github Ref: curl#18748 Closes curl#18749
Follow-up to 34b1e14 curl#18745 Closes curl#18750
- GHA/checkdocs: rename `spellcheck` job to `pyspelling` to say the exact tool used. - GHA/checkdocs: restore a comment. - GHA/linux: add `-B .` to a cmake configure to avoid warning, and future breakage. - autotools: use correct casing for `Schannel`. - doh: update RFC URL. - drop redundant parenthesis. - fix indentation, whitespace. Closes curl#18756
To sync with other builds and to use `-B` to avoid a cmake warning and future breakage. Closes curl#18757
- drop unnecessary installed packages. - sync built type name with other jobs. Closes curl#18758
To avoid typos and non-existing options passed to `./configure` in CI builds. Also delete obsolete option `--enable-test-bundles` from Circle CI jobs. Closes curl#18759
Also sync `pip` options with those used in GHA. Closes curl#18760
To show the details in cmake builds using the oldest supported version. Use a legacy method. `--verbose` became supported later, in 3.14. Closes curl#18764
- replace `COMPILE_FLAGS` with `COMPILE_OPTIONS` that superceded it. Follow-up to 6140dfc https://cmake.org/cmake/help/v4.1/prop_sf/COMPILE_FLAGS.html - replace `target_link_libraries()` with `LINK_FLAGS` property for CMake <=3.12, because we are passing linker options (not libs). Follow-up to 91720b6 curl#18468 Follow-up to 5488739 curl#17670 Follow-up to 95aea79 curl#5843 https://cmake.org/cmake/help/v3.7/command/target_link_libraries.html https://cmake.org/cmake/help/v3.7/prop_tgt/LINK_FLAGS.html - replace `target_link_options()` with `LINK_OPTIONS` propery for CMake 3.13+, to use the modern style. Follow-up to 91720b6 curl#18468 Follow-up to 5488739 curl#17670 https://cmake.org/cmake/help/v3.13/command/target_link_options.html https://cmake.org/cmake/help/v3.13/prop_tgt/LINK_OPTIONS.html Also: - fix to append to, not override, previously set linker options when using `CURL_LIBCURL_VERSIONED_SYMBOLS=ON`. Before this patch, it was overwriting linker options when using `CURL_CODE_COVERAGE=ON`. Follow-up to 91720b6 curl#18468 Closes curl#18762
Turns out the signal handler on Windows still wasn't signal safe after the previous round of fix. There is an `open()` call made from there, and `open` happens to be unconditionally overridden via `curl_setup.h` on Windows, to its local implementation (`curlx_win32_open()`), which does memory allocations and potentially other things that are not signal safe. This is a temporary fix, till avoiding the override of system symbols `open` and `stat` on Windows. FTR this did not fix the CI 2304 errors, diskspace fail or job hangs due to 0xC0000142 fork failure (it's rare all three occurs in the same run): https://github.com/curl/curl/actions/runs/18110523584?pr=18774 Ref: curl#18634 Follow-up e95f509 curl#16852 Closes curl#18774
By introducing wrappers for them in the curlx namespace: `curlx_fopen()`, `curlx_fdopen()`, `curlx_fclose()`. The undefine/redefine/`(function)()` methods broke on systems implementing these functions as macros. E.g. AIX 32-bit's `fopen()`. Also: - rename `lib/fopen.*` to `lib/curl_fopen.*` (for `Curl_fopen()`) to make room for the newly added `curlx/fopen.h`. - curlx: move file-related functions from `multibyte.c` to `fopen.c`. - tests/server: stop using the curl-specific `fopen()` implementation on Windows. Unicode isn't used by runtests, and it isn't critical to run tests on longs path. It can be re-enabled if this becomes necessary, or if the wrapper receives a feature that's critical for test servers. Reported-by: Andrew Kirillov Bug: curl#18510 (comment) Follow-up to bf7375e curl#18503 Follow-up to 9863599 curl#18502 Follow-up to 3bb5e58 curl#17827 Closes curl#18634
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
10 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.