WEBVTT 00:00.000 --> 00:10.000 Now it should be working, and we are in the time to start. 00:10.000 --> 00:12.000 Oh, and where are the time to start? 00:12.000 --> 00:15.000 So, I'll go around both on our next speaker. 00:15.000 --> 00:18.000 I don't know if it's a time to start. 00:18.000 --> 00:22.000 Stimbert and he's talk about that in every world. 00:22.000 --> 00:23.000 Hi. 00:23.000 --> 00:28.000 No margin at all here. 00:28.000 --> 00:29.000 So, okay. 00:29.000 --> 00:31.000 This is my work for Wolfe's Society. 00:31.000 --> 00:33.000 I do curl all the time. 00:33.000 --> 00:36.000 So, anyway, ask questions, but they do it afterwards because I don't. 00:36.000 --> 00:37.000 And that's 25 minutes. 00:37.000 --> 00:41.000 I'm going to talk fast and hopefully you'll understand it. 00:41.000 --> 00:43.000 So, I'm going to talk about curl, of course. 00:43.000 --> 00:44.000 Because I always talk about curl. 00:44.000 --> 00:47.000 Curl is a little command line tool and a library. 00:48.000 --> 00:53.000 For internet transfer or transferring stuff over internet protocols. 00:53.000 --> 00:56.000 And we've been going on on this project for a while. 00:56.000 --> 01:03.000 And over time, of course, sort of raised our ambitions or what to do in the project. 01:03.000 --> 01:09.000 So, nowadays we just have this modest aim that we do everything the best possible way. 01:09.000 --> 01:12.000 And when it comes to both security wise and open source wise. 01:12.000 --> 01:16.000 So, pretty much, you know, crank everything up as much as possible. 01:16.000 --> 01:18.000 And that's sort of the ambition here. 01:18.000 --> 01:23.000 Sometimes, maybe we fail, but I think in general, we actually do pretty good job. 01:23.000 --> 01:28.000 And to use an old XKCD, of course, because you have to do that when you have a slide. 01:28.000 --> 01:34.000 So, it's really no problem, right? 01:34.000 --> 01:36.000 Because we got you. 01:36.000 --> 01:38.000 But, and how do we do that? 01:38.000 --> 01:44.000 And I have a fun slide that I use to show where curl runs. 01:44.000 --> 01:49.000 And when I do show this, it's kind of fun. 01:49.000 --> 01:54.000 Because most models can not even mention 25 operating systems, right? 01:54.000 --> 01:55.000 Because how could you? 01:55.000 --> 02:00.000 And usually someone can always, anyway, find a few that is not included here. 02:00.000 --> 02:03.000 But it's kind of a fun map. 02:03.000 --> 02:05.000 So, it runs in a lot of places. 02:05.000 --> 02:10.000 A lot of operating systems, basically any CPU architecture you can imagine. 02:10.000 --> 02:12.000 More than one planet. 02:12.000 --> 02:15.000 And so much. 02:15.000 --> 02:22.000 And on anything you have, we have that connects to the internet, everyone's in a while. 02:22.000 --> 02:28.000 It probably runs curl already or we'll run curls soon. 02:28.000 --> 02:35.000 You know, cars, TVs, vehicles, play, games, stuff, printers, medical devices. 02:35.000 --> 02:38.000 Well, anything, right? 02:38.000 --> 02:43.000 We estimate that there's somewhere in the World Park of 20 billion installations of curl. 02:43.000 --> 02:46.000 And I think it's really low estimate. 02:46.000 --> 02:48.000 So, it's probably more. 02:48.000 --> 02:52.000 But, you know, a crazy amount of curl everywhere. 02:52.000 --> 02:58.000 So, it puts a little bit of a responsibility and a challenge for us, of course. 02:58.000 --> 03:04.000 Sure, what happens when we ship a little bug in 20 billion installations? 03:05.000 --> 03:08.000 But, of course, we write this in the safest possible language. 03:08.000 --> 03:14.000 So, we have 180,000 lines of C code. 03:14.000 --> 03:20.000 And actually, sometimes people think it's a lot or not a lot. 03:20.000 --> 03:23.000 But, what is 180,000 lines of code? 03:23.000 --> 03:24.000 Maybe it's not that big. 03:24.000 --> 03:25.000 Maybe it is big. 03:25.000 --> 03:30.000 Yeah, what do you, but it is 1.14 warrant piece if you count the words. 03:31.000 --> 03:35.000 Warren piece is actually a pretty thick novel. 03:35.000 --> 03:41.000 So, it's actually quite a lot of code I would say for what it is. 03:41.000 --> 03:43.000 It transfers data. 03:43.000 --> 03:44.000 Okay. 03:44.000 --> 03:47.000 So, how do we make sure that we actually don't break, 03:47.000 --> 03:53.000 or we don't have our hot bleed moment, or whatever you want to call the next problem? 03:53.000 --> 03:56.000 So, we start out, of course, we host our stuff. 03:56.000 --> 03:59.000 So, we host downloads, and we have everything. 04:00.000 --> 04:02.000 On the CDN, everything is of course TLS. 04:02.000 --> 04:04.000 We have everything there. 04:04.000 --> 04:07.000 So, we have, make sure that we have a redundant websites. 04:07.000 --> 04:12.000 It's actually pretty reliable to get data from the Chrome website. 04:12.000 --> 04:17.000 It's like that is 99.95% of the CDNs. 04:17.000 --> 04:22.000 And, of course, we have the source code entirely on the served on GitHub. 04:22.000 --> 04:26.000 So, it's, we used to have a, for everyone. 04:26.000 --> 04:31.000 We have 17 people who cannot push code to the repository. 04:31.000 --> 04:35.000 I think we're about four or five, actually, do it regularly. 04:35.000 --> 04:37.000 So, that's sort of the basic setup. 04:37.000 --> 04:42.000 And then, of course, in the source code, how do we manage 180,000 types of code? 04:42.000 --> 04:47.000 So, of course, we have reviews for whatever anyone wants to contribute. 04:47.000 --> 04:52.000 Something, human comments and machine tools to verify. 04:52.000 --> 04:54.000 We have a really strict code style these days. 04:54.000 --> 04:58.000 It's actually been sort of started out really, really leading back in the days. 04:58.000 --> 05:04.000 Nowadays, we have, it's really, it should look, as a single author has written a code. 05:04.000 --> 05:07.000 I think it's really convenient because it makes it easy to read a code. 05:07.000 --> 05:10.000 It looks and feels like it's written by a single person. 05:10.000 --> 05:14.000 It makes it easier to find debugging and read code. 05:14.000 --> 05:20.000 And, of course, we have these data also banned a bunch of desired functions 05:20.000 --> 05:25.000 that in C is sort of easy to use the wrong way. 05:25.000 --> 05:28.000 So, even, it doesn't really matter how experienced you are. 05:28.000 --> 05:34.000 Some functions in the C standard is really not advisable to use a code. 05:34.000 --> 05:36.000 And we have those, we check for them with tools. 05:36.000 --> 05:40.000 We banned them so you can't really sneak them in by mistake you. 05:40.000 --> 05:45.000 We also are, well, they're called reuse, compliance. 05:45.000 --> 05:49.000 So, we have copyright and license information in every single file in the repository. 05:49.000 --> 05:55.000 So, we should be completely covered in sort of understanding the provenance 05:55.000 --> 06:00.000 and who owns what and what's the legal status of everything. 06:00.000 --> 06:05.000 And we have a lot of documentation about this source code and internal APIs and everything. 06:05.000 --> 06:08.000 And we have had multiple audits. 06:08.000 --> 06:11.000 And when it comes to audits, that's fun. 06:12.000 --> 06:16.000 We had, I was, I first external audits was made in 2016. 06:16.000 --> 06:22.000 And they found, what resulted in 7 CVEs, back then. 06:22.000 --> 06:26.000 It's a big task and it's an expensive thing to do. 06:26.000 --> 06:31.000 What it's, someone is going to spend a lot of expensive hours looking at code. 06:31.000 --> 06:36.000 We did one later in 2022, ended up in two CVEs. 06:36.000 --> 06:39.000 I think it was also much more expensive. 06:39.000 --> 06:43.000 But it, because things go more expensive over time. 06:43.000 --> 06:46.000 And, but the result from that, of course. 06:46.000 --> 06:50.000 And then we had another one in 2024 or more narrow, 06:50.000 --> 06:54.000 because not all of what it's covered everything, right, 180,000 times. 06:54.000 --> 06:57.000 So code is too much for a single audit. 06:57.000 --> 06:59.000 But anyway, it resulted in zero CVEs. 06:59.000 --> 07:02.000 So it's a little bit of a trend, I would say. 07:02.000 --> 07:04.000 So yeah, super expensive. 07:04.000 --> 07:08.000 So it's not, it's not something that's easy to be done right for a small open source project. 07:08.000 --> 07:13.000 You have to have someone who just have a very deep pocket of suddenly wants this to happen. 07:13.000 --> 07:18.000 And this, or this, three, or this, they have the cost of this, 07:18.000 --> 07:24.000 have been much more than our entire bug bounty for many years. 07:24.000 --> 07:28.000 That has resulted in many, many, many more CVEs. 07:28.000 --> 07:32.000 Okay, so, of course, we have all of that to make sure that the code looks and feels right. 07:32.000 --> 07:34.000 And then we have a lot of tests. 07:34.000 --> 07:39.000 So of course, we want to make sure that all those 20 billion installations run fine. 07:39.000 --> 07:43.000 We have, you know, unit tests, library tests and tool tests. 07:43.000 --> 07:47.000 And we do test that the code style is right and the intent and, you know, 07:47.000 --> 07:50.000 spelling even in code. 07:50.000 --> 07:56.000 And we have a fun torture test, which I'm going to explain separately because I'm so happy about it. 07:56.000 --> 08:01.000 And of course, we have the analyzers checking code all the time. 08:02.000 --> 08:07.000 And we have a part of the Google, was a fast project. 08:07.000 --> 08:11.000 So they keep passing parallel nonstop on Google hardware. 08:11.000 --> 08:14.000 Excellent thing. 08:14.000 --> 08:17.000 And then, of course, in the documentation. 08:17.000 --> 08:23.000 I think a big part, to really get to the next level in when it comes to the documentation. 08:23.000 --> 08:26.000 In a project is to make sure that the documentation is correct. 08:26.000 --> 08:28.000 And we do that a lot with tools. 08:28.000 --> 08:32.000 Not only spelling pros and, you know, using the right words. 08:32.000 --> 08:36.000 Like, for example, we try to avoid contractions in the English that we write the documentation in. 08:36.000 --> 08:40.000 So isn't, isn't something that's allowed in the documentation. 08:40.000 --> 08:43.000 Then you get a red CI job if you try to write that. 08:43.000 --> 08:44.000 As stuff like that, right? 08:44.000 --> 08:46.000 Just, we're common spelling of words. 08:46.000 --> 08:49.000 So make sure that everything is consistent and the wording is consistent. 08:49.000 --> 08:53.000 The English is sort of written in a way that we think it should be. 08:54.000 --> 08:57.000 And then, for example, we do have mandatory content. 08:57.000 --> 09:02.000 So we do, for example, in the code project, we have over 500 man pages that we ship. 09:02.000 --> 09:05.000 And every man page right that has to have a certain number of sections. 09:05.000 --> 09:07.000 And the sections has to be in the right order. 09:07.000 --> 09:08.000 And it should be in the correct thing. 09:08.000 --> 09:11.000 They all have that checked, right? 09:11.000 --> 09:13.000 And a proper man page for reliability. 09:13.000 --> 09:15.000 It should have an example section, right? 09:15.000 --> 09:16.000 An example section. 09:16.000 --> 09:17.000 It's mandatory. 09:17.000 --> 09:18.000 It should be there. 09:18.000 --> 09:19.000 And how do you know it works, right? 09:19.000 --> 09:22.000 Because we compile every example in every man page in library. 09:22.000 --> 09:24.000 To make sure that it's actually compiling. 09:24.000 --> 09:27.000 It might still be actually wrong because we can run it. 09:27.000 --> 09:33.000 But it's still, as many checks to make sure that it's actually pretty good. 09:33.000 --> 09:39.000 And of course, we verify links and references across man pages and stuff like that. 09:39.000 --> 09:43.000 This actually makes sure that most of it is in a pretty decent shape. 09:43.000 --> 09:51.000 And I wanted to just mention also our torture tests because I think they're pretty cool. 09:51.000 --> 09:54.000 So we have sort of a set up. 09:54.000 --> 10:01.000 So when you build curl with debug mode, so it's special build for a testing case. 10:01.000 --> 10:08.000 We pretty much write a rat by for every fileable function that we want to monitor. 10:08.000 --> 10:09.000 Right. 10:09.000 --> 10:12.000 Maloch or Caloch or FO, blah, blah, blah. 10:12.000 --> 10:15.000 And then we build curl with that. 10:15.000 --> 10:18.000 And then we can control that from the outside. 10:18.000 --> 10:21.000 So we build that and then we run the test case. 10:21.000 --> 10:24.000 And we count how many fileable functions do we actually call? 10:24.000 --> 10:28.000 So when we want to do like, I want to get a web page from a server with curl. 10:28.000 --> 10:30.000 It downloads something. 10:30.000 --> 10:34.000 It's, I don't know, 100 maloch calls and blah, blah, blah, something else. 10:34.000 --> 10:38.000 So then we make sure that we iterate over the test case and we make every one of them. 10:38.000 --> 10:40.000 100 maloch calls fail once, right? 10:40.000 --> 10:42.000 First one, second one, third one. 10:42.000 --> 10:44.000 And then rerun rerun rerun. 10:44.000 --> 10:49.000 And then make sure that whatever fileable function that fails, it should just fail. 10:49.000 --> 10:54.000 Nicely, no memory leak, no crash and just exit with an error code. 10:54.000 --> 10:59.000 And that's an awesome way to test exit pass really. 10:59.000 --> 11:04.000 And make sure that we always free up stuff and clean up stuff when we exit. 11:04.000 --> 11:05.000 Whatever. 11:05.000 --> 11:08.000 In a library it's pretty important that we never leak memory, right? 11:08.000 --> 11:13.000 Because it's potentially used by very long running processes and whatever. 11:13.000 --> 11:21.000 Right? And then it actually takes forever to run this on all tests. 11:21.000 --> 11:24.000 It's not a fast process. 11:24.000 --> 11:29.000 So we actually have to have a weird system to just randomly run a few of them and not fail. 11:29.000 --> 11:33.000 Everyone of them just to make sure that we can actually run through them. 11:33.000 --> 11:39.000 Because we have thousands of tests and some of these test cases that can easily do many, many thousands of 11:39.000 --> 11:42.000 of function calls themselves that's there. 11:42.000 --> 11:45.000 It can be a lot. 11:45.000 --> 11:49.000 So when we have that, we have everything that's so we have of course run everything in CI. 11:49.000 --> 11:52.000 So we now, of course. 11:52.000 --> 11:57.000 And once when I mentioned CI, everyone has a particular idea of what a CI is. 11:57.000 --> 11:59.000 In our project, we run CI. 11:59.000 --> 12:00.000 It's just fine for get VMs. 12:00.000 --> 12:01.000 They fire up. 12:01.000 --> 12:02.000 They build the code. 12:02.000 --> 12:04.000 They run the test cases and then they're done. 12:04.000 --> 12:05.000 Then we throw them away. 12:05.000 --> 12:07.000 So we never get anything back from them. 12:07.000 --> 12:09.000 Really other than logs from test cases. 12:09.000 --> 12:13.000 But anyway, we have a few thousands of tests to do per job. 12:13.000 --> 12:18.000 And we do builds on as many platforms as we can. 12:18.000 --> 12:21.000 Really that we have, you know, it's a little bit of a, 12:21.000 --> 12:25.000 I mentioned 100 in six operating systems and 28 CPU effectures. 12:25.000 --> 12:27.000 Really a little bit hard to run tests on all of those. 12:27.000 --> 12:28.000 So we don't. 12:28.000 --> 12:34.000 We sort of focus on a bunch of primary ones and the rest just has to work. 12:34.000 --> 12:38.000 It usually works out really well because most of the code is perfect and portable. 12:38.000 --> 12:40.000 And it's the same code anyways. 12:40.000 --> 12:43.000 Most of the bugs appear on all of them. 12:43.000 --> 12:46.000 Right. 12:46.000 --> 12:48.000 We also. 12:48.000 --> 12:53.000 Office support with a whole lot of different third party libraries. 12:53.000 --> 12:59.000 Right. So there's literally millions of combinations of different TLS compression libraries and SSH libraries and 12:59.000 --> 13:03.000 IDN libraries or whatever. So it makes for a. 13:03.000 --> 13:06.000 Really really a lot of number of combinations too, which is also sort of. 13:06.000 --> 13:08.000 Of course adds to the complication. 13:08.000 --> 13:10.000 And we're about to see I stuff as. 13:10.000 --> 13:13.000 Thing which makes a little bit of fuzzing. 13:13.000 --> 13:16.000 It just in the CI run for a short period of time. 13:16.000 --> 13:22.000 So when we have these CI, we run now more than 200 jobs per. 13:22.000 --> 13:24.000 PR and commit. 13:25.000 --> 13:27.000 It's a crazy amount of tests. 13:27.000 --> 13:30.000 And because all of them have around 2,000 each. 13:30.000 --> 13:34.000 So we're around 400,000 tests per PR and. 13:34.000 --> 13:36.000 And commit so it's. 13:36.000 --> 13:40.000 Still areas that we don't test very good, but. 13:40.000 --> 13:43.000 At least we do a lot of testing. 13:43.000 --> 13:45.000 And. 13:45.000 --> 13:47.000 We have. 13:47.000 --> 13:52.000 We spread this out over a number of different CI services just to make sure that we. 13:52.000 --> 13:56.000 And it's. 13:56.000 --> 14:00.000 So well it's a little bit way. 14:00.000 --> 14:05.000 So it's a main trainer sort of a maximum parallelism so that we don't get 14:05.000 --> 14:07.000 choked up by your single service. 14:07.000 --> 14:10.000 It has been a little bit tweaked nowadays because. 14:10.000 --> 14:13.000 We've been sponsored by GitHub. So they have sort of. 14:13.000 --> 14:16.000 Race to volume for our performance and GitHub. So nowadays we sort of 14:16.000 --> 14:19.000 favor GitHub because we can run more jobs. 14:19.000 --> 14:21.000 They're faster than some of some of the others. 14:21.000 --> 14:25.000 really within 20 minutes, 30 minutes, something. 14:25.000 --> 14:29.000 So we work really, really hard to optimize and tweak 14:29.000 --> 14:32.000 so that they actually finish really fast. 14:32.000 --> 14:35.000 Just, I think, a year ago, they could take hours, 14:35.000 --> 14:36.000 some of them. 14:36.000 --> 14:39.000 But it's really convenient to have them finish really fast 14:39.000 --> 14:42.000 that if we know the state of the latest changes right now. 14:42.000 --> 14:46.000 And so we spend about 10 CPU days per day right now 14:46.000 --> 14:49.000 in CI, only. 14:49.000 --> 14:52.000 Right. 14:52.000 --> 14:55.000 And the repository, there's a question other. 14:55.000 --> 14:58.000 How much does it cost? 14:58.000 --> 15:00.000 It costs us nothing. 15:00.000 --> 15:02.000 It's entirely free. 15:02.000 --> 15:05.000 No, no. 15:05.000 --> 15:09.000 If we would pay for it, it would cost a fortune. 15:09.000 --> 15:10.000 That's the easy answer. 15:10.000 --> 15:12.000 So we don't pay for it. 15:12.000 --> 15:16.000 As I said, we have sponsors paying for this. 15:16.000 --> 15:18.000 So they provide this service for us. 15:18.000 --> 15:20.000 So yes, we're happy that they do that. 15:20.000 --> 15:26.000 Otherwise, it would be a challenge. 15:26.000 --> 15:30.000 So we also have added checks, of course, the XZ way 15:30.000 --> 15:33.000 that we don't have any binary blobs in the repository. 15:33.000 --> 15:36.000 We actually have to see a job now to make sure that 15:36.000 --> 15:40.000 no one can even, you know, buy mistake at a binary blob 15:40.000 --> 15:43.000 and then we, because that'll fail your CI. 15:43.000 --> 15:47.000 So there should be no way to hide any encrypted payloads 15:47.000 --> 15:49.000 in our repository anyway. 15:49.000 --> 15:52.000 We have all our, not all our commits are signed yet, 15:52.000 --> 15:54.000 but we're sort of going most of them are. 15:54.000 --> 15:57.000 And we'll, of course, sign tags and we signed releases. 15:57.000 --> 16:01.000 And we have perfectly reproducible builds since a while back. 16:01.000 --> 16:03.000 So it's really easy to whatever we ship. 16:03.000 --> 16:07.000 Anyone is sort of encouraged and welcome to just reproduce 16:07.000 --> 16:11.000 it to make sure that we didn't sneakishly insert anything 16:11.000 --> 16:14.000 the XZ way or any other way. 16:14.000 --> 16:17.000 I still build all the releases locally, 16:17.000 --> 16:20.000 but nowadays, I use a container to do it. 16:20.000 --> 16:23.000 It's actually easy to, for anyone else to use the same container. 16:23.000 --> 16:25.000 And I just wanted to show you so you can actually do this. 16:25.000 --> 16:27.000 So this is the latest kernel release. 16:27.000 --> 16:31.000 If you just download that and you just figure out when I did the package 16:31.000 --> 16:34.000 because you want the exact same time start, right? 16:34.000 --> 16:37.000 And then you can just build the same package exactly the same way 16:37.000 --> 16:40.000 and it'll end up a binary copy, right? 16:40.000 --> 16:42.000 It'll be identical. 16:42.000 --> 16:44.000 And you can even use the script that I've provided. 16:44.000 --> 16:48.000 So you can actually just download it and you verify that is actually the same thing. 16:48.000 --> 16:50.000 Which I think is fine. 16:50.000 --> 16:54.000 I mean, it's not even that hard once you just get yourself to do it. 16:54.000 --> 16:55.000 But I don't think it's fine. 16:55.000 --> 16:59.000 It helps everyone to, anyone who wants to, can verify that. 16:59.000 --> 17:03.000 That is actually, you can make the package the same way I did it. 17:03.000 --> 17:04.000 Or wait for it. 17:04.000 --> 17:06.000 And of course, we get vulnerabilities. 17:06.000 --> 17:08.000 And we fixed them as soon as we can. 17:08.000 --> 17:10.000 We look, this goes as we should. 17:10.000 --> 17:13.000 And we document everything really, really thoroughly. 17:13.000 --> 17:17.000 And I have this commitment. 17:17.000 --> 17:21.000 I work really hard to make sure that the figure out exactly when we inserted the bag 17:21.000 --> 17:22.000 and exactly when we fixed it. 17:22.000 --> 17:24.000 So that I can tell that to the world. 17:24.000 --> 17:27.000 Nowadays, we'll see in a, so that we can sort of manage our own. 17:27.000 --> 17:28.000 See if it's a little bit better. 17:28.000 --> 17:30.000 Less crazy stuff. 17:30.000 --> 17:31.000 Ideally. 17:31.000 --> 17:33.000 And we have this bag bounded to. 17:33.000 --> 17:37.000 So we're paying researchers to report stuff. 17:37.000 --> 17:40.000 Right. 17:40.000 --> 17:43.000 About documentation the CV is done. 17:43.000 --> 17:45.000 We do that really thoroughly. 17:45.000 --> 17:48.000 We provided the metadata as JSON and we. 17:48.000 --> 17:49.000 Document everything. 17:49.000 --> 17:52.000 Of course, we don't provide a CVS score. 17:52.000 --> 17:56.000 Which is awesome, because then someone else will do it for us. 17:56.000 --> 17:59.000 And I mean, it's super crazy instead. 17:59.000 --> 18:01.000 I won't get into why, but CVS. 18:01.000 --> 18:03.000 I hope you all agree with me. 18:03.000 --> 18:04.000 It's totally broken system. 18:04.000 --> 18:07.000 So we're decided pretty much to not participate in. 18:07.000 --> 18:09.000 In that dance. 18:09.000 --> 18:12.000 So we get forced to participate in it anyway. 18:12.000 --> 18:17.000 But still, that's that's the way we do it. 18:17.000 --> 18:19.000 So for example, you can do this. 18:19.000 --> 18:21.000 You can check out a curler version on website. 18:21.000 --> 18:23.000 And they'll show you exactly which. 18:23.000 --> 18:26.000 Vulnerability is it contains. 18:26.000 --> 18:28.000 From version two version. 18:28.000 --> 18:31.000 We can even get it in a nice graphic and overview. 18:31.000 --> 18:35.000 Those versions have those vulnerabilities over time, blah, blah, blah. 18:35.000 --> 18:38.000 And all those are clickable, of course. 18:38.000 --> 18:42.000 So in the background, we have this started five and a half years ago. 18:42.000 --> 18:44.000 Approaching 60 years, I think. 18:44.000 --> 18:48.000 So we paid out more than $85,000 by now. 18:48.000 --> 18:51.000 A small amount compared to those audits. 18:51.000 --> 18:52.000 I mentioned previously. 18:52.000 --> 18:56.000 It has resulted in 76 CVS. 18:56.000 --> 18:59.000 Soon to be 79 CVS. 18:59.000 --> 19:02.000 So it's a pretty good system. 19:02.000 --> 19:05.000 15% success rate, then. 19:05.000 --> 19:10.000 Of course, some of the others that we get are just ordinary bugs. 19:10.000 --> 19:14.000 So we're not, I mean, not everything else is crap. 19:14.000 --> 19:17.000 But there's a fair amount of that too. 19:17.000 --> 19:20.000 And we always sort of disclose all of them after the facts. 19:20.000 --> 19:24.000 So that you can follow the discussion and see whatever is silly decision we made. 19:24.000 --> 19:30.000 And of course, we have a fun race with the rest of the world right now. 19:30.000 --> 19:36.000 With the AI slot rate, sort of increasing in this amount. 19:36.000 --> 19:37.000 We're actually right now. 19:37.000 --> 19:43.000 We have this about the same rate of valid reports as in AI slot reports. 19:43.000 --> 19:47.000 It's sort of in the same ballpark somewhere around 10% 19:47.000 --> 19:52.000 15% of the submission. 19:52.000 --> 19:53.000 Yeah. 19:53.000 --> 20:02.000 And of course, I could do this talk without sort of showing this book cover because it's a popular book. 20:02.000 --> 20:09.000 No one has really finished it or I've been told many times that it only takes a weekend to rewrite it. 20:09.000 --> 20:12.000 But apparently that weekend hasn't happened yet. 20:12.000 --> 20:16.000 So we're not going to rewrite it in any language. 20:16.000 --> 20:18.000 We're not going to rewrite it at all. 20:18.000 --> 20:19.000 It's there already. 20:19.000 --> 20:23.000 So we're just patiently, you know, it's rating and polishing over time. 20:23.000 --> 20:25.000 So there's not going to be any rewrite. 20:25.000 --> 20:29.000 And when it comes to rust, it's a good effort. 20:29.000 --> 20:33.000 It's a possibly good and great language, but we're not going to use it. 20:33.000 --> 20:37.000 But we can still use third party dependencies with the new rust, right? 20:37.000 --> 20:45.000 So if there's a TLS library or another library that we want to make curl use as part of its functionality. 20:45.000 --> 20:49.000 Which is a TLS library, for example, is tend to be something you use with curl. 20:49.000 --> 20:52.000 That could be written in rust and then we could use that. 20:52.000 --> 20:54.000 So that's the way we're going to use. 20:54.000 --> 21:00.000 I think we're going to see more rust in that kind of aspect going forward in curl. 21:00.000 --> 21:06.000 So that's how we try to stay less in class and when it comes to security and open source. 21:06.000 --> 21:08.000 Thank you. 21:08.000 --> 21:18.000 There's a question. 21:18.000 --> 21:20.000 How do I manage dependencies? 21:20.000 --> 21:22.000 Sorry. 21:22.000 --> 21:26.000 How do I manage dependencies? 21:26.000 --> 21:29.000 How do I manage dependencies? 21:29.000 --> 21:36.000 Well, I have a sort of a kind of a fun or unfortunate position that I don't really have dependencies in that way. 21:36.000 --> 21:39.000 Since I ship curl as a source code table, right? 21:39.000 --> 21:42.000 So there's actually no dependencies there. 21:42.000 --> 21:50.000 Here's the dependencies are managed by those who build curl and get a lot of dependencies when they decide what to build curl with and use. 21:50.000 --> 21:54.000 So it's a little bit of a way for me to say that someone else's problem. 21:54.000 --> 22:01.000 So I build curl someone else deals with the dependence problems. 22:02.000 --> 22:06.000 When you say all commits are signed or nearly all commits are signed. 22:06.000 --> 22:09.000 How do you handle external plural requests? 22:09.000 --> 22:11.000 Do you write the commits? 22:11.000 --> 22:13.000 Or do you pull them? 22:13.000 --> 22:16.000 I always do rebase of commits. 22:16.000 --> 22:18.000 Just a rewritten. 22:18.000 --> 22:23.000 So when I merge someone else's commit, it'll be put and committed by me, right? 22:23.000 --> 22:28.000 So it's going to be signed by me. 22:29.000 --> 22:31.000 Do you measure code coverage? 22:31.000 --> 22:34.000 And then look at new code introduced. 22:34.000 --> 22:37.000 Code code coverage is really hard. 22:37.000 --> 22:39.000 Yeah, so yeah, code coverage. 22:39.000 --> 22:40.000 That's what's a question. 22:40.000 --> 22:42.000 So it's really hard. 22:42.000 --> 22:44.000 Yeah, I try to for a while. 22:44.000 --> 22:51.000 But since curl is such a mess with different backgrounds, different dependencies and different options on and off. 22:51.000 --> 22:53.000 It turns out to be really, really hard. 22:53.000 --> 22:54.000 What does it mean? 22:54.000 --> 22:56.000 What is code coverage, really? 22:56.000 --> 22:58.000 Code coverage, it's out of what? 22:58.000 --> 23:02.000 So it turned out to be a really weird number to get. 23:02.000 --> 23:07.000 So I actually still, because it was really hard to even explain what we measured and how to use it. 23:07.000 --> 23:09.000 And what do we want to communicate with it? 23:09.000 --> 23:12.000 So no, I don't do that anymore. 23:12.000 --> 23:16.000 I'm interested in your tool to test it. 23:16.000 --> 23:20.000 How do you function on how many advice you have? 23:20.000 --> 23:24.000 And do you generate the rough functions like manually? 23:25.000 --> 23:31.000 So the torture set up, they monitor a bunch of fallible functions. 23:31.000 --> 23:34.000 And we have written manual wrapper functions for them. 23:34.000 --> 23:37.000 But because they don't tend to increase, right? 23:37.000 --> 23:38.000 It's the same set. 23:38.000 --> 23:42.000 It's basically monitor the memorallications file handling. 23:42.000 --> 23:43.000 Yeah, that's pretty much it. 23:43.000 --> 23:45.000 So it's limited sets. 23:45.000 --> 23:48.000 They're like eight functions or something. 23:48.000 --> 23:51.000 So it's a pretty narrow set. 23:51.000 --> 23:53.000 And it's perfectly fixed. 23:55.000 --> 23:59.000 So you mentioned there are some things such as LAPNs on carol. 23:59.000 --> 24:00.000 Can you give example? 24:00.000 --> 24:02.000 Yeah, see functions that are banning carol. 24:02.000 --> 24:08.000 For example, well, gets or now, since they're while back, S scan F, 24:08.000 --> 24:09.000 we don't allow. 24:09.000 --> 24:11.000 We don't even use string copy anymore. 24:11.000 --> 24:17.000 We, and a few other, of course, we don't use S print either. 24:17.000 --> 24:22.000 Some other, more natural ones that's anyone I want to think about. 24:22.000 --> 24:27.000 The reason for S scan F and string copy are the newer ones that we sort of avoid. 24:27.000 --> 24:34.000 Because basically, most of these, we decided to stop to use because, sort of, 24:34.000 --> 24:38.000 by experience, we see that we don't, they don't really add much. 24:38.000 --> 24:43.000 When we add, when we use them, it tends to lead us into the wrong fixes, wrong solutions. 24:43.000 --> 24:51.000 So we better, we write better code, we create better solutions by sort of forcing ourselves by avoiding those functions. 24:52.000 --> 24:56.000 So you say you have 15, maybe. 24:56.000 --> 25:00.000 How do I get new main trainers? 25:00.000 --> 25:02.000 How do I get new main trainers? 25:02.000 --> 25:04.000 I don't know. 25:04.000 --> 25:10.000 We all age, so do you have a plan? 25:10.000 --> 25:19.000 Okay, well, yeah, the average age of the main trainers, it increases one year every year. 25:19.000 --> 25:21.000 So, yeah, I don't know how to do that. 25:21.000 --> 25:24.000 I get a band, that's a universal resource problem, right? 25:24.000 --> 25:28.000 How do we recruit new main trainers and preferably younger main trainers? 25:28.000 --> 25:32.000 So, I don't know, I don't have any good solution or answer to that. 25:32.000 --> 25:34.000 My time is up, I have to stop. 25:34.000 --> 25:35.000 Thank you. 25:35.000 --> 25:36.000 Thank you.