57 – Daniel Stenberg, Creator of cURL and libcurl

Shiva Maharaj Kontinuum 0:00

Good morning, ladies and gentlemen. Welcome to another episode of Cybersecurity Amplified and Intensified. Today we have with us Daniel Stenberg. Hey, Daniel,

Daniel Stenberg 0:08

how are you? Hello. Good to be here.

Shiva Maharaj Kontinuum 0:11

Thanks, if you don’t mind starting off with giving the listeners and the viewers a little background on yourself?

Daniel Stenberg 0:18

Well, I am a Swedish software engineer. I'm mostly known for being the founder and maintainer of the curl project, which I've been doing for, well, 24 years soon, under the name curl at least. So yeah, I'm a developer, I've done a lot of things over the years. And I do curl. I've been working on curl full time for three years now.

Shiva Maharaj Kontinuum 0:46

And one of the reasons that I came across you is that recently there were the Log4j issues back in, I think, December through January. And I came across a tweet where a company was asking you for a full rundown on what is in an open source project you worked on. And I believe you replied along the lines of, well, we don't have a support contract. So let's talk about that first.

Daniel Stenberg 1:12

Correct. And, well, I think in this particular case, it shows so many different levels of, I don't know, immaturity, or presumptions in large companies or something. Because what it started out with, of course, they didn't ask about a particular project that I've written; they emailed me, assuming we're talking about the project they and I both know about, which I think is fun, because they just emailed me, and I actually do more than one product. So what are we talking about? And then, of course, I don't have any business association with this company, which happens to be super big, I mean, it's a Fortune top 100 company. So it's a multi-billion company. And of course, we don't have any relationship at all. I actually didn't even know the company existed when they emailed me; I had to, you know, Google what kind of company this is, and realized that, well, they're super big. And I'm also quite used to the fact that companies find me, or not only companies but people in general find me, because they find my email address somewhere in a product that is using code that I've written, because my email address tends to end up in many places, because it's in the license of open source stuff that I've written. So it sort of followed the line of many, many others. And then they asked me about details about Log4j in my product. And then we get into the technical details, right? That's a Java library for logging. And I've never done any Java, I've never touched Log4j; nothing I've ever been involved with in my entire life has ever been close to Log4j. So the detachment from asking me about that is completely unreal. So probably they have, you know, gathered a long list of email addresses from products they have or use, or ship or whatever, and emailed everyone there. And that included me as an author, because probably some products they use, right, use a component that I've written. So just a sort of multi-layer cake of confusion and silliness.

Shiva Maharaj Kontinuum 3:30

Okay. How did you get started in open source? And why open source as opposed to, I guess, what I would consider for profit? I like for profit, by the way,

Daniel Stenberg 3:40

Right? Well, I don't mind open source for profit. But it's a long story; it started a long time ago. So I actually started my sort of career as a software engineer in the early 1990s. Well, 1993, I got my first software engineering job. And at that time, that was even before the term open source was coined, right. But at that time, of course, open source existed, or free source code to stuff, and I appreciated that and I enjoyed it, and I played with it, because I thought software engineering and programming is fun. So I did it in my spare time and did it as a full time job as well. And then I fiddled around with doing some projects in my spare time over the years, and then when I just wanted to do another little cool tool or toy for my own personal use, it was sort of natural. I mean, I wanted to be part of the open source movement and also produce open source stuff like the others apparently do. So it wasn't a religion; I didn't think about it much. Of course it would be open source, because doing that would enable the tool or the stuff I work on to go far beyond what I could do just myself; we could sort of, you know, as a community make it go much further and become something much bigger than just little me can do.

Shiva Maharaj Kontinuum 5:22

Now, you said you started back in 1993. As a

Daniel Stenberg 5:27

Yeah, that was my first gig as a prime

Shiva Maharaj Kontinuum 5:31

developer, you've been around long enough to see evolving cybersecurity needs. How has that affected how you produce open source products, as well as the time required to, I guess, support these projects and products as cybersecurity requirements change?

Daniel Stenberg 5:52

Well, I think it has gradually, it sort of, first, of course, there has been a sort of maturing in my own way of developing code, and in the industry as a whole as well. So I think, doing things over the years, we have sort of learned and realized that we need to pay attention to certain things more, better and earlier in the process of writing code. And I think it is a big difference to how we did it back in the early 90s; looking back at it, it seems really silly and immature the way we did it. But things like, you know, these days we do all this continuous integration testing much earlier, we do that nonstop all the time while developing; we have much better tools, much better scrutiny and review processes and sort of established procedures in much better ways to make sure that we actually do things with quality and security already from the first line of code, right? So I think it actually has changed all over the line. And for someone who, as I said, works primarily writing code in C, which is also sort of an unsafe language, I also see that, of course, a lot of solutions are going to other languages, memory safe languages or other managed languages that don't let us shoot ourselves in the foot as easily as C does.

Shiva Maharaj Kontinuum 7:27

Okay. And now, you said that you are working primarily or mainly on the curl project? Yes. And sorry, go ahead.

Daniel Stenberg 7:36

No, it was my spare time project for many, many years, until I quit Mozilla in 2018, and then I decided I want to try to make it a living, to actually spend all my days working on curl. So then I joined wolfSSL. So now I work for wolfSSL. We sell curl support and curl services, really, to anyone who pays for it.

Shiva Maharaj Kontinuum 8:04

I have been using curl for a very long time. Now my main line of business is managed services. So we use a lot of, well, we use RMM products, like Datto or ConnectWise. Are you familiar with those? Nope. It's basically a command and control infrastructure. So we put an agent onto client computers, and we can do remote support, remote commands, do whatever we like. And I was going through my library of scripts prior to this call. I don't think I have any deployment scripts that are not using curl, quite honestly. Right. You know, when I came across that tweet I mentioned earlier about you, it was nice to kind of put a face to the name of a product that I use, and a product that I used ignorantly, not knowing that I should probably be supporting it, when I finally realized how much I actually use it.

Daniel Stenberg 8:54

Yeah, yeah, it’s a, it’s out there. It’s widely used.

Shiva Maharaj Kontinuum 8:59

And it’s a fantastic product for whoever’s listening. So, yeah,

Daniel Stenberg 9:05

Right. And it's been out, and we've sort of been working on it for such a long time. So we polished it pretty well, you know; for most people, it's just there. It does what it needs to do. And it's been doing that for a long time. I talk to a lot of users who basically, when I say that I work on curl full time, ask me, what do you do? I mean, it's already there. It did the same thing 10 years ago, and it still does it today. Sort of. So what do you do all day?

Shiva Maharaj Kontinuum 9:32

What do you do all day?

Daniel Stenberg 9:34

Oh, yeah, what do I do? What do I do? Twiddling my thumbs? No, but there's a lot of things going on beneath the surface, right? So for me, it's more of a mark of approval that we actually make it appear as if nothing has changed from the outside, right: all the command line options work the same way. It behaves mostly the same way as it did from the beginning. But things constantly evolve and change on the internet, right? Like everything else. We need to adapt and constantly upgrade things as we learn to do things new ways on the internet. You know, the browsers suddenly decide that we should never do this anymore, and then all the sites will say, no, no, we will ban these versions of TLS, or we will no longer accept certificates that look like this, or we are going to talk about the new HTTP version tomorrow. And it's like this. So there are these constant tiny changes, and there are, every now and then, larger steps in the development that we need to take to follow the rest of the internet and make sure that curl can do transfers with the security we want and the way we want and need. So there's that. And then there's, of course, we estimated that curl or libcurl, the library, is in somewhere around 10 billion installations worldwide, which is a mind-bogglingly large number. I mean, that is fantastic and sort of more of a dream come true. But it also means it ends up in a lot of niche cases that nobody has used it in before, weird cases, strange networks, strange surroundings. So there are also a lot of people who find bugs in all sorts of weird ways, because they happen to end up in a situation nobody ever thought about when we wrote that feature 12 years ago. There's a lot of that, too.

Shiva Maharaj Kontinuum 11:36

Now, when I woke up this morning, one of the first things I did was go onto YouTube to see what's on my cover page. And I saw you guys, or perhaps you yourself, put out a video: there's a new curl update.

Daniel Stenberg 11:48

Yes, we did. Yeah, I did this a few days ago.

Shiva Maharaj Kontinuum 11:53

Okay, what, what’s new in this update?

Daniel Stenberg 11:57

So first, we do releases very frequently. Typically, we try to do them every eight weeks. So we do have that rather fast pace of doing releases. And so normally, when we do releases, we don't have a large number of news items, because we do them so frequently. So we just slowly trickle out new things, really spread out over many releases. But in this particular release, we actually have a feature that I know a lot of people are interested in: we're adding a new command line option, which isn't rare, because we have a lot of them. But we're adding the one called --json as a shortcut and a simpler way to send JSON to servers using curl.

Shiva Maharaj Kontinuum 12:38

I think I can use that in a few places very well,

Daniel Stenberg 12:41

Right, because a lot of server endpoints or REST APIs or whatever you send JSON to, they also want you to send the right Content-Type header and the right Accept header. So to do that on a command line is a little bit of a quirky thing to do, and you have to provide those different options to make it behave properly. So this --json option is a shortcut to do that in an easier, more convenient way.

Shiva Maharaj Kontinuum 13:10

And now that you're working on curl full time, how can people support the project? Because I saw you put a tweet out this morning that donations are nice, but, and I'm paraphrasing here, people, so these are my words, not Daniel's, it doesn't pay the bills.

Daniel Stenberg 13:28

It is exactly that way. And I get that question sometimes: what do you do? Of course, donations are great, and I appreciate them. And we use them for curl related stuff. Usually we use donations, for example, to fund our bug bounty program, so that we pay security researchers monetary rewards when they report security problems. And I think that's an awesome way to stimulate them and give them sort of the incentive to actually go look for security problems. So that's a great way. But typically, we don't get donations to the level that they can actually pay for developers, because then we would need the donations at a much higher scale than we do now. So sure, donations are good and appreciated. But what pays my bills is companies paying me for full support or services around curl, because that takes the amount of money to another level that actually can pay my salary, so that I get food on the table.

Shiva Maharaj Kontinuum 14:33

How big is your team?

Daniel Stenberg 14:36

Well, I'm the only one who is getting paid to work on curl. So I'm the only one who's doing it full time. I'm the only one at wolfSSL who works on curl as a developer. But then, of course, curl is open source, and we recently surpassed 1000 commit authors in the repository. So there's a lot of people who have contributed code, but most people have only contributed code once, so, you know, the tail is enormously long here. And I think people who have actually committed code 100 times, that's more than 40 people, or maybe 25 or so. So there's a small set of people who actually do more than just a little in the project.

Shiva Maharaj Kontinuum 15:23

So what kind of support do people get when they pay for it?

Daniel Stenberg 15:27

Usually, well, my regular sales pitch is more like: if you have a company, and you have a product or device or whatever, as many companies do, that uses libcurl in some way, then some portion of your development team needs to understand libcurl; you have to use libcurl directly, and you run into problems with curl or internet transfers every now and then. And then I could be there to, you know, offload that: ask me about the problems, I can fix the problems for you. So issues, work on bugs, the missing features you lack, and stuff like that. Because, for me, it's natural that that would actually be a win-win for many companies: to not waste a lot of time on curl problems, but hand them over to me instead. And I could, you know, solve them for them in much shorter time and probably, you know, answer the questions they have, so that they can go on with doing other things with their time instead of wasting it on curl stuff. But usually, I would say, the larger amount of customers I get, they arrive in my inbox, they sign up for a support contract, after they run into some kind of curl problems, bugs, issues, that make them, you know, stop or get stuck somehow. And then I say, yeah, sure, I can help you out with this, and let's set up a support deal. And I help them with their bug and they stay with a support contract, because then they realize that the next time we end up in this situation, we can sort of shorten the time, and just ask me and we can fix the problem in a much shorter time and with less friction.

Shiva Maharaj Kontinuum 17:19

Or I’m sorry,

Daniel Stenberg 17:21

But the interesting thing is that it's rare that companies approach me before they have that initial problem, which I think you can understand. But that's also one of my challenges, right. So if you haven't run into those problems, it's hard for me to sell that contract to someone who hasn't had that problem, because they see it more as: what's the product? It works, it has worked for a long time. We don't need any support from this guy.

Shiva Maharaj Kontinuum 17:48

I've been in IT services since the early 2000s, playing with computers in some way, shape, or form since about '94, '95. But I would say professionally I got started around the year 2000. And I remember when you needed to actually know what you were doing, as opposed to being able to go Google a solution. And I've seen that descending curve over the last 20 years, where even my own customers sometimes just want to go onto Google to fix something. And they call us because, well, they don't have administrator privileges, or they can't do certain things. And I think that eats into the quality of systems.

Daniel Stenberg 18:30

Yes, I agree.

Shiva Maharaj Kontinuum 18:32

So, you know, I’m happy to see that you guys are having a support contract to help people get away from that. But I feel like as long as there’s a free way to do something, people will gravitate towards that until they exhaust it. And then that’s when they’re more apt to paying for support, I think.

Daniel Stenberg 18:49

Absolutely, absolutely. And I think it also is an economic thing, right: as long as they can get away with doing it without paying for it, and as long as it gives them quality enough to actually get customers for their products and tools. I understand that it is easy for them to take shortcuts and not set up support contracts beforehand, because they don't need to, because they think they're in the clear and everything is good. Maybe it is, maybe it's not, because, you know, it goes back to this entire supply chain consideration. When you build products and everything, and you have a lot of open source products, I understand that maybe you can't have support contracts with all those authors and creators of all those products and components, but maybe you should, and maybe, you know, do you lean on the proper set of tools here, and are they quality stuff?

Shiva Maharaj Kontinuum 19:49

Right? I would say pay you guys more for support, you grow your team, and then you can support the 10 odd billion installs, right? How do you feel? Well, I guess with 10 billion, well, 10 billion installs, you said?

Daniel Stenberg 20:06

Yes. Well, it's a very rough number, right, because I can't really tell for sure.

Shiva Maharaj Kontinuum 20:13

What, in your opinion, is the coolest or most outrageous, in a good way, use of curl that you've seen? I think

Daniel Stenberg 20:22

one of the, certainly the coolest one, that sort of tops most of what I can come up with, is that it's been used in the helicopter Mars landing in 2020. So NASA used curl in the helicopter mission on Mars. That's hard to beat, you know, any other way.

Shiva Maharaj Kontinuum 20:45

Very cool. And, again, going back to having 10 billion installs, which I think is amazing. Did I phrase this correctly? A lot of countries are moving towards an SBOM system? Yes. And have you guys put anything out to have that bill of goods in the curl project?

Daniel Stenberg 21:22

Well, I know, not really, but I don't think it's an issue for us. So it's not our job to do that; we pretty much provide a component, and the ones who actually use our component, or build our stuff into their components, they are the ones to provide that bill of materials.

Shiva Maharaj Kontinuum 21:46

Okay, I can see that.

Daniel Stenberg 21:48

Because we rarely provide anything at all except just a source code package. So the ones who are actually using curl have actually downloaded it, built it, put it together themselves, or used someone else who did it for them.

Shiva Maharaj Kontinuum 22:02

Okay. And where can someone go to get curl, for the three of you listening who don't know where to actually get curl? Where do we get the link?

Daniel Stenberg 22:12

Everything? Well, so Everything curl is a book. But everything about curl is actually on curl.se, .se, the Swedish top level domain. And if you go to everything.curl.dev, that's the book Everything curl, which also documents pretty much everything about curl.

Shiva Maharaj Kontinuum 22:35

And if people wanted to reach out and help support with donations, how could they do that?

Daniel Stenberg 22:41

Well, it's pretty easy to do that on the curl website on curl.se. There's actually a link on the front page. And there's even a link on the front page on how to pay for curl support as well. So it should be really easy to figure that out on the site.

Shiva Maharaj Kontinuum 22:57

And how is support? Is it priced on a per opportunity basis? Or is there a static rate?

Daniel Stenberg 23:04

We have a few different rates, but we do tend to say X number of issues during a year for a certain amount of money. Okay? But I mean, wolfSSL is a small company; we're open to negotiations with whoever in whatever way. So, you know, if you're a super mega company that has ideas about doing it in some particular way, we're always open to discussing that. But we provide a fixed set of starting points for discussions. This is how we usually work with it, and it works out pretty good.

Shiva Maharaj Kontinuum 23:41

Okay. Sounds good. I mean, that's it for me, unless you have anything else you'd like to discuss.

Daniel Stenberg 23:48

No, not at all, I'm good with this.

Shiva Maharaj Kontinuum 23:51

Okay. And how can people reach out to you if you want them to reach out to you at all?

Daniel Stenberg 23:56

Oh, sure. Absolutely. Well, you find me at, I'm on Twitter as @bagder, like a typo of an animal. And, well, you can always find me, or if you have any sort of curl issues, you can just go to get help on the curl site and find different ways to contact us in the curl project. And usually, I try to get people to not contact me privately about curl issues unless you really want to pay me for working on them. Because otherwise I drown in people's personal problems. And I don't want to, I also have that problem, I don't want to be insensitive or rude to people. But when everyone sends me their private problems, it turns out that really it's a scaling problem for me. I would say yeah, it is, and also this problem, right: if everyone emails me about the same issue, I can't go on just repeating myself saying the same thing. So I rather try to move people to actually Google for the answers first, and if you don't find them, ask in a public way so that others can answer them, or I can answer them, but more people than just you can read that answer. You know, we have thousands of people on the mailing list, for example. So when I answer a question, a lot of other people can get that same answer at the same time. But otherwise, of course, you can contact me privately too if there's anything like that, and you can find me at daniel.haxx.se for all my personal stuff.

Shiva Maharaj Kontinuum 25:27

Sounds good. Thank you again, Daniel Stenberg, creator and maintainer of curl, for joining us. See you guys next time. Thank you.

Transcribed by https://otter.ai