Verify if lines are not longer than 192 characters. Also verify if lines
have less than 79 repeat spaces (and fix one fallout).
To improve readability by avoiding long lines and to prevent adding
overly long lines with text that may go unnoticed in an editor or diff
viewer.
In addition to pre-existing line length limits: 79 for C, 132 for CMake
sources.
Also:
- spacecheck: fix/harden allowlist regexes.
- spacecheck: tidy-up quotes and simplify escaping.
- spacecheck: allow folding strings with repeat spaces.
- GHA: fix a suppressed shellcheck warning.
- GHA/macos: simplify by dropping brew bundle.
- test1119.pl: precompile a regex.
- FAQ.md: delete very long link to a Windows 7/2008 support article
that's lost it relevance.
Closes#21087
To avoid potential warning with autotools when using `CFLAGS`. Existing
jobs are not affected.
Also:
- drop a redundant `export`.
- ensure not to overwrite per-job options with UWP ones.
Closes#20857
- update action `actions/cache` from 5.0.1 to 5.0.3
- update action `github/codeql-action` from 4.31.9 to 4.32.4
- update pip `filelock` from 3.20.3 to 3.24.3
- update pip `ruff` from 0.14.14 to 0.15.2
Closes#20782Closes#20783
Adds 50 seconds to the 5m long build step. Also more prerequisites to
install, with no apparent effect on step time.
Follow-up to 9b52d516bb#20732Closes#20775
Tests are build in "unity"-style, by including sources into an umbrella
C files (similar to how CMake unity works). This does not play well with
clang-tidy, which seems to unconditionally ignore C sources included
like this. To fix it, curl's CMake implements a manual clang-tidy
support for tests, which compiles sources one-by-one, while also making
sure sources compile cleanly standalone (e.g. all sources need to
include `first.h`). The manual clang-tidy implementation is fragile, and
performance, in particular when targeting Windows, is abysmal.
This patch introduces an alternate solution, enabled by the
`_CURL_TESTS_CONCAT=ON` option. In this mode, umbrella sources include
the actual sources instead of `#including` them. Allowing to use CMake's
built-in clang-tidy support to compile them, with clang-tidy actually
checking the sources. Making the manual clang-tidy support unnecessary.
In the Windows CI job it results in a 4x performance improvement (4m ->
1m), making it practical to run clang-tidy on tests on Windows, in CI.
The main downside is that clang-tidy doesn't understand the `#line`
directive. Meaning issues found show the wrong filename and line number
next to them. It's not impossible to locate errors this way, but also
not convenient.
Minor/potential downside is that the concatenated source needs to be
reassembled each time an original source is updated. This may result in
more copying on the disk when used in local development. The largest
source is 1.4MB, so probably not a show-stopper on most machines.
Another is the complexity of maintaining two methods in parallel, which
may be necessary till clang-tidy understands `#line`:
https://github.com/llvm/llvm-project/issues/62405
This solution may in theory also enable adding clang-tidy support for
tests in autotools, though I haven't tried.
Targeted for curl CI for now, and used in a GHA/windows job. 100%
experimental, not recommended outside these.
Closes#20667
Previous tag v6 changed upstream and points to a different commit. This
made zizmor unhappy. Previous commit is now tagged v6.0 in case we need
it.
Closes#20591
Upgrade a GHA/windows job to VS2026 (from VS2022), using a runner image
released a week ago. It also comes with the same Windows SDK as VS2022:
v10.0.26100.0.
The runner image uses Windows 2025 unfortunately, which makes the job
run significantly slower than before this patch:
- configure: 49s -> 1m10s
- build: 3s -> 5s
- install test prereqs: 23s -> 27s
- run tests: 3m18s -> 4m11s
- build examples: 15s -> 25s
It's a shame.
Also:
- cmake: enable picky warnings for VS2026 internal version 19.50.
Build is clean with existing options.
- GHA/windows: make the built-in OpenSSH intall path recognize
the windows-2025-vs2026 image as windows-2025.
- windows-2025-vs2026 is able to load the cached stunnel made on
the windows-2022 runner.
- disk use of the build is almost identical to VS2022.
Before: https://github.com/curl/curl/actions/runs/21955482367/job/63418133880
After: https://github.com/curl/curl/actions/runs/21957589847/job/63426546943
Ref: 71f0157880/images/windows/Windows2025-VS2026-Readme.md
Ref: #20575Closes#20577
- update `actions/checkout` from 6.0.1 to 6.0.2
- update `ruff` from 0.14.11 to 0.14.14
- update `cryptography` from 46.0.3 to 46.0.4
- update `psutil` from 7.2.1 to 7.2.2
- update `websockets` from 15.0.1 to 16.0
Closes#20490Closes#20491
It has been happening for a long time.
Example:
```
test 3001...[HTTPS localhost, last subject alt name matches, CN does not match]
3001: protocol FAILED!
There was no content at all in the file log/7/server.input.
Server glitch? Total curl failure? Returned: 56
== Contents of files in the log/7/ directory after test 3001
=== Start of file commands.log
../src/curl.exe -q --output log/7/curl3001.out --include --trace-ascii log/7/trace3001 --trace-time -4 --cacert ./certs/test-ca.crt https://localhost:64259/3001 > log/7/stdout3001 2> log/7/stderr3001
=== End of file commands.log
=== Start of file http_server.log
13:57:47.951283 Running HTTP IPv4 version on port 64256
=== End of file http_server.log
=== Start of file https_stunnel.log
2026.01.28 13:57:48 LOG5[ui]: stunnel 5.76 on x64-pc-mingw32-gnu platform
2026.01.28 13:57:48 LOG5[ui]: Compiled/running with OpenSSL 3.5.4 30 Sep 2025
[...]
2026.01.28 13:57:49 LOG5[0]: Service [curltest] accepted connection from 127.0.0.1:64281
2026.01.28 13:57:51 LOG3[0]: s_connect: connect 127.0.0.1:64256: Connection refused (WSAECONNREFUSED) (10061)
2026.01.28 13:57:51 LOG3[0]: No more addresses to connect
2026.01.28 13:57:51 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
=== End of file https_stunnel.log
=== Start of file server.cmd
Testnum 3001
=== End of file server.cmd
=== Start of file stderr3001
curl: (56) Recv failure: Connection was reset
=== End of file stderr3001
[...]
RUN: Unknown server on our https port: 64259 (56)
```
Ref: https://github.com/curl/curl/actions/runs/21440845836/job/61743268798?pr=20461Closes#20462
A cache entry created by windows-2022 is not picked up by
windows-11-arm. Also a cache created by windows-11-arm is not picked up
by windows-2022. Possibly related to this filed in 2025 June:
https://github.com/actions/cache/issues/1622. Also tried
`enableCrossOsArchive` to no avail. Unclear if these two runners count
as distinct operating systems, I'd guess not. Cache entries are
identical on the web UI. Via GH API they show up with the same cache key
bot different "version" (hash) and different sizes, possibly due to the
zstd vs. gzip bug above.
Fixing (identical error text on either runner):
```
Error: Failed to restore cache entry. Exiting as fail-on-cache-miss is set. Input key: Windows-stunnel-5.76-amd64
```
Also fix a silly typo in the shell value.
Follow-up to 0f54ca6150#20454Closes#20456
Replace Chocolatey install with direct download and unpack. To reduce
CI dependencies (Chocolatey, NuGet), improve install performance
(10s -> 1s) and hopefully reliability. Last but not least to enable it
for the Cygwin CI job.
Caveats:
- Need to bump stunnel versions manually (2-3 times a year).
Renovate could likely do it, but I failed to understand its
documentation and miss tooling/interface to make tests.
- FIPS not enabled. (can be done if necessary)
- Possibly losing checksum verification (not sure if Chocolatey did it
automatically for this package.)
Also:
- Increase minimum tests by 100 for the Cygwin job.
Ref: #16819 (earlier attempt)
Ref: https://www.stunnel.org/archive/
Ref: https://www.githubstatus.com/incidents/cqb5hcy0gx18
Follow-up to d176f58a20#20413
Follow-up to 19b1e44660#20409Closes#20410
To enable known linker options dropping unused, dead, code and data from
the executables built.
Useful to reduce binary sizes for curl, libcurl shared lib and apps
linking static libcurl. It's effective on both "unity" and non-unity
builds. Aligning "unity" build sizes with default, non-unity ones.
Supported platforms: Apple, MSVC, llvm/clang and GCC on all tested
platforms: Linux, BSDs, Windows, MSYS2/Cygwin, Android, MS-DOS.
Notes:
- Static libraries grow 20-30% with non-Apple toolchains.
This effect is controlled by separate, optional compiler flags on
non-Apple. This patch enables them automatically for public binaries
(libcurl and curl tool), and leaves them off for internal/test ones.
- MSVC enables this option by default for 'Release' configurations.
The curl build option has no effect on it.
- Observed effect on VS2010 is negligible. VS2012+ is recommended.
- Works with LTO, Fil-C.
- No observed/conclusive effect on build speed.
- On Windows with clang/gcc (mingw-w64/MSYS2/Cygwin) it also enables
`-fno-asynchronous-unwind-tables` as a workaround to make
the toolchain options actually work.
Ref: https://sourceware.org/bugzilla/show_bug.cgi?id=11539
Thanks-to: Andarwinux
Also:
- GHA: enable in Linux and MinGW jobs to test it. Size changes:
- linux aws-lc H3:
curl: 2000000 -> 1937152, libcurl.a: 2065724 -> 2716532 bytes
- macos clang HTTP-only:
curl: 1364376 -> 128799 bytes, libcurl.a: unchanged
- macos llvm MultiSSL:
curl: 410056 -> 405720, libcurl.dylib: 1350336 -> 1348480 bytes
- mingw schannel c-ares U:
curl: 1588736 -> 1507328, libcurl-d.a: 3322040 -> 3884746 bytes
bld: 34 -> 35MB
- GHA: enable in MSVC and Apple jobs to reduce disk footprint, with no
obvious downside. Size changes:
- AppVeyor CI VS2019:
curl: 2339840 -> 1295872, libcurl-d.dll: 3155968 -> 1900544 bytes
bld: 161 -> 97MB
- AppVeyor CI VS2022 clang-cl:
curl: 2933248 -> 2332160, libcurl-d.lib: 4762688 -> 5511330 bytes
bld: 133 -> 121MB
- AppVeyor CI VS2022 HTTP-only:
curl: 3514368 -> 2177024, libcurl-d.lib: 2538420 -> 3151740 bytes
bld: 137 -> 83MB
- GHA intel:
curl: 2629120 -> 2023424, libcurl-d.lib: 4366652 -> 5350670 bytes
bld: 86 -> 69MB
- GHA arm64:
curl: 2832896 -> 2063872, libcurl-d.lib: 4690616 -> 5597250 bytes
bld: 82 -> 66MB
Refs:
https://maskray.me/blog/2021-02-28-linker-garbage-collectionhttps://web.archive.org/web/20110811230637/msdn.microsoft.com/en-us/library/bxwfs976.aspx (VS2010)
https://learn.microsoft.com/cpp/build/reference/opt-optimizationshttps://learn.microsoft.com/cpp/build/reference/gy-enable-function-level-linkingCloses#20357
Unstripped size hides effective binary sizes due to the added debug
information. E.g. `--gc-sections` may inflate unstripped binaries, while
their unstripped size decreases. To see if binary size optimization
options work, it's more useful to observe unstripped size.
Ref: #20357
Follow-up to 4cf43508e8#20355Closes#20359
- schannel: fix mixed-up declaration. (originally fenced infof for
verbose, then changed to failf with the fence kept, then fence
removed and variable marked as verbose, when in fact it's not, but
not tested and caught in CI.
- fix two other fallouts.
- GHA/windows: disable verbose strings in a mingw job.
- appveyor: disable verbose strings in an MSVC job.
- appveyor: add way to pass any CMake option per-job.
Cherry-picked from #20387
Follow-up to 61093e2a81#20353Closes#20388
Drop separate `TrackMemory` (aka `CURLDEBUG`) debug feature.
After recent changes (thread-safety,
193cb00ce9, and updates leading up to
it), `TrackMemory` is unlikely to cause build or runtime issues.
To simplify builds and debug options, enable `TrackMemory`
unconditionally for debug-enabled (aka `DEBUGBUILD`) builds. Before
this patch, this was already the default, with an option to disable
it, or enable it in non-debug-enabled builds.
Note, in practice these two debug options already went hand in hand. It
was not possible to toggle them separately for a long time due to bugs,
before 59dc9f7e69 (2024-05-28) fixed it.
This patch also removes/deprecates separate knobs and feature flags for
`TrackMemory`:
- autotools: `--enable-curldebug`/`--disable-curldebug`
- cmake: `-DENABLE_CURLDEBUG=ON`/`OFF`
- C macro: `CURLDEBUG`
- libcurl: `CURL_VERSION_CURLDEBUG` symbol deprecated in favor
of `CURL_VERSION_DEBUG`. They always return the same value after this
patch.
Also:
- drop `TrackMemory` from `curl -V` output.
- rename internal `CURLDEBUG` macro to `CURL_MEMDEBUG` internally.
To avoid confusion with `DEBUGBUILD`, but to keep guarding
`TrackMemory`-related internals for readability.
- runtests: bind `TrackMemory` to debug feature. Keep it a separate
test feature requirement, for clarity.
- CI: drop test builds for combinations of the two options.
- GHA/linux: no longer disable TrackMemory in the TSAN job.
Ref: https://github.com/curl/curl/pull/20328#issuecomment-3754528407Closes#20331
- It is slower and uses more memory than the alternatives and is only
experimental in curl.
- We disable a few tests for OpenSSL-QUIC because of flakiness
- It gets little attention from OpenSSL and we have no expectation of the
major flaws getting corrected anytime soon.
- No one has spoken up for keeping it
- curl users building with vanilla OpenSSL can still use QUIC through the
means of ngtcp2
Closes#20226
With the same semantics as Apple SecTrust, in both libcurl and the curl
tool, when using non-Schannel TLS backends. In practice it means that
it makes TLS work without manually or implicitly configuring a CA bundle
`.crt` file, such as `curl-ca-bundle.crt`.
To enable:
- autotools: `--enable-ca-native`
- cmake: `-DCURL_CA_NATIVE=ON`
- CPPFLAGS: `-DCURL_CA_NATIVE`
When enabled:
- enables `CURLSSLOPT_NATIVE_CA` (libcurl) / `--ca-native`
and `--proxy-ca-native` (curl tool) options by default.
- unsafe search for an on-disk CA bundle gets disabled by default.
Equivalent to `--disable-ca-search` with autotools,
`-DCURL_DISABLE_CA_SEARCH=ON` with CMake.
- build-time detection of CA bundle and CA path gets disabled. As with
Apple SecTrust. This was already the default for Windows.
- native CA can be disabled at run-time with the `--no-ca-native`
and/or `--no-proxy-ca-native` command-line options.
Rationale: This build option:
- has a repeat and active interest from packagers and users.
- helps integrating curl with Windows for those who need this.
- it also applies to macOS: #17525
Shipped in curl 8.17.0.
- makes it trivial to use custom certs configured on the OS.
- frees applications/packagers/users from the task of securely
distributing, and keeping up-to-date, a CA bundle.
- frees potentially many curl tool from configuring a CA bundle manually
to access HTTPS (and other TLS) URLs. This is traditionally difficult
on Windows because there is no concept of a universal, protected,
non-world-writable, location on the file system to securely store
a CA bundle.
- allows using modern features regardless of Windows version. Some of
these features are not supported with Schannel (e.g. HTTP/3, ECH) on
any Windows version.
- is necessary for HTTP/3 builds, where bootstrapping a CA bundle is not
possible with Schannel, because MultiSSL is not an option, and HTTP/3
is not supported with Schannel.
Ref: #16181 (previous attempt)
Ref: https://github.com/curl/curl/discussions/9348
Ref: https://github.com/curl/curl/issues/9350
Ref: https://github.com/curl/curl/pull/13111
Ref: https://github.com/microsoft/vcpkg/pull/46459#issuecomment-3162068701
Ref: 22652a5a4c#14582
Ref: eefd03c572#18703Closes#18279
After this patch curl requires targeting Vista or newer, and a toolchain
with Vista support.
Supported MSVC compilers (VS2010+) all support Vista:
- VS2012+ target Win8 (or later) by default.
- VS2010 targets Win7 by default.
Supported mingw-w64 versions (v3+) all support Vista:
- mingw-w64 v9+ target Win10 by default.
- mingw-w64 v8 and older target Server 2003 (~XP) by default.
After this patch it may be necessary to override the default Windows
target version to Vista (or newer) via:
autotools: `CPPFLAGS=-D_WIN32_WINNT=0x0600`
cmake: `-DCURL_TARGET_WINDOWS_VERSION=0x0600`
- mingw-w64 v6+ allow changing the default at toolchain build-time.
Notes:
- For non-MSVC, non-mingw-w64 toolchains, `if_nametoindex` needs to be
allowlisted in `curl_setup.h`, if they do support it.
Fixes#17985 (discussion)
Closes#18009
- MSYS2/Cygwin bash shells are now tagged "misfeature".
It is not something we can fix. We need these shells, and using
documented/necessary settings to use these environments should be
allowed without workarounds.
- untagged actions within curl's own organization are now also flagged
as "action is not pinned to a hash (required by blanket policy)". This
seems overkill. Making internal releases would not be helpful or
practical. Also considering that the referred internal action uses an
unpinned external action anyway (google/oss-fuzz/infra/cifuzz), with
near-zero chance to fix.
Ref: https://github.com/zizmorcore/zizmor/pull/1517#issuecomment-3759740853Closes#20339
To simplify the directory layout.
- OS400 and vms support move from `packages` to `projects`.
- Windows README and `generate.bat` files move from `projects`
to `projects/Windows`.
Closes#20271
From 15 to 10 minutes.
To reduce the idle wait for hung jobs from 20 to 15 minutes (hopefully),
so that the failed just can be restarted manually eariler. It appears
that GitHub Actions notices a hung job 5 minutes past the workflow
timeout (reason undiscovered).
Also: Leave extra time for torture and arm64 jobs.
Closes#20170
To avoid building libcurl in both static and shared flavor by default.
It results in 1.5-2.x speed-up for the curl build step in most jobs.
Saving a total of 6-7 minutes. In the Cygwin job alone it saves 1-1.5m.
Also:
- enable static + shared in a Windows job to keep testing this combo.
Follow-up to ff958fc4b2#20159Closes#20167
To make CI turnaround time shorter, by cutting the longest running jobs.
After this patch all jobs should finish around 10-11 minutes. Down from
15-16 minutes before this patch.
Suggested-by: Stefan Eissing
The fuzzing workflow is now the slowest (with a 7-minute startup time
needed to build deps from source on each run), followed by macOS
and Windows torture tests (both split in two now). Without fuzzing, it's
under 10 minutes.
Notes:
- an extra cost with job-pairs is installing prereqs,
configuring/building curl and tests twice. GitHub doesn't support
making a matrix job a prereq for another workflow that may fix this:
https://github.com/orgs/community/discussions/42335
This overhead is significant on Windows: 11m20 -> 9m20 + 8m40
- job-pairs are annoying to maintain and keep in sync.
- splitting tests into halves is a manual process and needs to be
revisited from time to time. Possibly something to automate with
a runtests option, e.g. with `1 of 50%` and `2 of 50%`?
Also:
- split torture tests in two equal pieces, replacing the `FTP` + `!FTP`
split used earlier.
Related perf improvements from today:
- make scan-build 2x fast:
ff958fc4b2#20159
- drop build-only Testi386 fuzz workflow (from curl), saving 9m per run:
0106023c1fhttps://github.com/curl/curl-fuzzer/pull/236Closes#20153
- lib: delete two unused `<sys/un.h>` includes.
- lib: drop interim macro `WIN32_SOCKADDR_UN`.
Follow-up to 0fe9018e1a#7737
Also fixing a potential issue of leaving unix socket support disabled
if any header would include Windows' `afunix.h`, and define
`UNIX_PATH_MAX` on its own.
- connect: honor unix socket disable option.
- connect: simplify unix socket PP condition.
`USE_UNIX_SOCKETS` already means the necessary header/type are
available, guaranteed by configure. `AF_UNIX` is already used
elsewhere in the code without explicit checks.
- curl_setup.h: document availability of `afunix.h` on Windows more.
It requires mingw-w64 10+ or MS SDK 10.17763.0 VS2017 15.8+.
- curl_setup.h: use `afunix.h` with mingw-w64 v10+ to start avoiding
the local workaround if possible.
- GHA/windows: test disable unix socket option on Windows.
Ref: https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/Closes#19989
To detect mistakes made in the runtests framework that reduce
the number of test runs. Before this patch it could go undetected with
a green CI.
The minimum thresholds will need light maintenance going forward (either
bumping them periodically, or adjust if some may fell below minimums for
justified reasons). We may also make minimums tighter or looser, or more
job-specific.
Latest number of test runs for each job can be seen at Test Clutch:
https://testclutch.curl.se/static/reports/feature-matrix.html
Also:
- GHA: set minimums.
Assisted-by: Dan Fandrich
Follow-up to f2a75a14dd
Follow-up to bb1391f943#19510Closes#19942
Nothing conclusive for the last ~30 days when `taskkill` was made
a no-op. Jobs remained flaky with all known failure modes. Sometimes
they finish green on the first run, sometimes they fail. Hard to say
more without comparing detailed stats for this period and the
preceding (or upcoming) one.
In almost all runs, the PID to be killed did not exist at the time of
check.
Follow-up to 2701ac6a4d#19421Closes#19897
With Schannel and Unicode, `-shallow=13`. It finishes in 12 minutes,
making it the slowest Windows job. It's still on par with torture jobs
on other platforms (though they manage to fit `-shallow=25`).
Also `-shallow=13` still caught leaks in multiple tests.
Also:
- test2300: exclude from CI Windows torture tests.
- experimental.
The downside of going with deeper torture tests, is that it requires
increasing the job timeout. This in turns means that a hung job takes
more minutes to be killed (due to GitHub bugs where a hung step does not
honor the per-step timeout on Windows, another bug where a hung job gets
killed +5 minutes above the workflow timeout, and another bug (or
feature?) where other failed/hung jobs in the the workflow cannot be
restarted till the last job finishes or gets killed. And all this
probably related to a Perl bug which makes it hang on fork errors, which
is turn related to Cygwin/MSYS2 runtime bugs which breaks fork in case
of curl's mixed MSYS2-Perl/native-curl-binaries environment.)
The end result in longer forced waits before being able to restart flaky
jobs, which slows down iterations and annoying.
Also tried:
- non-c-ares job: detected known issues much less often.
- replaced libidn2 with WinIDN: detected known issues much less often.
- runtests -j9-j20 values: did not make a difference.
- other `-shallow` values: 20 is the max feasible, but comes with the
downside described above.
Ref: #19675 (reboot of)
Follow-up to f08417c425#19863Closes#19865
