                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

BUGS

 1. Bugs
  1.1 There are still bugs
  1.2 Where to report
  1.3 Security bugs
  1.4 What to report
  1.5 libcurl problems
  1.6 Who will fix the problems
  1.7 How to get a stack trace
  1.8 Bugs in libcurl bindings
  1.9 Bugs in old versions

 2. Bug fixing procedure
  2.1 What happens on first filing
  2.2 First response
  2.3 Not reproducible
  2.4 Unresponsive
  2.5 Lack of time/interest
  2.6 KNOWN_BUGS
  2.7 TODO
  2.8 Closing off stalled bugs

==============================================================================

1.1 There are still bugs

  Curl and libcurl keep being developed. Adding features and changing code
  means that bugs will sneak in, no matter how hard we try not to.

  Of course there are lots of bugs left. And lots of misfeatures.

  To help us make curl the stable and solid product we want it to be, we need
  bug reports and bug fixes.

1.2 Where to report

  If you can't fix a bug yourself and submit a fix for it, try to send as
  detailed a report as possible to a curl mailing list to allow one of us to
  have a go at a solution. You can optionally also post your bug/problem at
  curl's bug tracking system over at

        https://github.com/curl/curl/issues

  Please read the rest of this document below first before doing that!

  If you feel you need to ask around first, find a suitable mailing list and
  post there. The lists are available on https://curl.haxx.se/mail/

1.3 Security bugs

  If you find a bug or problem in curl or libcurl that you think has a
  security impact, for example a bug that can put users in danger or make them
  vulnerable if the bug becomes public knowledge, then please report that bug
  using our security development process.

  Security related bugs, or bugs that are suspected to have a security impact,
  should be reported by email to curl-security@haxx.se so that they can first
  be dealt with away from the public, to minimize the harm and impact they will
  have on existing users out there who might be using the vulnerable versions.

  The curl project's process for handling security related issues is
  documented here:

        https://curl.haxx.se/dev/secprocess.html

1.4 What to report

  When reporting a bug, you should include all information that will help us
  understand what's wrong, what you expected to happen and how to repeat the
  bad behavior. You therefore need to tell us:

   - your operating system's name and version number

   - what version of curl you're using (curl -V is fine)

   - versions of the used libraries that libcurl is built to use

   - what URL you were working with (if possible), at least which protocol

  and anything and everything else you think matters. Tell us what you
  expected to happen, tell us what did happen, tell us how you could make it
  work another way. Dig around, try out, test. Then include all the tiny bits
  and pieces in your report. You will benefit from this yourself, as it will
  enable us to help you quicker and more accurately.

  Since curl deals with networks, it often helps us if you include a protocol
  debug dump with your bug report, that is, the output you get by using the
  -v or --trace options.

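  Added example (not part of the curl project's text): verbose output shows
  request and response headers in full, so a dump posted to a public list or
  tracker can carry credentials. This filter masks the header values and URL
  userinfo most likely to hold them; the function names and the sample output
  are constructed for illustration.

```shell
#!/bin/sh
# Added example, not curl project code. Masks likely secrets in `curl -v`
# output before it goes into a public bug report.

# Constructed sample of `curl -v` output (not from a real transfer).
sample_verbose() {
    cat <<'EOF'
*   Trying 192.0.2.10:443...
> GET /api/items HTTP/1.1
> Host: example.test
> Authorization: Bearer CONSTRUCTED-TOKEN-123
> Cookie: session=CONSTRUCTED-COOKIE
> Accept: */*
>
< HTTP/1.1 302 Found
< set-cookie: session=CONSTRUCTED-NEW; Path=/
< Location: https://alice:CONSTRUCTED-PW@example.test/next
EOF
}

# redact_verbose: filter stdin to stdout. Header names are compared
# case-insensitively because HTTP/2 responses show them in lower case.
redact_verbose() {
    awk '
    /^[<>] / {
        name = tolower($2)
        if (name == "authorization:" || name == "proxy-authorization:" ||
            name == "cookie:" || name == "set-cookie:") {
            print $1, $2, "[REDACTED]"
            next
        }
    }
    { print }
    ' | sed -E 's#(://)[^/@ ]+@#\1[REDACTED]@#g'
}

# Stand-alone demo on the constructed sample; for a real report, pipe the
# saved dump through the filter instead: redact_verbose < dump.txt
sample_verbose | redact_verbose
```

  The filter covers -v output only; --trace dumps use a different layout and
  need to be reviewed by hand.
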
  If curl crashed, causing a core dump (in unix), there is hardly any use in
  sending that huge file to any of us. Unless we have the exact same system
  setup as you, we can't do much with it. Instead we ask you to get a stack
  trace and send that (much smaller) output to us!

  The address and how to subscribe to the mailing lists are detailed in the
  MANUAL file.

1.5 libcurl problems

  When you've written your own application with libcurl to perform transfers,
  it is even more important to be specific and detailed when reporting bugs.

  Tell us the libcurl version and your operating system. Tell us the name and
  version of all relevant sub-components, for example the SSL library you're
  using and what name resolving your libcurl uses. If you use SFTP or SCP,
  the libssh2 version is relevant etc.

  Showing us a real source code example repeating your problem is the best way
  to get our attention and it will greatly increase our chances to understand
  your problem and to work on a fix (if we agree it truly is a problem).

  Lots of problems that appear to be libcurl problems are actually just abuses
  of the libcurl API or other malfunctions in your applications. It is advised
  that you run your problematic program using a memory debug tool like
  valgrind or similar before you post memory-related or "crashing" problems to
  us.

1.6 Who will fix the problems

  If the problems or bugs you describe are considered to be bugs, we want to
  have the problems fixed.

  There are no developers in the curl project that are paid to work on bugs.
  All developers that take on reported bugs do this on a voluntary basis. We
  do it out of an ambition to keep curl and libcurl excellent products and out
  of pride.

  But please do not assume that you can just hand something over to us and it
  will then magically be fixed after some given time. Most often we need
  feedback and help to understand what you've experienced and how to repeat a
  problem. Then we may only be able to assist YOU to debug the problem and to
  track down the proper fix.

  We get reports from many people every month and each report can take a
  considerable amount of time to really get to the bottom of.

1.7 How to get a stack trace

  First, you must make sure that you compile all sources with -g and that you
  don't 'strip' the final executable. Try to avoid optimizing the code as
  well, remove -O, -O2 etc from the compiler options.

  Run the program until it cores.

  Run your debugger on the core file, like '<debugger> curl core'. <debugger>
  should be replaced with the name of your debugger, in most cases that will
  be 'gdb', but 'dbx' and others also occur.

  When the debugger has finished loading the core file and presents you a
  prompt, enter 'where' (without the quotes) and press return.

  The list that is presented is the stack trace. If everything worked, it is
  supposed to contain the chain of functions that were called when curl
  crashed. Include the stack trace with your detailed bug report. It'll help a
  lot.

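  Added example (not part of the curl project's text): the debugger steps
  above, run non-interactively so the trace lands in a file you can attach. It
  assumes gdb and a POSIX shell; collect_trace and the default output file name
  are made up for this example.

```shell
#!/bin/sh
# Added example, not curl project code. The build and run steps stay as
# comments because they depend on your tree and on reproducing the crash:
#   CFLAGS="-g -O0" ./configure && make   # debug symbols, no optimization
#   ulimit -c unlimited                   # let the shell write core files
#   <run your unstripped curl until it cores>

# collect_trace BINARY CORE [OUTFILE]
# Runs the debugger's 'where' command in batch mode and saves the output.
# Returns 0 on success, 1 if gdb fails, 2 if BINARY or CORE is missing,
# 3 if gdb is not installed.
collect_trace() {
    ct_bin=$1
    ct_core=$2
    ct_out=${3:-stacktrace.txt}

    if [ ! -f "$ct_bin" ] || [ ! -f "$ct_core" ]; then
        echo "collect_trace: need an existing binary and core file" >&2
        return 2
    fi
    if ! command -v gdb >/dev/null 2>&1; then
        echo "collect_trace: gdb not found; use your platform's debugger" >&2
        return 3
    fi

    # -batch exits after the -ex commands; 'where' is what section 1.7
    # tells you to type at the debugger prompt.
    gdb -batch -ex where "$ct_bin" "$ct_core" >"$ct_out" 2>&1 || return 1

    # gdb says so when the -g / no-strip step was skipped; such a trace
    # has few or no function names and is of little use in a report.
    if grep -qi 'no debugging symbols found' "$ct_out"; then
        echo "collect_trace: no symbols; rebuild with -g, unstripped" >&2
    fi
    echo "stack trace written to $ct_out"
}

# Usage: collect_trace ./curl ./core trace.txt
```
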
1.8 Bugs in libcurl bindings

  Bugs will of course pop up in libcurl bindings. You should then primarily
  approach the team that works on that particular binding and see what you
  can do to help them fix the problem.

  If you suspect that the problem exists in the underlying libcurl, then
  please convert your program over to plain C and follow the steps outlined
  above.

1.9 Bugs in old versions

  The curl project typically releases new versions every other month, and we
  fix several hundred bugs per year. For a huge table of releases, number of
  bug fixes and more, see: https://curl.haxx.se/docs/releases.html

  The developers in the curl project do not have bandwidth or energy enough to
  maintain several branches or to spend much time on hunting down problems in
  old versions when chances are we already fixed them or at least that they've
  changed nature and appearance in later versions.

  When you experience a problem and want to report it, you really SHOULD
  include the version number of the curl you're using when you experience the
  issue. If that version number shows us that you're using an out-of-date
  curl, you should also try out a modern curl version to see if the problem
  persists or how/if it has changed in appearance.

  Even if you cannot immediately upgrade your application/system to run the
  latest curl version, you can most often at least run a test version or
  experimental build or similar, to get this confirmed or not.

  At times people insist that they cannot upgrade to a modern curl version,
  but instead they "just want the bug fixed". That's fine, just don't count on
  us spending many cycles on trying to identify which single commit, if that's
  even possible, that at some point in the past fixed the problem you're now
  experiencing.

  Security wise, it is almost always a bad idea to lag behind the current curl
  versions by a lot. We keep discovering and reporting security problems
  over time, as you can see in this table:
  https://curl.haxx.se/docs/vulnerabilities.html

2. Bug fixing procedure

2.1 What happens on first filing

  When a new issue is posted in the issue tracker or on the mailing list, the
  team of developers first needs to see the report. Maybe they took the day
  off, maybe they're off in the woods hunting. Have patience. Allow at least a
  few days before expecting someone to have responded.

  In the issue tracker you can expect that some labels will be set on the
  issue to help categorize it.

2.2 First response

  If your issue/bug report wasn't perfect at once (and few are), chances are
  that someone will ask follow-up questions. Which version did you use? Which
  options did you use? How often does the problem occur? How can we reproduce
  this problem? Which protocols does it involve? Or perhaps much more specific
  and deep diving questions. It all depends on your specific issue.

  You should then respond to these follow-up questions and provide more info
  about the problem, so that we can help you figure it out. Or maybe you can
  help us figure it out. An active back-and-forth communication is important
  and the key for finding a cure and landing a fix.

2.3 Not reproducible

  Problems that we can't reproduce and can't understand, even after having
  gotten all the info we need and having studied the source code over again,
  are really hard to solve, so we may then require further work from you who
  actually see or experience the problem.

2.4 Unresponsive

  If the problem hasn't been understood or reproduced, and there's nobody
  responding to follow-up questions or questions asking for clarifications or
  for discussing possible ways to move forward with the task, we take that as
  a strong suggestion that the bug is not important.

  Unimportant issues will be closed as inactive sooner or later as they can't
  be fixed. The inactivity period (waiting for responses) should not be
  shorter than two weeks but may extend to months.

2.5 Lack of time/interest

  Bugs that are filed and are understood can unfortunately end up in the
  "nobody cares enough about it to work on it" category. Such bugs are
  perfectly valid problems that *should* get fixed but apparently aren't. We
  try to mark such bugs as "KNOWN_BUGS material" after a time of inactivity
  and if no activity is noticed after yet some time those bugs are added to
  KNOWN_BUGS and are closed in the issue tracker.

2.6 KNOWN_BUGS

  This is a list of known bugs. Bugs we know exist and that have been pointed
  out but that haven't yet been fixed. The reasons for why they haven't been
  fixed can involve anything really, but the primary reason is that nobody has
  considered these problems to be important enough to spend the necessary time
  and effort to have them fixed.

  The KNOWN_BUGS are always up for grabs and we will always love the ones who
  bring one of them back to life and offer solutions to them.

  The KNOWN_BUGS document has a sibling document known as TODO.

2.7 TODO

  Issues that are filed or reported that aren't really bugs but more missing
  features or ideas for future improvements and so on are marked as
  'enhancement' or 'feature-request' and will be added to the TODO document
  instead and the issue is closed. We don't keep TODO items in the issue
  tracker.

  The TODO document is full of ideas and suggestions of what we can add or fix
  one day. You're always encouraged and free to grab one of those items and
  take up a discussion with the curl development team on how that could be
  implemented or provided in the project so that you can work on ticking it
  off that document.

  If the issue is rather a bug and not a missing feature or functionality, it
  is listed in KNOWN_BUGS instead.

2.8 Closing off stalled bugs

  The issue and pull request trackers on https://github.com/curl/curl will
  only hold "active" entries (using a non-precise definition of what active
  actually is, but they're at least not completely dead). Those that are
  abandoned or in other ways dormant will be closed and sometimes added to
  TODO and KNOWN_BUGS instead.

  This way, we only have "active" issues open on github. Irrelevant issues and
  pull requests will not distract developers or casual visitors.