                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

BUGS

 1. Bugs
  1.1 There are still bugs
  1.2 Where to report
  1.3 Security bugs
  1.4 What to report
  1.5 libcurl problems
  1.6 Who will fix the problems
  1.7 How to get a stack trace
  1.8 Bugs in libcurl bindings
  1.9 Bugs in old versions

 2. Bug fixing procedure
  2.1 What happens on first filing
  2.2 First response
  2.3 Not reproducible
  2.4 Unresponsive
  2.5 Lack of time/interest
  2.6 KNOWN_BUGS
  2.7 TODO
  2.8 Closing off stalled bugs

==============================================================================

1.1 There are still bugs

  Curl and libcurl keep being developed. Adding features and changing code
  means that bugs will sneak in, no matter how hard we try not to.

  Of course there are lots of bugs left. And lots of misfeatures.

  To help us make curl the stable and solid product we want it to be, we need
  bug reports and bug fixes.

1.2 Where to report

  If you can't fix a bug yourself and submit a fix for it, try to send as
  detailed a report as possible to a curl mailing list to allow one of us to
  have a go at a solution. You can optionally also post your bug/problem at
  curl's bug tracking system over at

        https://github.com/curl/curl/issues

  Please read the rest of this document below first before doing that!

  If you feel you need to ask around first, find a suitable mailing list and
  post there. The lists are available on https://curl.haxx.se/mail/

1.3 Security bugs

  If you find a bug or problem in curl or libcurl that you think has a
  security impact, for example a bug that can put users in danger or make them
  vulnerable if the bug becomes public knowledge, then please report that bug
  using our security development process.

  Security related bugs or bugs that are suspected to have a security impact
  should be reported on the curl security tracker at HackerOne:

        https://hackerone.com/curl

  This ensures that the report reaches the curl security team so that they
  can first deal with the report away from the public to minimize the harm
  and impact it will have on existing users out there who might be using the
  vulnerable versions.

  The curl project's process for handling security related issues is
  documented here:

        https://curl.haxx.se/dev/secprocess.html

1.4 What to report

  When reporting a bug, you should include all information that will help us
  understand what's wrong, what you expected to happen and how to repeat the
  bad behavior. You therefore need to tell us:

   - your operating system's name and version number

   - what version of curl you're using (curl -V is fine)

   - versions of the used libraries that libcurl is built to use

   - what URL you were working with (if possible), at least which protocol

  and anything and everything else you think matters. Tell us what you
  expected to happen, tell us what did happen, tell us how you could make it
  work another way. Dig around, try out, test. Then include all the tiny bits
  and pieces in your report. You will benefit from this yourself, as it will
  enable us to help you quicker and more accurately.

  Since curl deals with networks, it often helps us if you include a protocol
  debug dump with your bug report: the output you get by using the -v or
  --trace options.
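
  The -v output includes the request and response headers, so it can carry
  credentials. As an added example (not part of the original document or the
  curl project's code), this shell filter masks the values of an assumed list
  of sensitive headers, and user:password@ parts of URLs, in a -v dump before
  you post it; the function and variable names are hypothetical:

```shell
#!/bin/sh
# Added example (not from the curl project): mask credential-bearing header
# values in `curl -v` output before attaching it to a public bug report.

# Header names to mask, lower case, space separated. This list is an
# assumption; extend it with any token headers your application sends.
SENSITIVE_HEADERS="authorization proxy-authorization cookie set-cookie"

# redact_curl_trace: read a -v dump on stdin, write the masked dump to stdout.
redact_curl_trace() {
  awk -v names="$SENSITIVE_HEADERS" '
    BEGIN { n = split(names, list, " ")
            for (i = 1; i <= n; i++) sens[list[i]] = 1 }
    {
      line = $0; prefix = ""
      # -v marks sent headers with "> " and received headers with "< "
      if (line ~ /^[<>] /) { prefix = substr(line, 1, 2); line = substr(line, 3) }
      colon = index(line, ":")
      name = tolower(substr(line, 1, colon - 1))
      if (colon > 1 && (name in sens)) {
        # Keep the header name so the report still shows it was present
        print prefix substr(line, 1, colon) " [REDACTED]"
        next
      }
      # On every other line, mask user:password@ embedded in a URL
      gsub("://[^/@ ]+@", "://[REDACTED]@")
      print
    }'
}

# Constructed sample dump; the credentials are made up for the demonstration.
sample_trace() {
  cat <<'EOF'
> GET /private HTTP/1.1
> Host: example.com
> Authorization: Basic dXNlcjpzM2NyZXQ=
> Cookie: session=abc123
< HTTP/1.1 302 Found
< Set-Cookie: id=zzz999; Path=/
< Location: https://user:s3cret@example.com/next
* Connection #0 to host example.com left intact
EOF
}

sample_trace | redact_curl_trace
```

  Since -v writes to stderr, pipe a real run as
  'curl -v <URL> 2>&1 | redact_curl_trace' and read the result through once
  more before posting it.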

  If curl crashed, causing a core dump (in unix), there is hardly any use in
  sending that huge file to any of us. Unless we have an exact same system
  setup as you, we can't do much with it. Instead we ask you to get a stack
  trace and send that (much smaller) output to us instead!

  The address and how to subscribe to the mailing lists are detailed in the
  MANUAL file.

1.5 libcurl problems

  When you've written your own application with libcurl to perform transfers,
  it is even more important to be specific and detailed when reporting bugs.

  Tell us the libcurl version and your operating system. Tell us the name and
  version of all relevant sub-components like for example the SSL library
  you're using and what name resolving your libcurl uses. If you use SFTP or
  SCP, the libssh2 version is relevant etc.

  Showing us a real source code example repeating your problem is the best way
  to get our attention and it will greatly increase our chances to understand
  your problem and to work on a fix (if we agree it truly is a problem).

  Lots of problems that appear to be libcurl problems are actually just abuses
  of the libcurl API or other malfunctions in your applications. It is advised
  that you run your problematic program using a memory debug tool like
  valgrind or similar before you post memory-related or "crashing" problems to
  us.

1.6 Who will fix the problems

  If the problems or bugs you describe are considered to be bugs, we want to
  have the problems fixed.

  There are no developers in the curl project that are paid to work on bugs.
  All developers that take on reported bugs do this on a voluntary basis. We
  do it out of an ambition to keep curl and libcurl excellent products and out
  of pride.

  But please do not assume that you can just lump over something to us and it
  will then magically be fixed after some given time. Most often we need
  feedback and help to understand what you've experienced and how to repeat a
  problem. Then we may only be able to assist YOU to debug the problem and to
  track down the proper fix.

  We get reports from many people every month and each report can take a
  considerable amount of time to really get to the bottom of.

1.7 How to get a stack trace

  First, you must make sure that you compile all sources with -g and that you
  don't 'strip' the final executable. Try to avoid optimizing the code as
  well, remove -O, -O2 etc. from the compiler options.

  Run the program until it cores.

  Run your debugger on the core file, like '<debugger> curl core'. <debugger>
  should be replaced with the name of your debugger, in most cases that will
  be 'gdb', but 'dbx' and others also occur.

  When the debugger has finished loading the core file and presents you a
  prompt, enter 'where' (without the quotes) and press return.

  The list that is presented is the stack trace. If everything worked, it is
  supposed to contain the chain of functions that were called when curl
  crashed. Include the stack trace with your detailed bug report. It'll help a
  lot.

1.8 Bugs in libcurl bindings

  There will of course pop up bugs in libcurl bindings. You should then
  primarily approach the team that works on that particular binding and see
  what you can do to help them fix the problem.

  If you suspect that the problem exists in the underlying libcurl, then
  please convert your program over to plain C and follow the steps outlined
  above.

1.9 Bugs in old versions

  The curl project typically releases new versions every other month, and we
  fix several hundred bugs per year. For a huge table of releases, number of
  bug fixes and more, see: https://curl.haxx.se/docs/releases.html

  The developers in the curl project do not have bandwidth or energy enough to
  maintain several branches or to spend much time on hunting down problems in
  old versions when chances are we already fixed them or at least that they've
  changed nature and appearance in later versions.

  When you experience a problem and want to report it, you really SHOULD
  include the version number of the curl you're using when you experience the
  issue. If that version number shows us that you're using an out-of-date
  curl, you should also try out a modern curl version to see if the problem
  persists or how/if it has changed in appearance.

  Even if you cannot immediately upgrade your application/system to run the
  latest curl version, you can most often at least run a test version or
  experimental build or similar, to get this confirmed or not.

  At times people insist that they cannot upgrade to a modern curl version,
  but instead they "just want the bug fixed". That's fine, just don't count on
  us spending many cycles on trying to identify which single commit, if that's
  even possible, that at some point in the past fixed the problem you're now
  experiencing.

  Security wise, it is almost always a bad idea to lag behind the current curl
  versions by a lot. We keep discovering and reporting security problems
  over time, as you can see in this table:
  https://curl.haxx.se/docs/vulnerabilities.html

2. Bug fixing procedure

2.1 What happens on first filing

  When a new issue is posted in the issue tracker or on the mailing list, the
  team of developers first needs to see the report. Maybe they took the day
  off, maybe they're off in the woods hunting. Have patience. Allow at least a
  few days before expecting someone to have responded.

  In the issue tracker you can expect that some labels will be set on the
  issue to help categorize it.

2.2 First response

  If your issue/bug report wasn't perfect at once (and few are), chances are
  that someone will ask follow-up questions. Which version did you use? Which
  options did you use? How often does the problem occur? How can we reproduce
  this problem? Which protocols does it involve? Or perhaps much more specific
  and deep diving questions. It all depends on your specific issue.

  You should then respond to these follow-up questions and provide more info
  about the problem, so that we can help you figure it out. Or maybe you can
  help us figure it out. An active back-and-forth communication is important
  and the key for finding a cure and landing a fix.

2.3 Not reproducible

  Problems that we can't reproduce and can't understand, even after having
  gotten all the info we need and having studied the source code over again,
  are really hard to solve, so we may then require further work from you who
  actually see or experience the problem.

2.4 Unresponsive

  If the problem hasn't been understood or reproduced, and there's nobody
  responding to follow-up questions or questions asking for clarifications or
  for discussing possible ways to move forward with the task, we take that as
  a strong suggestion that the bug is not important.

  Unimportant issues will be closed as inactive sooner or later as they can't
  be fixed. The inactivity period (waiting for responses) should not be
  shorter than two weeks but may extend to months.

2.5 Lack of time/interest

  Bugs that are filed and are understood can unfortunately end up in the
  "nobody cares enough about it to work on it" category. Such bugs are
  perfectly valid problems that *should* get fixed but apparently aren't. We
  try to mark such bugs as "KNOWN_BUGS material" after a time of inactivity
  and if no activity is noticed after yet some time those bugs are added to
  KNOWN_BUGS and are closed in the issue tracker.

2.6 KNOWN_BUGS

  This is a list of known bugs. Bugs we know exist and that have been pointed
  out but that haven't yet been fixed. The reasons for why they haven't been
  fixed can involve anything really, but the primary reason is that nobody has
  considered these problems to be important enough to spend the necessary time
  and effort to have them fixed.

  The KNOWN_BUGS are always up for grabs and we will always love the ones who
  bring one of them back to life and offer solutions to them.

  The KNOWN_BUGS document has a sibling document known as TODO.

2.7 TODO

  Issues that are filed or reported that aren't really bugs but more missing
  features or ideas for future improvements and so on are marked as
  'enhancement' or 'feature-request' and will be added to the TODO document
  instead and the issue is closed. We don't keep TODO items in the issue
  tracker.

  The TODO document is full of ideas and suggestions of what we can add or fix
  one day. You're always encouraged and free to grab one of those items and
  take up a discussion with the curl development team on how that could be
  implemented or provided in the project so that you can work on ticking it
  off that document.

  If the issue is rather a bug and not a missing feature or functionality, it
  is listed in KNOWN_BUGS instead.

2.8 Closing off stalled bugs

  The issue and pull request trackers on https://github.com/curl/curl will
  only hold "active" entries (using a non-precise definition of what active
  actually is, but they're at least not completely dead). Those that are
  abandoned or in other ways dormant will be closed and sometimes added to
  TODO and KNOWN_BUGS instead.

  This way, we only have "active" issues open on GitHub. Irrelevant issues and
  pull requests will not distract developers or casual visitors.
