Nov 19 2024

hyper in curl Needs a Champion

tl;dr - hyper in curl is nearly complete, but it needs a champion. Without a partner actively engaged that wants to enable and ship, it’s now on the path for being deprecated and removed.

It needs a champion, a backing vendor or distro. Will that be you?

UPDATE 2024-12-21: curl has dropped hyper.

Why would you put a hyper in a curl?

Why would you? Memory safety.

Company after company, product after product, report after report. Memory un-safety. Causes. Serious. Issues.

curl is everywhere. Billions of installations. It’s likely all humans accessing the internet use curl.

A self-analysis of curl finds that half of curl’s vulnerabilities are C mistakes. Memory safety.

As I said when we told the world about it:

Considering how much curl is used, this was an opportunity to make the internet safer.

hyper is the most mature HTTP library written in Rust. By making hyper a possible HTTP backend for curl, the code used for the most ubiquitous protocol could be made safer. Certainly true for HTTP/1, even more so with the much bigger (code-wise) HTTP/2 and HTTP/3.

So, why do this? Oh, right. Ahem. Memory safety.

Most of the work is done

Let me back up a little.

In 2020, we started exploring the idea. I designed and built a C API for hyper. Daniel refactored curl to allow for HTTP backends, and integrated hyper.

We got it nearly complete. Adventurous tinkerers were able to build and use it on their personal machines. Over 95% of curl’s large test suite was passing.

I gave a talk for curl up 2022 about the progress.1

We’re ready to finish, technically.

Over the finish line

Funding for an engineer to complete the work is available.

But the upkeep of the feature isn’t free, in both the curl and hyper repositories. Because of that, and without a committed organization wanting to ship it, it’s planned to be removed at the start of 2025.

So, what exactly could change that? What is needed?

Champion required

A champion, if you want it.2

A backing vendor or distro that wants to enable and actively use the backend. A launch partner. Many people know what it’s like to work on a large new feature, ask people to try it out, and everyone is too busy, assuming someone else will. A launch partner actively tests it and provides feedback.

There’s more incentive to partner than ever, as we see companies successfully make code safer. And this project is so close, adopting now can have a large impact compared to the remaining effort.

Reach out to me if you want this to happen. Sooner rather than later. Let’s make the internet safer!


  1. Recently, a few more things have been improved on hyper’s side. For instance, @nnethercote and @jsha significantly improved the C docs, and @hjr3 added HTTP/1.1 trailers support that curl needed. 

  2. People always end up doing exactly what they want. There’s a loud rewrite-it-in-Rust sub-community. Here’s an opportunity. Actions show what people actually want. 
