      _   _ ____  _
  ___| | | |  _ \| |
 / __| | | | |_) | |
| (__| |_| |  _ <| |___
 \___|\___/|_| \_\_____|

BUGS

 1. Bugs
  1.1 There are still bugs
  1.2 Where to report
  1.3 Security bugs
  1.4 What to report
  1.5 libcurl problems
  1.6 Who will fix the problems
  1.7 How to get a stack trace
  1.8 Bugs in libcurl bindings
  1.9 Bugs in old versions

 2. Bug fixing procedure
  2.1 What happens on first filing
  2.2 First response
  2.3 Not reproducible
  2.4 Unresponsive
  2.5 Lack of time/interest
  2.6 KNOWN_BUGS
  2.7 TODO
  2.8 Closing off stalled bugs

==============================================================================

1.1 There are still bugs

Curl and libcurl keep being developed. Adding features and changing code
means that bugs will sneak in, no matter how hard we try not to.

Of course there are lots of bugs left. And lots of misfeatures.

To help us make curl the stable and solid product we want it to be, we need
bug reports and bug fixes.

1.2 Where to report

If you can't fix a bug yourself and submit a fix for it, try to send as
detailed a report as possible to a curl mailing list to allow one of us to
have a go at a solution. You can optionally also post your bug/problem at
curl's bug tracking system over at

    https://github.com/curl/curl/issues

Please read the rest of this document below first before doing that!

If you feel you need to ask around first, find a suitable mailing list and
post there. The lists are available on https://curl.haxx.se/mail/

1.3 Security bugs

If you find a bug or problem in curl or libcurl that you think has a
security impact, for example a bug that can put users in danger or make them
vulnerable if the bug becomes public knowledge, then please report that bug
using our security development process.

Security related bugs or bugs that are suspected to have a security impact
should be reported on the curl security tracker at HackerOne:

    https://hackerone.com/curl

This ensures that the report reaches the curl security team so that they
can first deal with the report away from the public to minimize the harm
and impact it will have on existing users out there who might be using the
vulnerable versions.

The curl project's process for handling security related issues is
documented here:

    https://curl.haxx.se/dev/secprocess.html

1.4 What to report

When reporting a bug, you should include all information that will help us
understand what's wrong, what you expected to happen and how to repeat the
bad behavior. You therefore need to tell us:

- your operating system's name and version number
- what version of curl you're using (curl -V is fine)
- versions of the used libraries that libcurl is built to use
- what URL you were working with (if possible), at least which protocol

and anything and everything else you think matters. Tell us what you
expected to happen, tell us what did happen, tell us how you could make it
work another way. Dig around, try out, test. Then include all the tiny bits
and pieces in your report. You will benefit from this yourself, as it will
enable us to help you quicker and more accurately.

Since curl deals with networks, it often helps us if you include a protocol
debug dump with your bug report: the output you get by using the -v or
--trace options.

If curl crashed, causing a core dump (in unix), there is hardly any use to
send that huge file to any one of us. Unless we have an exact same system
setup as you, we can't do much with it. Instead we ask you to get a stack
trace and send that (much smaller) output to us instead!

The address and how to subscribe to the mailing lists are detailed in the
MANUAL file.

1.5 libcurl problems

When you've written your own application with libcurl to perform transfers,
it is even more important to be specific and detailed when reporting bugs.

Tell us the libcurl version and your operating system. Tell us the name and
version of all relevant sub-components like for example the SSL library
you're using and what name resolving your libcurl uses. If you use SFTP or
SCP, the libssh2 version is relevant etc.

Showing us a real source code example repeating your problem is the best way
to get our attention and it will greatly increase our chances to understand
your problem and to work on a fix (if we agree it truly is a problem).

Lots of problems that appear to be libcurl problems are actually just abuses
of the libcurl API or other malfunctions in your applications. It is advised
that you run your problematic program using a memory debug tool like
valgrind or similar before you post memory-related or "crashing" problems to
us.

1.6 Who will fix the problems

If the problems or bugs you describe are considered to be bugs, we want to
have the problems fixed.

There are no developers in the curl project that are paid to work on bugs.
All developers that take on reported bugs do this on a voluntary basis. We
do it out of an ambition to keep curl and libcurl excellent products and out
of pride.

But please do not assume that you can just lump over something to us and it
will then magically be fixed after some given time. Most often we need
feedback and help to understand what you've experienced and how to repeat a
problem. Then we may only be able to assist YOU to debug the problem and to
track down the proper fix.

We get reports from many people every month and each report can take a
considerable amount of time to really go to the bottom with.

1.7 How to get a stack trace

First, you must make sure that you compile all sources with -g and that you
don't 'strip' the final executable. Try to avoid optimizing the code as
well, remove -O, -O2 etc from the compiler options.

Run the program until it cores.

Run your debugger on the core file, like '<debugger> curl core'. <debugger>
should be replaced with the name of your debugger, in most cases that will
be 'gdb', but 'dbx' and others also occur.

When the debugger has finished loading the core file and presents you a
prompt, enter 'where' (without the quotes) and press return.

The list that is presented is the stack trace. If everything worked, it is
supposed to contain the chain of functions that were called when curl
crashed. Include the stack trace with your detailed bug report. It'll help a
lot.

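The debug dump from section 1.4 and the stack trace steps above, as an added
shell example that is not part of curl or of this document: redact_trace masks
the credentials that -v output carries in headers and URLs before the dump is
posted publicly, and core_backtrace runs the 'where' step non-interactively.
The function names and the sample trace are made up for illustration, and gdb
is assumed as the debugger.

```shell
#!/bin/sh
# Added example: helpers for preparing a bug report. Not part of curl.

# Mask secrets in `curl -v` output read on stdin before it is posted to a
# public list or tracker: auth and cookie headers, and user:password@ in URLs.
redact_trace() {
  awk '{
    line = $0
    lower = tolower(line)
    # -v marks sent header lines with "> " and received ones with "< "
    if (lower ~ /^[<>] (proxy-)?authorization:/ ||
        lower ~ /^[<>] (set-)?cookie:/)
      sub(/:.*/, ": [REDACTED]", line)
    gsub("://[^/@ ]+@", "://[REDACTED]@", line)
    print line
  }'
}

# Print the stack trace of a core file without an interactive session.
# Usage: core_backtrace ./curl core   (assumes gdb is the debugger)
core_backtrace() {
  prog=$1
  core=$2
  [ -x "$prog" ] || { echo "no executable: $prog" >&2; return 2; }
  [ -r "$core" ] || { echo "no core file: $core" >&2; return 2; }
  command -v gdb >/dev/null 2>&1 || { echo "gdb not found" >&2; return 3; }
  # -batch exits after the commands given with -ex have run
  gdb -batch -ex where "$prog" "$core" 2>&1
}

# Constructed sample of verbose output (not taken from a real transfer).
sample_trace() {
  cat <<'EOF'
> GET /private HTTP/1.1
> Host: example.com
> Authorization: Basic dXNlcjpwYXNz
> Cookie: session=abc123
< HTTP/1.1 200 OK
< Set-Cookie: session=def456; Path=/
< Content-Type: text/plain
EOF
}

sample_trace | redact_trace
```

Read the redacted dump once more before sending it; request bodies and query
strings can carry tokens that no header-based filter will catch.
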
1.8 Bugs in libcurl bindings

There will of course pop up bugs in libcurl bindings. You should then
primarily approach the team that works on that particular binding and see
what you can do to help them fix the problem.

If you suspect that the problem exists in the underlying libcurl, then
please convert your program over to plain C and follow the steps outlined
above.

1.9 Bugs in old versions

The curl project typically releases new versions every other month, and we
fix several hundred bugs per year. For a huge table of releases, number of
bug fixes and more, see: https://curl.haxx.se/docs/releases.html

The developers in the curl project do not have bandwidth or energy enough to
maintain several branches or to spend much time on hunting down problems in
old versions when chances are we already fixed them or at least that they've
changed nature and appearance in later versions.

When you experience a problem and want to report it, you really SHOULD
include the version number of the curl you're using when you experience the
issue. If that version number shows us that you're using an out-of-date
curl, you should also try out a modern curl version to see if the problem
persists or how/if it has changed in appearance.

Even if you cannot immediately upgrade your application/system to run the
latest curl version, you can most often at least run a test version or
experimental build or similar, to get this confirmed or not.

At times people insist that they cannot upgrade to a modern curl version,
but instead they "just want the bug fixed". That's fine, just don't count on
us spending many cycles on trying to identify which single commit, if that's
even possible, that at some point in the past fixed the problem you're now
experiencing.

Security wise, it is almost always a bad idea to lag behind the current curl
versions by a lot. We keep discovering and reporting security problems
over time, as you can see in this table:
https://curl.haxx.se/docs/vulnerabilities.html

2. Bug fixing procedure

2.1 What happens on first filing

When a new issue is posted in the issue tracker or on the mailing list, the
team of developers first need to see the report. Maybe they took the day
off, maybe they're off in the woods hunting. Have patience. Allow at least a
few days before expecting someone to have responded.

In the issue tracker you can expect that some labels will be set on the
issue to help categorize it.

2.2 First response

If your issue/bug report wasn't perfect at once (and few are), chances are
that someone will ask follow-up questions. Which version did you use? Which
options did you use? How often does the problem occur? How can we reproduce
this problem? Which protocols does it involve? Or perhaps much more specific
and deep diving questions. It all depends on your specific issue.

You should then respond to these follow-up questions and provide more info
about the problem, so that we can help you figure it out. Or maybe you can
help us figure it out. An active back-and-forth communication is important
and the key for finding a cure and landing a fix.

2.3 Not reproducible

Problems that we can't reproduce and can't understand, even after having
gotten all the info we need and having studied the source code over again,
are really hard to solve, so we may then require further work from you who
actually see or experience the problem.

2.4 Unresponsive

If the problem hasn't been understood or reproduced, and there's nobody
responding to follow-up questions or questions asking for clarifications or
for discussing possible ways to move forward with the task, we take that as
a strong suggestion that the bug is not important.

Unimportant issues will be closed as inactive sooner or later as they can't
be fixed. The inactivity period (waiting for responses) should not be
shorter than two weeks but may extend months.

2.5 Lack of time/interest

Bugs that are filed and are understood can unfortunately end up in the
"nobody cares enough about it to work on it" category. Such bugs are
perfectly valid problems that *should* get fixed but apparently aren't. We
try to mark such bugs as "KNOWN_BUGS material" after a time of inactivity
and if no activity is noticed after yet some time those bugs are added to
KNOWN_BUGS and are closed in the issue tracker.

2.6 KNOWN_BUGS

This is a list of known bugs. Bugs we know exist and that have been pointed
out but that haven't yet been fixed. The reasons for why they haven't been
fixed can involve anything really, but the primary reason is that nobody has
considered these problems to be important enough to spend the necessary time
and effort to have them fixed.

The KNOWN_BUGS are always up for grabs and we will always love the ones who
bring one of them back to life and offer solutions to them.

The KNOWN_BUGS document has a sibling document known as TODO.

2.7 TODO

Issues that are filed or reported that aren't really bugs but more missing
features or ideas for future improvements and so on are marked as
'enhancement' or 'feature-request' and will be added to the TODO document
instead and the issue is closed. We don't keep TODO items in the issue
tracker.

The TODO document is full of ideas and suggestions of what we can add or fix
one day. You're always encouraged and free to grab one of those items and
take up a discussion with the curl development team on how that could be
implemented or provided in the project so that you can work on ticking it
off that document.

If the issue is rather a bug and not a missing feature or functionality, it
is listed in KNOWN_BUGS instead.

2.8 Closing off stalled bugs

The issue and pull request trackers on https://github.com/curl/curl will
only hold "active" entries (using a non-precise definition of what active
actually is, but they're at least not completely dead). Those that are
abandoned or in other ways dormant will be closed and sometimes added to
TODO and KNOWN_BUGS instead.

This way, we only have "active" issues open on GitHub. Irrelevant issues and
pull requests will not distract developers or casual visitors.
  220. This way, we only have "active" issues open on github. Irrelevant issues and
  221. pull requests will not distract developers or casual visitors.