No strcpy either

Curl dumps risky string copying, fans clap while AI gets dragged

TLDR: Curl banned risky string-copy moves and introduced a safer helper to prevent mistakes—and to stop AI bots from crying wolf. Comments praised the safety push while roasting “AI slop,” though some noted good AI tools already caught hundreds of real bugs, plus a random font-size rant for flavor.

Curl just hit “delete” on its old string-copying tricks and rolled out a safer helper, ditching the problem-prone functions developers love to argue about. The blog post even throws shade at AI tools that auto-flag anything with “strcpy,” calling it a magnet for fake vulnerability reports. The crowd? Split but loud. One camp is cheering that curl is tightening up its code and keeping future bugs on a short leash. Another is side-eyeing the bots, with snvzz dreading unsolicited AI alerts and Scubabear68 asking why anyone trusts scanners that panic at the sight of a word.

Then comes the twist: stabbles points out that a new wave of AI-powered analyzers has already helped fix “several hundred bugs.” So it’s not AI bad, it’s AI messy—and the debate heats up. Meanwhile, pama celebrates the safety win and derails into a delightful side rant about tiny fonts on mobile graphs, joking they’ve “never seen too large an axis label yet.” Even the headline becomes a mini-meme, with senthil_rajasek flagging the title itself (“No strcpy either”) like a moderator summons. The vibes: applause for curl’s caution, roasting for AI slop, and bonus UI snark. Drama level: spicy, with a side of typography humor.

Key Points

  • curl previously removed all uses of strncpy() due to its unsafe and confusing API behavior.
  • The project now bans strcpy() to avoid risks from separated or outdated size checks over time.
  • curl introduced curlx_strcopy, which requires destination size and source length, copying only if both fit including the null terminator.
  • The new function uses memcpy for copying and explicitly sets the null terminator; if not enough space, it writes an empty string when possible.
  • The change also reduces false AI chatbot vulnerability reports tied to the presence of strcpy() in the codebase.
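
The copy behaviour described in the key points above, as an added sketch that is not curl's own code: the name `demo_strcopy`, its signature, its boolean return value and the `try_copy` harness are assumptions, and the sample inputs are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper modelled on the described behaviour: the caller passes
 * both the destination size and the source length, so the size check and the
 * copy can never drift apart. Returning bool is an assumption of this sketch. */
bool demo_strcopy(char *dest, size_t dsize, const char *src, size_t slen)
{
  if(!dest || !dsize)
    return false;               /* no room even for an empty string */
  if(src && slen < dsize) {     /* slen bytes plus the terminator fit */
    memcpy(dest, src, slen);
    dest[slen] = '\0';          /* terminator is set explicitly */
    return true;
  }
  dest[0] = '\0';               /* too long: leave a valid empty string */
  return false;
}

/* Constructed test harness. Returns the copied length on success, -1 when
 * the copy was rejected and dest holds an empty string, -2 when it was
 * rejected and dest could not be touched (dsize of 0), -3 on bad harness use. */
int try_copy(size_t dsize, const char *src)
{
  char buf[16];
  if(dsize > sizeof(buf))
    return -3;
  memset(buf, 'X', sizeof(buf)); /* poison so stale data would be visible */
  if(demo_strcopy(buf, dsize, src, strlen(src)))
    return (int)strlen(buf);
  if(dsize && buf[0] == '\0')
    return -1;
  return -2;
}

int main(void)
{
  printf("fits:      %d\n", try_copy(8, "curl"));
  printf("exact fit: %d\n", try_copy(5, "curl"));
  printf("one short: %d\n", try_copy(4, "curl"));
  printf("zero size: %d\n", try_copy(0, "curl"));
  return 0;
}
```

The "one short" case is the off-by-one that a separated size check tends to get wrong: four bytes of room is not enough for a four-character string plus its terminator.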

Hottest takes

"I dread the idea of starting to get notifications from them" — snvzz
"We have fixed several hundred bugs as a direct result" — stabbles
"I have never seen too large an axis label yet" — pama