Skip to main content

Notes

Technical notes. Things investigated, fixed, or figured out. Includes a running series on reading the curl source code internals.

Cutting Boot Time: What systemd-analyze Actually Tells You

·4 mins

The machine was taking over two and a half minutes to reach a usable desktop. Not catastrophic, but long enough to notice every single time. I decided to actually look at it instead of just waiting.

Round One: 10:52 AM #

systemd-analyze
Startup finished in 14.056s (firmware) + 5.690s (loader) + 7.929s (kernel) + 2min 5.335s (userspace) = 2min 33.011s

The firmware and kernel numbers are fine — nothing to do there. Two minutes in userspace is the problem.

Hardening a Static Blog: Headers, CSP, and One Warning I Left Alone

·3 mins

I ran securityheaders.com against mrdee.in recently. The grade was not good. Missing HSTS, no CSP, no framing protection — the usual neglect you accumulate when you’re focused on content and treating the hosting layer as someone else’s problem.

It took about 20 minutes to fix. Here’s what I did and why.

The Fix: a _headers file #

Cloudflare Pages reads a _headers file from the root of your published site and applies the directives to every response. No middleware, no Workers, no config panel. Drop a file, push, done.

First Steps: Static Analysis on the curl Repo

·1 min

Took a first concrete step today — rather than just reading, I ran a static code analysis on the curl repository.

ChatGPT suggested SonarQube, so I went with that. Cloned the curl repo into my account, configured an authentication token, and let the analysis run.

What came up #

The findings were mostly manageable for a first pass:

  • A flag about Python version — easily fixed by specifying python3 explicitly.
  • Several “passwords in plain text” warnings — these turned out to be false positives. The flagged strings were examples in documentation and test fixtures showing syntax like uname and passwd, not actual credentials.

Worth noting: the authentication token I set up is sitting in a config file. That needs to be obfuscated before anything gets pushed anywhere public.

cURL Docs: First Impressions

·1 min

Started exploring the curl documentation today. The honest first reaction: it’s vast. Not in a discouraging way, but in the way that reminds you this tool has been built and maintained by real people over decades, and that depth is visible everywhere you look.

curl ships in billions of devices. It’s one of those pieces of software you use without thinking, and then one day you look at the source and realise how much thought went into it.

Roadmap

·1 min

Roadmap #

  • Regular cadence
  • Roadmap of ideas
  • Incrementally better content

Next Actions #

  • What next?