
Re: Roadmap 2023 ? -- Enhance security of curl's release

From: Fabian Keil via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 17 Feb 2023 08:09:31 +0100

Diogo Sant'Anna via curl-library <curl-library_at_lists.haxx.se> wrote on 2023-02-16 at 16:33:40:

> One way to achieve this would be:
>
> 1. Moving your release process (i.e., the packaging of the tarball) to an
> automated script in GitHub Actions (GHA). I suggest this because I see you
> already have some processes as GHAs and you could still reuse part of the
> script you currently use in docs/RELEASE-PROCEDURE.md

Are you suggesting that creating the release on (IMHO) untrustworthy
and proprietary GitHub infrastructure is more secure than using a
system Daniel controls?

Should the OpenPGP key that is used to sign the releases be copied
to GitHub infrastructure as well?

In my opinion this would be a step in the wrong direction.

Fabian


Received on 2023-02-17