Buy commercial curl support from WolfSSL. We help you work
out your issues, debug your libcurl applications, use the API, port to new
platforms, add new features and more. With a team lead by the curl founder
himself.
Discussions on Security Enhancements
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Diogo Sant'Anna via curl-users <curl-users_at_lists.haxx.se>
Date: Mon, 7 Nov 2022 12:26:23 -0300
Hello!
I'm Diogo and I'm writing this email to present myself and my job, make
myself available to discuss any security-related improvements applicable to
curl project, and to suggest an security framework that might be useful =)
So, given the current scenario of increasing attacks on supply chain
projects
<https://www.sonatype.com/resources/state-of-the-software-supply-chain-2021>,
I'm part of a joint effort from Google and the Open Source Security
Foundation <https://openssf.org/> to work around important open-source
projects and help increase security, in any aspect or concern that might be
relevant. You can read a bit more about my job here
<https://github.com/diogoteles08#about-gosst-ghost>.
I've given a quick look over curl project, also the video of its last
release, and I could notice that you are already very concerned about
security and that is amazing! In case there are any known security
pendencies that I could help with, please let me know. If not, I'd like to
know if you are interested in suggestions of enhancements that I can
propose and possibly implement through PRs.
One first suggestion I can give, is the adoption of the GitHub Action of
Scorecards <https://securityscorecards.dev/#using-the-github-action>. It
would automatically run the Scorecards checks
<https://github.com/ossf/scorecard#scorecard-checks> over your project,
triggered by merges on its main branch, and have the results exposed at a
new view on the security tab of GitHub. The view would be accessible only
by the maintainers and would track possible vulnerabilities and security
pendencies on the repo, also displaying suggestions on how to fix them.
I'm available to create the PR if you are interested. Also please let me
know if you have any further questions.
Thanks for the attention,
Best regards,
Diogo
Date: Mon, 7 Nov 2022 12:26:23 -0300
Hello!
I'm Diogo and I'm writing this email to present myself and my job, make
myself available to discuss any security-related improvements applicable to
curl project, and to suggest an security framework that might be useful =)
So, given the current scenario of increasing attacks on supply chain
projects
<https://www.sonatype.com/resources/state-of-the-software-supply-chain-2021>,
I'm part of a joint effort from Google and the Open Source Security
Foundation <https://openssf.org/> to work around important open-source
projects and help increase security, in any aspect or concern that might be
relevant. You can read a bit more about my job here
<https://github.com/diogoteles08#about-gosst-ghost>.
I've given a quick look over curl project, also the video of its last
release, and I could notice that you are already very concerned about
security and that is amazing! In case there are any known security
pendencies that I could help with, please let me know. If not, I'd like to
know if you are interested in suggestions of enhancements that I can
propose and possibly implement through PRs.
One first suggestion I can give, is the adoption of the GitHub Action of
Scorecards <https://securityscorecards.dev/#using-the-github-action>. It
would automatically run the Scorecards checks
<https://github.com/ossf/scorecard#scorecard-checks> over your project,
triggered by merges on its main branch, and have the results exposed at a
new view on the security tab of GitHub. The view would be accessible only
by the maintainers and would track possible vulnerabilities and security
pendencies on the repo, also displaying suggestions on how to fix them.
I'm available to create the PR if you are interested. Also please let me
know if you have any further questions.
Thanks for the attention,
Best regards,
Diogo
-- Unsubscribe: https://lists.haxx.se/listinfo/curl-users Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2022-11-07