Re: Discussions on Security Enhancements
From: Diogo Sant'Anna via curl-users <curl-users_at_lists.haxx.se>
Date: Tue, 8 Nov 2022 14:14:46 -0300
Yes, dependencies inside the GitHub Actions workflows that are part of your
CI. Such as the dependency at
https://github.com/curl/curl/blob/master/.github/workflows/spellcheck.yml#L50
In this example, if the dependency gets compromised, its code could be
updated and would also undermine the security of your project. Using
hash-pinning, you'll always be using the code that you're confident is
not compromised.
On Tue, Nov 8, 2022 at 11:50 AM Daniel Stenberg <daniel_at_haxx.se> wrote:
> On Tue, 8 Nov 2022, Diogo Sant'Anna wrote:
>
> > However, would you be currently interested in PRs or discussions on more
> > straightforward security improvements? As an example, in the previous email
> > I gave the suggestion of converting the workflow's dependencies to
> > hash-pinned dependencies.
>
> I don't understand how that would work. What dependencies? For CI jobs?
>
> --
>
> / daniel.haxx.se
> | Commercial curl support up to 24x7 is available!
> | Private help, bug fixes, support, ports, new features
> | https://curl.se/support.html
>
--
Diogo Teles Sant Anna (he/him) • Software Engineer (SWE) | SAO-OSC • Google Open Source Security Team (GOSST) • diogoteles_at_google.com | +55 (19) 98215-8522
Received on 2022-11-08
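An added audit check for the hash-pinning practice discussed above (not code from the curl project or from anyone in this thread): it flags every `uses:` reference in a workflow that is not pinned to a full 40-character commit SHA. The sample workflow, the action names and the SHA in it are constructed for illustration.

```python
import re

# A full 40-hex commit SHA. A tag, branch or abbreviated SHA can be moved by
# whoever controls the action's repository; a full SHA cannot.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def classify_uses(ref: str) -> str:
    """Classify one uses: value as local, docker, pinned or unpinned."""
    if ref.startswith("./"):
        return "local"       # action stored in this repo: same trust as the repo
    if ref.startswith("docker://"):
        return "docker"      # container refs are pinned by @sha256: digest instead
    if "@" not in ref:
        return "unpinned"
    version = ref.rsplit("@", 1)[1]
    return "pinned" if FULL_SHA.fullmatch(version) else "unpinned"


def find_unpinned(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line number, ref) for each uses: entry not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if m and classify_uses(m.group(1)) == "unpinned":
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample workflow: the SHA and the third-party action are made up.
SAMPLE_WORKFLOW = """\
name: spellcheck
on: [push]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v3 (pinned)
      - uses: actions/setup-python@v4
      - uses: ./.github/actions/local-step
      - name: run the checker
        uses: example-org/spellcheck-action@main
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: not hash-pinned: {ref}")
```

Pinning to a SHA fixes the code you run; keeping the tag in a trailing comment (as on the checkout line) is what lets a reviewer or an update bot see which version the SHA corresponds to.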