Re: Discussions on Security Enhancements
From: Daniel Stenberg via curl-users <curl-users_at_lists.haxx.se>
Date: Tue, 8 Nov 2022 19:25:24 +0100 (CET)
On Tue, 8 Nov 2022, Diogo Sant'Anna wrote:
> Yes, dependencies inside the GitHub Actions workflows that are part of your
> CI. Such as the dependency at
> https://github.com/curl/curl/blob/master/.github/workflows/spellcheck.yml#L50
> In this example, if the dependency gets compromised, its code could be
> updated and would also undermine the security of your project. Using
> hash-pinning, you'll always be using the code that you're confident is
> not compromised.
You mean how a compromised spell-checker could report fake spelling errors?
Our CI jobs are all one-way and then discarded; they cannot infect us with
anything other than disinformation or failed jobs.
-- 
 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://curl.se/support.html
-- 
Unsubscribe: https://lists.haxx.se/listinfo/curl-users
Etiquette:   https://curl.se/mail/etiquette.html
Received on 2022-11-08
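The thread above is about pinning third-party GitHub Actions to a full commit hash rather than a mutable tag or branch. The following checker is an added example, not code from the mailing-list post or from the curl project: it scans a workflow file for `uses:` references and reports every one that is not pinned to a 40-character hex SHA. The sample workflow, the `example-org/*` action names and the SHA in it are constructed for illustration; only `actions/checkout@v3` is a real action reference.

```python
import re

# Constructed sample workflow (not curl's real spellcheck.yml). It mixes the
# three ways an action is commonly referenced: a version tag, a branch name,
# and a full commit SHA. The example-org names and the SHA are made up.
SAMPLE_WORKFLOW = """\
name: spellcheck
on: [push, pull_request]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: example-org/spellcheck-action@main  # hypothetical action
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - run: make test
"""

# Matches "uses: <ref>" whether or not the line starts a list item; the
# reference ends at the first whitespace or comment marker.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full-length git commit hash: the only immutable form of a reference.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_uses(workflow_text):
    """Return [(line_number, reference), ...] for every action reference that
    is not pinned to a full commit SHA.

    Local actions ("./path") and docker:// images are skipped: the former are
    part of the repository itself, the latter are pinned by image digest, a
    separate check this example does not perform.
    """
    unpinned = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        # "owner/repo@version": no "@" at all means the default branch is used.
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            unpinned.append((line_no, ref))
    return unpinned


def main():
    problems = find_unpinned_uses(SAMPLE_WORKFLOW)
    if not problems:
        print("all action references are pinned to a commit SHA")
        return
    for line_no, ref in problems:
        print(f"line {line_no}: {ref} is not pinned to a commit SHA")


if __name__ == "__main__":
    main()
```

Pinning to a hash only freezes what a workflow runs; it does not by itself tell you when the upstream action ships a fix, so in practice the pin is paired with an automated updater that proposes new hashes for review. A check like this one fits naturally as a CI job of its own, failing the build when a new unpinned reference is introduced.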