Re: curl verification
From: Daniel Stenberg via curl-users <curl-users_at_lists.haxx.se>
Date: Mon, 25 May 2026 22:05:32 +0200 (CEST)
On Mon, 25 May 2026, Dick Brooks via curl-users wrote:
> https://daniel.haxx.se/blog/2026/03/26/dont-trust-verify/
>
> I believe there may be a more efficient way to verify trust in curl, without
> needing to download or install any software, by using a "Public Trust
> Infrastructure" (PTI) Trust Registry, as shown in this trust verification
> lookup.
You cannot verify the contents without having it downloaded where the
verification is done. The point with that check is to detect if I have gone
rogue (and planted something in the tarball) or if my dev-tools have been
tampered with and insert bad stuff somewhere that ends up in the curl release
etc.
I sign the releases so you can use my key to verify that the release was done
by me, but to know that the tarball only contains data that originates from
git contents and proper autotools etc, you need to check reproducibility.
--
 / daniel.haxx.se || https://rock-solid.curl.dev
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
Etiquette: https://curl.se/mail/etiquette.html
Received on 2026-05-25