Buy commercial curl support. We
help you work out your issues, debug your libcurl applications, use the API,
port to new platforms, add new features and more. With a team lead by the
curl founder Daniel himself.
RE: curl verification
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Dick Brooks via curl-users <curl-users_at_lists.haxx.se>
Date: Mon, 25 May 2026 17:00:05 -0400
Thanks, Daniel.
I took the liberty of registering a trust declaration for the version of
curl distributed by Microsoft under the Business Cyber Guardian Trust Label:
https://softwareassuranceguardian.com/labellink/getTrustedProductLabel?Produ
ctID=642A07EEEA4D3132426E673FB3C88BE8CEAD3D03CA1F019C7E7D0000ED2122BE&html=1
I did not link to the curl VDR in the label, but that is a small tweak that
can be easily added.
I hope this was not a waste of your time.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council - A Public-Private Partnership
Lifetime IEEE Member
Never trust software, always verify and report! T
Risk always exists, but trust must be earned and awarded.T
https://businesscyberguardian.com/
Email: dick_at_businesscyberguardian.com
Tel: +1 978-696-1788
-----Original Message-----
From: Daniel Stenberg <daniel_at_haxx.se>
Sent: Monday, May 25, 2026 4:48 PM
To: Dick Brooks <dick_at_businesscyberguardian.com>
Cc: 'curl-users - the curl tool' <curl-users_at_lists.haxx.se>
Subject: RE: curl verification
On Mon, 25 May 2026, Dick Brooks wrote:
> The approach you describe works fine for developers that incorporate
> curl, but what about all the "curl users" that don't have the tarball,
> how do they verify that the curl release installed and running on
> their system is trusted?
The main curl release shipped by the curl project is a tarball with source
code. Thus we document how you verify that release. Our release.
If you get curl any other way, which lots of users do of course, then you
need to do something else - depending on exactly how you get curl onto your
systems.
For example, if you install it on a Linux distro I figure you trust and
assume that the distro packagers already verified it. If you run macOS or
Windows you probably also presume that the giant companies shipping the
operating system and make bits end up on your hard drive did some checks
before they did so.
Date: Mon, 25 May 2026 17:00:05 -0400
Thanks, Daniel.
I took the liberty of registering a trust declaration for the version of
curl distributed by Microsoft under the Business Cyber Guardian Trust Label:
https://softwareassuranceguardian.com/labellink/getTrustedProductLabel?Produ
ctID=642A07EEEA4D3132426E673FB3C88BE8CEAD3D03CA1F019C7E7D0000ED2122BE&html=1
I did not link to the curl VDR in the label, but that is a small tweak that
can be easily added.
I hope this was not a waste of your time.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council - A Public-Private Partnership
Lifetime IEEE Member
Never trust software, always verify and report! T
Risk always exists, but trust must be earned and awarded.T
https://businesscyberguardian.com/
Email: dick_at_businesscyberguardian.com
Tel: +1 978-696-1788
-----Original Message-----
From: Daniel Stenberg <daniel_at_haxx.se>
Sent: Monday, May 25, 2026 4:48 PM
To: Dick Brooks <dick_at_businesscyberguardian.com>
Cc: 'curl-users - the curl tool' <curl-users_at_lists.haxx.se>
Subject: RE: curl verification
On Mon, 25 May 2026, Dick Brooks wrote:
> The approach you describe works fine for developers that incorporate
> curl, but what about all the "curl users" that don't have the tarball,
> how do they verify that the curl release installed and running on
> their system is trusted?
The main curl release shipped by the curl project is a tarball with source
code. Thus we document how you verify that release. Our release.
If you get curl any other way, which lots of users do of course, then you
need to do something else - depending on exactly how you get curl onto your
systems.
For example, if you install it on a Linux distro I figure you trust and
assume that the distro packagers already verified it. If you run macOS or
Windows you probably also presume that the giant companies shipping the
operating system and make bits end up on your hard drive did some checks
before they did so.
-- / daniel.haxx.se -- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2026-05-25