
Re: Roadmap 2023 ? -- Enhance security of curl's release

From: Diogo Sant'Anna via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 9 Feb 2023 12:09:27 -0300

>
> Tell me what you want or wish we do/add/implement/remove in the curl
> project
> this year!
>

Hello Daniel,
I'm Diogo Sant'Anna — I recently contributed to curl through
https://github.com/curl/curl/pull/9928.

One great addition to the project this year could be enhancing the security
aspect of curl's release process.

Checking https://curl.se/dev/release-procedure.html, it seems the project's
release is still managed manually. Have you considered migrating it to an
automated release — e.g., through GitHub Actions, Google Cloud Build, or
any other hosted build environment? This would protect against human error
and potentially building with incorrect dependencies. There’s also the Open
Source Security Foundation’s SLSA framework
<https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html>,
which can offer progressive steps to harden your release process and build
artifacts. Happy to discuss the benefits of both options, if it's helpful.

I'm available to develop or contribute these changes if you’re interested.
Alternatively, given the importance of curl to the open source ecosystem, I
believe the improvements would be eligible for financial rewards through
the Linux Foundation’s Secure Open Source Rewards program <http://sos.dev>,
if the project prefers to take the lead. I'd also be available to support
if help is needed.

Best!

• *Diogo Teles Sant Anna (he/him)*
• Software Engineer (SWE) | SAO-OSC
• Google Open Source Security Team (GOSST)
• diogoteles_at_google.com | +55 (19) 98215-8522


Received on 2023-02-09