Re: Roadmap 2023 ? -- Enhance security of curl's release
From: Rod Widdowson via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 17 Feb 2023 07:29:02 +0000
Sent from my iPad
> On 17 Feb 2023, at 07:10, Fabian Keil via curl-library <curl-library_at_lists.haxx.se> wrote:
>
> Diogo Sant'Anna via curl-library <curl-library_at_lists.haxx.se> wrote on 2023-02-16 at 16:33
>> Moving your release process (i.e., the packaging of the tarball) to an
>> automated script in GitHub Actions (GHA).
>
> Are you suggesting that creating the release on (IMHO) untrustworthy
> and proprietary GitHub infrastructure is more secure than using a
> system Daniel controls?
> Should the OpenPGP key that is used to sign the releases be copied
> to GitHub infrastructure as well?
> In my opinion this would be a step in the wrong direction.
As someone who has spent a significant proportion of the last two years trying to secure against supply chain attacks in Java land, I would concur that this would be a huge step back. A lot of built artifacts come with a signature assigned to a robot on insecure infrastructure; why should I trust either the artifact or the signing key (particularly since the owners often don’t publish them anywhere and change them on a whim)?
As it stands, if we needed to include a curl-shipped artifact in our bundle I could have it set up to be trusted in 5 minutes. If this change happened I would be struggling to proceed and instead would build from source.
--
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html

Received on 2023-02-17
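The check the reply has in mind when it says a curl artifact could be "set up to be trusted in 5 minutes" is pinning the maintainer's OpenPGP key fingerprint and verifying the release signature against that pin, not against "any key gpg knows". The script below is an added example and is not code from the curl project or from any participant in this thread. It assumes GnuPG 2.x (`gpg`) is installed; the two keys are generated on the fly in a throw-away GNUPGHOME as stand-ins for a maintainer's long-lived key and a CI "robot" key, the tarball is a constructed file, and the example.invalid addresses are placeholders.

```shell
#!/bin/sh
# Added example; not code from the curl project or from anyone in this thread.
# Verifies a release tarball's detached OpenPGP signature against a PINNED
# signer fingerprint, rather than accepting "a good signature from any key in
# the keyring". All keys and files are constructed here in a throw-away
# GNUPGHOME as stand-ins for a maintainer's long-lived key, a CI "robot" key,
# and a release tarball. Assumes GnuPG 2.x ("gpg") is installed.
set -u

# Scratch keyring directory; gpg warns on unsafe permissions, so make it 0700.
mk_home() {
  d=$(mktemp -d) && chmod 700 "$d" && printf '%s\n' "$d"
}

# Generate a signing-only, unprotected ed25519 key for user id $1 and print
# its primary key fingerprint (field 10 of the "fpr" record in colon output).
gen_key() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$1" ed25519 sign never >/dev/null 2>&1 || return 1
  gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
      awk -F: '$1 == "fpr" { print $10; exit }'
}

# Detached, ASCII-armored signature: sign_file <signer-uid> <file> <sigfile>
sign_file() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --local-user "$1" --detach-sign --armor --output "$3" "$2" 2>/dev/null
}

# verify_pinned <pinned-fingerprint> <file> <sigfile>
# Returns 0 only if gpg reports a valid signature AND the signing key's
# fingerprint equals the pinned value; 1 if the signature is valid but made
# by some other key; 2 if the signature does not verify at all.
verify_pinned() {
  pinned=$1 file=$2 sig=$3
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 2
  # Machine-readable status line: "[GNUPG:] VALIDSIG <fingerprint> <date> ..."
  actual=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
  [ -n "$actual" ] || return 2
  [ "$actual" = "$pinned" ]
}

# End-to-end demo. Prints "<maintainer-result> <robot-result>", expected "0 1":
# the maintainer's signature passes the pin; the robot's signature over the
# very same bytes is also a "Good signature" to gpg, but fails the pin.
demo() {
  GNUPGHOME=$(mk_home) || return 1
  export GNUPGHOME
  work=$(mktemp -d) || return 1
  tarball=$work/curl-0.0.0.tar.gz
  printf 'constructed stand-in for a release tarball\n' > "$tarball"

  # The fingerprint you would record out of band (project web page, previous
  # release, personal contact) and pin in your build.
  maint=$(gen_key 'Maintainer <maint@example.invalid>') || return 1
  # An unrelated key that also ends up in the local keyring.
  gen_key 'CI Robot <robot@example.invalid>' >/dev/null || return 1

  sign_file maint@example.invalid "$tarball" "$tarball.asc" || return 1
  sign_file robot@example.invalid "$tarball" "$tarball.robot.asc" || return 1

  verify_pinned "$maint" "$tarball" "$tarball.asc" && a=0 || a=$?
  verify_pinned "$maint" "$tarball" "$tarball.robot.asc" && b=0 || b=$?

  gpgconf --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$GNUPGHOME" "$work"
  echo "$a $b"
}
```

Calling `demo` prints `0 1`. The point of `verify_pinned` is that `gpg --verify` alone reports a good signature for the robot key as well, because it is in the keyring; only comparing the `VALIDSIG` fingerprint against a value obtained and recorded out of band distinguishes the maintainer's key from one that a CI system, a compromised host, or an attacker could have introduced. A key that is rotated "on a whim" breaks exactly this pin, which is why the reply treats a stable, published maintainer key as the thing worth trusting.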