Re: The curl nuget story
From: Jeffrey Walton via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 2 Mar 2023 06:40:30 -0500
On Thu, Mar 2, 2023 at 3:44 AM Daniel Stenberg via curl-library
<curl-library_at_lists.haxx.se> wrote:
>
> The last few days I've worked with nuget and them offering a curl package from
> 2013. tldr: that package is now delisted.
>
> The longer version of the story:
> https://daniel.haxx.se/blog/2023/03/02/the-curl-nuget-story/
This sounds like the Maven Insecurity problem playing out with NuGet.
How little we learned in all those years...
The next problem is GitHub clones. They take the Maven Insecurity
problem and exponentiate it. Instead of one site providing insecure
software (like Maven or NuGet), forks ensure there are hundreds or
thousands of insecure copies of software available.
cURL has 5.6k forks according to GitHub. I wonder how many of them
have downlevel versions of the library.
Jeff
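The "downlevel copies in forks" concern above is easy to check mechanically when a repository vendors a curl source tree, because curl records its version in `include/curl/curlver.h`. The script below is an added example (not Jeff's, not the curl project's) that parses that header, cross-checks the string version against `LIBCURL_VERSION_NUM`, and flags copies older than a minimum you choose. The sample header excerpts are constructed inline, and the `(8, 0, 0)` minimum is a placeholder policy, not a recommendation from the thread.

```python
"""Flag vendored curl copies whose version is below a chosen minimum.

Assumes the layout of curl's include/curl/curlver.h, i.e. lines such as
    #define LIBCURL_VERSION "8.6.0"
    #define LIBCURL_VERSION_NUM 0x080600
The header excerpts below are constructed for this example.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed excerpt imitating an old vendored copy (7.29.0 = 0x071d00).
SAMPLE_OLD = '''
#define LIBCURL_VERSION "7.29.0"
#define LIBCURL_VERSION_MAJOR 7
#define LIBCURL_VERSION_MINOR 29
#define LIBCURL_VERSION_PATCH 0
#define LIBCURL_VERSION_NUM 0x071d00
'''

# Constructed excerpt imitating a current development checkout.
SAMPLE_NEW = '''
#define LIBCURL_VERSION "8.7.0-DEV"
#define LIBCURL_VERSION_NUM 0x080700
'''

# Constructed excerpt whose string and numeric versions disagree
# (the kind of hand-edited header a tampered or botched fork might carry).
SAMPLE_BAD = '''
#define LIBCURL_VERSION "8.6.0"
#define LIBCURL_VERSION_NUM 0x080500
'''


class CurlVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    dev: bool  # True for "-DEV" snapshots between releases


_VERSION_RE = re.compile(
    r'^#define\s+LIBCURL_VERSION\s+"(\d+)\.(\d+)\.(\d+)(-DEV)?"', re.M)
_NUM_RE = re.compile(r'^#define\s+LIBCURL_VERSION_NUM\s+0x([0-9A-Fa-f]{6})', re.M)


def parse_curlver(header: str) -> CurlVersion:
    """Extract the version from curlver.h text and verify it is self-consistent."""
    m = _VERSION_RE.search(header)
    if not m:
        raise ValueError("no LIBCURL_VERSION define found")
    ver = CurlVersion(int(m[1]), int(m[2]), int(m[3]), m[4] is not None)

    # LIBCURL_VERSION_NUM packs the version as 0xXXYYZZ; if it disagrees with
    # the string, the header was edited by hand and should not be trusted.
    n = _NUM_RE.search(header)
    if n:
        expected = (ver.major << 16) | (ver.minor << 8) | ver.patch
        if int(n[1], 16) != expected:
            raise ValueError(
                f"LIBCURL_VERSION {m[1]}.{m[2]}.{m[3]} does not match "
                f"LIBCURL_VERSION_NUM 0x{n[1]}")
    return ver


def is_downlevel(ver: CurlVersion, minimum: Tuple[int, int, int]) -> bool:
    """True when ver is strictly older than the (major, minor, patch) minimum."""
    return (ver.major, ver.minor, ver.patch) < minimum


def audit(headers: Dict[str, str], minimum: Tuple[int, int, int]) -> List[str]:
    """Return the names of copies that are downlevel or fail to parse cleanly.

    `headers` maps a copy's name (e.g. a fork or vendor directory) to the text
    of its curlver.h.  Unparseable or inconsistent headers are reported too,
    since "cannot tell" is not a pass.
    """
    flagged = []
    for name, text in headers.items():
        try:
            if is_downlevel(parse_curlver(text), minimum):
                flagged.append(name)
        except ValueError:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    copies = {"fork-a": SAMPLE_OLD, "fork-b": SAMPLE_NEW, "fork-c": SAMPLE_BAD}
    print("downlevel or suspect:", audit(copies, (8, 0, 0)))
```

In practice you would feed `audit` the contents of `include/curl/curlver.h` from each fork or vendored tree you care about; the inconsistency check matters because a fork that rewrote the version string is exactly the copy worth a closer look.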
Received on 2023-03-02