
Re: The curl nuget story

From: Jeffrey Walton via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 2 Mar 2023 06:40:30 -0500

On Thu, Mar 2, 2023 at 3:44 AM Daniel Stenberg via curl-library
<curl-library_at_lists.haxx.se> wrote:
>
> The last few days I've worked with nuget and them offering a curl package from
> 2013. tldr: that package is now delisted.
>
> The longer version of the story:
> https://daniel.haxx.se/blog/2023/03/02/the-curl-nuget-story/

This sounds like the Maven Insecurity problem playing out with Nuget.
How little we learned in all those years...

The next problem is GitHub clones. They take the Maven Insecurity
problem and exponentiate it. Instead of one site providing insecure
software (like Maven or NuGet), forks ensure there are hundreds or
thousands of insecure copies of software available.

cURL has 5.6k forks according to GitHub. I wonder how many of them
have downlevel versions of the library.

Jeff
Received on 2023-03-02
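The question raised above, how many curl forks still carry a downlevel libcurl, can be checked mechanically because every curl source tree records its version in include/curl/curlver.h. The script below is an added example and is not part of this mail or of the curl project: it parses the LIBCURL_VERSION and LIBCURL_VERSION_NUM macros (whose layout mirrors the real header), cross-checks them against each other, and classifies each tree against a reference release. The fork names and the versions they carry are constructed for the example, as is the 7.88.1 reference; in practice the header text would come from each fork's checkout.

```python
import re

# Constructed sample contents of include/curl/curlver.h. The macro layout
# mirrors the real header, but the fork names and the versions each one
# carries are made up for this example, not measurements of real forks.
SAMPLE_HEADERS = {
    "upstream/curl": """
#define LIBCURL_VERSION "7.88.1"
#define LIBCURL_VERSION_MAJOR 7
#define LIBCURL_VERSION_MINOR 88
#define LIBCURL_VERSION_PATCH 1
#define LIBCURL_VERSION_NUM 0x075801
""",
    # A fork frozen at a 2013-era release.
    "fork-a/curl": """
#define LIBCURL_VERSION "7.30.0"
#define LIBCURL_VERSION_NUM 0x071e00
""",
    "fork-b/curl": """
#define LIBCURL_VERSION "7.61.1"
#define LIBCURL_VERSION_NUM 0x073d01
""",
    # A development checkout: the string carries a -DEV suffix.
    "fork-c/curl": """
#define LIBCURL_VERSION "8.1.0-DEV"
#define LIBCURL_VERSION_NUM 0x080100
""",
    # A hand-edited header whose string and numeric version disagree.
    "fork-d/curl": """
#define LIBCURL_VERSION "7.88.1"
#define LIBCURL_VERSION_NUM 0x071e00
""",
    # Not a curlver.h at all.
    "fork-e/curl": "#define SOMETHING_ELSE 1\n",
}

# The version string may carry a suffix such as -DEV, so only the leading
# dotted triple is captured. LIBCURL_VERSION_NUM is 0xXXYYZZ (major, minor, patch).
VERSION_RE = re.compile(r'^#define\s+LIBCURL_VERSION\s+"(\d+)\.(\d+)\.(\d+)', re.M)
NUM_RE = re.compile(r'^#define\s+LIBCURL_VERSION_NUM\s+0x([0-9a-fA-F]{6})\b', re.M)


def parse_curlver(text):
    """Return the (major, minor, patch) triple recorded in a curlver.h body.

    Raises ValueError if either macro is missing or if LIBCURL_VERSION and
    LIBCURL_VERSION_NUM disagree, which indicates a tampered or mangled header.
    """
    m = VERSION_RE.search(text)
    n = NUM_RE.search(text)
    if not m or not n:
        raise ValueError("LIBCURL_VERSION or LIBCURL_VERSION_NUM missing")
    triple = tuple(int(x) for x in m.groups())
    num = int(n.group(1), 16)
    expected = (triple[0] << 16) | (triple[1] << 8) | triple[2]
    if num != expected:
        raise ValueError(
            f"LIBCURL_VERSION {triple} does not match LIBCURL_VERSION_NUM 0x{num:06x}"
        )
    return triple


def audit(headers, reference):
    """Classify each header against a reference (major, minor, patch) triple.

    Returns {name: (status, detail)} where status is "current", "downlevel",
    "ahead" or "error"; detail is the parsed triple or the error message.
    """
    report = {}
    for name, text in headers.items():
        try:
            version = parse_curlver(text)
        except ValueError as exc:
            report[name] = ("error", str(exc))
            continue
        if version < reference:
            status = "downlevel"
        elif version > reference:
            status = "ahead"
        else:
            status = "current"
        report[name] = (status, version)
    return report


if __name__ == "__main__":
    # 7.88.1 is used as the reference here; substitute the current release.
    for name, (status, detail) in sorted(audit(SAMPLE_HEADERS, (7, 88, 1)).items()):
        print(f"{name:16} {status:9} {detail}")
```

To run this against real forks, feed audit() the contents of include/curl/curlver.h fetched from each fork's default branch; a fork whose header fails the cross-check deserves a closer look, since a consistent pair of macros is what every curl release ships.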