curl / Mailing Lists / curl-library / Single Mail

Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: The curl nuget story

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

From: Jeffrey Walton via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 2 Mar 2023 06:40:30 -0500

On Thu, Mar 2, 2023 at 3:44 AM Daniel Stenberg via curl-library
<curl-library_at_lists.haxx.se> wrote:
>
> The last few days I've worked with nuget and them offering a curl package from
> 2013. tldr: that package is now delisted.
>
> The longer version of the story:
> https://daniel.haxx.se/blog/2023/03/02/the-curl-nuget-story/

This sounds like the Maven Insecurity problem playing out with Nuget.
How little we learned in all those years...

The next problem is GitHub clones. They take the Maven Insecurity
problem and exponentiate it. Instead of one site providing insecure
software (like Maven or NuGet), forks ensure there are hundreds or
thousands of insecure copies of software available.

cURL has 5.6k forks according to GitHub. I wonder how many of them
have downlevel versions of the library.

Jeff

-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html

Received on 2023-03-02

This message: [ Message body ]
Next message: Kamil Dudka via curl-library: "Re: The curl nuget story"
Previous message: Daniel Stenberg via curl-library: "The curl nuget story"
In reply to: Daniel Stenberg via curl-library: "The curl nuget story"
Next in thread: Kamil Dudka via curl-library: "Re: The curl nuget story"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]