Leading Open Source Author Calls for Verification over Trust in Software Supply Chains
Briefly

"Software and digital security should rely on verification, rather than trust. I want to strongly encourage more users and consumers of software to verify curl. And ideally require that you could do at least this level of verification of other software components in your dependency chains."
"Stenberg lists a range of scenarios in which a project at that scale could be compromised, including a malicious contributor merging tainted code, a breached committer unknowingly distributing modified releases, an extorted team member making unwanted changes, or a hacked distribution server serving altered tarballs. He notes that these scenarios can occur independently or in rapid sequence, and that the consequences of a successful attack on a project of curl's reach could be severe."
Daniel Stenberg, curl's creator, argues that trusting well-known software components is not sufficient for security. curl runs on tens of billions of devices, which makes it a prime target for compromise through malicious contributors, breached committers, extorted team members, or hacked distribution servers. Stenberg advocates actively verifying the software one consumes rather than passively trusting it. curl itself enforces a broad set of controls: a mandatory code style, a ban on unsafe C functions, limits on function complexity, both human and automated review of every pull request, a prohibition on binary blobs and base64-encoded content, and more than 200 continuous integration jobs per commit built with strict compiler settings.
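Two of the controls listed above, the ban on unsafe C functions and the limit on function size, are the kind of policy a consumer can re-check on any C dependency rather than take on trust. The script below is an added illustration written for this summary; it is not curl's own checker (curl enforces these rules with its in-tree tooling), and the banned-function list, the rejection reasons and the 100-line limit are assumptions chosen for the example, not curl's actual settings. It strips comments and string literals first so that a function name mentioned in a comment is not reported, and it uses a simple brace-depth heuristic to measure function length.

```python
"""Source-policy checker: flags banned libc calls and over-long functions in C source.

Added example for this summary; not curl's own tooling. The banned list and the
length limit are assumed values, not the project's real configuration.
"""
import re

# Assumed ban list: classic unbounded or non-reentrant libc calls and what to use instead.
BANNED_FUNCTIONS = {
    "gets": "unbounded read; use fgets",
    "strcpy": "unbounded copy; use a length-checked copy",
    "strcat": "unbounded append; use a length-checked append",
    "sprintf": "unbounded format; use snprintf",
    "vsprintf": "unbounded format; use vsnprintf",
    "strtok": "not reentrant; use strtok_r",
}

DEFAULT_MAX_FUNCTION_LINES = 100  # assumed limit for the example

# A banned name followed by "(" and not preceded by an identifier character,
# so "snprintf(" does not match "sprintf" and "my_strcpy(" is left alone.
_CALL_RE = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(map(re.escape, BANNED_FUNCTIONS)) + r")\s*\("
)
# Line comments, block comments, string literals and char literals.
_NOISE_RE = re.compile(
    r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'', re.S
)
# A file-scope line that looks like a function definition header: a return type,
# a name, a parameter list, and no trailing ";" (which would make it a prototype).
_HEADER_RE = re.compile(r"^[A-Za-z_][\w\s\*]*?\b([A-Za-z_]\w*)\s*\([^;{]*\)\s*\{?\s*$")


def _blank_noise(src):
    """Replace comments and literals with spaces, keeping newlines so line numbers hold."""
    return _NOISE_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def check_source(src, max_function_lines=DEFAULT_MAX_FUNCTION_LINES):
    """Return a list of findings (dicts with line, kind, name, detail) for C source text."""
    findings = []
    depth = 0
    pending = None  # (name, line) of the most recent header seen at file scope
    current = None  # (name, line) of the function whose body we are inside
    for lineno, line in enumerate(_blank_noise(src).split("\n"), start=1):
        for m in _CALL_RE.finditer(line):
            name = m.group(1)
            findings.append({"line": lineno, "kind": "banned-call",
                             "name": name, "detail": BANNED_FUNCTIONS[name]})
        if depth == 0:
            header = _HEADER_RE.match(line.strip())
            if header:
                pending = (header.group(1), lineno)
        for ch in line:
            if ch == "{":
                if depth == 0 and pending:
                    current, pending = pending, None
                depth += 1
            elif ch == "}":
                depth -= 1
                if depth == 0 and current:
                    name, start = current
                    length = lineno - start + 1
                    if length > max_function_lines:
                        findings.append({"line": start, "kind": "long-function", "name": name,
                                         "detail": f"{length} lines, limit {max_function_lines}"})
                    current = None
    return findings


# Constructed sample input: one real violation, plus a comment and a string literal
# that mention banned names and must not be reported.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

/* strcpy() is mentioned here only in a comment, so it must not be flagged */
static void copy_name(char *dst, size_t dstlen, const char *src)
{
    const char *msg = "never use gets() here";
    strcpy(dst, src);                  /* banned: unbounded copy */
    snprintf(dst, dstlen, "%s", src);  /* fine: bounded */
    (void)msg;
}
"""

if __name__ == "__main__":
    for f in check_source(SAMPLE_C):
        print(f"line {f['line']}: {f['kind']} {f['name']} ({f['detail']})")
```

Running it on the constructed sample reports only the `strcpy` call on line 8; lowering `max_function_lines` to 5 additionally reports `copy_name` as too long, which is how a consumer would tune the limit to the policy they expect a dependency to meet.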
Read at InfoQ