Re: Discussions on Security Enhancements
From: Daniel Stenberg via curl-users <curl-users_at_lists.haxx.se>
Date: Mon, 7 Nov 2022 23:47:38 +0100 (CET)
On Mon, 7 Nov 2022, Diogo Sant'Anna wrote:
> For a better view on what the Scorecards evaluates, I'm sending at the end
> of this email the result of an evaluation of curl using the Scorecards command
> line CLI, which analyzes the public portion of any public repo and also
> carries the documentation that describes what the check is verifying and why.
> The suggested Scorecard GitHub Action would get that information to your
> security tab, keeping it always updated, and also considering some private
> setting information.
Thanks, but I don't see the utility in this. We already know we use code
analyzers, tests, fuzzing and have a security policy. I don't think we need a
tool to tell us this. I don't think it helps our security.
That tool looks more like it is designed and intended for outsiders to *verify*
or to *check* that a random given project has those things.
--
 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://curl.se/support.html
Received on 2022-11-07