On Thu, Mar 2, 2023 at 3:44 AM Daniel Stenberg via curl-library <[email protected]> wrote:
>
> The last few days I've worked with nuget and them offering a curl package from
> 2013. tldr: that package is now delisted.
>
> The longer version of the story:
> https://daniel.haxx.se/blog/2023/03/02/the-curl-nuget-story/

This sounds like the Maven Insecurity problem playing out with NuGet. How little we learned in all those years...

The next problem is GitHub clones. They take the Maven Insecurity problem and exponentiate it. Instead of one site providing insecure software (like Maven or NuGet), forks ensure there are hundreds or thousands of insecure copies of software available.

cURL has 5.6k forks according to GitHub. I wonder how many of them have downlevel versions of the library.

Jeff

--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
