I'm putting together a list of big and small issues that make us (the curl project) consider switching away from GitHub for security reporting/advisories again:

https://gist.github.com/bagder/ed3268e8745452a53a999d23b7fa1273

*considering* being the operative word, nothing has been decided and I think it's fair to give it some more time first. And some communication to see what can be done, fixed or adjusted.

To be continued.

GitHub Security Advisory wishlist from the curl project

@bagder Another reason to add: lack of #IPv6 support.
@bagder Where are you not seeing the number of advisories next to the "Security" tab? I can see it (5) on the sudo-rs repository, for example.
GitHub - trifectatechfoundation/sudo-rs: A memory safe implementation of sudo and su.
@ilmari I currently have 1 in triage and 2 in draft but the tab says "Security" (no counter)
@bagder Ah, I guess it only shows published advisories, even if you are logged in as a user who can see more?
@ilmari right, that's exactly my point. With issues and PRs we see a count of the list of "open" items, with advisories we do not

@bagder

Reason number N: I bet it will break a lot of github automation :-)

@bagder Related to this, I really wish for a platform, abstracted from the code hosting solution, which provides a place for open source projects to manage security reports and CVEs, that's not "gamified" for reporters.

I've been moving away from GitHub, but reporting via the Mitre form is slow and cumbersome. I've been searching for something better but not found anything yet!

@danb maybe one problem is that we all want slightly different things even when we are open source...
@bagder @danb but I mean how hard can it really be to build a platform customizable for those wishes... xD
@bagder @poolitzer easily done in one weekend I'd expect 😅
@bagder
I'm at best a “security aware person”, and yet it seems that half of those are valid reasons to be knee-deep in hell^Wmigration plans.
@bagder @Codeberg is calling lol
@[email protected]: As much as I love @[email protected] , I don't think it fits this use case.
#codeberg/#forgejo is a code forge that—to the best of my knowledge—does not provide a dedicated mechanism for "security reporting/advisories." At least not presently.

Still, Codeberg is awesome :))

CC: @[email protected]
@bagder Only tangentially related, but are you still mirroring curl to Codeberg? Any plans for a migration in case Microsoft decides to double-double-double down on AI-everywhere-as-a-feature?
@thibault Yeps, the codeberg mirror is kept in sync: https://codeberg.org/curl/curl-mirror/