Three years ago I blogged about #nuget serving outdated #curl packages.

They then removed the packages I found.

I checked nuget again *today* and immediately found a nine-year-old curl package that is downloaded at the rate of 1,000 times/week from there... with **64** known vulnerabilities.

The blog post from back then: https://daniel.haxx.se/blog/2023/03/02/the-curl-nuget-story/

"Microsoft is no longer accepting new submissions through [email protected]. Please use the Microsoft Researcher Portal"...

😠

But I took it to the big generic security portal and submitted a report there. Let's see what happens.
My not at all surprised face: "After careful investigation, this case has been assessed as not a vulnerability and does not meet Microsoft's bar for immediate servicing."
@bagder Subscription first, Quality second. Works as expected I suppose.
@totenlegionChris @bagder ... second? That's bold of you to assume.
@Enfors @bagder I am a thick-headed optimist, so I will not bow to reality ;-)
@Enfors @totenlegionChris @bagder MS won't settle for being second to none, they aspire to none instead
@chocobo13 @Enfors @bagder If they get money for providing a security-like feature (Recall) from governments / agencies ... security will be a business case and not a target or quality for the software.