Don’t trust, verify

Software and digital security should rely on verification, rather than trust. I want to strongly encourage more users and consumers of software to verify curl. And ideally require that you could do at least this level of verification of other software components in your dependency chains.

Attacks are omnipresent

With every source code commit and …

daniel.haxx.se

@bagder

"Don't trust, verify"

This is so much my mantra at work. It keeps me alive. I don't even trust myself and have to verify three times. When I see work from others, same, I have to verify. Because if I leave a valve open or backwards, it could kill me or require evacuation of the manufacturing plant. The worst case almost took my name, more than once.

> "This is why users still rely on curl after thirty years in the making." Thank you for that @bagder 🙏👏👏😊

@bagder This is a great list for projects to adopt; my only addition would be (not applicable to curl) projects downloading dependencies at build time (either CI, or locally).

It has become scarily common during runtime *cough VS code*
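The build-time download the reply above warns about is exactly where a "verify, don't trust" check belongs: refuse to use any fetched artifact that is not pinned to a hash recorded in your own repository, and fail closed on anything unpinned. The script below is an added illustration of that check; it is not curl's code and not code from anyone in this thread. The one-line-per-dependency lock-file format, the name `libfoo` and the tarball contents are all constructed for the example (the pinned value is the SHA-256 of the literal bytes `hello\n`).

```shell
#!/bin/sh
# Added example: verify a build-time dependency against a hash pinned in
# the consuming project's own repository before it is used. Lock format
# (made up for this example): one "<name> <sha256-hex>" pair per line.
set -eu

sha256_of() {
    # Print the hex SHA-256 of a file, whichever tool the host provides.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_dep LOCKFILE NAME FILE
# Returns 0 only if NAME has a pin in LOCKFILE and FILE hashes to it.
# A name nobody pinned is rejected: unknown is not the same as trusted.
verify_dep() {
    lock=$1; name=$2; file=$3
    # Exact match on the first field so "libfoo" cannot satisfy "libfoo-bar".
    expected=$(awk -v n="$name" '$1 == n { print tolower($2); exit }' "$lock")
    if [ -z "$expected" ]; then
        echo "refusing $name: no pin recorded in $lock" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refusing $name: hash mismatch" >&2
        echo "  pinned: $expected" >&2
        echo "  actual: $actual" >&2
        return 1
    fi
    echo "ok $name"
}

# Constructed fixture so the example runs offline: a lock file with one pin
# and two candidate "downloads", one genuine and one altered by a single byte.
DEMO_DIR=$(mktemp -d)
DEMO_LOCK=$DEMO_DIR/deps.lock
cat > "$DEMO_LOCK" <<'EOF'
libfoo 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
EOF
printf 'hello\n'  > "$DEMO_DIR/libfoo.tar.gz"     # matches the pin
printf 'hello!\n' > "$DEMO_DIR/tampered.tar.gz"   # does not

verify_dep "$DEMO_LOCK" libfoo   "$DEMO_DIR/libfoo.tar.gz"            # accepted
verify_dep "$DEMO_LOCK" libfoo   "$DEMO_DIR/tampered.tar.gz" || true  # refused
verify_dep "$DEMO_LOCK" unpinned "$DEMO_DIR/libfoo.tar.gz"   || true  # refused
```

The pin has to live somewhere the party serving the download cannot rewrite, which is why it is committed alongside the build scripts rather than fetched as a `.sha256` file from the same server as the artifact. A hash pin only freezes what you already inspected once; for upstreams that sign their releases (curl publishes detached signatures next to its tarballs), checking that signature against a key you obtained independently is the stronger companion to the pin.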

@bagder I love this message. Open source was never about trust and will never be about trust

It’s always been about the ability to verify

@joshbressers yeps. When we do too much trusting and too little verifying, we open up for badness to strike.

@bagder I talked to @Foxboron about this a bit at KubeCon a few days ago

The Linux distros figured a lot of this stuff out, then everyone decided they were dumb and slow :)

And now we have <gestures at everything>