Daniel Stenberg, the creator of curl, revisits a problem he reported three years ago: nuget.org continues to host severely outdated and vulnerable curl packages. The most popular offending package, rmt_curl, ships curl 7.51.0 from November 2016, a release with 64 known vulnerabilities, yet it is still downloaded roughly 1,000 times per week. After he reported the issue again, Microsoft's security team closed the case within 48 hours, stating that it is not their responsibility because the packages are not Microsoft-owned. Stenberg criticizes NuGet's model of allowing perpetually stale third-party packages to remain published and argues that, by staying indifferent to the problem, the platform actively contributes to users downloading insecure software.
Table of contents

- Trusting randos
- I reported this again
- "This is not a Microsoft problem"
- Outdated efforts
- How to address
- Conclusion