daniel.haxx.se

Daniel Stenberg, the creator of curl, revisits a problem he reported three years ago: nuget.org continues to host severely outdated and vulnerable curl packages. The most popular offending package, rmt_curl, ships curl 7.51.0 from November 2016, which has 64 known vulnerabilities, yet is still downloaded ~1,000 times per week. After reporting the issue again, Microsoft's security team closed the case within 48 hours, stating it's not their responsibility since the packages aren't Microsoft-owned. Stenberg criticizes nuget's model of allowing perpetually stale third-party packages and argues the platform actively contributes to users downloading insecure software by remaining indifferent to the problem.

chicken nuget

<p>While I Like dotnet net and Nuget works well (looking at you pip). The Public Feed has the usuall issues of a public feed and it’s a shame Micrososft is so Indifferent about t, although what would one expect from microslop…</p>
