This post discusses how to verify the integrity of the curl package, including checking for backdoors, binary blobs, and hidden payloads in tarballs. It also highlights the importance of signed tarballs and commits, as well as the acceptance of contributions from anonymous and pseudonymous contributors. The post concludes by

6m read time
From daniel.haxx.se
Table of contents
No inexplicable binary blobs
No disabled fuzzers
No hidden payloads in tarballs
Reproducible tarballs
Signed tarballs
Signed commits
Is the content in git benign?
Anonymous contributors
Anonymous maintainers
Can curl be targeted?
Vulnerabilities
Credits
