Don’t trust, verify


Daniel Stenberg, curl's creator, outlines the comprehensive security and verification practices the curl project employs to protect one of the world's most widely used software components. He enumerates realistic attack vectors — from insider threats and credential breaches to CI pipeline compromises and supply chain attacks — and explains how curl counters them through 21 specific practices: strict code style enforcement, banning binary blobs and Unicode obfuscation, mandatory 2FA, 200+ CI jobs, fuzzing via OSS-Fuzz, valgrind/sanitizer runs, torture tests, external audits, and a public verification page. He urges users to independently verify curl releases and to demand similar transparency from all software dependencies.

7 min read time. From daniel.haxx.se
Table of contents

- Attacks are omnipresent
- You can verify
- We must verify
- Not paranoia
- Documented