The Open Source Polylith thing I work on just got its first GitHub sponsor, and that’s one small step towards getting a Letter like the one you got. A new life goal for me 😁
As someone very familiar with government IT (but not with DOE specifically), my hypothesis is that their developers have to create a record of every piece of software they use. And the system where they enter those records requires a vendor contact email address. And someone, lacking a better email address in their rush to fill out the form, found your email address and used it, not understanding the implications.
LangerJan
in reply to daniel:// stenberg://
Paul_IPv6
in reply to daniel:// stenberg://
congrats?
sure hope my tax dollars somehow wind up getting into a software support contract for curl.
daniel:// stenberg://
in reply to Paul_IPv6
ran mak
in reply to daniel:// stenberg://
Tane Piper ⁂
in reply to daniel:// stenberg://
@paul_ipv6 yep, at the moment it's either serious or it's just rigor theater and nothing will go further.
I'd also bet on the latter
Ash Thomas
in reply to daniel:// stenberg://
daniel:// stenberg://
in reply to Ash Thomas
SuperIlu
in reply to daniel:// stenberg://
Florian Weber
in reply to daniel:// stenberg://
Christian Lauf
in reply to daniel:// stenberg://
daniel:// stenberg://
in reply to Christian Lauf
Christian Lauf
in reply to daniel:// stenberg://
Daniel Marks
in reply to daniel:// stenberg://
libcurl is probably in lots of commercial software, and they probably will perform this attestation to keep doing business with the government, never having done due diligence on the thousands of open source libraries they use.
This is a cover-your-ass move on the part of the government, because such attestations don't have any teeth. There's no real plan to secure the software they use, so they do this to say they did something.
Mike
in reply to daniel:// stenberg://
Florian Haas
in reply to daniel:// stenberg://
missed opportunity to sign off with:
Regards,
CURL CYA GTFO Team
David Vujic
in reply to daniel:// stenberg://
Kat
in reply to daniel:// stenberg://
daniel:// stenberg://
in reply to daniel:// stenberg://
So the Department of Energy emailed me | Hacker News
news.ycombinator.com
Pink
in reply to daniel:// stenberg://
Why Not Zoidberg? 🦑
in reply to daniel:// stenberg://
tTh
in reply to daniel:// stenberg://
From: DOE Attestation - LinuxFr.org
linuxfr.org
Ondřej Surý
in reply to daniel:// stenberg://
> If you contact support@wolfssl.com we can remedy this oversight and can then arrange for all the paperwork and attestations you need.
I love that response! :)
daniel:// stenberg://
in reply to Ondřej Surý
Log 🪵
in reply to daniel:// stenberg://
Elias Mårtenson
in reply to daniel:// stenberg://
daniel:// stenberg://
in reply to Elias Mårtenson
Jeff Fredrickson
in reply to daniel:// stenberg://