daniel:// stenberg://

7 months ago

daniel:// stenberg://
7 months ago

#curl has been a CNA for a year now daniel.haxx.se/blog/2024/01/16…

curl is a CNA

The curl project has been accepted as a CVE Numbering Authority (CNA) for vulnerabilities in all products directly made or managed by the project. If I'm counting correctly, we are the 351st CNA.

^{daniel.haxx.se}

#curl

in reply to daniel:// stenberg://

daniel:// stenberg://

in reply to daniel:// stenberg:// 7 months ago

The short summary of if it has been worth the hassle: yeah I think so. It is now easy and fast to get new CVE IDs. We have a seat at a table where I can complain loudly on the system and what I say actually might have a (small) impact.

We have yet to deny someone else's crazy CVE attempts against curl.

in reply to daniel:// stenberg://

daniel:// stenberg://

in reply to daniel:// stenberg:// 7 months ago

It is an added bonus that the Linux kernel with @gregkh at the wheel also became a CNA around the same time, as they are pushing for good things in the ecosystem and do it at such a much bigger volume and scale than we do. And it's fun to sit next to this and learn.

@Greg K-H