People often ask me if I have ever detected an attempt to plant a backdoor in #curl. But I never have. I used to say that exploiting a mistake, a security vulnerability, is a MUCH more likely attack scenario, because trying to merge a backdoor is super difficult.

But that only goes for outsiders. An insider, a maintainer trusted for years, of course has a much better opportunity to sneak in malicious code etc. Still not easy though.
in reply to daniel:// stenberg://

Or as someone asked me once: if someone threatened to murder your family, could you ship a backdoor?
in reply to daniel:// stenberg://

If I was maintaining an app for free, yes, in an instant.

If I was getting paid to maintain an app, yes, in an instant.

Basically, nothing is more important than family.

in reply to daniel:// stenberg://

It’s a scary thought. It opens the door to loads of trust issues. 😂
in reply to daniel:// stenberg://

@realsshrestha Yes, indeed. But a transparent and automated build process will raise questions the moment someone forces manual changes into the process (like adding extra files, or modifying code which does not come from the repository).

You are right that it still needs multiple sets of eyes.

in reply to daniel:// stenberg://

@realsshrestha It’s bound to be discovered eventually. It’s the self-healing quality of the open source community.
in reply to daniel:// stenberg://

More likely to just threaten you to keep quiet while a trained saboteur does the deed. What's the solution? I think non-human eyeballs need to be involved.
in reply to daniel:// stenberg://

Ideally, we would have a process where it wouldn't make a difference if we did.

Getting there is hard tho.

in reply to daniel:// stenberg://

I understand the sentiment, but giving in to threats of violence isn't always good game theory. Doing something to help someone who threatens your family doesn't do much to protect your family.
in reply to daniel:// stenberg://

This has made me a bit sad, because I really like open source being, well, open. But I think a lot of projects are going to quite reasonably hesitate to accept contributions or maintainers, which makes sense from a security perspective but is going to make it harder for new people to join the community unless they work at one of the big tech companies.
in reply to Chris Adams

@acdha As a project, we typically can't *know* where they work, so that's not really a factor that plays into this.
in reply to daniel:// stenberg://

I was just thinking it’ll be easy for a lot of projects to fall back on heuristics like “the author has a google.com email address” or “they’re part of the Facebook GitHub group”, which is fair but kind of sucks for a student somewhere trying to start building a professional reputation.
in reply to Chris Adams

@acdha Should we trust people just because a tech giant hired them? I don't.
in reply to daniel:// stenberg://

I don't either, but I'm worried that a lot of open source maintainers do not have much time and are going to fall back on proxies like that because they don't have time to properly evaluate a contribution.