Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Don’t trust, verify- 1938

Daniel Stenberg, posted 2 days ago
  • The author of this post is the maintainer of curl. Their goal is to get users and consumers to verify curl's software before using it. Why? Because attacks are everywhere and happening all the time.
  • A skilled member of the project team can deliberately add malicious code, as with the XZ backdoor. A maintainer may be compromised, allowing malicious code to be pushed. A rando may merge a "bugfix" that is actually a small step in a larger chain of pieces planted for a backdoor. A real maintainer may accidentally add code that creates a security vulnerability. The tarballs that host the code could get hacked. A third-party CI service used by the project could be hacked and turned against the project.
  • Here's the point: you can verify. The author does everything they can each week to improve curl's code quality. You can review the code for bugs, review the release contents to ensure they have not been tampered with relative to the original source, and much more.
  • Within the git repo itself, there are many things that can be done; the author lists 21 of them. Code styling, banning functions that are footguns, code review, banning binary blobs/unicode characters, documentation, fuzzing the code, security audits... There are a lot of things to be done.
  • They finish by saying that this is NOT paranoia; this is what allows them to sleep well at night. They take curl's code quality and security seriously.
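The "review the release contents" point above is the one most consumers can act on directly, and the XZ backdoor is the reason it matters: the malicious pieces lived in the release tarball but were never committed to the git tree. The script below is an added example of that check, not code from Daniel Stenberg or the curl project. It hashes every file in a release tarball, hashes every file in the checked-out tree at the matching tag, and reports anything that exists only in the tarball, only in the tree, or differs between the two. The sample project, the tarball and the release-only file `m4/extra-macro.m4` are all constructed inside a temporary directory so the example runs offline; `generated_ok` is a hypothetical allow-list for files a release process legitimately adds (a pre-built `configure`, for instance), which is exactly the set a reviewer should read rather than wave through.

```python
"""Compare a release tarball against the source tree it claims to come from.

Files that exist only in the tarball, or whose contents differ from the
tree, are where a tarball-only backdoor would hide. Added example with
constructed sample files; not curl's own release tooling.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Set


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(root: Path) -> Dict[str, str]:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    digests: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = sha256_bytes(path.read_bytes())
    return digests


def hash_tarball(tar_path: Path) -> Dict[str, str]:
    """Map path (leading top-level directory stripped) -> sha256 for each file member."""
    digests: Dict[str, str] = {}
    with tarfile.open(tar_path, "r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            parts = Path(member.name).parts
            # Release tarballs wrap everything in "name-version/"; drop that prefix.
            rel = Path(*parts[1:]).as_posix() if len(parts) > 1 else member.name
            fh = tar.extractfile(member)
            if fh is not None:
                digests[rel] = sha256_bytes(fh.read())
    return digests


def compare_release(
    tar_path: Path, tree_dir: Path, generated_ok: Iterable[str] = ()
) -> Dict[str, Set[str]]:
    """Return files only in the tarball, only in the tree, or changed between them.

    generated_ok (hypothetical allow-list) names paths a release process is
    expected to add; every other tarball-only file deserves a human look.
    """
    allowed = set(generated_ok)
    tar = hash_tarball(tar_path)
    tree = hash_tree(tree_dir)
    return {
        "tarball_only": {p for p in tar.keys() - tree.keys() if p not in allowed},
        "tree_only": set(tree.keys() - tar.keys()),
        "modified": {p for p in tar.keys() & tree.keys() if tar[p] != tree[p]},
    }


def demo() -> Dict[str, Set[str]]:
    """Constructed scenario: a tarball carrying one file that was never committed."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        tree = work / "src"
        (tree / "lib").mkdir(parents=True)
        (tree / "lib" / "main.c").write_text("int main(void) { return 0; }\n")
        (tree / "configure.ac").write_text("AC_INIT([demo],[1.0])\n")

        tarball = work / "demo-1.0.tar.gz"
        extra = work / "extra-macro.m4"  # constructed release-only file
        extra.write_text("# present in the tarball, absent from the repository\n")
        with tarfile.open(tarball, "w:gz") as tar:
            tar.add(tree, arcname="demo-1.0")
            tar.add(extra, arcname="demo-1.0/m4/extra-macro.m4")

        return compare_release(tarball, tree, generated_ok={"configure"})


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {sorted(paths) or '-'}")
```

Run against a real download, point `compare_release` at the tarball and at a clean clone checked out at the release tag. This compares content only; confirming that the tarball is the one the maintainer actually published is the separate step of checking its detached signature against the maintainer's already-trusted public key, which this example deliberately leaves to `gpg`.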