So the Department of Energy emailed me
The U.S. Department of Energy requested a Secure Software Development Attestation for libcurl from Daniel Stenberg, who was unaware of their use of the software and suggested contacting wolfssl.com for assistance.
Daniel Stenberg received an email from the U.S. Department of Energy (DOE) requesting a Secure Software Development Attestation for libcurl, the transfer library he founded and leads. The email outlined the requirement for software producers to attest to secure software development practices as mandated by the Office of Management and Budget (OMB). The DOE identified libcurl version 8.3 as the affected software and provided a link to the attestation form. Stenberg noted that he had no prior contact with the DOE and was unaware of their use of libcurl. He found the insistence on compliance amusing, given that he did not recognize the DOE as a customer. In response, he clarified that libcurl is an open-source product and suggested that the DOE contact wolfssl.com for further assistance with the attestation process.
- The U.S. Department of Energy requested a Secure Software Development Attestation for libcurl.
- The request is part of compliance with OMB requirements for secure software development.
- Daniel Stenberg, the recipient, was unaware of the DOE's use of libcurl.
- Stenberg clarified that libcurl is open-source and suggested contacting wolfssl.com for further assistance.
- The situation highlights the complexities of software compliance and communication between government agencies and open-source developers.
Related
Wcurl: a curl wrapper to download files
Samuel Henrique introduces "wcurl," a wrapper for curl simplifying file downloads via the terminal. It offers default settings for common use cases, aiming to ease file downloads without complex curl parameters. Available in Debian unstable since July 2, 2024, with plans for wider distribution.
Public GitHub Discovery Raises Concerns About DoD Communication Security
A .mil address on GitHub exposes US Government XMPP code, raising security concerns. DoD's internal communication systems could be compromised, urging caution and reporting to the repository owner for resolution.
Lessons from CrowdStrike's Buggy Update
Recent events underscored the importance of robust release processes in the software industry. A buggy update to CrowdStrike's Falcon security software caused system crashes, emphasizing the need for comprehensive testing, integrity verification, staged rollouts, and transparent communication. Justin Cappos highlighted the necessity of software supply chain validation mechanisms like in-toto for enhanced security.
Open Source in Europe: Facing the regulatory challenge
The Cyber Resilience Act in Europe sets strict security standards for digital products, impacting the Open Source community. Experts discuss compliance challenges and initiatives to support businesses navigating regulations. Open Source faces coordination needs for better engagement in standardization processes.
curl 8.9.0
curl version 8.9.0 was released on July 24, 2024, featuring 11 changes, 260 bug fixes, and fixes for two security vulnerabilities, while introducing new options and improving performance for TLS connections.
Charge them, and make sure they understand why - they’re benefiting, and have been benefiting, from software developed at no cost to them. If they want anything, it needs to cost them; otherwise, …
I love open source, I love free software. I do actually want my government to front up and acknowledge the risks in building systems to depend on it, and not understanding its precarious nature.
An example from nearly 20 years ago is the CMU SNMP library which was embedded in Cisco routers. Maaaaasive worldwide CVE risk which had to be ameliorated, all because of a rational free s/w inclusion. The code was already 10 years old at that point. I doubt anyone from CMU was in the loop.
I've also seen the other side: I wrote a 2 line patch to some free s/w and I had to invoke lawyers for a sign-off requested by the s/w org. We were happy, but it's not exactly zero-risk to accept inputs now, if you're in the business of giving code away.