From 3801c9857acaf38b9e387c2d62f167c9615624db Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 31 Jul 2024 23:58:40 +0200 Subject: [PATCH] project/security.md: combat backdoors --- project/security.md | 46 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/project/security.md b/project/security.md index 45edc7ef34..1542728717 100644 --- a/project/security.md +++ b/project/security.md @@ -26,3 +26,49 @@ chart](https://curl.se/docs/vulnerabilities.html) showing how all vulnerabilities affect which curl versions and we have this complete list of all known security problems since the birth of this project. +## Backdoors and supply chain risks + +With libcurl being installed and running in billions of installations all over +the world and in countless different environments, we recognize that it is an +ideal target for someone who wants a backdoor somewhere. + +A new or old maintainer might at any point propose a change that sounds +innocent and well-meaning but has a disguised malicious intent. + +To mitigate such risks, we apply established procedures and techniques: + +- **2FA required**. We require all maintainers with push access to git to have + two-factor authentication enabled, to reduce the risk that attackers can + impersonate them and use their credentials to push source code changes. +- **Reviews**. Every contribution that are proposed for inclusion in the + project is reviewed by a maintainer. It is also automatically checked, + tested and scanned by numerous tools. +- **Readable code**. We believe in readable code that follows our code style. + Easy to read makes it easy to debug. If code is hard to read it should be + improved until it gets easy to read. With easy to read code, smuggling + malicious payloads or hiding nefarious functionality is excruciatingly hard. +- **Tests**. We have a large test suite that is always growing and we do not + accept changes that break existing tests and new functionality need to bring + new tests for the new functionality. We run *several hundred thousands* + tests on each proposed changed to make sure existing functionality remains. + This includes fuzzers, static code analyzers, fault injectors and more. +- **No binary blobs**. All files stored in version control, in the git + repository is readable or is otherwise small and documented. There is no + place anywhere for any hidden encrypted payload. +- **Reproducible builds**. curl releases are shipped as tarballs that are + hosted on the curl website. We provide documentation, docker setups and + setups etc that allows anyone wanting to easily reproduce our release builds + to generate identical images - proving that what we ship is only contents + taken from the git repository plus other correct and properly generated + contents. +- **Signed commits**. Some - not all - of the committers sign commits to help + prove provenance. +- **Signed releases**. Every release, every uploaded tarball, is signed by + Daniel. This helps to prove that the files have not been tampered with since + they were produced. +- **Fix all vulnerabilities quickly**. Whenever we receive a security + vulnerability report, we create and ship a fix in the next pending release. + Sometimes sooner than previously planned. With every fixed security + vulnerability we release a detailed description of the flaw including exact + commit that introduced the problem, recommendations for users and more. And + we announce them to the world.