curl author Daniel Stenberg announced in a blog that he will no longer send advance notices about cURL security vulnerabilities to the mailing lists of various Linux distributions.

Daniel Stenberg started in 2011 sending “advance notifications” about “discovered but unresolved” curl security vulnerabilities to the distro mailing list (then called linux-distros). Give distributions a head start on fixing the curl package by notifying them in advance. This allows releases to provide simultaneous curl upgrades and fixes while curl resolves and announces security vulnerabilities.

But recently the curl project has updated its security process. In the past, curl would merge fixes into common public PRs within 48 hours of the release date. 48 hours is enough to complete testing of all known issues and CI verification fixes. But if a new security issue arises, 48 ​​hours is a very short time window to test and fix the new issue before the version is released.

To allow more time to process bug fixes, the new curl security process will allow earlier submission of fixes into public PRs if the security issue is “low or medium severity”. Moreover, the details of security issues cannot be discussed in detail in the PR, only which vulnerability is used for.

Of course, there are also risks in doing so. Some people with ulterior motives will exploit loopholes during the vacuum period of “submit security PR – release version fix”, so this method can only be used for low- and medium-severity security issues. High-risk security vulnerabilities cannot be disclosed at all.

A week before curl’s 8.0.0 release, Daniel still sent another email to the distribution’s mailing list, informing them of six vulnerabilities in curl that were about to be disclosed to the world. But this time the rules of the two parties conflicted: curl’s new policy resulted in, by the time distros were notified, fixes for these security issues had been submitted in the public git repository, while according to the policies of the distro mailing lists, Public security issues are “embargoed” topics.

Many distros have an “embargo” rule where security questions can only be sent to the public mailing list within 10 days of the “publish date” of the security bug, and public security bugs are not allowed if the bug is more than ten days old .

Also, if a security issue already has a publicly committed fix code, they will consider the security issue to be public and also an “embargoed” security issue.

After their policies clashed, the distro’s team asked curl to stop sending such public security questions to its mailing list. For Daniel, this purely reduces the workload, because curl basically has no security issues with a level above medium, and most security issues will be merged into PRs in advance, which violates the “embargo” rule of the distribution.

For curl users, this change means that future releases of curl with security patches will take a little longer.