On Tue, Apr 8, 2025 at 06:42:19PM +0200, Daniel Gustafsson wrote: > > On 8 Apr 2025, at 18:33, Bruce Momjian <br...@momjian.us> wrote: > > > Would we have to put out minor releases for curl CVEs? I don't think we > > have to for OpenSSL so would curl be the same? > > Why do you envision this being different from all other dependencies we have? > For OpenSSL we also happily build against a version (and until recently, > several versions) which is EOL and don't even receive security fixes.
I don't know. I know people scan our downloads and report when the scanners detect something, but I am unclear what those scanners are doing. Would they see some new risks with curl? -- Bruce Momjian <br...@momjian.us> https://momjian.us EDB https://enterprisedb.com Do not let urgent matters crowd out time for investment in the future.
