I might be thinking the wrong thing, but can the curl project upload curl packages to the chickencoop so that 'at least' some packages are from a known source?

I know that's not your problem to fix, but still...

sure, in theory that could possibly be done. But to me that would feel like giving in to them and accepting this as how it needs to be so I will not participate in that.

so they don't care about serving malware-laden ads for decades, their app store hosting tons of copycat crap and all sorts of dodgy apps, and now this. I am less and less surprised by their malconduct with every passing year.

I think this isn't a nuget problem, but just package managers in general? For example, the central maven repository has loads of libraries that ship some ancient curl versions: https://central.sonatype.com/search?q=curl

I would assume the same for every other ecosystem as well


It is a nuget problem for sure, but it is absolutely not exclusive to them
