Leading Open Source Author Calls for Verification over Trust in Software Supply Chains
InfoQ, Thursday, May 7th, 2026
Daniel Stenberg advocates for software verification over trust in supply chains, citing curl's security practices.
Daniel Stenberg, creator of curl, argues that the software industry must shift from trusting well-known components to actively verifying them, given the potential for compromise at scale. Curl implements extensive controls including code review, CI/CD testing, and signed releases to ensure transparency and provide verifiable proof of authenticity.
Stenberg emphasizes that even a small number of independent verifiers can provide meaningful security checks. Viktor Petersson adds that Software Bills of Materials (SBOMs) with proper signing are critical for supply chain security, with regulatory pressure from the EU Cyber Resilience Act and US Executive Order 14028 driving adoption. The discussion connects verification practices to preventing attacks like the XZ Utils backdoor and securing CI/CD pipelines against compromise.
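To make the "verify rather than trust" point concrete, here is an added example (not code from curl, InfoQ, or the speakers quoted above) of the check a consumer can run on a downloaded release: recompute the artifact's SHA-256, compare it in constant time against a digest pinned from an out-of-band source such as a signed checksum file, and cross-check that the SBOM shipped with the release records the same hash for the component. The artifact bytes, the pinned digest, and the CycloneDX-style SBOM are all constructed inline so the script runs offline; the component name, the placeholder version `x.y.z`, and the function names are assumptions for the example, and a real pipeline would verify the checksum file's signature before trusting the pinned digest at all.

```python
"""Verify a release artifact against a pinned digest and its SBOM.

Added example, not the project's own tooling. All inputs below are
constructed so the script is self-contained.
"""
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed stand-in for a release tarball (not a real curl archive).
ARTIFACT = b"curl-x.y.z.tar.gz: constructed stand-in bytes for the example\n"

# Digest the consumer pinned after obtaining it out-of-band (for instance
# from a signed checksum file). Computed from ARTIFACT here only so the
# example runs without network access.
PINNED_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

# Constructed minimal CycloneDX-style SBOM describing the artifact.
SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "library",
            "name": "curl",
            "version": "x.y.z",  # placeholder version, assumption
            "hashes": [{"alg": "SHA-256", "content": PINNED_SHA256}],
        }
    ],
})


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the artifact bytes."""
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the computed digest with the pinned one."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def sbom_hash_for(sbom_json: str, name: str, version: str) -> Optional[str]:
    """Return the SHA-256 the SBOM records for a component, or None if absent."""
    sbom = json.loads(sbom_json)
    for component in sbom.get("components", []):
        if component.get("name") != name or component.get("version") != version:
            continue
        for entry in component.get("hashes", []):
            if entry.get("alg") == "SHA-256":
                return entry.get("content")
    return None


def verify_release(data: bytes, pinned_hex: str, sbom_json: str,
                   name: str, version: str) -> List[str]:
    """Return a list of verification failures; an empty list means pass.

    Both checks run independently so a report names every mismatch rather
    than stopping at the first one.
    """
    failures: List[str] = []
    if not digest_matches(data, pinned_hex):
        failures.append("artifact digest does not match pinned digest")
    recorded = sbom_hash_for(sbom_json, name, version)
    if recorded is None:
        failures.append(f"SBOM has no SHA-256 for {name} {version}")
    elif not hmac.compare_digest(recorded.lower(), sha256_hex(data)):
        failures.append("SBOM-recorded hash does not match artifact")
    return failures


if __name__ == "__main__":
    problems = verify_release(ARTIFACT, PINNED_SHA256, SBOM, "curl", "x.y.z")
    print("verified" if not problems else "FAILED: " + "; ".join(problems))
    # A single appended byte is enough to fail both checks.
    print(verify_release(ARTIFACT + b"x", PINNED_SHA256, SBOM, "curl", "x.y.z"))
```

The digest comparison uses `hmac.compare_digest` so a mismatch is reported without leaking where the digests diverge, and the SBOM lookup requires both the component name and version to match before a hash is accepted; a release whose SBOM silently omits the hash is treated as a failure, not a pass.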