Boost logo

Boost :

From: Alexander Nasonov (alnsn_at_[hidden])
Date: 2007-06-07 14:43:02

Bobby Ward wrote:
> Hey I've got this great program I've just compiled. Please download it and
> run it using only my non-existent reputation that it contains no malicious
> code.

Many people run bulk builds of entire pkgsrc tree. Installing malicious
apache is MUCH more dangerous than running boost tests yet some people use
those binaries on their own risk.

I think we can make runnning tests a safe process.

1. Compile farms should be run by people with a good reputation.
2. Upload of binaries should be secure.
3. Binaries should be PGP signed and have md5 checksums.
4. Boost script should check that binaries are signed by a valid compile farm
owner before running them.
5. Script may chroot/jail the test framework on OSes where these features are
available (well, it doesn't completely protect).

BTW, how do you know that some developer submitted a code/patch
with buffer overflow by an accident. He/she might be doing a preparion
work to attack a next version of OpenOffice. This problem is more
subtle and dangerous than "someone, somewhere ran malicious boost

Alexander Nasonov
Only the sinner has the right to preach. -- Christopher Morley --
This quote is generated by: 
	/usr/pkg/bin/curl -L         \
	  | sed -e 's/^document\.write(.//' -e 's/.);$/ --/'  \
	        -e 's/<[^>]*>//g' -e 's/^More quotes from //' \
	  | fmt | tee ~/.signature-quote

Boost list run by bdawes at, gregod at, cpdaniel at, john at