Subject: [boost] Providing means to verify integrity and authenticity for releases
From: Daniel Hofmann (daniel_at_[hidden])
Date: 2016-03-14 06:10:28
The current download page at
redirects the user to SourceForge for downloading sources and / or
binary Boost distributions. SourceForge can no longer be trusted as a
hosting platform, as you can for example see following this thread
where a user was tricked into downloading some arbitrary binary while
downloading a Boost release.
Unfortunately there does not seem to be a secure and convenient way to
download Boost releases.
Github's Boost "releases" can be found at
but those are only repository snapshots, from which you cannot even
build a Boost distribution.
And whereas the Boost 1.60 rc1 announcement mail at least provides checksums,
the official 1.60 release announcement mail does not.
Correct me if I'm wrong, but there is no way of obtaining a Boost
release and verifying its integrity and authenticity.
The only option I'm seeing is recursively cloning all Boost repositories
from Github and building a release myself.
Can we please change this situation?
Here are some options that come to mind ordered by amount of effort:
- Providing checksums
- Educating users on the Downloads page
- Signing releases with a trusted Release Team key
- Changing the hosting platform
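Added example, not part of this mail or of the Boost project: what a user-side check would look like once the first and third options exist, i.e. a published checksum list and a Release Team signature over it. The file names SHA256SUMS / SHA256SUMS.asc, and the availability of GNU coreutils sha256sum and gpg, are assumptions.

```shell
#!/bin/sh
# verify_release ARCHIVE SUMS_FILE [SIGNATURE_FILE]
# Returns 0 only if ARCHIVE's SHA-256 digest matches its entry in SUMS_FILE
# and, when SIGNATURE_FILE is given, the detached signature over SUMS_FILE
# verifies against a key already in the local gpg keyring.
# Hypothetical file names; nothing here is published by Boost as of this mail.
verify_release() {
    archive=$1; sums=$2; sig=${3:-}
    [ -f "$archive" ] && [ -f "$sums" ] || { echo "missing input" >&2; return 1; }

    # Authenticity first: a checksum list fetched from the same mirror as the
    # archive proves nothing on its own, since a tampered mirror can replace
    # both. Only a signature by a key obtained out of band binds the list.
    if [ -n "$sig" ]; then
        gpg --batch --verify "$sig" "$sums" >/dev/null 2>&1 \
            || { echo "bad signature on $sums" >&2; return 2; }
    fi

    # Integrity: look up the expected digest for this file name in the list.
    # Accepts both "digest  name" and the binary-mode "digest *name" form.
    name=$(basename "$archive")
    expected=$(awk -v f="$name" '$2 == f || $2 == "*" f { print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no checksum for $name in $sums" >&2; return 3; }

    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    [ "$expected" = "$actual" ] || { echo "checksum mismatch for $name" >&2; return 4; }
    echo "verified: $name"
}

# Constructed demo input (not a real Boost release): a small archive and a
# checksum list generated from it, checked once intact and once tampered.
demo_dir=$(mktemp -d)
printf 'constructed archive contents\n' > "$demo_dir/boost_sample.tar.gz"
( cd "$demo_dir" && sha256sum boost_sample.tar.gz > SHA256SUMS )
verify_release "$demo_dir/boost_sample.tar.gz" "$demo_dir/SHA256SUMS"
printf 'tampered\n' >> "$demo_dir/boost_sample.tar.gz"
verify_release "$demo_dir/boost_sample.tar.gz" "$demo_dir/SHA256SUMS" \
    || echo "tampered copy rejected (status $?)"
```

Without the signature argument the function only checks integrity; the `gpg --verify` step is what adds authenticity, and it is only meaningful if the Release Team key was fetched from somewhere other than the download mirror.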
Daniel J H
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk