Subject: [boost] Providing means to verify integrity and authenticity for releases
From: Daniel Hofmann (daniel_at_[hidden])
Date: 2016-03-14 06:10:28
The current download page at
> http://www.boost.org/users/download/
redirects the user to SourceForge for downloading sources and / or
binary Boost distributions. SourceForge can no longer be trusted as a
hosting platform, as you can for example see following this thread
> http://lists.boost.org/boost-users/2016/02/85662.php
where a user was tricked into downloading some arbitrary binary while
downloading a Boost release.
Unfortunately there does not seem to be a secure and convenient way to
download Boost releases.
Github's Boost "releases" can be found at
> https://github.com/boostorg/boost/releases
but those are only repository snapshots, from which you cannot even
build a Boost distribution.
And whereas the Boost 1.60 rc1 announcement mail at least provides checksums
> http://lists.boost.org/boost-users/2015/12/85435.php
the official 1.60 release announcement mail does not
> http://lists.boost.org/boost-users/2015/12/85467.php
Correct me if I'm wrong, but there is no way to obtain a Boost
release and verify its integrity and authenticity.
The only option I'm seeing is recursively cloning all Boost repositories
from Github and building a release by myself.
Can we please change this situation?
Here are some options that come to mind ordered by amount of effort:
- Providing checksums
- Educating users on the Downloads page
- Signing releases with a trusted Release Team key
- Changing the hosting platform
Cheers,
Daniel J H
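As an added example, not from Daniel's mail or from the Boost project: a Python script that checks a downloaded archive against a `sha256sum`-style checksum file (the first option listed) and, assuming `gpg` is on PATH with the release key imported, a detached signature over that checksum file (the third option). The archive name and contents are constructed.

```python
import hashlib
import hmac
import subprocess
import tempfile
from pathlib import Path

HEX = set("0123456789abcdef")


def parse_checksum_file(text: str) -> dict:
    """Parse sha256sum output: '<64 hex chars>  <file name>' per line."""
    digests = {}
    for line in text.splitlines():
        parts = line.strip().split(maxsplit=1)
        if len(parts) == 2 and len(parts[0]) == 64 and set(parts[0].lower()) <= HEX:
            # sha256sum prefixes the name with '*' in binary mode; drop it
            digests[parts[1].lstrip("*")] = parts[0].lower()
    return digests


def sha256_of(path: Path) -> str:
    """Stream the file so a multi-hundred-MB tarball is not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksum(archive: Path, checksum_text: str) -> bool:
    """True only if the archive is listed and its digest matches (constant-time compare)."""
    expected = parse_checksum_file(checksum_text).get(archive.name)
    return expected is not None and hmac.compare_digest(sha256_of(archive), expected)


def verify_signature(signed_file: Path, detached_sig: Path) -> bool:
    """Authenticate the checksum file itself via its detached signature.
    Assumes gpg is on PATH and the release key is already trusted in the keyring.
    Without this step a matching checksum proves integrity of the transfer, not
    that the checksums came from the release team."""
    proc = subprocess.run(["gpg", "--batch", "--verify", str(detached_sig), str(signed_file)],
                          capture_output=True)
    return proc.returncode == 0


def demo() -> tuple:
    """Constructed release: fake archive plus its checksum file, then a swapped copy."""
    with tempfile.TemporaryDirectory() as d:
        archive = Path(d) / "boost_1_60_0.tar.bz2"  # constructed, not a real release
        archive.write_bytes(b"constructed archive contents\n")
        checksums = f"{sha256_of(archive)}  {archive.name}\n"
        good = verify_checksum(archive, checksums)
        archive.write_bytes(b"swapped binary served by an untrusted mirror\n")
        tampered = verify_checksum(archive, checksums)
        return good, tampered
```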
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk