Subject: [boost] Providing means to verify integrity and authenticity for releases
From: Daniel Hofmann (daniel_at_[hidden])
Date: 2016-03-14 06:10:28

The current download page at


redirects the user to SourceForge for downloading sources and / or
binary Boost distributions. SourceForge can no longer be trusted as a
hosting platform, as you can for example see following this thread


where a user was tricked into downloading some arbitrary binary while
downloading a Boost release.

Unfortunately there does not seem to be a secure and convenient way to
download Boost releases.

Although GitHub's Boost "releases" can be found at


but those are only repository snapshots, from which you cannot even
build a Boost distribution.

And whereas the Boost 1.60 rc1 announcement mail at least provides checksums


The official 1.60 release announcement mail does not


Correct me if I'm wrong, but there is no way of obtaining a Boost
release and verifying its integrity and authenticity.

The only option I'm seeing is recursively cloning all Boost repositories
from GitHub and building a release by myself.

Can we please change this situation?

Here are some options that come to mind ordered by amount of effort:

- Providing checksums
- Educating users on the Downloads page
- Signing releases with a trusted Release Team key
- Changing the hosting platform

Daniel J H
