Subject: Re: [boost] Boost libraries cannot yet be trusted
From: Rene Rivera (grafikrobot_at_[hidden])
Date: 2016-03-21 14:34:03


On Mon, Mar 21, 2016 at 1:15 PM, Michael Witten <mfwitten_at_[hidden]> wrote:

> In short, I request that the maintainers start publishing
> cryptographically signed, strong hashes of:
>
> * downloadable files.
> * git objects (tags, and even commits).
>
> A cryptographic signature should probably be a personal signature of a
> relevant maintainer (rather than some generic project-level signature
> for which nobody has a sufficiently strong incentive to maintain the
> trustworthiness).
>
> Perhaps, each repository should include a collection of relevant public
> keys, so as to compound trustworthiness and ease dissemination.
>
> ------------------------------------------------------------------------
>
> I'm new to this community, so forgive my ignorance if I've missed an
> existing solution.
>

What you've missed is that this is an Open Source project. Maintained by a
group of rather busy volunteers in the industry.

> In any case, something must be done; this project sits at the core of much
> critical software, and its integrity should be ensured with greater zeal.
>

Anything that gets done, is done work volunteered by individuals. If you
have specific implemented solutions to solve the verification problem
please contribute them. Otherwise we will take your comments into
consideration and implement as we have time to do so. If you would like
pointers as to how the current packaging and build process works we can
point you in that direction.

-- 
-- Rene Rivera
-- Grafik - Don't Assume Anything
-- Robot Dreams - http://robot-dreams.net
-- rrivera/acm.org (msn) - grafikrobot/aim,yahoo,skype,efnet,gmail

Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk