Subject: Re: [boost] Boost libraries cannot yet be trusted
From: Andrey Semashev (andrey.semashev_at_[hidden])
Date: 2016-03-22 03:16:06
On 2016-03-22 09:48, Vladimir Prus wrote:
> On 3/21/2016 9:15 PM, Michael Witten wrote:
>> In any case, something must be done; this project sits at the core of
>> critical software, and its integrity should be ensured with greater zeal.
> That's true, but it's not clear whether tampered source archives is the
> risk. If you look at other open-source projects, all the huge security
> were either genuine bugs, or government-mandated "export crypto", not so
> of directly evil code. If one wanted to use Boost as attack vector, he'd
> try to introduce buffer overflow inside otherwise reasonable patch, for
> which the
> above solutions would not help.
Just recently Transmission (a bittorrent client) packages were tampered
with on its official website, so that the packages include malware that
encrypts user's data for ransom .
I mean, it's just an example, and likely not the only one, of what can
happen if the distributed packages are not protected enough.
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk