Subject: Re: [boost] Boost libraries cannot yet be trusted
From: Vladimir Prus (vladimir.prus_at_[hidden])
Date: 2016-03-22 04:16:49


On 3/22/2016 10:16 AM, Andrey Semashev wrote:
> On 2016-03-22 09:48, Vladimir Prus wrote:
>>
>> On 3/21/2016 9:15 PM, Michael Witten wrote:
>>
>>> In any case, something must be done; this project sits at the core of
>>> much critical software, and its integrity should be ensured with greater zeal.
>>
>> That's true, but it's not clear whether tampered source archives are the
>> biggest risk. If you look at other open-source projects, all the huge security
>> problems were either genuine bugs, or government-mandated "export crypto", not so
>> much directly evil code. If one wanted to use Boost as an attack vector, he'd
>> probably try to introduce a buffer overflow inside an otherwise reasonable patch,
>> for which the above solutions would not help.
>
> Just recently Transmission (a bittorrent client) packages were tampered with on its official website, so that the
> packages include malware that encrypts user's data for ransom [1].

That was a binary package, though?

- Volodya

-- 
Vladimir Prus
http://vladimirprus.com
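The thread contrasts two risks: a release archive replaced after the fact (the Transmission case) versus a subtle bug landing through a plausible-looking patch. The shell script below is an added example, not code from the Boost project or from anyone in this thread; it assumes that "the above solutions" refers to pinned release digests (an assumption, since the quoted message does not name them). It pins the SHA-256 of a downloaded archive and refuses anything that does not match, which catches the first risk and, by construction, says nothing about the second. The archive contents and digest are constructed inline for the demo.

```shell
#!/bin/sh
# Added example: verify a release archive against a pinned SHA-256 before use.
# Catches a swapped or modified download; cannot catch a bug committed upstream.

# Print the SHA-256 hex digest of a file (uses sha256sum, falls back to shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_archive FILE EXPECTED_SHA256 -> returns 0 on match, 1 on mismatch.
# The expected digest should come from an out-of-band source (e.g. a signed
# release announcement), never from the same location as the archive itself.
verify_archive() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK: $1 matches pinned digest"
        return 0
    fi
    echo "MISMATCH: $1" >&2
    echo "  expected: $2" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# --- constructed demo: a stand-in "archive" and its pinned digest ---
demo_dir=$(mktemp -d)
demo_file="$demo_dir/boost_release.tar.gz"         # constructed name, not a real release
printf 'stand-in archive contents\n' > "$demo_file"
PINNED=$(sha256_of "$demo_file")                     # in practice: copied from the signed release notes

verify_archive "$demo_file" "$PINNED"                # prints OK

printf '# appended after release\n' >> "$demo_file"  # simulate a tampered download
verify_archive "$demo_file" "$PINNED" || true        # prints MISMATCH, non-zero return
```

In a build pipeline the digest is committed alongside the build script so that a changed archive fails the build; a malicious but well-formed patch merged upstream would ship with a perfectly valid digest, which is exactly the limitation the message points out.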

Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk