|
Boost : |
Subject: Re: [boost] Boost libraries cannot yet be trusted
From: Andrey Semashev (andrey.semashev_at_[hidden])
Date: 2016-03-22 04:18:53
On 2016-03-22 11:16, Vladimir Prus wrote:
> On 3/22/2016 10:16 AM, Andrey Semashev wrote:
>> On 2016-03-22 09:48, Vladimir Prus wrote:
>>>
>>> On 3/21/2016 9:15 PM, Michael Witten wrote:
>>>
>>>> In any case, something must be done; this project sits at the core of
>>>> much
>>>> critical software, and its integrity should be ensured with greater
>>>> zeal.
>>>
>>> That's true, but it's not clear whether tampered source archives is the
>>> biggest
>>> risk. If you look at other open-source projects, all the huge security
>>> problems
>>> were either genuine bugs, or government-mandated "export crypto", not so
>>> much
>>> of directly evil code. If one wanted to use Boost as attack vector, he'd
>>> probably
>>> try to introduce buffer overflow inside otherwise reasonable patch, for
>>> which the
>>> above solutions would not help.
>>
>> Just recently Transmission (a bittorrent client) packages were
>> tampered with on its official website, so that the
>> packages include malware that encrypts user's data for ransom [1].
>
> That was a binary package, though?
Yes. But I don't think that source package makes that much of a difference.
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk