Boost logo

Boost :

Subject: Re: [boost] Boost libraries cannot yet be trusted
From: Andrey Semashev (andrey.semashev_at_[hidden])
Date: 2016-03-22 04:18:53

On 2016-03-22 11:16, Vladimir Prus wrote:
> On 3/22/2016 10:16 AM, Andrey Semashev wrote:
>> On 2016-03-22 09:48, Vladimir Prus wrote:
>>> On 3/21/2016 9:15 PM, Michael Witten wrote:
>>>> In any case, something must be done; this project sits at the core of
>>>> much
>>>> critical software, and its integrity should be ensured with greater
>>>> zeal.
>>> That's true, but it's not clear whether tampered source archives is the
>>> biggest
>>> risk. If you look at other open-source projects, all the huge security
>>> problems
>>> were either genuine bugs, or government-mandated "export crypto", not so
>>> much
>>> of directly evil code. If one wanted to use Boost as attack vector, he'd
>>> probably
>>> try to introduce buffer overflow inside otherwise reasonable patch, for
>>> which the
>>> above solutions would not help.
>> Just recently Transmission (a bittorrent client) packages were
>> tampered with on its official website, so that the
>> packages include malware that encrypts user's data for ransom [1].
> That was a binary package, though?

Yes. But I don't think that source package makes that much of a difference.

Boost list run by bdawes at, gregod at, cpdaniel at, john at