Subject: Re: [boost] Boost libraries cannot yet be trusted
From: Oswin Krause (Oswin.Krause_at_[hidden])
Date: 2016-03-22 04:22:02


On 2016-03-22 09:18, Andrey Semashev wrote:
> On 2016-03-22 11:16, Vladimir Prus wrote:
>> On 3/22/2016 10:16 AM, Andrey Semashev wrote:
>>> On 2016-03-22 09:48, Vladimir Prus wrote:
>>>>
>>>> On 3/21/2016 9:15 PM, Michael Witten wrote:
>>>>
>>>>> In any case, something must be done; this project sits at the core
>>>>> of much critical software, and its integrity should be ensured with
>>>>> greater zeal.
>>>>
>>>> That's true, but it's not clear whether tampered source archives are
>>>> the biggest risk. If you look at other open-source projects, all the
>>>> huge security problems were either genuine bugs or government-mandated
>>>> "export crypto", not so much directly evil code. If one wanted to use
>>>> Boost as an attack vector, he'd probably try to introduce a buffer
>>>> overflow inside an otherwise reasonable patch, for which the above
>>>> solutions would not help.
>>>
>>> Just recently Transmission (a bittorrent client) packages were
>>> tampered with on its official website, so that the packages
>>> included malware that encrypts users' data for ransom [1].
>>
>> That was a binary package, though?
>
> Yes. But I don't think that a source package makes that much of a
> difference.

One can always replace a zip file with an installer that packages
bloatware together with the source.
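The thread above argues about whether a swapped download (a source zip replaced by an installer, or an archive with altered contents) is a realistic risk. The following is an added example, not code from this thread or from the Boost project, showing the two checks a consumer can run on a downloaded archive before unpacking it: that the bytes are actually a ZIP archive rather than a Windows executable, and that their SHA-256 matches a digest obtained out of band (here assumed to be copied from a signed release announcement rather than from the same download server). The sample archive and the "installer" stand-in are constructed in memory so the script runs offline.

```python
import hashlib
import hmac
import io
import zipfile

# Leading bytes of a ZIP local file header (first member).
ZIP_MAGIC = b"PK\x03\x04"
# Leading bytes of a Windows PE executable, i.e. a typical "installer" swap.
PE_MAGIC = b"MZ"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_archive(data: bytes, pinned_sha256: str) -> list:
    """Return a list of findings; an empty list means the download passed.

    Two independent checks are run, so a tampered file is reported even
    when only one of them catches it:
      1. content type: the bytes must look like a ZIP, not an executable;
      2. integrity: the SHA-256 must equal the out-of-band pinned digest.
    """
    findings = []
    if data.startswith(PE_MAGIC):
        findings.append("content is a Windows executable, not a source archive")
    elif not data.startswith(ZIP_MAGIC):
        findings.append("content does not start with the ZIP signature")
    # Constant-time comparison so the check does not leak how many leading
    # hex digits matched via timing.
    if not hmac.compare_digest(sha256_hex(data), pinned_sha256.lower()):
        findings.append("sha256 does not match the pinned digest")
    return findings


def make_sample_zip() -> bytes:
    """Constructed sample: a tiny 'source' archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("boost/version.hpp", "#define BOOST_VERSION 106000\n")
    return buf.getvalue()


GOOD_ARCHIVE = make_sample_zip()
# Assumption: in real use this value comes from a trusted, separately
# distributed source (e.g. a signed release note), never from the download.
PINNED = sha256_hex(GOOD_ARCHIVE)

# Constructed stand-in for the swap described in the thread: a PE header
# with the genuine archive appended after it.
TROJANED = b"MZ\x90\x00" + b"\x00" * 60 + GOOD_ARCHIVE

# Constructed stand-in for an archive with the right magic but altered contents.
ALTERED = ZIP_MAGIC + b"\x00" * 40

if __name__ == "__main__":
    for label, blob in (("good", GOOD_ARCHIVE), ("installer", TROJANED), ("altered", ALTERED)):
        print(label, check_archive(blob, PINNED) or ["ok"])
```

The type check alone is enough to reject the installer-for-zip swap even when no digest has been published; the digest check is what catches a zip whose contents were altered, which is the case Vladimir's point about a "reasonable patch" with a planted bug would not be caught by at all, since such a change ships in the legitimate archive.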


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk