Boost logo

Boost :

Subject: Re: [boost] Boost libraries cannot yet be trusted
From: Andrey Semashev (andrey.semashev_at_[hidden])
Date: 2016-03-22 04:31:44

On 2016-03-22 11:22, Oswin Krause wrote:
> On 2016-03-22 09:18, Andrey Semashev wrote:
>> On 2016-03-22 11:16, Vladimir Prus wrote:
>>> On 3/22/2016 10:16 AM, Andrey Semashev wrote:
>>>> On 2016-03-22 09:48, Vladimir Prus wrote:
>>>>> On 3/21/2016 9:15 PM, Michael Witten wrote:
>>>>>> In any case, something must be done; this project sits at the core of
>>>>>> much
>>>>>> critical software, and its integrity should be ensured with greater
>>>>>> zeal.
>>>>> That's true, but it's not clear whether tampered source archives is
>>>>> the
>>>>> biggest
>>>>> risk. If you look at other open-source projects, all the huge security
>>>>> problems
>>>>> were either genuine bugs, or government-mandated "export crypto",
>>>>> not so
>>>>> much
>>>>> of directly evil code. If one wanted to use Boost as attack vector,
>>>>> he'd
>>>>> probably
>>>>> try to introduce buffer overflow inside otherwise reasonable patch,
>>>>> for
>>>>> which the
>>>>> above solutions would not help.
>>>> Just recently Transmission (a bittorrent client) packages were
>>>> tampered with on its official website, so that the
>>>> packages include malware that encrypts user's data for ransom [1].
>>> That was a binary package, though?
>> Yes. But I don't think that source package makes that much of a
>> difference.
> One can always replace a zip-file by an installer that packages
> bloatware together with the source.

That would be easilly detectable. If I were to perform an attack, I
would have tampered with the sources in the package. For ones able to
perform an attack through hacking binaries, this would have been an even
easier task.

That said, we also distribute prebuilt binaries. From the discussion it
seems they are better protected than the source packages, but I'm not
qualified to judge.

Boost list run by bdawes at, gregod at, cpdaniel at, john at