
Subject: Re: [boost] Boost libraries cannot yet be trusted
From: Vladimir Prus (vladimir.prus_at_[hidden])
Date: 2016-03-22 04:32:21


On 3/22/2016 11:22 AM, Oswin Krause wrote:

>>>>> That's true, but it's not clear whether tampered source archives are the
>>>>> biggest risk. If you look at other open-source projects, all the huge security
>>>>> problems were either genuine bugs, or government-mandated "export crypto", not so
>>>>> much of directly evil code. If one wanted to use Boost as an attack vector, he'd
>>>>> probably try to introduce a buffer overflow inside an otherwise reasonable patch, for
>>>>> which the above solutions would not help.
>>>>
>>>> Just recently Transmission (a bittorrent client) packages were
>>>> tampered with on its official website, so that the
>>>> packages included malware that encrypts users' data for ransom [1].
>>>
>>> That was a binary package, though?
>>
>> Yes. But I don't think that a source package makes that much of a difference.
>
> One can always replace a zip-file by an installer that packages bloatware together with the source.

On modern Windows, you'll have to explicitly ignore two or three very insistent security checks to run
a random installer.

Anyway, we seem to be not going anywhere. As I've said, signing a file with signatures appears doable.
Are you proposing something else? If so, could you write down what exactly, along with time and money costs?
E.g. if we were to publish SFX archives, signing them would be nice, but involves actual money.

- Volodya

-- 
Vladimir Prus
http://vladimirprus.com
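The signature discussion in this thread (Vladimir's point that signing a file appears doable, and Oswin's earlier point that a source package is no safer than a binary one), as an added example that is not part of the thread and not Boost's own release tooling: a detached Ed25519 signature over a release archive, verified by the downloader before unpacking. The key pair, the sample archive bytes, and the CheckRelease helper are all constructed for this illustration. It contrasts the two checks a downloader can run: a checksum copied from the same download page passes even when the site is compromised and the checksum is re-published alongside the replaced file, while a signature verified against a public key obtained elsewhere fails.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SampleArchive stands in for a release tarball. It is a constructed
// byte string, not a real Boost archive.
const SampleArchive = "boost_1_60_0.tar.gz: constructed sample archive bytes"

// ReleaseKeys is a hypothetical release key pair, generated fresh here so the
// example runs offline. A real project keeps the private half offline and
// publishes the public half out-of-band, not next to the downloads.
type ReleaseKeys struct {
	Public  ed25519.PublicKey
	Private ed25519.PrivateKey
}

// NewReleaseKeys generates the hypothetical release key pair.
func NewReleaseKeys() (ReleaseKeys, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ReleaseKeys{}, err
	}
	return ReleaseKeys{Public: pub, Private: priv}, nil
}

// Checksum returns the hex SHA-256 of the archive, the kind of value a
// download page typically lists beside the file.
func Checksum(archive []byte) string {
	sum := sha256.Sum256(archive)
	return hex.EncodeToString(sum[:])
}

// SignArchive produces a detached Ed25519 signature over the archive bytes.
func SignArchive(priv ed25519.PrivateKey, archive []byte) []byte {
	return ed25519.Sign(priv, archive)
}

// VerifyArchive reports whether sig is a valid signature by pub over archive.
func VerifyArchive(pub ed25519.PublicKey, archive, sig []byte) bool {
	return ed25519.Verify(pub, archive, sig)
}

// Tamper returns a copy of the archive with one byte changed, modelling a
// download that was replaced on the server.
func Tamper(archive []byte) []byte {
	out := append([]byte(nil), archive...)
	out[len(out)/2] ^= 0x01
	return out
}

// CheckRelease is what a downloader runs before unpacking: compare the
// published checksum and verify the detached signature. Both results are
// returned separately so the difference between them is visible.
func CheckRelease(pub ed25519.PublicKey, archive, sig []byte, publishedChecksum string) (checksumOK, signatureOK bool) {
	return Checksum(archive) == publishedChecksum, VerifyArchive(pub, archive, sig)
}

func main() {
	keys, err := NewReleaseKeys()
	if err != nil {
		panic(err)
	}
	genuine := []byte(SampleArchive)
	sig := SignArchive(keys.Private, genuine)

	// Honest download: both checks pass.
	c, s := CheckRelease(keys.Public, genuine, sig, Checksum(genuine))
	fmt.Printf("genuine archive:  checksum=%v signature=%v\n", c, s)

	// The archive was replaced AND a matching checksum was re-published on
	// the same compromised site: the checksum passes, the signature does not.
	evil := Tamper(genuine)
	c, s = CheckRelease(keys.Public, evil, sig, Checksum(evil))
	fmt.Printf("replaced archive: checksum=%v signature=%v\n", c, s)
}
```

The design point is where each reference value comes from: the checksum is fetched from the same place as the archive, so whoever controls that place controls both; the public key is fetched once, from a different channel, and only the holder of the private key can produce a signature that verifies against it.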

Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk