Subject: Re: [boost] Boost libraries cannot yet be trusted
From: Peter Dimov (lists_at_[hidden])
Date: 2016-03-22 05:34:41

Vladimir Prus wrote:

> Say, you have a github commit by me, which means that somebody in
> possession of my RSA private key has pushed it.

No, I don't think it means that.

> If you look at other open-source projects, all the huge security problems
> were either genuine bugs, or government-mandated "export crypto", not so
> much of directly evil code.

That's not quite true either. There have been source attacks. Although I
agree that the risk for a source attack on Boost may not be that high.