Subject: Re: [boost] Boost libraries cannot yet be trusted
From: Vladimir Prus (vladimir.prus_at_[hidden])
Date: 2016-03-22 07:54:30
On 3/22/2016 12:34 PM, Peter Dimov wrote:
> Vladimir Prus wrote:
>> Say, you have a github commit by me, which means that somebody in possession of my RSA private key has pushed it.
>
> No, I don't think it means that.
>
> http://www.jayhuang.org/blog/pushing-code-to-github-as-linus-torvalds/
Fair point. Though one still has to have the RSA private key, or other credentials, of a team member
to push into any Boost repository.
>> If you look at other open-source projects, all the huge security problems were either genuine bugs, or
>> government-mandated "export crypto", not so much of directly evil code.
>
> That's not quite true either. There have been source attacks. Although I agree that the risk for a source attack on
> Boost may not be that high.
Yes, I did not mean that source attacks never happen; it's just that they are not common, Boost libraries are not
a convenient target, and SourceForge might be a bigger concern.
-- Vladimir Prus http://vladimirprus.com
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk
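The exchange above turns on one fact: the author recorded in a git commit is a free-form field, so "a github commit by me" only proves that someone with push access wrote my name into it, and the thing that actually ties a commit to a key is a signature. The following script is an added illustration of that distinction; it is not part of the thread and not Boost project code. The repository is a throwaway created with mktemp, and the author name and e-mail are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Boost thread. Demonstrates that git records
# whatever author identity it is told, and that a defender should look at
# the signature status (%G?) rather than the author field when deciding
# whether a commit came from the person it names.

set -e

# Create a throwaway repository and make one commit whose author and
# committer identity are taken from environment variables. No credential
# of the named person is involved. Name/e-mail are constructed placeholders.
make_spoofed_commit() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    echo "hello" > "$repo/file.txt"
    git -C "$repo" add file.txt
    GIT_AUTHOR_NAME="Some Maintainer" GIT_AUTHOR_EMAIL="maintainer@example.invalid" \
    GIT_COMMITTER_NAME="Some Maintainer" GIT_COMMITTER_EMAIL="maintainer@example.invalid" \
        git -C "$repo" commit -q -m "innocent-looking change" --no-gpg-sign
    echo "$repo"
}

# What a casual reader of git log sees: the author field, taken at face value.
commit_author() {
    git -C "$1" log -1 --format='%an <%ae>'
}

# The check that actually means something: %G? prints the signature status.
# "N" = no signature; "G" = good signature from a key in the verifier's keyring;
# "B" = bad signature; "U" = good signature but untrusted key.
signature_status() {
    git -C "$1" log -1 --format='%G?'
}

# Stand-alone run: show both views of the same commit.
if [ "${0##*/}" != "sh" ] && [ -z "${NO_DEMO:-}" ]; then
    demo_repo=$(make_spoofed_commit)
    echo "author field   : $(commit_author "$demo_repo")"
    echo "signature (%G?): $(signature_status "$demo_repo")"
    rm -rf "$demo_repo"
fi
```

Run as-is, the author line names the placeholder maintainer while the signature status is `N`: the commit claims an identity but carries no proof of it. The same `git log --format='%G?'` column (or `git verify-commit <rev>`) is the check to apply to a real repository before treating the author field as evidence of who pushed.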