Boost :

Subject: Re: [boost] Boost libraries cannot yet be trusted
From: Vladimir Prus (vladimir.prus_at_[hidden])
Date: 2016-03-22 07:54:30

• Next message: Paul Fultz II: "Re: [boost] [Fit] formal review ends 20th March."
• Previous message: Paul A. Bristow: "Re: [boost] Boost libraries cannot yet be trusted"
• In reply to: Peter Dimov: "Re: [boost] Boost libraries cannot yet be trusted"
• Next in thread: Daniel Hofmann: "Re: [boost] Boost libraries cannot yet be trusted"

On 3/22/2016 12:34 PM, Peter Dimov wrote:
> Vladimir Prus wrote:
>> Say, you have a github commit by me, which means that somebody in possession of my RSA private key has pushed it.
>
> No, I don't think it means that.
>
> http://www.jayhuang.org/blog/pushing-code-to-github-as-linus-torvalds/

Fair point. Though one still have to have RSA private key, or other credentials, of a team member,
to push into any Boost repository.

>> If you look at other open-source projects, all the huge security problems were either genuine bugs, or
>> government-mandated "export crypto", not so much of directly evil code.
>
> That's not quite true either. There have been source attacks. Although I agree that the risk for a source attack on
> Boost may not be that high.

Yes, I did not mean that source attacks never happen, it's just they are not common, Boost libraries are not
a convenient target, and Sourceforge might be a bigger concern.

-- 
Vladimir Prus
http://vladimirprus.com

• Next message: Paul Fultz II: "Re: [boost] [Fit] formal review ends 20th March."
• Previous message: Paul A. Bristow: "Re: [boost] Boost libraries cannot yet be trusted"
• In reply to: Peter Dimov: "Re: [boost] Boost libraries cannot yet be trusted"
• Next in thread: Daniel Hofmann: "Re: [boost] Boost libraries cannot yet be trusted"

Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk