
Subject: Re: [boost] Boost libraries cannot yet be trusted
From: Vladimir Prus (vladimir.prus_at_[hidden])
Date: 2016-03-22 07:54:30

On 3/22/2016 12:34 PM, Peter Dimov wrote:
> Vladimir Prus wrote:
>> Say, you have a github commit by me, which means that somebody in possession of my RSA private key has pushed it.
> No, I don't think it means that.

Fair point. Though one still has to have an RSA private key, or other credentials, of a team member,
to push into any Boost repository.

>> If you look at other open-source projects, all the huge security problems were either genuine bugs, or
>> government-mandated "export crypto", not so much of directly evil code.
> That's not quite true either. There have been source attacks. Although I agree that the risk for a source attack on
> Boost may not be that high.

Yes, I did not mean that source attacks never happen; it's just that they are not common, Boost libraries are not
a convenient target, and Sourceforge might be a bigger concern.

Vladimir Prus
