From: Marshall Clow (mclow.lists_at_[hidden])
Date: 2024-05-23 23:15:41


Sorry - forgot to include the list in my reply.

> Begin forwarded message:
>
> From: Marshall Clow <mclow.lists_at_[hidden]>
> Subject: Re: [boost] OSTIF Boost security audit report
> Date: May 23, 2024 at 4:15:14 PM PDT
> To: boost_at_[hidden]
>
> On May 23, 2024, at 4:10 PM, Andrey Semashev via Boost <boost_at_[hidden]> wrote:
>>
>> On 5/24/24 02:07, Marshall Clow wrote:
>>> On May 23, 2024, at 3:50 PM, Andrey Semashev via Boost
>>> <boost_at_[hidden]> wrote:
>>>>
>>>> Also, release tarballs on GitHub don't have hashsums or signatures
>>>> attached.
>>>>
>>>> https://github.com/boostorg/boost/issues/838
>>>
>>> As I wrote in that issue:
>>> The archives on GitHub are not official releases.
>>>
>>> Please stop pretending/telling people that they are.
>>>
>>> If I could remove them entirely, I would do so.
>>> But they appear to be an artifact of the tagging process.
>>
>> They are not a mere artifact of tagging. They were purposely added -
>> first, to help CMake users (CMake-targeted tarballs have a different
>> file layout), then to fix issues with jfrog (the b2 archives are similar
>> to those published on jfrog, but lack documentation).
>
> Unless they’re identical to the published tarballs that we provide SHAs for, they should not be used.
> They’re not tested (among other things).
>
>> My understanding is that we're moving towards releases on GitHub.
>
> That’s as may be, but we’ll deal with that then.
>
> — Marshall
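The check the reply above points at, comparing a downloaded archive against the SHA published with the official release, as an added POSIX shell example that is not part of the mailing-list thread or of Boost's own release tooling. The archive name and digest in the usage comment are placeholders; the hash tool fallback (sha256sum, then shasum) is an assumption about the host.

```shell
#!/bin/sh
# Added example, not from the Boost thread: verify that a downloaded archive
# matches the SHA-256 digest published alongside the official release.
#
# Usage: verify_sha256 FILE EXPECTED_HEX
# Returns 0 when the digest matches, 1 when the file is missing or differs.
# Placeholder usage (names are not real release values):
#   verify_sha256 ./boost_X_YY_Z.tar.bz2 <sha256-from-official-release-page>
verify_sha256() {
    file="$1"
    expected="$2"
    if [ ! -f "$file" ]; then
        echo "missing file: $file" >&2
        return 1
    fi
    # Assumption: sha256sum (GNU coreutils) or shasum (macOS/BSD) is available.
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$file" | awk '{print $1}')
    fi
    # Normalise both hex digests to lower case before comparing.
    actual=$(printf '%s' "$actual" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches published SHA-256"
        return 0
    fi
    echo "MISMATCH: $file does not match the published SHA-256" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}
```

The digest must come from the official release page, not from the same untrusted location as the archive; a GitHub-generated tag archive that fails this check is, as the reply says, simply not the tested release.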


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk