
Fwiw, I think it's incredibly important to care about supply chain attacks in Boost. We've never had any issues so far, which is good. One thing we could do is look into sandboxing the test running and looking to see if there are malicious actions, for some definition of malicious that we can actually track. It also might be useful to start encouraging library authors whose libraries touch networking components to fuzz and fuzz heavily. While supply chain attacks are a valid thing to look out for, in the wild fuzzing is more likely to catch bugs and potential issues. From what I can tell, libraries like URL and MySQL are fuzzed but libraries like Mqtt and Redis are not. Getting serious about security is a good move and we should at least think about what kind of infrastructure and common abstractions we can apply to help authors reach the bar of quality we want. Google's oss-fuzz project already fuzzes a good number of Boost libraries for us but it'd be nice to rely on ourselves. Actually, Hash2 probably could use some fuzzing...

- Christian
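The kind of harness the message is asking networking library authors to add, as an added example (this is not Boost code and not from Christian's post): a libFuzzer-style `LLVMFuzzerTestOneInput` entry point wrapped around a toy parser for the RESP bulk-string frame `$<len>\r\n<payload>\r\n`. The parser, the `encode_bulk_string` helper, the round-trip invariant and the seed corpus are all assumptions constructed for the example; the real Boost.Redis parser is not shown here. The harness checks an invariant (whatever parses must re-encode to exactly the input) so the fuzzer finds logic bugs, while AddressSanitizer catches any out-of-bounds read the parser would otherwise do.

```cpp
// Added example: libFuzzer-style harness around a constructed toy RESP parser.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <optional>
#include <string>
#include <vector>

// Toy parser for one complete bulk-string frame "$<len>\r\n<len bytes>\r\n".
// Returns the payload on success, std::nullopt on any malformed, truncated or
// non-canonical input. Every read is bounds-checked first, which is exactly
// the property the fuzzer plus ASan is there to confirm.
std::optional<std::string> parse_bulk_string(const uint8_t* data, size_t size) {
    size_t pos = 0;
    if (size == 0 || data[pos] != '$') return std::nullopt;
    ++pos;
    uint64_t len = 0;
    size_t digits = 0;
    while (pos < size && data[pos] >= '0' && data[pos] <= '9') {
        if (++digits > 10) return std::nullopt;           // refuse absurd lengths
        if (digits == 2 && len == 0) return std::nullopt;  // reject leading zeros ("$05")
        len = len * 10 + (data[pos] - '0');
        ++pos;
    }
    if (digits == 0) return std::nullopt;                  // "$-1" and "$" are not supported
    if (size - pos < 2 || data[pos] != '\r' || data[pos + 1] != '\n') return std::nullopt;
    pos += 2;
    if (len > size - pos) return std::nullopt;             // payload truncated
    std::string payload(reinterpret_cast<const char*>(data + pos), static_cast<size_t>(len));
    pos += static_cast<size_t>(len);
    // Require the trailing CRLF and nothing after it (one frame per input).
    if (size - pos != 2 || data[pos] != '\r' || data[pos + 1] != '\n') return std::nullopt;
    return payload;
}

// Canonical encoder used as the oracle for the round-trip invariant.
std::string encode_bulk_string(const std::string& payload) {
    return "$" + std::to_string(payload.size()) + "\r\n" + payload + "\r\n";
}

// libFuzzer entry point. Built with `clang++ -fsanitize=fuzzer,address`,
// libFuzzer supplies main() and calls this with mutated inputs. Any accepted
// input must re-encode byte-for-byte to itself; a violation aborts so the
// fuzzer records the offending input as a crash.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    std::optional<std::string> parsed = parse_bulk_string(data, size);
    if (parsed) {
        std::string re = encode_bulk_string(*parsed);
        if (re.size() != size || std::memcmp(re.data(), data, size) != 0) std::abort();
    }
    return 0;  // libFuzzer expects 0 from the harness
}

// Stand-alone replay of a constructed seed corpus, so the harness runs without
// libFuzzer too. Returns how many seed inputs the parser accepts.
size_t replay_seed_corpus() {
    const std::vector<std::string> corpus = {
        "$5\r\nhello\r\n",    // well-formed
        "$0\r\n\r\n",         // empty payload
        "$5\r\nhell\r\n",     // truncated payload
        "$-1\r\n",            // RESP null bulk string, unsupported by the toy parser
        "$99999999999\r\n",   // length with too many digits
        "$05\r\nhello\r\n",   // non-canonical length
        "",                   // empty input
    };
    size_t accepted = 0;
    for (const std::string& in : corpus) {
        const uint8_t* bytes = reinterpret_cast<const uint8_t*>(in.data());
        LLVMFuzzerTestOneInput(bytes, in.size());   // must never abort on seeds
        if (parse_bulk_string(bytes, in.size())) ++accepted;
    }
    return accepted;
}

#ifndef BUILD_WITH_LIBFUZZER
int main() {
    std::printf("%zu of 7 seed inputs accepted\n", replay_seed_corpus());
    return 0;
}
#endif
```

For the fuzzing build, define `BUILD_WITH_LIBFUZZER` so the stand-alone `main` does not clash with the one libFuzzer links in, and point the fuzzer at a directory holding the seed inputs as files; the replay function exists so the same invariant can also run under a normal CI test without the fuzzer.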