
On Sun, Sep 14, 2025 at 1:52 PM Andrey Semashev via Boost <boost@lists.boost.org> wrote:
I may be mistaken, but I don't think running tests is part of the release process. Building documentation is, though, and that may involve some scripts and XSLTs provided by libraries.
I'm not sure about a high security concern about compromising the Boost distribution as a whole. Hacking individual libraries seems more likely. But it is possible to break the entire Boost build by an erroneous change in a single library, and it would be nice if this was mitigated.
Yes, I mean the release should be done on a fresh machine that has not been used for running unit tests. The concern is that even without building anything from a library, their Jamfiles can execute code on a machine. Therefore, it might be advisable for developers to clone only what they need and not every library in the superproject.