
Boost Users :

Subject: Re: [Boost-users] Is it safe to download boost_1_67_0-msvc-14.1-64.exe?
From: Tom Kent (lists_at_[hidden])
Date: 2018-06-26 21:20:21


On Tue, Jun 26, 2018 at 12:00 AM, degski via Boost-users <
boost-users_at_[hidden]> wrote:

> On 26 June 2018 at 01:05, Tom Kent via Boost-users <
> boost-users_at_[hidden]> wrote:
>
>> Please don't take it on trust. If you get a warning for the binaries,
>> check the hashes, then check the signature on the hashes!
>>
>
> I don't think that a hacker would be smart enough to change the boost code,
> hack into the web-site and replace the binary, while at the same time being
> so stupid as not to change the hashes as well. The hashes serve to verify
> that your download was correct; it's not a security measure.
>

The hashes (for the binaries) are signed with a PGP key as they are
packaged up for each release. I agree it would be easy to change the hash
in the SHA256SUMS. However, it would be impossible to create a copy of the
SHA256SUMS.asc file that can be verified with GPG/PGP without hacking the
private key that signs that file. This is a *much* higher bar, and does
provide security.

Tom
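The check Tom describes, written out as an added example (not code from this thread or from the Boost project): verify the detached signature on SHA256SUMS first, against a pinned key fingerprint, and only then compare the downloaded file's SHA-256 with the signed list. EXPECTED_FINGERPRINT is a placeholder, not the real Boost release key; it assumes gpg is installed and the signing key has been imported.

```python
import hashlib
import subprocess
from pathlib import Path

# Pinned fingerprint of the key expected to sign SHA256SUMS.asc. This value is a
# placeholder, not the real Boost release key; obtain the real one out of band.
EXPECTED_FINGERPRINT = "0000000000000000000000000000000000000000"

def parse_sha256sums(text):
    """Parse '<hex>  <name>' / '<hex> *<name>' lines into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        digest, _, name = line.strip().partition(" ")
        sums[name.strip().lstrip("*")] = digest.lower()  # '*' marks binary mode
    return sums

def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream; installers are large
            h.update(chunk)
    return h.hexdigest()

def signature_is_valid(sig_path, data_path, expected_fpr=EXPECTED_FINGERPRINT):
    """True only if gpg reports VALIDSIG by the pinned fingerprint (GOODSIG alone is not enough)."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig_path), str(data_path)]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True).stdout
    except OSError:  # gpg not installed: treat as unverified, never as verified
        return False
    for line in out.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) > 2:
            return parts[2].upper() == expected_fpr.upper()
    return False

def verify_download(file_path, sums_path, sig_path):
    """Signature over SHA256SUMS first, then the file hash; returns (ok, reason)."""
    if not signature_is_valid(sig_path, sums_path):
        return False, "SHA256SUMS.asc does not verify against the pinned key"
    sums = parse_sha256sums(Path(sums_path).read_text())
    name = Path(file_path).name
    if name not in sums:
        return False, f"{name} is not listed in SHA256SUMS"
    if sha256_of_file(file_path) != sums[name]:
        return False, f"SHA-256 mismatch for {name}"
    return True, "signature and hash verified"
```

A forged SHA256SUMS fails at the signature step before its hashes are ever consulted, which is the distinction the reply above draws between integrity and authenticity.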



Boost-users list run by williamkempf at hotmail.com, kalb at libertysoft.com, bjorn.karlsson at readsoft.com, gregod at cs.rpi.edu, wekempf at cox.net