Subject: Re: [Boost-users] Is it safe to download boost_1_67_0-msvc-14.1-64.exe?
From: degski (degski_at_[hidden])
Date: 2018-06-27 04:48:45


On 27 June 2018 at 00:20, Tom Kent via Boost-users <
boost-users_at_[hidden]> wrote:

> The hashes (for the binaries) are signed with a PGP key as they are
> packaged up for each release. I agree it would be easy to change the hash
> in the SHA256SUMS. However, it would be impossible to create a copy of the
> SHA256SUMS.asc file that can be verified with GPG/PGP without hacking the
> private key that signs that file. This is a *much* higher bar, and does
> provide security.
>

That is indeed much better [than I thought], but those people who download
the .exe will not check that, as this requires quite a bit of knowledge.
Just a question from a layman in this matter. Can't the server make this
check before serving the file, or does a setup like that actually weaken
the security?

degski
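
The client-side check discussed in this message, written out as an added example (not part of the original post and not Boost's own tooling): it accepts a download only if `SHA256SUMS.asc` is a good signature by one specific key and the file's hash matches the entry in the signed `SHA256SUMS`. Assumptions: `gpg` is on the PATH with the release public key already imported, `SHA256SUMS.asc` is a detached signature over `SHA256SUMS`, and `expected_fpr` is a hypothetical parameter holding the signing key's full fingerprint, obtained from a channel other than the download server.

```python
import hashlib
import os
import subprocess

def signer_fingerprints(status_text):
    """Fingerprints named in gpg's machine-readable VALIDSIG status lines."""
    found = set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            found.update((parts[2], parts[-1]))  # signing key, primary key
    return found

def signature_ok(sums_path, sig_path, expected_fpr):
    """True only if sig_path is a good signature over sums_path by expected_fpr."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, sums_path],
        capture_output=True, text=True)
    # Exit status alone is not enough: any key in the keyring would pass it.
    return proc.returncode == 0 and expected_fpr in signer_fingerprints(proc.stdout)

def expected_hash(sums_text, filename):
    """Look up filename in the 'digest  name' / 'digest *name' lines."""
    for line in sums_text.splitlines():
        digest, _, name = line.strip().partition(" ")
        if len(digest) == 64 and name.lstrip(" *") == filename:
            return digest.lower()
    return None

def sha256_of(path):
    """Stream the file so a large installer is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(exe_path, sums_path, sig_path, expected_fpr):
    """Check the signature first, then the hash listed in the signed file."""
    if not signature_ok(sums_path, sig_path, expected_fpr):
        return False
    with open(sums_path, encoding="utf-8") as f:
        want = expected_hash(f.read(), os.path.basename(exe_path))
    return want is not None and sha256_of(exe_path) == want
```

The order matters: the hash list is trusted only after its signature has been tied to the expected fingerprint, which is the step that an edited `SHA256SUMS` on the server cannot pass.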


