22 Mar 2016, 9:34 a.m.
Vladimir Prus wrote:
> Say, you have a GitHub commit by me, which means that somebody in possession of my RSA private key has pushed it.
No, I don't think it means that. http://www.jayhuang.org/blog/pushing-code-to-github-as-linus-torvalds/
> If you look at other open-source projects, all the huge security problems were either genuine bugs, or government-mandated "export crypto", not so much of directly evil code.
That's not quite true either. There have been source attacks. Although I agree that the risk for a source attack on Boost may not be that high.