On 3/22/2016 12:34 PM, Peter Dimov wrote:
Vladimir Prus wrote:
Say, you have a github commit by me, which means that somebody in possession of my RSA private key has pushed it.
No, I don't think it means that.
http://www.jayhuang.org/blog/pushing-code-to-github-as-linus-torvalds/
Fair point. Though one still has to have the RSA private key, or other credentials, of a team member, to push into any Boost repository.
If you look at other open-source projects, all the huge security problems were either genuine bugs, or government-mandated "export crypto", not so much directly evil code.
That's not quite true either. There have been source attacks. Although I agree that the risk for a source attack on Boost may not be that high.
Yes, I did not mean that source attacks never happen, it's just that they are not common, Boost libraries are not a convenient target, and Sourceforge might be a bigger concern.

-- Vladimir Prus http://vladimirprus.com
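As an added example (not part of the thread), a small Python check that applies Peter's point from the defender's side: it treats a commit as attributable to a team member only when `git log` reports a good signature from a key on a trusted list, and ignores the free-form author name and e-mail entirely. The key fingerprints, addresses and log lines below are constructed placeholders, not real Boost history.

```python
"""Audit `git log` output: trust commit signatures, not the author field."""
import subprocess
from dataclasses import dataclass

# Hypothetical allow-list of team signing keys (placeholder fingerprints and
# addresses constructed for this example).
TRUSTED_KEYS = {"ABCDEF1234567890": "vladimir@example.invalid"}

# git log format: hash, signature status (%G?), signing key id (%GK), author.
LOG_FORMAT = "%H%x09%G?%x09%GK%x09%an%x09%ae"

# Constructed sample in that format: a good signature from a listed key, an
# unsigned commit, a good signature from an unlisted key, and an uncheckable one.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111\tG\tABCDEF1234567890\tVladimir Prus\tvladimir@example.invalid
2222222222222222222222222222222222222222\tN\t\tVladimir Prus\tvladimir@example.invalid
3333333333333333333333333333333333333333\tG\tFEDCBA0987654321\tVladimir Prus\tvladimir@example.invalid
4444444444444444444444444444444444444444\tE\tABCDEF1234567890\tVladimir Prus\tvladimir@example.invalid
"""


@dataclass
class Finding:
    commit: str
    reason: str


def audit_log(text):
    """Return one Finding per commit whose authorship cannot be verified."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        commit, status, key, name, email = line.split("\t")
        if status == "N":
            findings.append(Finding(commit, f"unsigned; author '{name} <{email}>' is unverified"))
        elif status != "G":  # B, U, X, Y, R, E: bad, unknown, expired, revoked, uncheckable
            findings.append(Finding(commit, f"signature status {status!r}, cannot be trusted"))
        elif key not in TRUSTED_KEYS:
            findings.append(Finding(commit, f"signed by unlisted key {key}"))
        elif TRUSTED_KEYS[key] != email:
            findings.append(Finding(commit, f"key {key} belongs to {TRUSTED_KEYS[key]}, not {email}"))
    return findings


def audit_repo(path, rev_range="HEAD~50..HEAD"):
    """Run the same check against a real checkout (hypothetical path argument)."""
    out = subprocess.run(["git", "-C", path, "log", f"--format={LOG_FORMAT}", rev_range],
                         capture_output=True, text=True, check=True).stdout
    return audit_log(out)


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f.commit[:12], f.reason)
```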