RE: [boost] Unzipping the Boost distro

From: Richard Peters [mailto:r.a.peters@student.tue.nl]
Another argument that I thought of this morning: suppose we do not publish a self-extracting executable. What is going to stop an attacker from not uploading his own self-extracting look-alike? If he can change existing archives, he probably can add other archives as well.
Right, but if some Boost authority certifies its released packages, everybody is free to ignore such look-alikes. Isn't that the whole point of certification?

Regards,
Stefan

----- Original Message -----
From: "Stefan Seefeld" <sseefeld@art.ca>
From: Richard Peters [mailto:r.a.peters@student.tue.nl]
Another argument that I thought of this morning: suppose we do not publish a self-extracting executable. What is going to stop an attacker from not uploading his own self-extracting look-alike? If he can change existing archives, he probably can add other archives as well.
Right, but if some Boost authority certifies its released packages, everybody is free to ignore such look-alikes. Isn't that the whole point of certification?

If some Boost authority certifies the released packages, and users correctly verify that the certificate is issued by the Boost authority, and the certificate is valid on the package, then certified executables can be trusted as well.

Best regards,
Richard Peters

participants (2)
- Richard Peters
- Stefan Seefeld