by gruez 1636 days ago
That seems super risky. How did you know the file was authentic? What if the archive contains backdoored code?

Yeah, it was risky. It is quite common for excessive security practices to actually decrease security, and that particular example was not nearly the most egregious one in that company.
I don't really get why you did it though. You risked your job, and potentially regulatory issues for the company just to get a build done? I'd have just submitted a request to unblock the official download site. Then it's security's problem.
I've also come across this at a major international company. Came there to install an update. Too big to email so I had a clean USB stick. No way to use it in their workstations though, so the IT guy offered to just walk to the DC and plug it directly into the server.

Pretty sure that was not the intention of that policy. The problem is that they didn't seem to have considered this use case at all. More security theater than anything.

Seems like an odd proposition for an attack vector. Maybe, just maybe if I make this look like a misconfigured server, maybe, just maybe, someone will grab the boost files from the server and compile them? I can’t imagine.
The open server does not have to be a deliberate attack setup. It could be compromised itself, or someone could have downloaded a bad artifact to it unknowingly. It could be someone's malware research storage (admittedly this is pretty unlikely). It's the simple fact that the provenance is unknown.
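The concern above is provenance: an archive served from an open, unknown host carries no evidence of who produced it. The minimum check before building from such a file is to pin the digest published by the project over a channel you do trust and reject anything that does not match. The script below is an added illustration, not code from the thread or from any project mentioned in it; it constructs a small stand-in tarball in memory (the content and the "backdoor" are made up for the example), and the pinned digest is assumed to come from the vendor's release page rather than from the same server that served the archive.

```python
"""
Added example (not from the HN thread): pin-and-verify a downloaded archive.

Assumption: the expected SHA-256 comes from a trusted channel (the project's
own release notes fetched over an allowed path), never from the untrusted
server that served the archive. A digest published next to the file by the
same unknown host proves nothing about provenance.
"""
import hashlib
import hmac
import io
import tarfile

CHUNK = 1 << 16  # hash in 64 KiB pieces so large archives do not need one big buffer


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the raw archive bytes, as lowercase hex."""
    h = hashlib.sha256()
    for i in range(0, len(data), CHUNK):
        h.update(data[i:i + CHUNK])
    return h.hexdigest()


def verify_artifact(data: bytes, expected_sha256: str) -> bool:
    """Compare the archive digest against the pinned value in constant time.

    Any mismatch (tampered archive, different release, truncated download)
    returns False; the caller must not unpack or build from the bytes.
    """
    actual = sha256_hex(data)
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def build_sample_archive(backdoored: bool = False) -> bytes:
    """Constructed stand-in for a library tarball (not a real release).

    With backdoored=True a single source line is altered, which is exactly the
    kind of change a byte-for-byte digest pin catches and a casual look does not.
    """
    payload = b"int add(int a, int b) { return a + b; }\n"
    if backdoored:
        payload = b'int add(int a, int b) { system("id"); return a + b; }\n'
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo("lib/add.c")
        info.size = len(payload)
        info.mtime = 0
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def check_download(data: bytes, pinned_sha256: str) -> str:
    """Decision a build script would act on: only 'ok' may proceed to unpack."""
    if verify_artifact(data, pinned_sha256):
        return "ok"
    return "REJECT: digest mismatch, provenance unknown"


if __name__ == "__main__":
    good = build_sample_archive()
    # In practice this value is copied from the vendor's release page, not computed here.
    pinned = sha256_hex(good)
    print(check_download(good, pinned))
    print(check_download(build_sample_archive(backdoored=True), pinned))
```

A digest pin only moves the trust question to wherever the expected value came from; if the official download site is blocked, the release page with the checksums usually is too, which is why the right fix in the thread is the unblock request rather than a workaround.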
I've heard of people doing similar things before. Maybe people working in high security environments downloading libraries from random websites is common enough that some attackers are actually targeting those people by backdooring common Python packages, C++ libraries, etc. and trying to get their server to bypass enterprise blocking somehow.