[thelist] News Item: Major Security Flaw in CVS

James Aylard evolt at pixelwright.com
Thu Jan 23 13:54:02 CST 2003

shawn allen wrote:

>> http://news.com.com/2100-1001-981830.html
>> Not to start a flame war, I do hope that this brings a bit of
>> balance to the commercial vs. open source debate.
> Huh? The CVS developers released a patch on the *day* this was
> released. When's the last time any commercial vendor released a
> vulerability patch so quickly?

    The developers were given advanced warning by Stefan Esser before he
released word of the vulnerability publicly. Both Esser and the CVS
developers acted appropriately. In many cases, when a commercial developer
is given advanced notice of a security vulnerability in its software, that
company will also develop a patch prior to public notification. But if no
advanced notification is given the developer, as sometimes happens, then
obviously there will be a delay in the production of a patch.

> And who's to say that there aren't many more such vulnerabilities in
> commercial packages that we don't know about?

    I don't know? Who? I certainly didn't say that. I only said that I hope
this brings some balance to the debate.

James Aylard
jaylard at members.evolt.org

More information about the thelist mailing list