[thelist] News Item: Major Security Flaw in CVS

Jason Handby jasonh at pavilion.co.uk
Fri Jan 24 09:04:01 CST 2003

> But of course, everyone knew that telnet is *inherently insecure*, so
> never used it for anything mission critical.

But vendors were still shipping it! And if you ship something then some
naive user out there is going to use it... And it's not very comforting to
turn to the vendor when you get hacked only to be told "oh, well even though
we *shipped* telnetd as part of our operating system we didn't actually want
anyone to *use* it..."

My point is really just that you can't rely on volunteer open-source
programmers to regularly audit and examine all the code in a system if some
of that code isn't very interesting/cool/sexy as far as they are concerned.
Probably better to have some way of ensuring it *all* gets looked at.
Project managers and contracts of employment are one such mechanism :-)

It's also a good idea not to ship things as part of your OS that you don't
actually want people to use. And maybe the commercial pressure of not
wanting to provide support for more things than absolutely necessary means
that non-open-source software companies are less likely to do this. It's a


