[thelist] News Item: Major Security Flaw in CVS

Hassan Schroeder
Fri Jan 24 11:38:01 CST 2003

Jason Handby wrote:

> My point is really just that you can't rely on volunteer open-source
> programmers to regularly audit and examine all the code in a system if some
> of that code isn't very interesting/cool/sexy as far as they are concerned.
> Probably better to have some way of ensuring it *all* gets looked at.
> Project managers and contracts of employment are one such mechanism :-)

Sounds good in theory :-)

But the reality is that commercial software developers and, far more
importantly, development managers are paid to deliver *new* product,
*not* to slog through old code looking for bugs.

Fixing *reported* bugs is a priority; finding new ones to add to the
list is assuredly not. (Of course the #1 priority that trumps all is
meeting marketing's release date.)

And in a complex product (OS, large application), junior developers
are always assigned the "(not) very interesting/cool/sexy" parts.

