[thelist] News Item: Major Security Flaw in CVS

Jason Handby jasonh at pavilion.co.uk
Sat Jan 25 09:15:01 CST 2003

Hi David,

> as has been pointed out elsewhere in this thread, the very *use* of telnet
> has been deprecated for quite some time.  if one has few if any users, one
> gets no bug reports, one does no fixes.

Oh, so it's the number of user bug reports that dictate how quickly things
get fixed? I thought the whole point was that things got repaired more
quickly if the source code was available. So why does the number of user bug
reports make any difference?

> this is analogous to microsoft suspending support for a product when they
> decide it's obsolete, like they did for Windows 95 and NT 3.5
> last month, is
> it not?

No, I don't think it is. Microsoft aren't still *shipping* Windows 95 and NT
3.5. AFAIK all major Linux vendors are still shipping telnetd.

> also, this is yet another example you've tried to put forth as
> evidence that
> open source is less secure than commercial software

It's the first example I remember putting forth. What were the others?

And I didn't say that open source is less secure than commercial software.
James Aylard said

> when it comes to overall product security
> and the speed at which vulnerabilities are repaired, OSS has the
> commercial world beat by a long shot. Remote exploits go unfixed for
> *months* in the world of big, expensive applications. Rarely (if ever)
> is that the case with OSS.

And I raised the telnetd exploit as a counter-example; something which went
unfixed for years and had an adverse effect on "overall product security".
I'm not making any claim about whether this happens more, less, or about the
same in the open-source community as in the commercial world; just that it

By the way, I use Microsoft products, and I also quite happily use
open-source products. I don't particularly have an axe to grind either way.
That also means I'm happy to examine the pros and cons of each!


More information about the thelist mailing list