On Mon, 7 Jun 2004, Randy Bush wrote:
building from certifiable open source that has been inspected by many is the only half-credible scheme of which i am aware.
More flaws foul security of open-source repository By Robert Lemos Staff Writer, CNET News.com http://news.com.com/2100-7344-5229750.html Security researchers have found at least six more flaws in the open-software world's most popular program for maintaining code under development. [...] The major projects using the program were notified of the issues May 28. On Wednesday, the security holes were publicly announced. Since the topic of pre-notification came up during the NANOG nsp-sec BOF, should CVS have pre-notified selected major users of the software before the public announcement? Did this create favoritism, or should they have held off and told everyone about the vulnerability at the same time with the public announcement.