nanog mailing list archives

Re: Trusting COTS - What's really in the box?


From: Sean Donelan <sean () donelan com>
Date: Thu, 10 Jun 2004 07:02:33 -0400 (EDT)


On Mon, 7 Jun 2004, Randy Bush wrote:
> building from certifiable open source that has been inspected
> by many is the only half-credible scheme of which i am aware.

More flaws foul security of open-source repository
By Robert Lemos
Staff Writer, CNET News.com
http://news.com.com/2100-7344-5229750.html

Security researchers have found at least six more flaws in the
open-software world's most popular program for maintaining code under
development.
[...]
The major projects using the program were notified of the issues May 28.
On Wednesday, the security holes were publicly announced.


Since the topic of pre-notification came up during the NANOG nsp-sec BOF,
should CVS have pre-notified selected major users of the software before
the public announcement?  Did this create favoritism, or should they
have held off and told everyone about the vulnerability at the same time
as the public announcement?

