bug-cvs

Re: cvs: temporary file handling fixes


From: Mark D. Baushke
Subject: Re: cvs: temporary file handling fixes
Date: Mon, 26 May 2003 13:55:53 -0700

Hi Alexander,

You write:
> In particular, I was looking for a (security) bug reporting address
> that wouldn't automatically reach a public mailing list, -- but it
> seems you find unsafe temporary file handling to be a minor enough
> issue to be discussed in public.  This is OK with me, but I thought
> that some vendor-sec members could prefer to handle it differently.

I do not know anyone on the development team that believes that cvs is a
'secure' program today. It should be improved, but it was not designed
with security in mind and is often too trusting of the data it has on
hand.

I personally would find it desirable to remove as many of the 'known'
security holes as possible in cvs. For now, this means that you need to
air them on the bug-cvs@gnu.org list.

If you feel that you have found something that is particularly evil that
should not be aired in public, you could consider sending e-mail to the
project members who have a "Developer" role. In theory, any of us could
apply and/or vet an emergency patch to the master cvs repository sources.
You can take the User entry from the "Members" page and add @cvshome.org
if you need to get e-mail to any of us.

Of course, only Derek can release a new version of cvs to the public...

        Thanks,
        -- Mark



