On Mon, Jun 26, 2006 at 01:09:42PM -0600, Chad Perrin wrote:
> On Mon, Jun 26, 2006 at 07:35:00PM +0100, Timwi wrote:
> > Seriously, security flaws need to be pointed out. *Especially* in open-source software.
> One of the big problems I have with a lot of proprietary software is the unwillingness of its vendor to admit flaws and tell us, the users, that there's a problem of which we should be aware. I tend to view open and frank, helpful discussion of security issues as a net win when I'm evaluating software to determine whether I want to use it, and ominous silences as a sign that if a vulnerability arises, I won't find out until it's too late.
And, FWIW, while I think there's a whole lot of overreaction on this thread, on both sides, I come down a bit right of center as well: I believe that it would be useful to have it documented in the archives that there *was* such a problem, at timestamp X, such that if someone is using SVN and happened to pull that particular rev, they have the opportunity to know.
Remember: while running SVN revs in production is not the recommended approach, there are people who do it.
Cheers, -- jra