Jan. 23, 2003
What: A recent 'big news' item in some publications revealed that there was a vulnerability in CVS, the source-code repository used by many open-source projects.
FUDFactor: This vulnerability may have led, or may yet lead, to Trojan horses (or worse) introduced directly into the source code of your favorite open-source product.
This is nothing more than sensationalism. The vulnerability was discovered, reported to organizations known to use CVS and reported to the CVS development group before the press was alerted. The problem was fixed by the time the articles were written. More important, the real risk of Trojans comes from team members of small OSS projects, not from outsiders cracking CVS servers. In a large project, with many people going over the code (the Apache Project for example), the risk of Trojans introduced into the source code is minimal. For a project with one or two developers and a small user base, the risk is present. To protect against the tiny chance that one of those developers is a rogue, have another developer look over the source code before you install it.