Network Computing is part of the Informa Tech Division of Informa PLC



When: Jan. 23, 2003

What: A recent 'big news' item in some publications revealed that there was a vulnerability in CVS, the source-code repository used by many open-source projects.

FUDFactor: This vulnerability may have led, or may yet lead, to Trojan horses (or worse) introduced directly into the source code of your favorite open-source product.

FUDBust: This is nothing more than sensationalism. The vulnerability was discovered, reported to organizations known to use CVS and reported to the CVS development group before the press was alerted. The problem was fixed by the time the articles were written. More important, the real risk of Trojans comes from team members of small OSS projects, not from outsiders cracking CVS servers. In a large project, with many people going over the code (the Apache Project for example), the risk of Trojans introduced into the source code is minimal. For a project with one or two developers and a small user base, the risk is present. To protect against the tiny chance that one of those developers is a rogue, have another developer look over the source code before you install it.