----- Original Message -----
From: "Magesh Umasankar" <[EMAIL PROTECTED]>
To: "Ant Developers List" <[EMAIL PROTECTED]>
Sent: Monday, April 14, 2003 17:35
Subject: Re: cvs commit: ant/src/main/org/apache/tools/ant/taskdefs/optional/clearcase CCLock.java CCMkbl.java CCMklabel.java CCMklbtype.java CCRmtype.java CCUnlock.java ClearCase.java
> Point taken.
>
> In the future, if it will help, I will attach the actual diff
> that was used to patch to the bug report, before marking it as
> fixed.
>
> Cheers,
> Magesh

No, I wasn't expecting any changes - ant isn't a security issue, it's more an observation that we have a loophole in the process, one that matters more where you have
-complex code that doesn't get looked at often
-network accessible
-widely deployed.

Something like Axis or Tomcat would be vulnerable here, if not to anyone malicious, then to someone planning to write a paper titled 'process failures in open source security' on how they added a back door & how long it took for someone reading the code to find it.

But I won't, because so many people do use these things it'd be irresponsible, 'cept maybe for an easter-egg-class of back door.

-steve