[Exim-dev] Security & Development issues

Author: Nigel Metheringham
Date:  
To: exim-dev
Subject: [Exim-dev] Security & Development issues
[These are thoughts around this sort of issue, as a discussion starter.
If discussion moves off this topic can people please change to a new
thread]

      * Exim is a large (normally) setuid daemon with lots of
        privileges.
      * No matter how good we are, exim *will* have security issues.
      * We need to have processes to:-
              * Inspect committed code for security issues
              * Ensure released code is not compromised
              * Accept security reports in a timely fashion
              * Engineer security fixes without (if possible) giving
                those who might attack vulnerable installations an
                advance attack period.


Does anyone have any information on means to ensure a CVS repository is
not suffering unexpected changes other than producing an overall diff
frequently against a known source and then eyeballing that? [sounds
like a tall order but...]

We also need to think through the ways of handling security issues - we
do not have any good means to ensure that someone is always available
:-/

    Nigel.


-- 
[ Nigel Metheringham           Nigel.Metheringham@??? ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
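The question above about spotting unexpected changes in a checkout without eyeballing a full diff is usually answered with a baseline manifest: record a cryptographic digest for every file in a known-good tree, then compare a fresh scan against that record and report only the paths that were added, removed or modified. The script below is an added example, not code from this thread or from the Exim project; it assumes a plain directory tree, skips `CVS` bookkeeping directories (an assumption about the checkout layout), uses SHA-256 for the digests, and builds a throwaway tree in a temporary directory so it runs offline.

```python
"""Integrity manifest for a source tree.

Added example, not Exim project code. Records a SHA-256 digest per file in a
known-good checkout, then compares a later scan against that baseline and
reports added, removed and modified paths instead of a full diff.
"""
import hashlib
import os
import tempfile

# Assumption about the checkout layout: CVS bookkeeping directories are
# not part of the source we want to watch, so they are skipped.
IGNORED_DIRS = {"CVS"}


def file_digest(path, chunk=65536):
    """SHA-256 hex digest of one file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune ignored directories in place so os.walk does not descend into them.
        dirnames[:] = sorted(d for d in dirnames if d not in IGNORED_DIRS)
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_digest(full)
    return manifest


def compare_manifests(known, current):
    """Return (added, removed, modified) as sorted lists of relative paths."""
    known_paths, cur_paths = set(known), set(current)
    added = sorted(cur_paths - known_paths)
    removed = sorted(known_paths - cur_paths)
    modified = sorted(p for p in known_paths & cur_paths if known[p] != current[p])
    return added, removed, modified


def write_manifest(manifest, path):
    """Persist the baseline as 'digest  relative/path' lines (one file per line)."""
    with open(path, "w") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(path):
    """Load a manifest written by write_manifest back into a dict."""
    manifest = {}
    with open(path) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            manifest[rel] = digest
    return manifest


def demo():
    """Construct a throwaway tree, baseline it, tamper with it, and report.

    The tree contents are constructed sample data, not real Exim files.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src", "CVS"))
        with open(os.path.join(root, "src", "exim.c"), "w") as f:
            f.write("int main(void) { return 0; }\n")
        with open(os.path.join(root, "src", "CVS", "Entries"), "w") as f:
            f.write("bookkeeping, ignored by the scan\n")
        with open(os.path.join(root, "README"), "w") as f:
            f.write("baseline\n")
        baseline_path = os.path.join(root, "..", "baseline.manifest")
        write_manifest(build_manifest(root), baseline_path)

        # Simulated unexpected changes: edit one file, add one, remove one.
        with open(os.path.join(root, "src", "exim.c"), "a") as f:
            f.write("/* unexpected edit */\n")
        with open(os.path.join(root, "src", "extra.c"), "w") as f:
            f.write("/* unexpected new file */\n")
        os.remove(os.path.join(root, "README"))

        result = compare_manifests(read_manifest(baseline_path), build_manifest(root))
        os.remove(baseline_path)
        return result


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added)
    print("removed:", removed)
    print("modified:", modified)
```

The check is only as trustworthy as the baseline: the manifest has to live somewhere the repository host cannot rewrite it (another machine, or a signed copy), since anyone able to alter the checkout could otherwise alter the record alongside it, and a manifest only catches changes made after the baseline was taken, so the baseline itself still needs review once.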