If you are using a version earlier than 1.0.8, you should certainly upgrade. You should be keeping track of security fixes for any product you use on a regular basis, of course.
Of course, CAN-2004-0179 (and CAN-2004-0398) are neon (webdav library) security flaws, which were both fixed in July 2004. ( http://www.webdav.org/neon/ ) And the fixed (0.24.7) version of neon was required by Subversion 1.0.6... also released last July. ( http://svn.collab.net/repos/svn/trunk/CHANGES )
So, yes, if you are using an older version (less than 1.0.6), Subversion does have those particular security flaws. But the current version (1.1.1) certainly doesn't. And you should be keeping track of security fixes no matter what product you are using.
How do you know the neon library maintainers didn't do just what you suggest, but being human, still managed to make mistakes? Are you arguing against the use of libraries that you yourself don't write? You know OpenOffice uses neon, right? Are you saying that the OpenOffice developers are idiots because they also use neon?
As long as people write software, no matter how good they are, no matter what OS they write for, there will always be security flaws. To assume otherwise is folly.
But the original argument was: CLA-2004:883 is a reason not to use Subversion. I just pointed out that it is in fact a very good reason not to use an older version of Subversion... it's not a specific argument against Subversion itself.
Your statement, on the other hand, is a basic ad hominem fallacy ( http://www.datanation.com/fallacies/attack.htm ), and doesn't really refute anything.