Collin Funk wrote:
> I'll need some time to look at the rest of this, but just wanted to
> mention that building CVS from the upstream repository will produce a
> binary with some nasty vulnerabilities. Distributions have lots of
> patches they apply for their repositories, see Fedora for example [1].
>
> [1] https://src.fedoraproject.org/rpms/cvs/tree/rawhide

These patches don't fix the long-standing privacy violation of 'cvs status',
acknowledged by Mark Baushke in
https://lists.gnu.org/archive/html/bug-cvs/2007-01/msg00019.html

Bruno