Some people would have you believe this is monumental or out of the ordinary -- a group that distributes software experiencing a compromise, then letting everybody know about it and warning of the potential risks. Those that prance about in Penguin-embroidered cheerleader tops and yellow and black tutus suggest between pom-pom waves that no commercial vendor would ever be as candid.. . .
Some people would have you believe this is monumental or out of the ordinary -- a group that distributes software experiencing a compromise, then letting everybody know about it and warning of the potential risks. Those that prance about in Penguin-embroidered cheerleader tops and yellow and black tutus suggest between pom-pom waves that no commercial vendor would ever be as candid.

I think that's wrong. When you get owned, somebody is going to announce it, so there's no reason for anyone -- commercial vendors included -- to try and keep it under wraps. People talk. This is our nature, and inevitably the gossip subway is going to go rumbling down the tracks, out of control, until it breaks through the surface.

Moreover, open projects are in a situation that uniquely requires immediate disclosure of a compromise. A project that does not publicly admit a compromise not only risks the integrity of the project, but also risks the trust that users put in the project. And in current form, open-source projects are built entirely on trust.

This trust in open-source generally springs from the practice of distributing the source code for applications. But users who download from the project can't be assured that the application hasn't been tampered with, unless they actually read through the source code. There's no guarantee that the source is actually the source that was intended.

The link for this article located at SecurityFocus.com is no longer available.