Given our distro system, if we're really worried about hackers sniffing commit logs, I would rather remove anonymous CVS access.
We can't do that. Many users rely on CVS access to deploy sites. We can in theory shut that down. But what about http://drupal.org/cvs? That way you stop the vulnerability sniffing altogether. Like I said, I know I'm in the minority here and don't really expect to change your mind on this one.
If we shut down both, then it is no longer an open source project. Didn't see any major project shut down like that.
I've been involved with enough volunteer organizations to know that it's always an uphill battle to manage workload. I don't begrudge that, but I try and keep my expectations tempered.
I really hope no one on the security team is offended. I mean no such offense. I really do respect and appreciate the service that they provide and yes, I do consult with them when I do my security-related fixes.
No offense taken at all, from you or from others. We are always open to suggestions (and even recruiting for the security team!)
--
Khalid M. Baheyeldin
2bits.com, Inc.
http://2bits.com
Drupal optimization, development, customization and consulting.