See https://incompleteness.me/blog/2005/06/28/security-warning-watch-out-using-cvs-at-javaone/