On Mon, Dec 17, 2007 at 11:22:37PM +0000, Andrew Beverley wrote:
> I am currently working within the UK Ministry of Defence, and am trying to
> get Apache web server accredited as software able to be installed on one of
> our defence networks. However, one of the barriers I am coming up against is
> the argument that, because it is open source, someone could contribute a
> Trojan horse to the code and that the code could be included in the official
> product.
This is true: they could, but the same is true of any software
development methodology.
> What I would like to know, so that I can dispel this, is what procedures are
> in place to prevent this happening?
IMO it boils down to:

0. Committers are only granted commit status after a period of peer
   review and a demonstrated period of competency and trustworthiness.
   No one is given commit access merely because they were employed
   yesterday.

1. All committed code changes are mailed to a public list which many
   people actively monitor and read.

2. A smaller number of committers, but still enough, likely including
   the eventual release manager, regularly update their local copy of
   the source tree and each have a reasonable chance of noticing a
   change which was not mailed to the list (e.g. an attacker may
   manage to commit to the source tree and disable the mails about
   commits, but this would probably still be noticed).
> I know that all downloads are digitally signed, but what other procedures
> are in place? For example, how is code signed-off for inclusion in
> production releases?
In the case of modifications to released versions of Apache: at least 3
committers must review the changes and agree to their inclusion, and
unreviewed commits to these versions of Apache are virtually guaranteed
to be noticed. At the time of release, once the release manager
nominates a release candidate, it is subjected to even wider review and
testing by the Apache community and must be reviewed by at least 3
members of the Project Management Committee.

In the case of pre-release versions of Apache, or versions still in
development: the code is subject to general peer review and there is
typically a period of months to years between the time of commit and
the time of release during which problems may be noticed.
--
Colm MacCárthaigh Public Key: [EMAIL PROTECTED]