On Mon, Dec 17, 2007 at 11:22:37PM +0000, Andrew Beverley wrote:
> I am currently working within the UK Ministry of Defence, and am trying to get
> Apache web server accredited as software able to be installed on one of our
> defence networks. However, one of the barriers I am coming up against is the
> argument that, because it is open source, someone could contribute a Trojan
> horse to the code and that the code could be included in the official product.

This is true - they could, but the same is true of any software development methodology.

> What I would like to know, so that I can dispel this, is what procedures are in
> place to prevent this happening?

IMO it boils down to:

0. Committers are only granted commit status after a period of peer review and a demonstrated period of competency and trustworthiness. No one is given commit access merely because they were employed yesterday.

1. All committed code changes are mailed to a public list which many people actively monitor and read.

2. A smaller number, but still enough, committers - likely including the eventual release manager - regularly update their local copy of the source tree and each have a reasonable potential to notice a change which was not mailed to the list (e.g. an attacker may manage to commit to the source tree and disable the mails about commits - but this would probably still be noticed).

> I know that all downloads are digitally signed, but what other procedures are
> in place? For example, how is code signed-off for inclusion in production
> releases?

In the case of modifications to released versions of Apache: at least 3 committers must review the changes and agree to their inclusion; unreviewed commits to these versions of Apache are virtually guaranteed to be noticed. At the time of release - once the release manager nominates a release candidate - it is subjected to even wider review and testing by the Apache community and must be reviewed by at least 3 members of the Project Management Committee.

In the case of pre-release versions or versions of Apache still in development: the code is subject to general peer review, and there is typically a period of months to years between time of commit and time of release during which problems may be noticed.

-- 
Colm MacCárthaigh
Public Key: [EMAIL PROTECTED]