Andrew,

On Dec 17, 2007, at 3:22 PM, Andrew Beverley wrote:

What I would like to know, so that I can dispel this, is what procedures are in place to prevent this happening? I know that all downloads are digitally signed, but what other procedures are in place? For example, how is code signed off for inclusion in production releases?


http://httpd.apache.org/download.cgi#verify
http://httpd.apache.org/dev/verification.html

http://httpd.apache.org/dev/release.html

On a day-to-day basis, the contents and log message of all commits to httpd are broadcast to a publicly archived mailing list and are available for all to see and review. Commits are only made by trusted developers (committers), and any commit is visible on this mailing list. The development trunk is kept in Commit-Then-Review mode, and the release branches for Apache HTTP Server 1.3.x, 2.0.x and 2.2.x are under the Review-Then-Commit model, where any change proposal needs three votes from committers before it gets incorporated into the tree.

Hope this helps,

S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
