Andrew Beverley wrote:
> Hi,
>
> I hope that this is the correct mailing list for this question, and that you can
> easily provide a quick response.
>
> I am currently working within the UK Ministry of Defence, and am trying to get
> Apache web server accredited as software able to be installed on one of our
> defence networks. However, one of the barriers I am coming up against is the
> argument that, because it is open source, someone could contribute a Trojan
> horse to the code and that the code could be included in the official product.
>
> What I would like to know, so that I can dispel this, is what procedures are in
> place to prevent this happening? I know that all downloads are digitally signed,
> but what other procedures are in place? For example, how is code signed off for
> inclusion in production releases?
>
The Trojan horse argument is a flawed argument commonly used against open source projects; a Google search on the subject will pop up a lot of articles on it. For example, this fine article:

http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/open-source-security.html

On a personal note, I think that the distributed development nature of Apache HTTPD (and other open source projects) is what makes me more confident to trust it, and given its 50+% market share I'm pretty sure other people trust it too.

On a side note, the NSA (National Security Agency) has taken the open source route and they don't seem to be worried :-)

Regards,
Davi Arnaut