On Dec 17, 2007, at 6:22 PM, Andrew Beverley wrote:
Hi,

I hope that this is the correct mailing list for this question, and that you can easily provide a quick response.

I am currently working within the UK Ministry of Defence, and am trying to get Apache web server accredited as software able to be installed on one of our defence networks. However, one of the barriers I am coming up against is the argument that, because it is open source, someone could contribute a Trojan horse to the code and that the code could be included in the official product.

What I would like to know, so that I can dispel this, is what procedures are in place to prevent this happening? I know that all downloads are digitally signed, but what other procedures are in place? For example, how is code signed off for inclusion in production releases?

I am going to a meeting about this very shortly so would appreciate a prompt response!
In one word: "visibility".

Since all development is done in the open, since all code is vetted by at least 3 committers on the project, and since all commits are viewable via Subversion, the risk associated with this is pretty small.