--- "Gregory F. March" <[EMAIL PROTECTED]> wrote:
> 
> I seem to have successfully pushed Struts in my company (a big Wall
> St. bank).  However, today, I was asked the following question:
> 
>     How can I guarantee that there are no hacks, bombs, etc. in the
>     Struts code or any OS code for that matter?
> 
> My immediate response was, how can you guarantee it for any code?
> However, being a large bank with literally trillions of dollars a day
> passing through our systems, I can definitely understand their concern.
> 
> At a minimum, we will obtain the source code and at least do a minimal
> code walk-through and then compile our own binaries.
> 
> What other guarantees can I make to my management?  What is the process
> the Struts team uses to control a rogue contributor?

There are rather few committers that can change the code base (roughly
10-15 people).  All commits are mailed to struts-dev for the team to
review.  Even if Struts were secretly hacked, it isn't all that much code
to review anyways (about 14,000 lines of non-test/example code).  You
could narrow your code review to only the packages you'll actually be
using.

You will always have access to the source to do security reviews unlike
proprietary commercial software :-).

David

> 
> Thanks,
> 
> /greg
> 
> --
> Gregory F. March    -=-    http://www.gfm.net:81/~march    -=-   
> AIM:GfmNet
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 

