httpd-dev mailing list archives

From Nick Kew <n...@webthing.com>
Subject Re: Integrity of Apache source code
Date Tue, 18 Dec 2007 00:24:34 GMT
On Mon, 17 Dec 2007 23:22:37 +0000
Andrew Beverley <andy@andybev.com> wrote:

> Hi,
> 
> I hope that this is the correct mailing list for this question, and
> that you can easily provide a quick response.

Not quickly, beyond what's on the apache webpages, or published
elsewhere (e.g. Chapter 1 of my book).

> I am currently working within the UK Ministry of Defence, and am
> trying to get Apache web server accredited as software able to be
> installed on one of our defence networks. However, one of the
> barriers I am coming up against is the argument that, because it is
> open source, that someone could contribute a Trojan horse to the code
> and that the code could be included in the official product.

And being non-open would protect you how, exactly?  MoD contractors
*certainly* have disgruntled employees, and project management that
wouldn't notice a trojan if it reformatted their hard drives.
A popular open source project, by contrast, gets *real* scrutiny.

> What I would like to know, so that I can dispel this, is what
> procedures are in place to prevent this happening? I know that all
> downloads are digitally signed, but what other procedures are in
> place? For example, how is code signed-off for inclusion in
> production releases?
> 
> I am going to a meeting about this very shortly so would appreciate a
> prompt response!

See above.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
