httpd-dev mailing list archives

From Colm MacCarthaigh <>
Subject Re: Integrity of Apache source code
Date Tue, 18 Dec 2007 00:32:31 GMT
On Mon, Dec 17, 2007 at 11:22:37PM +0000, Andrew Beverley wrote:
> I am currently working within the UK Ministry of Defence, and am trying to get
> Apache web server accredited as software able to be installed on one of our
> defence networks. However, one of the barriers I am coming up against is the
> argument that, because it is open source, someone could contribute a Trojan
> horse to the code and that the code could be included in the official product.

This is true - they could, but the same is true of any software
development methodology. 

> What I would like to know, so that I can dispel this, is what procedures are in
> place to prevent this happening? 

Imo it boils down to:

	0. Committers are only granted commit status after a period of peer
	   review and a demonstrated period of competency and trustworthiness.
	   No one is given commit access merely because they were employed.

	1. All committed code changes are mailed to a public list which many
	   people actively monitor and read.

	2. A smaller, but still sufficient, number of committers - likely
	   including the eventual release manager - regularly update their
	   local copy of the source tree, and each has a reasonable chance of
	   noticing a change which was not mailed to the list (e.g. an attacker
	   may manage to commit to the source tree and disable the mails about
	   commits - but this would probably still be noticed).

> I know that all downloads are digitally signed,
> but what other procedures are in place? For example, how is code signed-off for
> inclusion in production releases?

In the case of modifications to released versions of Apache, at least 3
committers must review the changes and agree to their inclusion;
unreviewed commits to these versions of Apache are virtually guaranteed
to be noticed. At the time of release - once the release manager
nominates a release candidate - it is subjected to even wider review and
testing by the Apache community, and must be reviewed by at least 3
members of the Project Management Committee.

In the case of pre-release versions, or versions of Apache still in
development, the code is subject to general peer review, and there is
typically a period of months to years between the time of commit and the
time of release during which problems may be noticed.

Colm MacCárthaigh                        Public Key:
