httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ian Holsman <>
Subject Re: Integrity of Apache source code
Date Thu, 20 Dec 2007 21:49:11 GMT
While open source is fantastic, and provides highly visible means.
It can still be hacked.

I can describe what has happened in this case:

1. joe hacker hacks one of the 'open source groups' machines.

at this point he is assumed to have access to the source code repository.

2. assume he figures out how to change the source code in the repository 
in some weird way, or then modifies the tarball.

a. he modifies the tarball and inserts some trojan.

at this point in time people will be downloading the trojan, and it will 
start infecting people who are lazy. The non-lazy people (and there are 
people out there who do this) will check the MD5 & GPG-Key of the 
tarball, and will verify that the code matches the signatures. when it 
doesn't they complain VERY LOUDLY. They even complain when the GPG key 
is not signed with enough people who have enough trust.

so as long as you and your employer always verify with the GPG-key of 
the tarball that it is signed correctly, then this is not such a big issue.

b. he modifies the source code in the repository directly and in a 
manner that doesn't generate an email/commit message.

when something like this occurs ( I'm not even sure if it is possible in 
SVN, but I think it was in CVS) then the next time one of the core 
developers update their version of the code they will see the code has 
been changed. It is then up to the developer to review the change or the 
file being changed and to see what has happened. Our developers are 
alert, and most will question what is going on... but it is a risk.


Jim Jagielski wrote:
> On Dec 17, 2007, at 6:22 PM, Andrew Beverley wrote:
>> Hi,
>> I hope that this is the correct mailing list for this question, and 
>> that you can
>> easily provide a quick response.
>> I am currently working within the UK Ministry of Defence, and am 
>> trying to get
>> Apache web server accredited as software able to be installed on one 
>> of our
>> defence networks. However, one of the barriers I am coming up against 
>> is the
>> argument that, because it is open source, that someone could 
>> contribute a Trojan
>> horse to the code and that the code could be included in the official 
>> product.
>> What I would like to know, so that I can dispel this, is what 
>> procedures are in
>> place to prevent this happening? I know that all downloads are 
>> digitally signed,
>> but what other procedures are in place? For example, how is code 
>> signed-off for
>> inclusion in production releases?
>> I am going to a meeting about this very shortly so would appreciate a 
>> prompt
>> response!
> In one word "visibility".
> Since all development is done in the open, and since all code
> is vetted by at least 3 committers on the project and all commits
> are viewable via subversion, the risk associated with this
> is pretty pretty small.

View raw message