httpd-dev mailing list archives

From Sander Temme
Subject Re: Integrity of Apache source code
Date Tue, 18 Dec 2007 01:14:50 GMT

On Dec 17, 2007, at 3:22 PM, Andrew Beverley wrote:

> What I would like to know, so that I can dispel this, is what procedures are in
> place to prevent this happening? I know that all downloads are digitally signed,
> but what other procedures are in place? For example, how is code signed-off for
> inclusion in production releases?

On a day-to-day basis, the contents and log message of all commits to
httpd are broadcast to a publicly archived mailing list and are
available for all to see and review.  Commits are only made by
trusted developers (committers), and any commit is visible on this
mailing list.  The development trunk is kept in Commit-Then-Review
mode, and the release branches for Apache HTTP Server 1.3.x, 2.0.x
and 2.2.x are under the Review-Then-Commit model where any change
proposal needs three votes from committers before it gets
incorporated into the tree.

Hope this helps,


Sander Temme
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
