httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jim Jagielski <>
Subject Re: Integrity of Apache source code
Date Tue, 18 Dec 2007 13:07:37 GMT

On Dec 17, 2007, at 6:22 PM, Andrew Beverley wrote:

> Hi,
> I hope that this is the correct mailing list for this question, and  
> that you can
> easily provide a quick response.
> I am currently working within the UK Ministry of Defence, and am  
> trying to get
> Apache web server accredited as software able to be installed on  
> one of our
> defence networks. However, one of the barriers I am coming up  
> against is the
> argument that, because it is open source, that someone could  
> contribute a Trojan
> horse to the code and that the code could be included in the  
> official product.
> What I would like to know, so that I can dispel this, is what  
> procedures are in
> place to prevent this happening? I know that all downloads are  
> digitally signed,
> but what other procedures are in place? For example, how is code  
> signed-off for
> inclusion in production releases?
> I am going to a meeting about this very shortly so would appreciate  
> a prompt
> response!

In one word "visibility".

Since all development is done in the open, and since all code
is vetted by at least 3 committers on the project and all commits
are viewable via subversion, the risk associated with this
is pretty pretty small.

View raw message