From: Andrew Beverley
To: dev@httpd.apache.org
Subject: Integrity of Apache source code
Date: Mon, 17 Dec 2007 23:22:37 +0000
Message-ID: <20071217232237.5sq5vx67w0sk0s0o@www.simplelists.com>

Hi,

I hope that this is the correct mailing list for this question, and that you can easily provide a quick response.

I am currently working within the UK Ministry of Defence, and am trying to get Apache web server accredited as software able to be installed on one of our defence networks. However, one of the barriers I am coming up against is the argument that, because it is open source, someone could contribute a Trojan horse to the code and that the code could be included in the official product.

What I would like to know, so that I can dispel this, is what procedures are in place to prevent this happening? I know that all downloads are digitally signed, but what other procedures are in place? For example, how is code signed off for inclusion in production releases?

I am going to a meeting about this very shortly so would appreciate a prompt response!

Many thanks,

Andy Beverley