David Honig wrote:
>
> At 12:07 PM 1/27/02 -0500, Arnold G. Reinhold wrote:
> > if
> > an attacker had an agent working inside the organization that
> > produced the package, the agent could simply insert the Trojan
> > software patch in the original package. However, such an insertion is
> > very risky. A sophisticated software company would likely have code
> > reviews that would make introduction of the Trojan code difficult.
>
> Um, right. A good company would have *design* reviews, but would it really
> spend time having skilled engineers review *all* the actual codelines
One of the duties of a person with commit access to an Apache Software Foundation project is, indeed, to review _all_ commits to that package. Admittedly, any particular individual will sometimes only glance at the commit, but bugs are picked up at this stage with such regularity that I am confident that the vast majority of commits are, in fact, reviewed.

I believe this practice is pretty common in free software.

Oh, I should note that commits are emailed to all committers, so it does not require the committers to actively seek out commits to review.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html
http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]