On Mon, 17 Dec 2007 23:22:37 +0000 Andrew Beverley <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I hope that this is the correct mailing list for this question, and
> that you can easily provide a quick response.

Not quickly, beyond what's on the apache webpages, or published elsewhere (e.g. Chapter 1 of my book).

> I am currently working within the UK Ministry of Defence, and am
> trying to get Apache web server accredited as software able to be
> installed on one of our defence networks. However, one of the
> barriers I am coming up against is the argument that, because it is
> open source, someone could contribute a Trojan horse to the code
> and that the code could be included in the official product.

And being non-open would protect you how, exactly? MoD contractors *certainly* have disgruntled employees, and project management that wouldn't notice a trojan if it reformatted their hard drives. A popular open source project, by contrast, gets *real* scrutiny.

> What I would like to know, so that I can dispel this, is what
> procedures are in place to prevent this happening? I know that all
> downloads are digitally signed, but what other procedures are in
> place? For example, how is code signed-off for inclusion in
> production releases?
>
> I am going to a meeting about this very shortly so would appreciate a
> prompt response!

See above.

--
Nick Kew
Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
