Andrew Beverley wrote:

I am currently working within the UK Ministry of Defence, and am trying to get
Apache web server accredited as software able to be installed on one of our
defence networks. However, one of the barriers I am coming up against is the
argument that, because it is open source, someone could contribute a Trojan
horse to the code and that the code could be included in the official product.

In reality this is the other way around: because it is open source, it is extremely difficult for someone to contribute a Trojan horse to the code and have that code included in the official product. (By way of comparison, this risk is significant in any closed source project or product.)

Some of the specific measures in place that make it difficult to sneak code in are:

- The source code history is tracked in a source code system (subversion) that by design does not permit the modification of history. In other words, changes cannot be hidden.

- All changes to the source code result in email messages with full details of the change being emailed to all developers via public, archived mailing lists.

- Developers actively track these messages to ensure changes meet or exceed quality standards, and developers have the power to veto changes that do not meet standards.

- Third party organisations are empowered to audit the code, both for integrity and level of safety before deploying the code.

Regards,
Graham