On Fri, Oct 31, 2008 at 6:40 PM, JJB <[EMAIL PROTECTED]> wrote:

> If I was able to read and understand the source, I would probably be
> contributing to it. Isn't there usually an oversight process in which source
> commits are reviewed by someone before being accepted? Otherwise someone
> could be putting back doors or spy-code into the source code?
Sure, we do have an oversight process. Every commit to our source code is reviewed by multiple people. At a minimum, Scott and I review every commit, and there are I believe 5 of our developers who get an email with every commit, though I don't know how many of the rest thoroughly review every commit. Based on history, I know most of the commits are reviewed by people in addition to Scott and myself.

As another example of quality controls, for binaries, we only build those on trusted build servers we have full control over and that are not accessible from the Internet. From time to time, people will send us contributions including binaries, and we always refuse those binaries and build our own from verified authentic source code. That's just part of what we do to ensure the integrity of the software we release. Still, the point stands - you are trusting us as a collective group to do the right things.

> With closed source software there is a level of accountability - if
> something like that was discovered the company's reputation would suffer,
> there could even be lawsuits, loss of revenue, etc.

And the same is mostly true of pfSense. pfSense is a registered trademark and copyright of BSD Perimeter LLC, a Kentucky company in the United States, the company behind the services at https://portal.pfsense.org. Granted the lawsuit angle isn't applicable because of the license of the software (and the same is true of virtually all commercial software licenses - think you can successfully sue Microsoft if you get popped from one of their holes of the month?), but the same reputation risks are there. Scott and I have a vested interest in ensuring the quality and security of the software. It is not our primary source of income at this time, but that is the eventual goal. Also, we know this project protects collectively likely billions of dollars worth of data. We have a responsibility to ensure we really are protecting your networks, and we don't take this lightly.
> My understanding (perhaps ignorant) is that there is some kind of process in
> most group-effort open source projects, especially of this importance, to
> screen code before it is committed to cvs or svn or whatever version
> tracking software is used.

Each project has its own policies, and while they differ from one project to another, every major project has good procedures in place to ensure code quality, that people can't put in back doors, etc.
