> -----Original Message-----
> From: Shachar Shemesh [mailto:[EMAIL PROTECTED]
> Sent: Monday, November 17, 2003 8:38 AM
> To: Tal, Shachar
> Cc: Guy Teverovsky; Linux-IL mailing list
> Subject: Re: Fw: What's wrong with this code?
>
> Tal, Shachar wrote:
>
> > While agreeing with most of your post, I can testify to previously working
> > for a company with a state-of-the-art ClearCase implementation. Each R&D
> > team has its own branch to work on, and only the integration team merged
> > files from these branches to our /main branch.
>
> Would you say that this prevents a single developer, on a whim, from
> introducing a backdoor?

It makes it harder, as diffs are examined (by a single person or two people)
before introducing code to the main branch. It's possible to obfuscate a
backdoor, of course, but harder than when no one is watching.

> > Furthermore, each feature had its own branch, which was merged to relevant
> > team branches once matured and tested. Yes, this definitely isn't ClearCase
> > 101, but I agree with Shachar that the companies (in Israel, anyway) using
> > a good version control system and matching procedures can be counted on
> > one hand of former army Engineer.
>
> I was also making the point that, even if all procedures were in place,
> a backdoor can still be introduced. See my next sentence from my
> original mail.

I'll grant you that.

> >> In any case, assuming the developer is qualified to write production
> >> code, they can write code that gets CPU time on a client's machine. As
> >> such, they can backdoor the product.
> >>
> >> In short - there is plenty of room for a single developer to backdoor a
> >> commercial product. This goes for any commercial environment.
>
> ...
>
> >> As such, it is worth noting that I am yet to see a commercial company
> >> where, as a rule, one developer does not have source code access to the
> >> entire company's product suite. There are exceptions (a release the
> >> company is trying to keep a secret, government contracts, clean room
> >> reverse engineering), but they are just that - exceptions.
> >
> > Again, here you're wrong. The company I work for currently does not allow
> > engineers access to code they have no business reading in the first place.
> > Of course, a malicious programmer can always social engineer his way into
> > getting access to the code.
>
> Hmm. Doesn't your company fall under the second case in my "exceptions"
> list?

A part of the company does. I'm not talking about that specific part, since
I don't work for that part.
Shachar Tal
Verint Systems