Who would you trust to guarantee that an application behaves as you expect it to?

Who would you trust to guarantee that an application doesn't expose your environment?

If anyone can submit an application to OpenNTF, and have that application automatically signed with an OpenNTF ID, who are you supposed to trust?

Who should be appointed to check every line of code, in every application, before signing it with a OpenNTF ID?

In any case, you should have your own signing ID, for applications you trust, for applications you have checked.

Peter,
My thought was that each administrator would decide if they wanted to actually implement this in their domain, but this would at least be an option. Personally I would look at the application (and already do this currently) before I would put it in production.
Also, this could work in conjunction with some of the changes that are being discussed with how OpenNTF is going to work moving forward (i.e. having peer review of applications).

Understand where you're coming from Bruce, but I think this is a bit iffy to implement on OpenNTF. For every conscientious dev / admin like you, there are oodles out in the wild who would deploy any old signed code without a second thought.

I'd like this from a contributor standpoint. For example, my previous employer didn't like me submitting code that was stamped with my work ID. They didn't mind me submitting code, they just didn't like it having 'company name' stamped all over it, for legal reasons. Since IBM doesn't provide a server license for opensource development (GRRR!), it became a PITA to have someone re-sign my apps before I could put them on the old sandbox.

I have a much more supportive employer now (everyone go buy Hershey candy!), but I imagine others still have this issue. It would be nice to have a background agent sign dbs after they were submitted to openNTF.org. Just a thought.

Personally, I wouldn't recommend users running code on their servers that they haven't fully inspected or obtained from a trusted author, but I know it happens.

Ben,
My first thought on this is if an admin is dumb enough to just put stuff in production without knowing what it is, then they deserve what they get. However, before anyone bites my head off, that only works in companies that have some form of IT governance. I know there are plenty of places where anyone who shows any aptitude for computers is shoved into doing admin, and this is where this would bite hard.
The good news is that I think this could be put in place with because this is an opt-in system. Each administrator has to decide to allow this and manually do something to make it happen.
Just my two cents worth.

The real danger would be from other users.

For example lets say you allow a database to run on the server with the signature. A user could then download a different app from openNtf which could potentially have full access to your server. At the very least the user would be able to run an app that hasn't been tested.

Safest route is to always have your own internal special ID to sign databases with and keep it locked up away from everyone except the main admins.

There is a common signer id on openntf but I think it is only used on the mail template.

We could apply that to projects that choose (ie we do not give the id away its a signing process where the id is not actually available).

Each environment then chooses whether to trust the id or not.