The original application for creation of the TROST Project on SourceForge was submitted and confirmed on Sunday, January 30, 2005. The test for acceptance of project applications is the appearance of the project page on the SourceForge site. That had happened by Tuesday, February 2, 2005.
- Academic Free License 2.1,
- BSD License,
- Creative Commons Attribution 2.0
The TROST Project creates Templates for Raising Open-System Trustworthiness. The templates comprise a framework for demonstration and assertion of software trustworthiness by developers, with verification fully available to administrators and end-users.
- To deliver a framework for development and maintenance of software with demonstrable trustworthiness
- To demonstrate feasibility of the framework by applying it to delivery of open-source software for integration on desktop PCs
- To have procedures and practices that end-users can apply to confirm the level of trustworthiness asserted for a program
Computer end-users find they must trust in the software that they use, having few means to directly appraise the steps taken to assure the trustworthiness of software that they employ. Although trust is a factor in the adoption of any software components for use, commercial adopters express concern about the authenticity, legality, and quality of software obtained from open-source distributions, especially when there is no distinct commercial organization that bears producer's risks and stands behind the software.
TROST consists of a framework and procedures used to incorporate trustworthiness assurance in the development and delivery of open-system software. With TROST, adopters can confidently establish:
- Whether the software distribution is authentic, and what that means
- Whether the software is certified to be derived from the "official" public source code, and how that can be independently verified
- Whether there are assessments of the security, reliability, and integrity of individual source code constituents, how authoritative those assessments are, and the availability of details for independent review
- Whether the covered subject-matter of the open-source license has been asserted to be free of conflicting intellectual-property restrictions by its contributors
- Whether a security threat model is defined for the software and how it can be reconciled in an overall threat model for the application in which the software is to be used
- When modifications and even revocation of assessments come to light, and any remedies that are available for discovered deficiencies
The framework also identifies available tools for use in verification and assessment-confirmation procedures. A key principle is having each installable component be linked with the latest certifications asserted for it, accounting for the dynamic nature of trustworthiness.
TROST materials are delivered as on-line documentation in web pages, help files, and printable documents (Microsoft Word or Adobe Acrobat).
The packaging of the software delivered in demonstration of the framework templates includes links to instructions for verifying the software and for locating all materials required to confirm the various certifications. There are on-line documents and help files that describe the certification and its limitations for each component of the delivered software.
A worked case will be applied to delivery of a reference implementation for an ODMA integration. This will be a production-quality reference implementation delivered under the ActiveODMA project on SourceForge. Specific application of TROST principles to that reference implementation will be carried out as a focused proof-of-concept. Other cases, with suitable customization of the overall framework, are expected to be applied by other developers as dictated by their interests.
created 2005-05-06-22:58 -0700 (pdt) by