[Dovecot] Support for PolarSSL?

Reindl Harald h.reindl at thelounge.net
Fri Mar 1 02:09:45 EET 2013



On 01.03.2013 01:02, Jerry wrote:
> On Thu, 28 Feb 2013 23:26:43 +0000
> Ed W articulated:
> 
>> I believe the high profile user of polarssl is the Dutch government
>> who have approved OpenVPN + PolarSSL for use. (The point being that
>> openssl is just too huge to audit for security)
> 
> Just because a program has a large footprint does not equate to it
> being a security risk. In fact, that might be one of the dumber
> statements I have heard in awhile. Unless you have proof of a specific
> and reproducible security exploit, your statement is pointless

you did not understand the statement or refuse to understand
what auditing means - a code audit is the search for UNKNOWN
implementation weaknesses and bugs - you can guess which is
easier to audit: 1000 LOC, 10000 LOC or 1000000 LOC.....

there are commonly known statistics of hidden errors in a
defined count of code lines - the statistic always remains
the same: having 3 times more code mostly means 3 times
more unknown bugs

and NO this DOES NOT say anything about the quality of
OpenSSL, these are only statistics and facts for audits

not more and not less
