I don't think that's the point. The point is to have some fresh eyes go over code that is thought to be secure. Once audited, it doesn't mean it's any more secure, but at least we're on the way to cover any if not most angles.
Cheers,
./r
-----Original Message-----
From: dovecot-bounce@procontrol.fi [mailto:dovecot-bounce@procontrol.fi] On Behalf Of Farkas Levente
Sent: January 13, 2003 6:00 PM
To: dovecot@procontrol.fi
Subject: [dovecot] Re: security audit of the code
seth vidal wrote:
On Mon, 2003-01-13 at 17:12, Timo Sirainen wrote:
On Mon, 2003-01-13 at 23:30, seth vidal wrote:
Timo, I know that you're taking an effort to make sure that dovecot is written securely, but I was wondering if you've asked any third party to audit the code yet. I don't have the skills necessary to do this but I bet there is someone out there who does and might be willing to do so.
I don't really know who or where to ask. I'd be interested in getting people to audit Dovecot too.
Would it be reasonable to ask on bugtraq?
What about Chris Evans? - he wrote vsftpd and audited a bunch of Red Hat's releases iirc. Maybe worth bugging him to see if he'd be willing to look it over?
If he does that, then everybody accepts it as "secure"..
--
Levente
http://petition.eurolinux.org/index_html
"The only thing worse than not knowing the truth is ruining the bliss of ignorance."