On 01.03.2013 01:02, Jerry wrote:
On Thu, 28 Feb 2013 23:26:43 +0000 Ed W articulated:
I believe the high profile user of polarssl is the Dutch government who have approved OpenVPN + PolarSSL for use. (The point being that openssl is just too huge to audit for security)
Just because a program has a large footprint does not equate to it being a security risk. In fact, that might be one of the dumber statements I have heard in a while. Unless you have proof of a specific and reproducible security exploit, your statement is pointless.
You did not understand the statement, or refuse to understand what auditing means: a code audit is the search for UNKNOWN implementation weaknesses and bugs. You can guess which is easier to audit: 1000 LOC, 10000 LOC or 1000000 LOC...
There are commonly known statistics of hidden errors per defined count of code lines, and the statistic always remains the same: having 3 times more code mostly means 3 times more unknown bugs.
And NO, this DOES NOT say anything about the quality of OpenSSL; these are only statistics and facts for audits,
not more and not less.