Timo, I know that you're making an effort to make sure that dovecot is written securely, but I was wondering if you've asked any third party to audit the code yet. I don't have the skills necessary to do this but I bet there is someone out there who does and might be willing to do so.
-sv
On Mon, 2003-01-13 at 23:30, seth vidal wrote:
Timo, I know that you're making an effort to make sure that dovecot is written securely, but I was wondering if you've asked any third party to audit the code yet. I don't have the skills necessary to do this but I bet there is someone out there who does and might be willing to do so.
I don't really know who or where to ask. I'd be interested in getting people to audit Dovecot too.
On Mon, 2003-01-13 at 17:12, Timo Sirainen wrote:
On Mon, 2003-01-13 at 23:30, seth vidal wrote:
Timo, I know that you're making an effort to make sure that dovecot is written securely, but I was wondering if you've asked any third party to audit the code yet. I don't have the skills necessary to do this but I bet there is someone out there who does and might be willing to do so.
I don't really know who or where to ask. I'd be interested in getting people to audit Dovecot too.
Would it be reasonable to ask on bugtraq?
What about Chris Evans? - he wrote vsftpd and audited a bunch of Red Hat's releases iirc. Maybe worth bugging him to see if he'd be willing to look it over?
-sv
On Mon, 2003-01-13 at 17:16, seth vidal wrote:
On Mon, 2003-01-13 at 17:12, Timo Sirainen wrote:
On Mon, 2003-01-13 at 23:30, seth vidal wrote:
Timo, I know that you're making an effort to make sure that dovecot is written securely, but I was wondering if you've asked any third party to audit the code yet. I don't have the skills necessary to do this but I bet there is someone out there who does and might be willing to do so.
I don't really know who or where to ask. I'd be interested in getting people to audit Dovecot too.
Would it be reasonable to ask on bugtraq?
What about Chris Evans? - he wrote vsftpd and audited a bunch of Red Hat's releases iirc. Maybe worth bugging him to see if he'd be willing to look it over?
heh the above should read:
He wrote vsftpd and audited a variety of programs, and one of Red Hat's releases iirc.
<sigh> -sv
On Tue, 2003-01-14 at 00:16, seth vidal wrote:
I don't really know who or where to ask. I'd be interested in getting people to audit Dovecot too.
Would it be reasonable to ask on bugtraq?
What about Chris Evans? - he wrote vsftpd and audited a bunch of Red Hat's releases iirc. Maybe worth bugging him to see if he'd be willing to look it over?
I don't think it's a good idea to bug people with auditing requests, unless they've stated they don't mind. I usually audit only software that I use myself.
I don't think it's a good idea to bug people with auditing requests, unless they've stated they don't mind. I usually audit only software that I use myself.
makes sense.
I dunno who/where to ask. I'm sorta surprised the securityfocus folks don't have a mailing list for this sort of request. It might not actually be a useful list but I'm surprised they don't have one :)
-sv
seth vidal wrote:
On Mon, 2003-01-13 at 17:12, Timo Sirainen wrote:
On Mon, 2003-01-13 at 23:30, seth vidal wrote:
Timo, I know that you're making an effort to make sure that dovecot is written securely, but I was wondering if you've asked any third party to audit the code yet. I don't have the skills necessary to do this but I bet there is someone out there who does and might be willing to do so.
I don't really know who or where to ask. I'd be interested in getting people to audit Dovecot too.
Would it be reasonable to ask on bugtraq?
What about Chris Evans? - he wrote vsftpd and audited a bunch of Red Hat's releases iirc. Maybe worth bugging him to see if he'd be willing to look it over?
if he does that, then everybody accepts it as "secure"..
-- Levente http://petition.eurolinux.org/index_html "The only thing worse than not knowing the truth is ruining the bliss of ignorance."
I don't think that's the point. The point is to have some fresh eyes go over code that is thought to be secure. Once audited, it doesn't mean it's any more secure, but at least we're on the way to cover any if not most angles.
Cheers,
./r
-----Original Message-----
From: dovecot-bounce@procontrol.fi [mailto:dovecot-bounce@procontrol.fi] On Behalf Of Farkas Levente
Sent: January 13, 2003 6:00 PM
To: dovecot@procontrol.fi
Subject: [dovecot] Re: security audit of the code
seth vidal wrote:
On Mon, 2003-01-13 at 17:12, Timo Sirainen wrote:
On Mon, 2003-01-13 at 23:30, seth vidal wrote:
Timo, I know that you're making an effort to make sure that dovecot is written securely, but I was wondering if you've asked any third party to audit the code yet. I don't have the skills necessary to do this but I bet there is someone out there who does and might be willing to do so.
I don't really know who or where to ask. I'd be interested in getting people to audit Dovecot too.
Would it be reasonable to ask on bugtraq?
What about Chris Evans? - he wrote vsftpd and audited a bunch of Red Hat's releases iirc. Maybe worth bugging him to see if he'd be willing to look it over?
if he does that, then everybody accepts it as "secure"..
-- Levente http://petition.eurolinux.org/index_html "The only thing worse than not knowing the truth is ruining the bliss of ignorance."