On 01.03.2013 01:02, Jerry wrote:
> On Thu, 28 Feb 2013 23:26:43 +0000
> Ed W articulated:
>
>> I believe the high profile user of polarssl is the Dutch government
>> who have approved OpenVPN + PolarSSL for use. (The point being that
>> openssl is just too huge to audit for security)
>
> Just because a program has a large footprint does not equate to it
> being a security risk. In fact, that might be one of the dumber
> statements I have heard in a while. Unless you have proof of a specific
> and reproducible security exploit, your statement is pointless.
You did not understand the statement, or refuse to understand what auditing means. A code audit is the search for UNKNOWN implementation weaknesses and bugs. You can guess which is easier to audit: 1000 LOC, 10000 LOC or 1000000 LOC..... There are commonly known statistics on hidden errors in a defined count of code lines, and the statistic always remains the same: having 3 times more code mostly means 3 times more unknown bugs. And NO, this DOES NOT say anything about the quality of OpenSSL; these are only statistics and facts for audits, not more and not less.