Antoine Jacoutot <[EMAIL PROTECTED]> wrote:

> On Fri, 29 Dec 2006, Joachim Schipper wrote:
> > I'll try to give it a spin tomorrow, but I find it hard to reconcile the
> > above with
> > http://marc.theaimsgroup.com/?l=openbsd-ports&m=116722882621269&w=2
> > (Marc Espie (espie@) says he is 'shuddering about what a full scale
> > audit would reveal'). Even if you disagree with Marc, wouldn't it be a
> > good idea to have some warning somewhere - perhaps in a SECURITY file?
> 
> While I totally understand Marc's comment, he just wonders "what a full 
> scale audit would reveal"... maybe nothing!
> By the way, this is true for other ports too.

It's not that the software may be insecure that's the issue.  It's the current
trend of people writing software and putting "secure" into its feature list
as if that is all it takes to make it secure.  The DESCR should not brag
about how secure it is unless it's actually true.  A little "the author claims
it's secure, but it hasn't been audited" note or something would be nice.

Adam
