> > >So has any expert ever audited qmail or djbdns?
> > 
> > No. Any audit worth doing would be prohibitively expensive for a
> > freeware project. $1000 wouldn't even begin to cover it, at
> > least for qmail.

Whoa, sure, it'd cost a load if you paid someone to do it, but open
source has other routes. A team can be formed. I betcha if someone
could get a dozen or so volunteers who were serious programmers who
were willing to invest serious time on the project, that they could
approach the folks at OpenBSD, who have been doing a perpetual
on-going security audit with _great_ results for some years now, and
get a lot of assistance and instruction in exchange for some good
press.

> Not to mention that the whole point of freeware and open source
> software in general is to give everyone the ability to audit the
> software, not just a select few.

So if we want to try and pursue an audit it might be more harmonious
with our whole approach if we did so using a volunteer effort
coordinated over the internet and open to anybody with the necessary
resources to donate.

> It sounds like the author of this book is a M$-type weenie.

I'm afraid that doesn't follow at all. Bruce Schneier has some very
strong opinions, and his long-standing dislike of these "challenges"
is very well defended in its setting. Bruce is also a vocal
proponent of open source in security-critical settings, and a really
vicious critic of Microsoft.

The view that you dispute (that the only way to get a good security
audit is to pay a bazillion dollars to a company for a commercial
one) isn't a view that I'd expect Bruce to advocate, and in fact
really hasn't been expressly advocated by anyone here; it's more of
an implication that you sorta tripped over. Neither Bruce nor dsill
is what you'd call a Microsoft drone :-).

-Bennett
