Am Dienstag, 24. Januar 2017, 09:10:42 CET schrieb Blake Hudson via Info- cyrus: > As a security conscious server admin, I am curious whether similar > audits been performed against Cyrus or are future audits on the road map? Hi Blake, from my view (i'm not part of the cyrus team, but long time user) - the (much younger then Cyrus). The Dovecot project seems much more "marketing" / "publissity driven" approach to make their software known in the public and it seems they "know" how to optimize their awareness especially within the press. They was the first email infrastructure open source project in my mind which used press and marketing strategies very consequently. If this leads to a better software - who knows's? By "tradition", cyrus did not does a lot of marketing. my view is: they "just delivered really best quality software" which stand's for it's own. A "strategy" which was typical for most of the "real" quasi-standard open source software projects within the internet. How far such a "pentest" ist really a way to significantly proove or rise the "security" of such a open and still well known and widely professionally used / adapted software like cyrus depends hardly from facts behind. There are large companies which use cyrus for millions of users with geeks adapting the cyrus code for their own needs - and a part of this is coming back into the project. Dovecot - for me - seem's more to target "end users" or "smaller" companies which look for a "integrated, easy to install" product without much interest into the sources. Many software builders used such "tests" in the past to "push" the publissity of their product, while the real security questions wasnt answered by that test. afaik, cyrus was still often part of code or pentest based security analysis from many different parties in the past >20 years - but if it help's someone and the costs for such a tests are covered by "someone" - why not? However: Afaik, cyrus was still often part of code or pentest based security analysis from many different parties in the past >20 years - but if there are new tests available which really could bring significant higher trust into the code / project, it help's someone and the costs for such a tests are covered by "someone" - why not? many thanks and best regards, niels. -- --- Niels Dettenbach Syndicat IT & Internet http://www.syndicat.com PGP: https://syndicat.com/pub_key.asc ---
Attachment:
signature.asc
Description: This is a digitally signed message part.
---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
