Niels Dettenbach wrote on 1/25/2017 4:43 AM:
Am Dienstag, 24. Januar 2017, 09:10:42 CET schrieb Blake Hudson via Info-
cyrus:
As a security conscious server admin, I am curious whether similar
audits been performed against Cyrus or are future audits on the road map?
Hi Blake,
from my view (i'm not part of the cyrus team, but long time user) - the (much
younger then Cyrus). The Dovecot project seems much more "marketing" /
"publissity driven" approach to make their software known in the public and it
seems they "know" how to optimize their awareness especially within the
press.
They was the first email infrastructure open source project in my mind which
used press and marketing strategies very consequently. If this leads to a
better software - who knows's?
By "tradition", cyrus did not does a lot of marketing. my view is: they "just
delivered really best quality software" which stand's for it's own. A
"strategy" which was typical for most of the "real" quasi-standard open source
software projects within the internet.
How far such a "pentest" ist really a way to significantly proove or rise the
"security" of such a open and still well known and widely professionally used
/ adapted software like cyrus depends hardly from facts behind. There are
large companies which use cyrus for millions of users with geeks adapting the
cyrus code for their own needs - and a part of this is coming back into the
project. Dovecot - for me - seem's more to target "end users" or "smaller"
companies which look for a "integrated, easy to install" product without much
interest into the sources.
Many software builders used such "tests" in the past to "push" the publissity
of their product, while the real security questions wasnt answered by that
test.
afaik, cyrus was still often part of code or pentest based security analysis
from many different parties in the past >20 years - but if it help's someone
and the costs for such a tests are covered by "someone" - why not?
However:
Afaik, cyrus was still often part of code or pentest based security analysis
from many different parties in the past >20 years - but if there are new tests
available which really could bring significant higher trust into the code /
project, it help's someone and the costs for such a tests are covered by
"someone" - why not?
many thanks and best regards,
niels.
Thanks for your thoughts Niels. While some might see this as advertising
on the part of Dovecot (and why shouldn't they advertise favorable
news?), I simply see it as peer review to provide a better product. I am
not planning on switching away from Cyrus because of the success of
another project, but I believe that all projects have room for
improvement and that Cyrus IMAP users probably share the desire for
Cyrus to be as successful as possible. Sometimes review by an outside
source can be illuminating; If resources are available from those like
Mozilla to perform reviews, I think the Cyrus IMAP project should try to
take advantage of these opportunities.
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
