On Mon, Jul 01, 2013 at 07:02:03AM -0400, Tom Ritter wrote:
> If libpurple/pidgin itself has bugs, that compromises OTR. If an
> attacker gets in through a window or your sliding door, he's still in
> your house. And libpurple is full of bugs. That's the easy, go-to
> answer for this question.
> http://web.nvd.nist.gov/view/vuln/search-results?query=libpurple&search_type=all&cves=on

True, but having many CVEs also means that many people are actively finding and doing the right thing with security bugs; it's as much an indicator of developer activity and practices as it is of the insecurity of the software. I'm sure we've all seen software with many dodgy security bugs that, because it isn't as widely used as its competitor, never bothers with CVEs, or doesn't have the expertise to properly understand or fix the bugs.
