Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
On Thu, Dec 18, 2008 at 6:13 PM, Michael Banck <mbanck@debian.org> wrote:
> On Thu, Dec 18, 2008 at 12:51:34PM +0100, Bastien ROUCARIES wrote:
>> On Thu, Dec 18, 2008 at 12:35 PM, Bjørn Mork <bmork@dod.no> wrote:
>> > Florian Weimer <fw@deneb.enyo.de> writes:
>>
>> > I would very much like this library to become the *only* WPAD
>> > implementation anywhere. Hopefully eventually with some ability to
>> > define local policies, where the default Debian policy could be very
>> > strict. E.g. "Never trust DNS for WPAD", or "Never use WPAD at all".
>>
>> I tend to agree, we have not forbidden root to do rm -arf .
>> It is the same, it is a policy problem. With current libproxy, could root
>> forbid the use of WPAD, even if user ask it?
>
> Dan Winship, one of the libproxy authors, replied:
>
> | - The fact that it's broken doesn't change the fact that lots of
> | sites use it
> |
> | - It's already implemented by other programs in the distro anyway
> | (notably Firefox)
> |
> | - Its use in libproxy can be disabled system-wide by the
> | administrator
> |
> |I think in current libproxy WPAD is enabled by default though. We should
> |make sure that's changed.
I will be interesting also to add a link or copy verbatim (with author
permission) in README.Debian, the poisson pill
of this protocol, see for instance
http://www.mercenary.net/blog/index.php?/archives/42-HOWTO-WPAD.html
and some explanation about (in)security of wpad.
Regards
Bastien
Reply to: