Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library

To: debian-devel@lists.debian.org
Subject: Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
From: Florian Weimer <fw@deneb.enyo.de>
Date: Sun, 21 Dec 2008 22:05:06 +0100
Message-id: <[🔎] 877i5t8cjh.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 494EA773.5060601@ubuntu.com> (Emilio Pozuelo Monfort's message of "Sun, 21 Dec 2008 21:30:43 +0100")
References: <[🔎] 20081218002549.18784.37060.reportbug@saturno> <[🔎] 87d4fpubqa.fsf@mid.deneb.enyo.de> <[🔎] 87wsdxium0.fsf@obelix.mork.no> <[🔎] 195c7a900812180351h1028ad36t9bdf0f7932b24ff9@mail.gmail.com> <[🔎] 20081218171358.GA28528@nighthawk.chemicalconnection.dyndns.org> <[🔎] 87vdtgh4c6.fsf@mid.deneb.enyo.de> <[🔎] 494EA773.5060601@ubuntu.com>

* Emilio Pozuelo Monfort:

> Florian Weimer wrote:
>> Not enabling WPAD with DNS devolution goes a long way towards dealing
>> with this mess.
>
> Would you be fine if libproxy disabled WPAD by default? I think libproxy's
> developers are willing to do that, according to [1].

Well, it's not my package, so you don't have to listen to me.  I'm
also not speaking for the security team.  But I appreciate your
efforts to address my concerns.

>From a PR point of view[1], I strongly suggest to disable it by
default, and implement only the partial form which is present in
Iceweasel (just look up "wpad.", and no DNS devolution).  If you
absolutely must implement full WPAD, do not hard-code the list of
TLDs/public suffixes, but use a separate Debian package which can be
part of volatile.  (Such a package might be useful on its own, even
although the public suffix list concept is subject to fierce debates.)

There might be another security issue in WPAD (I need to look into
this), but it doesn't affect the "wpad." variant.  This variant
suffers from the drawback that DNSSEC will eventually break it,
though.

[1] Otherwise, every couple of months, someone will notice that our
TLD list is incomplete, and make a big fuzz about it.

Reply to:

References:
- Bug#509063: ITP: libproxy -- automatic proxy configuration management library
  - From: Emilio Pozuelo Monfort <pochu@ubuntu.com>
- Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
  - From: Bjørn Mork <bmork@dod.no>
- Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
  - From: "Bastien ROUCARIES" <roucaries.bastien@gmail.com>
- Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
  - From: Michael Banck <mbanck@debian.org>
- Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
  - From: Emilio Pozuelo Monfort <pochu@ubuntu.com>

Prev by Date: Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
Next by Date: Re: problems with the concept of unstable -> testing
Previous by thread: Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
Next by thread: Bug#509094: ITP: libxml-rss-libxml-perl -- create and update RSS files using XML::LibXML
Index(es):
- Date
- Thread