Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library

Hi Florian, and sorry for the long delay.

Florian Weimer wrote:
> Well, it's not my package, so you don't have to listen to me.  I'm
> also not speaking for the security team.

Oh, had you said that before, I'd have ignored all your comments :P

> But I appreciate your
> efforts to address my concerns.

And I appreciate you raising your concerns. I don't want to bring anything to
Debian if it has serious security issues. Especially if it's a library that is
going to be used by lots of projects (including GNOME).

> From a PR point of view[1], I strongly suggest disabling it by
> default, and implement only the partial form which is present in
> Iceweasel (just look up "wpad.", and no DNS devolution).

I've talked with upstream and he's told me he would accept any patch that
disables any portion of the code that may have security implications, providing
there's an option to enable it (at build time). He also prefers those portions
of code to be disabled by default, so we're good.

I've made a patch to disable WPAD DNS devolution; you can have a look at it at
[1]. I'll wait for Nathaniel (upstream) to review it, and if it's fine I'll
include it in my initial upload to Debian.

Best wishes,

[1] http://code.google.com/p/libproxy/issues/detail?id=20
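To illustrate the difference between the two WPAD lookup forms discussed above, here is an added example (constructed for this thread, not libproxy code or the patch referenced at [1]). It assumes a plain DNS search suffix and that devolution stops once fewer than two labels remain; the trusted suffix and sample domain are made up.

```python
# Constructed illustration: WPAD hostname candidates with and without DNS
# devolution, plus a defender's check for candidates that fall outside the
# organisation's own DNS zone. Not libproxy code.

def devolved_suffixes(domain: str) -> list:
    """Return the domain and each parent suffix, stopping when fewer than
    two labels remain (assumed stop rule): a.b.c.d -> [a.b.c.d, b.c.d, c.d]."""
    labels = [l for l in domain.strip(".").lower().split(".") if l]
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

def wpad_candidates(domain: str, devolution: bool) -> list:
    """Hostnames a WPAD client would query for the given DNS suffix.

    devolution=False is the restricted form (only "wpad." + own suffix);
    devolution=True walks every parent suffix as well."""
    suffixes = devolved_suffixes(domain)
    if not devolution:
        suffixes = suffixes[:1]
    return ["wpad." + s for s in suffixes]

def outside_trusted_zone(candidates: list, trusted_suffix: str) -> list:
    """Candidates whose zone is not under the suffix the organisation
    controls; any hit here is a name a third party could answer for."""
    t = trusted_suffix.strip(".").lower()
    return [c for c in candidates
            if not (c == "wpad." + t or c.endswith("." + t))]

if __name__ == "__main__":
    # Constructed sample: a host in dev.eng.example.co.uk whose
    # organisation controls example.co.uk.
    domain, trusted = "dev.eng.example.co.uk", "example.co.uk"
    for mode in (False, True):
        cands = wpad_candidates(domain, devolution=mode)
        print("devolution=%s -> %s" % (mode, cands))
        print("  outside trusted zone:", outside_trusted_zone(cands, trusted))
```

With devolution enabled the candidate list reaches wpad.co.uk, which the organisation does not control; the restricted form never leaves its own suffix.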

