Bug#509063: ITP: libproxy -- automatic proxy configuration management library

On Thu, Jan 8, 2009 at 12:46 AM, Emilio Pozuelo Monfort
pochu@ubuntu.com wrote:
> Hi Florian, and sorry for the long delay.
> Florian Weimer wrote:
>> Well, it's not my package, so you don't have to listen to me.  I'm
>> also not speaking for the security team.
> Oh, should you have said that before, I'd have ignored all your comments :P
>> But I appreciate your
>> efforts to address my concerns.
> And I appreciate you raising your concerns. I don't want to bring anything to
> Debian if it has serious security issues. Specially if it's a library that is
> going to be used by lots of projects (including GNOME).
>> From a PR point of view[1], I strongly suggest to disable it by
>> default, and implement only the partial form which is present in
>> Iceweasel (just look up "wpad.", and no DNS devolution).
> I've talked with upstream and he's told me he would accept any patch that
> disables any portion of the code that may have security implications, providing
> there's an option to enable it (at build time). He also prefers those portions
> of code to be disabled by default, so we're good.

Instead of disabling the code, it could be made dependent on an /etc/
configuration file. It is policy: you could install telnetd even if it
is insecure on your local machine.

A global configuration file would be nice. And if root wants to shoot
himself in his foot and allow users to do it, why not?