Upstream bug about WPAD security issues
As I discovered that libsoup SVN trunk has libproxy as an optional build
dependency, I stumbled upon this ITP, and found out that upstream has
been made aware of this issue:
Based on that bug, I assume that a future release release will offer
Debian these options:
1) Don't ship the offending plugin at all in a/the binary package, or
2) disable the use of the plugin via the default config file
I think admins should be free (and in general are, FWIW ;-)) to shoot
themselves and the users of the boxes they administer in the proverbial
foot, so I'd suggest going with (2).
However, I agree that until this "feature" can be reliably and
mandatorily disabled by the admin (and is disabled by a stock Debian
install), this package should not enter Debian.