* Emilio Pozuelo Monfort:

> Florian Weimer wrote:
>> Not enabling WPAD with DNS devolution goes a long way towards dealing
>> with this mess.
>
> Would you be fine if libproxy disabled WPAD by default? I think libproxy's
> developers are willing to do that, according to [1].
Well, it's not my package, so you don't have to listen to me. I'm also not speaking for the security team. But I appreciate your efforts to address my concerns.

From a PR point of view[1], I strongly suggest disabling it by default, and implementing only the partial form which is present in Iceweasel (just look up "wpad.", and no DNS devolution). If you absolutely must implement full WPAD, do not hard-code the list of TLDs/public suffixes, but use a separate Debian package which can be part of volatile. (Such a package might be useful on its own, even though the public suffix list concept is subject to fierce debates.)

There might be another security issue in WPAD (I need to look into this), but it doesn't affect the "wpad." variant. This variant suffers from the drawback that DNSSEC will eventually break it, though.

[1] Otherwise, every couple of months, someone will notice that our TLD list is incomplete, and make a big fuss about it.
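To make the difference between the two variants concrete, here is an added illustration (not code from the thread, libproxy or Iceweasel) of the candidate host names a client ends up looking up. The partial form tries a single `wpad.` name under the host's own domain; the devolution form walks up the hierarchy and only stops when the public-suffix list says it has left the organization. With an empty or incomplete suffix list the walk reaches names such as `wpad.co.uk`, which is exactly why the list has to be complete and kept current. The function name, the sample FQDN and the tiny suffix list are constructed for this example.

```python
"""Candidate WPAD host names: the plain "wpad." lookup versus DNS devolution.

Added example, not part of the original mail or of libproxy; function names,
the sample FQDN and the suffix list below are constructed for illustration.
"""
from typing import Iterable, List, Optional


def wpad_candidates(fqdn: str, devolution: bool = False,
                    public_suffixes: Optional[Iterable[str]] = None) -> List[str]:
    """Return the WPAD host names a client would try for a host named ``fqdn``.

    devolution=False: only "wpad." + the host's own domain (the partial form).
    devolution=True: walk up the domain hierarchy one label at a time and stop
    as soon as the remaining domain is a known public suffix.  An empty or
    incomplete suffix list lets the walk reach registrar-controlled names,
    which is the exposure the mail warns about.
    """
    suffixes = {s.lower().strip(".") for s in (public_suffixes or [])}
    labels = fqdn.lower().strip(".").split(".")
    if len(labels) < 2:          # bare host name, nothing to derive a domain from
        return []
    domain_labels = labels[1:]   # drop the host's own label
    candidates: List[str] = []
    while domain_labels:
        domain = ".".join(domain_labels)
        if domain in suffixes:   # left the organization: stop here
            break
        candidates.append("wpad." + domain)
        if not devolution:       # partial form: exactly one lookup
            break
        domain_labels = domain_labels[1:]
    return candidates


def outside_domain(candidates: List[str], org_domain: str) -> List[str]:
    """Return the candidates that are not under ``org_domain``.

    Anything listed here is a name the organization does not control and
    therefore should never be consulted for proxy configuration.
    """
    suffix = "." + org_domain.lower().strip(".")
    return [c for c in candidates if not c.endswith(suffix)]


if __name__ == "__main__":
    host = "host.dept.example.co.uk"  # constructed sample
    print("partial form:   ", wpad_candidates(host))
    print("devolution+PSL: ", wpad_candidates(host, True, ["co.uk", "uk"]))
    print("devolution, no PSL:", wpad_candidates(host, True))
    print("outside example.co.uk:",
          outside_domain(wpad_candidates(host, True), "example.co.uk"))
```

Run stand-alone, the last line prints `['wpad.co.uk', 'wpad.uk']`: the two names a devolving client would query when the suffix list is missing or out of date, and the only ones that the partial form never touches.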