Hi Florian, and sorry for the long delay.

Florian Weimer wrote:
> Well, it's not my package, so you don't have to listen to me. I'm
> also not speaking for the security team.

Oh, had you said that before, I'd have ignored all your comments :P

> But I appreciate your
> efforts to address my concerns.

And I appreciate you raising your concerns. I don't want to bring anything to Debian if it has serious security issues. Especially if it's a library that is going to be used by lots of projects (including GNOME).

> From a PR point of view[1], I strongly suggest to disable it by
> default, and implement only the partial form which is present in
> Iceweasel (just look up "wpad.", and no DNS devolution).

I've talked with upstream and he's told me he would accept any patch that disables any portion of the code that may have security implications, providing there's an option to enable it (at build time). He also prefers those portions of code to be disabled by default, so we're good.

I've made a patch to disable WPAD DNS devolution, you can have a look at it at [1]. I'll wait for Nathaniel (upstream) to review it, and if it's fine will include it in my initial upload to Debian.

Best wishes,
Emilio

[1] http://code.google.com/p/libproxy/issues/detail?id=20