Re: libproxy as external dependency
- From: Dan Winship <danw gnome org>
- To: Michael Banck <mbanck debian org>
- Cc: desktop-devel-list gnome org
- Subject: Re: libproxy as external dependency
- Date: Thu, 18 Dec 2008 11:25:04 -0500
Michael Banck wrote:
> FYI, a member of the Debian security team raised concerns:
> "WPAD is a broken protocol with security issues inherent to the DNS
> devolution mechanism (which is also performed by libproxy). Please
> don't add implementations to the Debian archive."
> Forwarding here without further comments as I have no idea about the
> security implications.
As noted in the followups:
- The fact that it's broken doesn't change the fact that lots of
sites use it
- It's already implemented by other programs in the distro anyway
- Its use in libproxy can be disabled system-wide by the
I think in current libproxy WPAD is enabled by default though. We should
make sure that's changed.
] [Thread Prev