Re: libproxy as external dependency





On Thu, Dec 18, 2008 at 11:25 AM, Dan Winship <danw gnome org> wrote:
> Michael Banck wrote:
> > FYI, a member of the Debian security team raised concerns:
> >
> > "WPAD is a broken protocol with security issues inherent to the DNS
> > devolution mechanism (which is also performed by libproxy).  Please
> > don't add implementations to the Debian archive."
> >
> > http://lists.debian.org/debian-devel/2008/12/msg00737.html
> >
> > Forwarding here without further comments as I have no idea about the
> > security implications.
>
> As noted in the followups:
>
>    - The fact that it's broken doesn't change the fact that lots of
>      sites use it
>
>    - It's already implemented by other programs in the distro anyway
>      (notably Firefox)
>
>    - Its use in libproxy can be disabled system-wide by the
>      administrator
>
> I think in current libproxy WPAD is enabled by default though. We should
> make sure that's changed.

Regarding libproxy enabling WPAD by default, this is both true and false.  Since one of the goals of libproxy is to read configurations from other sources, we will use whatever is the default for the highest priority configuration source.  In the case of GNOME, if libproxy is used in GNOME, libproxy will use whatever is the default configuration in gconf.  By default gnome-network-properties disables WPAD.

However, if no configuration is found (which should hopefully never happen) we do fall back to WPAD.  Perhaps this should be changed?

Nathaniel
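
The DNS devolution concern quoted in this thread, as an added example that is not part of the original messages and is not libproxy's code: a simplified model of which `wpad.*` names a devolving client would look up, and which of them fall outside the domain the site controls. The function names, the sample host names and the rule of stopping before a bare TLD are assumptions of this sketch; real clients differ in where they stop.

```python
"""Simplified model of WPAD DNS devolution (added example, not libproxy code)."""


def wpad_candidates(fqdn):
    """Return the WPAD names a devolving client tries, most specific first.

    The host label is dropped, then "wpad" is prepended to the remaining
    domain while labels are stripped from the left. Assumed stop rule:
    never query wpad.<tld>.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    domain = labels[1:]  # the client's own domain, without its host label
    names = []
    while len(domain) >= 2:
        names.append("wpad." + ".".join(domain))
        domain = domain[1:]
    return names


def audit(fqdn, org_domain):
    """Split the candidates into names inside and outside org_domain.

    org_domain is supplied by the administrator: the highest domain the
    organisation actually controls. Any name in the second list would be
    answered by whoever controls that outside domain.
    """
    org = org_domain.rstrip(".").lower()
    inside, outside = [], []
    for name in wpad_candidates(fqdn):
        parent = name[len("wpad."):]
        if parent == org or parent.endswith("." + org):
            inside.append(name)
        else:
            outside.append(name)
    return inside, outside


if __name__ == "__main__":
    # Constructed sample hosts; example.com / example.co.uk are placeholders.
    for host, org in [("pc7.lab.example.com", "example.com"),
                      ("pc7.lab.corp.example.co.uk", "example.co.uk")]:
        inside, outside = audit(host, org)
        print(host, "inside:", inside, "outside:", outside)
```

Under a two-label public suffix the stop rule still lets one lookup leave the organisation, which is why a WPAD fallback is safer disabled or pinned to a name the site controls.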


