On Thu, Dec 18, 2008 at 6:13 PM, Michael Banck <mba...@debian.org> wrote:
> On Thu, Dec 18, 2008 at 12:51:34PM +0100, Bastien ROUCARIES wrote:
>> On Thu, Dec 18, 2008 at 12:35 PM, Bjørn Mork <bm...@dod.no> wrote:
>> > Florian Weimer <f...@deneb.enyo.de> writes:
>> >
>> > I would very much like this library to become the *only* WPAD
>> > implementation anywhere. Hopefully eventually with some ability to
>> > define local policies, where the default Debian policy could be very
>> > strict. E.g. "Never trust DNS for WPAD", or "Never use WPAD at all".
>>
>> I tend to agree, we have not forbidden root to do rm -arf .
>> It is the same, it is a policy problem. With current libproxy, could root
>> forbid the use of WPAD, even if user ask it?
>
> Dan Winship, one of the libproxy authors, replied:
>
> | - The fact that it's broken doesn't change the fact that lots of
> |   sites use it
> |
> | - It's already implemented by other programs in the distro anyway
> |   (notably Firefox)
> |
> | - Its use in libproxy can be disabled system-wide by the
> |   administrator
> |
> |I think in current libproxy WPAD is enabled by default though. We should
> |make sure that's changed.

It would also be interesting to add a link to, or copy verbatim (with the author's permission) in README.Debian, the poison pill of this protocol, see for instance http://www.mercenary.net/blog/index.php?/archives/42-HOWTO-WPAD.html and some explanation about the (in)security of WPAD.

Regards

Bastien