On Thu, Jan 8, 2009 at 12:46 AM, Emilio Pozuelo Monfort <po...@ubuntu.com> wrote:
> Hi Florian, and sorry for the long delay.
>
> Florian Weimer wrote:
>> Well, it's not my package, so you don't have to listen to me. I'm
>> also not speaking for the security team.
>
> Oh, should you have said that before, I'd have ignored all your comments :P
>
>> But I appreciate your
>> efforts to address my concerns.
>
> And I appreciate you raising your concerns. I don't want to bring anything to
> Debian if it has serious security issues. Especially if it's a library that is
> going to be used by lots of projects (including GNOME).
>
>> From a PR point of view[1], I strongly suggest to disable it by
>> default, and implement only the partial form which is present in
>> Iceweasel (just look up "wpad.", and no DNS devolution).
>
> I've talked with upstream and he's told me he would accept any patch that
> disables any portion of the code that may have security implications, providing
> there's an option to enable it (at build time). He also prefers those portions
> of code to be disabled by default, so we're good.

Instead of being disabled, the code could be made dependent on an /etc/ configuration file. It is policy; you could install telnetd even if it is insecure on your local machine. A global configuration file would be nice. And if root wants to shoot himself in the foot and allow users to do it, why not?

Regards

Bastien