Main Inclusion Report for libproxy

Requirements

1. Availability: http://archive.ubuntu.com/ubuntu/pool/universe/libp/libproxy; built everywhere except hppa (needs building) as of January 8th, 2009.

2. Rationale:

   • Build dependency of libsoup, will be required for GNOME 2.26 (already blocking GNOME 2.25).

3. Security:

   • CVE entries: No CVEs.

   • Secunia history: No Secunia matches.

   • No daemons. No suid/guid binaries. Everything running on userspace.

   • Network activity: doesn't open ports. It handles proxy configuration from many sources. Upstream 0.2.3 version has WPAD DNS devolution support. This is risky. Florian Weimer raised some concerns about this, addressed here. We will disable WPAD DNS lookup except for the given domain (which doesn't imply a security risk).

   • Does not handle binary data AFAIK.
   • Package reviewed by Sebastien Bacher and Martin Pitt before being accepted into universe (not sure if source was reviewed though).

4. Quality assurance:

   • libproxy looks at some places for proxy configuration. If it can't find it in one place (e.g. GNOME), it will then look at another place (config file, env variables, WPAD DNS).
   • No debconf questions.

   • Debian bugs: Package is not in Debian yet. Will be uploaded soon.

   • http://code.google.com/p/libproxy/source/list is active.

   • Upstream bug tracker: Issue #20 is important from a security POV (see the Debian ITP and followups, specially this one and its followups. Also see this wikipedia article.

   • The library doesn't interact with hardware.

   • A testsuite is being developed upstream for the next release.

5. UI standards:

   • Not relevant (no strings, no desktop files needed).

6. Standards compliance:

   • FHS, Debian Policy compliant.

   • Debian library packaging guide standards compliant.

   • Packaging: CDBS, maintained in pkg-gnome in Debian. Uses CDBS' simple-patchsys.

7. Dependencies:

   • Depends on libc6. Plugin dependencies are dlopened on runtime so that we don't need to depend on a ton of packages. If you use GNOME, the GNOME plugin will be used for you, if you use KDE the KDE plugin...

   • libc6 is in main, yes

8. Maintenance:

   • Shouldn't take a lot of time to maintain.
   • Emilio Pozuelo Monfort will maintain it, but any help is welcome!

9. Background information:

   • This is and has always been libproxy.

Reviewers

MIR bug: https://launchpad.net/bugs/314945

MIR written by Emilio Pozuelo Monfort.