by thundarr 337 days ago
If only he made that much effort to get Chromium to fix the issue. The source of the problem is with a dependency of the email clients, not the email clients themselves.

He is bothering small free software projects so that those small free software projects ask Chromium to fix the issue.

6 comments

Just my opinion, but the dependency on Chromium is a problem in itself. You don't need a full-blown browser to render HTML email. The fact that it is no longer viable for a client to ignore HTML nowadays is something unfortunate, to say the least. Real people only need Emoji support at best (or at worst), because nowadays everyone from your bank to your local security expert tells you "don't click on links in emails", and your local privacy expert tells you to turn off every convenience feature related to HTML.

On another note, TFA talks about a "GNOME toxic development culture", which looks like a blanket statement. Does it really exist?

I use w3m to format HTML email for reading in emacs. It does a pretty good job with tables which are still used a lot in email formatting.
If only the developers of Evolution Mail made any effort to get the issue fixed in the 15 months they've known about it.

It's unacceptable to sit on a privacy affecting bug like this for 15 months.

This continuously repeated bullshit that the source of the problem lies elsewhere is tiring. They're knowingly using a library with a security bug, and they're doing:

1. Nothing to get the devs of that library to fix it

2. Nothing to fix the library themselves

3. Nothing to warn their users

4. Nothing in their local application to protect their users.

This is not how secure development works.

You’re welcome to submit a request for a refund of the purchase price for Evolution.

Your Gitlab issue is a textbook example of why open source devs quit. And now you’re wandering around trying to drum up a mob to further pressure people to do free work for you.

I don't care if it's free or paid. If it has privacy flaws, they should be fixed, or people should be informed of them. Evolution Mail isn't interested in doing either of those things. So I'll do it for them. If you think that informing people is, "drumming up a mob", then you are wrong.
If your response to the idea of sanitizing HTML is a clown emoji, I don't simply not care if you quit open source, I actively want you out of the entire industry.

Hope that helps.

This is hardly an unreasonable request. It's exactly the right move in this case. If you don't feel like fixing anything, declare the project unmaintained and close the issue tracker.
They have done #1 and the library is WebKit and so #2 isn't happening. Not the least of which because of the lack of expertise to patch that code base but because it's dynamically linked and in most deployment scenarios they get the webkit provided by the distro. If Evolution even tried to vendor WebKit downstream packagers would patch it out so that it links to the system lib and gets security patches along with the rest of the system.
They really haven't done number 1. A bug report was submitted, and then it has stalled for 15 months.

As of this point in time, nobody has explained to me why it would be a bad idea to add a "Do not rely on for privacy. More info" message next to the feature in Evolution Mail.

That is 100% true. Users of Evolution Mail should not rely on that feature for privacy. Because Evolution Mail has chosen to add known flawed software to their application.

And despite lacking the will or ability to fix that software, they are unwilling to take a different path to patch over the problem until it is fixed in the library, by sanitising the html and stripping problematic tags/attributes.

These are all their choices. And all of their choices lead to end users being exposed to a privacy risk, and unaware of it.

...so strip the offending HTML before passing it to WebKit? What is this, kindergarten?
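The comments above argue for sanitising the HTML in the client before handing it to the rendering engine, stripping the tags and attributes that can reach the network. The following is an added illustration of that approach, written for this page; it is not code from Evolution, Geary or WebKitGTK, and the allowlists, the `cid:`/`data:` rule for images and the sample message are assumptions chosen for the example. It uses only Python's standard-library `html.parser` and drops anything that can load a remote resource or run code: `<script>`, `<style>`, `<iframe>` and similar subtrees, every `style` and `on*` attribute, `javascript:` links, and any `<img src>` that does not point at an attached MIME part or inline data. It also counts the remote images it removed so the client could show a "remote content blocked" notice instead of silently loading it.

```python
from html import escape
from html.parser import HTMLParser

# Structural tags that render fine offline (assumption: tune per client policy).
ALLOWED_TAGS = {
    "a", "b", "blockquote", "br", "div", "em", "h1", "h2", "h3", "h4", "hr", "i",
    "img", "li", "ol", "p", "pre", "span", "strong", "table", "tbody", "td", "th",
    "thead", "tr", "u", "ul",
}
# Tags whose whole subtree is dropped: they can run code or fetch remote resources.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript", "svg", "math"}
VOID_TAGS = {"br", "hr", "img"}
# Per-tag attribute allowlist. "style" and "on*" are never allowed: CSS url() and
# event handlers are both ways to reach the network.
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "td": {"colspan", "rowspan"},
    "th": {"colspan", "rowspan"},
}
LINK_SCHEMES = ("http://", "https://", "mailto:")
# Images may only reference MIME parts of the message (cid:) or inline data, never the network.
IMG_SCHEMES = ("cid:", "data:image/")


class EmailSanitizer(HTMLParser):
    """Rebuilds the document from an allowlist; everything unknown is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0       # > 0 while inside a dropped subtree
        self.blocked_remote = 0   # remote image references removed, for a UI notice

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            v = value.strip().lower()
            if tag == "a" and name == "href" and not v.startswith(LINK_SCHEMES):
                continue  # javascript:, data:, file: and friends
            if tag == "img" and name == "src" and not v.startswith(IMG_SCHEMES):
                self.blocked_remote += 1
                continue  # tracking pixel or other remote image
            kept.append((name, value))
        return kept

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return
        attr_text = "".join(
            f' {n}="{escape(v, quote=True)}"' for n, v in self._clean_attrs(tag, attrs)
        )
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        # A self-closing <iframe/> has no end tag, so it must not open a skipped subtree.
        if self.skip_depth or tag in DROP_WITH_CONTENT:
            return
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape decoded text


def sanitize_email_html(html: str) -> tuple:
    """Return (sanitized_html, number_of_remote_images_removed)."""
    parser = EmailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.blocked_remote


# Constructed sample message with the usual tracking and script vectors.
SAMPLE_EMAIL = (
    '<html><head><style>body{background:url("https://tracker.example/css.gif")}</style></head>'
    '<body><p onclick="alert(1)">Hi <b>there</b></p>'
    '<img src="https://tracker.example/pixel.gif" width="1" height="1">'
    '<img src="cid:logo@example" alt="logo">'
    '<a href="javascript:alert(1)">bad link</a> <a href="https://example.com/">ok link</a>'
    '<script>document.location="https://evil.example"</script>'
    '<div style="background:url(https://tracker.example/bg.png)">styled</div></body></html>'
)

if __name__ == "__main__":
    clean, blocked = sanitize_email_html(SAMPLE_EMAIL)
    print(f"blocked {blocked} remote image(s)")
    print(clean)
```

The output for the sample keeps the text, the attached `cid:` logo and the `https:` link, and nothing that references `tracker.example` or `evil.example` survives. An allowlist that rebuilds the markup is deliberately preferred over a denylist that deletes known-bad tags: a denylist has to anticipate every way a renderer can be made to fetch something, while an allowlist only has to enumerate what the client actually wants to display.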
There is no dependency on Chromium. The projects are using WebKitGtk.

PS: I'm thankful that they don't use that thing from Google.

I thought the Evolution issue was related to WebKit. Same for the other one (Geary). Does chromium also have the same issue? Regardless, it seems like these issues are all related to WebKitGTK, not Chromium.
>The source of the problem is with a dependency of the email clients, not the email clients themselves.

For end users, that's a distinction without a difference. Programmers are responsible for their choice of dependencies. If you've chosen to depend on it, it becomes your problem. Chromium is open source, no? So the email client programmer can fix that bug himself.

It’s their product, IMHO it’s their responsibility. They can pressure the upstream library developers (good luck with that) or submit a patch, or switch to another library. The “not my problem” attitude from these projects is likely another good reason to avoid these projects.