by mike-cardwell 337 days ago
If only the developers of Evolution Mail made any effort to get the issue fixed in the 15 months they've known about it.

It's unacceptable to sit on a privacy affecting bug like this for 15 months.

This continuously repeated bullshit that the source of the problem lies elsewhere is tiring. They're knowingly using a library with a security bug, and they're doing:

1. Nothing to get the devs of that library to fix it

2. Nothing to fix the library themselves

3. Nothing to warn their users

4. Nothing in their local application to protect their users.

This is not how secure development works.


You’re welcome to submit a request for a refund of the purchase price for Evolution.

Your Gitlab issue is a textbook example of why open source devs quit. And now you’re wandering around trying to drum up a mob to further pressure people to do free work for you.

I don't care if it's free or paid. If it has privacy flaws, they should be fixed, or people should be informed of them. Evolution Mail isn't interested in doing either of those things. So I'll do it for them. If you think that informing people is, "drumming up a mob", then you are wrong.
If your response to the idea of sanitizing HTML is a clown emoji, I don't simply not care if you quit open source, I actively want you out of the entire industry.

Hope that helps.

This is hardly an unreasonable request. It's exactly the right move in this case. If you don't feel like fixing anything, declare the project unmaintained and close the issue tracker.

They have done #1 and the library is WebKit and so #2 isn't happening. Not the least of which because of the lack of expertise to patch that code base but because it's dynamically linked and in most deployment scenarios they get the webkit provided by the distro. If Evolution even tried to vendor WebKit downstream packagers would patch it out so that it links to the system lib and gets security patches along with the rest of the system.

They really haven't done number 1. A bug report was submitted, and then it has stalled for 15 months.

As of this point in time, nobody has explained to me why it would be a bad idea to add a "Do not rely on for privacy. More info" message next to the feature in Evolution Mail.

That is 100% true. Users of Evolution Mail should not rely on that feature for privacy. Because Evolution Mail has chosen to add known flawed software to their application.

And despite lacking the will or ability to fix that software, they are unwilling to take a different path to patch over the problem until it is fixed in the library, by sanitising the html and stripping problematic tags/attributes.

These are all their choices. And all of their choices lead to end users being exposed to a privacy risk, and unaware of it.

...so strip the offending HTML before passing it to WebKit? What is this, kindergarten?
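The mitigation the thread keeps coming back to, sanitising the HTML body and stripping problematic tags and attributes in the mail client before the rendering engine ever sees it, as an added example that is not Evolution's code and is not taken from the thread. The page does not describe the WebKit bug itself, so the allow-list policy below (drop script, CSS and anything that embeds or fetches a remote resource; keep a few structural tags) is an assumption, and the input is constructed.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allow-list policy (an assumption for this example, not Evolution's):
# drop anything that can run script, apply CSS (url() fetches) or embed a remote
# resource; pass through a few structural tags with almost no attributes.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg", "link",
                     "meta", "base", "form", "video", "audio"}
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li", "div",
                "span", "blockquote", "h1", "h2", "h3", "table", "tr", "td", "th", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "td": {"colspan", "rowspan"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()          # convert_charrefs=True: data arrives decoded
        self.out = []
        self.skip_depth = 0         # >0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth or tag in DROP_WITH_CONTENT:
            self.skip_depth += tag in DROP_WITH_CONTENT   # nest-aware skipping
            return
        if tag not in ALLOWED_TAGS:     # e.g. <img>: unwrap, nothing fetched
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue            # event handlers, style, src, ... all dropped
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue            # javascript:, data:, cid:, vbscript: ...
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            self.skip_depth -= tag in DROP_WITH_CONTENT
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize_mail_html(body: str) -> str:
    # Rebuilds the body from the allow-list; unknown tags are unwrapped (text kept).
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)
```

Because the output is rebuilt rather than filtered in place, whatever the engine's own handling of remote content does or does not do, there is nothing left in the body for it to fetch.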