Evolution Mail Users Easily Trackable Part 2

22 points by zdw | 5 comments | 7/18/2025, 7:26:35 PM | grepular.com

Comments (5)

drdaeman · 3h ago
> Evolution probably does not require any changes whatsoever to fix this. This problem is not specific to Evolution; it very probably affects Balsa and Geary at least, and all other applications using WebKitGTK that wish to audit outgoing HTTP requests. The problem is that WebKitGTK is making HTTP requests that bypass its API for blocking HTTP requests, which Evolution relies on.

https://gitlab.gnome.org/GNOME/evolution/-/issues/3095#note_...

like_any_other · 4h ago
Most devs are entirely too casual about making network requests. Do they not share users' expectation that the software won't rat them out to random servers?

tetromino_ · 2h ago
Summary: there is a long-standing bug in Webkit which causes network connection from (probably?) any tag that sets a `rel` attribute to be non-auditable and non-blockable by client code using Webkit.

Mike Cardwell stumbled on the manifestation of this bug in Evolution (which uses Webkit for rendering html mail). His proposal was for Evolution to filter html content before passing it to Webkit for rendering. Evolution devs' counterproposal was to ask Mike to write a patch to fix the Webkit bug, so not just Evolution but all other applications built on top of Webkit benefit.

Instead of writing a patch for Webkit (or at least further investigating the Webkit bug), Mike responded by writing two blog posts denouncing Evolution devs.

Evolution devs responded by locking the bug thread and threatening to ban Mike.

TL;DR drama due to cultural difference.
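The mitigation described in the summary above (filter the HTML before it is handed to WebKit, so nothing that can trigger a network fetch reaches the engine that cannot be trusted to block it), as an added Python example. This is not code from Evolution, WebKitGTK or the blog posts under discussion; the tag and attribute lists, the `cid:`/`data:` allowlist, and the sample message are this example's own constructed choices, and the lists are not a complete catalogue of every HTML feature that can load a remote resource.

```python
"""Pre-render filter for HTML mail: remove anything that could start a
network request before the markup reaches an embedded browser engine.

Added example (stdlib only). It fails closed: a resource reference is kept
only when it points at a MIME part (cid:) or inline data (data:); relative,
protocol-relative and http(s) references are all stripped and logged so the
mail client can surface "this message tried to load N remote resources".
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements removed outright. <link> goes regardless of its rel value, since the
# thread reports that rel-bearing tags bypass the engine's blocking API.
DROP_TAGS = {"link", "base", "meta", "script", "style", "object", "embed",
             "iframe", "frame", "applet", "source", "track", "video", "audio"}
# Of those, the elements whose body must also be discarded.
DROP_WITH_BODY = {"script", "style", "object", "iframe", "applet", "video", "audio"}
# Attributes that carry a fetchable URL. href on <a> is kept: following a link
# is a user action, not an automatic load. ping is always removed.
URL_ATTRS = {"src", "srcset", "poster", "background", "data", "action",
             "formaction", "longdesc", "href"}
# CSS constructs inside a style attribute that can fetch a resource.
CSS_FETCH = re.compile(r"url\s*\(|@import|expression\s*\(", re.I)
LOCAL_SCHEMES = {"cid", "data"}


def is_local(value, candidate_list=False):
    """True only if every URL in the attribute refers to a MIME part or inline
    data. candidate_list=True parses a srcset ("a.png 1x, b.png 2x"); a data:
    URL inside a srcset contains commas and is therefore treated as remote,
    which errs on the side of stripping it."""
    candidates = value.split(",") if candidate_list else [value]
    for candidate in candidates:
        parts = candidate.split()
        url = parts[0] if parts else ""
        if urlsplit(url.strip()).scheme.lower() not in LOCAL_SCHEMES:
            return False
    return True


class RemoteRefStripper(HTMLParser):
    """Re-serialises the document, minus remote references. `removed` is the
    audit trail: (tag, attribute, value) for a stripped attribute, or
    (tag, None, {attrs}) for an element dropped whole."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities verbatim
        self.out, self.removed, self._skip_depth = [], [], 0

    def _render(self, tag, attrs, self_closing=False):
        kept = []
        for name, value in attrs:
            if value is None:                      # boolean attribute
                kept.append(name)
            elif name == "ping":
                self.removed.append((tag, name, value))
            elif name in URL_ATTRS and not (tag == "a" and name == "href") \
                    and not is_local(value, name == "srcset"):
                self.removed.append((tag, name, value))
            elif name == "style" and CSS_FETCH.search(value):
                self.removed.append((tag, name, value))
            else:
                kept.append(f'{name}="{escape(value, quote=True)}"')
        attr_text = (" " + " ".join(kept)) if kept else ""
        return f"<{tag}{attr_text}{' /' if self_closing else ''}>"

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            self._skip_depth += tag in DROP_WITH_BODY   # nested dropped body
            return
        if tag in DROP_TAGS:
            self.removed.append((tag, None, dict(attrs)))
            self._skip_depth = 1 if tag in DROP_WITH_BODY else 0
            return
        self.out.append(self._render(tag, attrs))

    def handle_startendtag(self, tag, attrs):      # <br />, <link ... />
        if self._skip_depth:
            return
        if tag in DROP_TAGS:
            self.removed.append((tag, None, dict(attrs)))
            return
        self.out.append(self._render(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        if self._skip_depth:
            self._skip_depth -= tag in DROP_WITH_BODY
        elif tag not in DROP_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip_depth:
            self.out.append(f"&#{name};")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def handle_comment(self, data):     # comments carry no renderable content
        pass


def strip_remote_references(html):
    """Return (sanitised_html, audit_trail) for one HTML message body."""
    parser = RemoteRefStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample message: a stylesheet <link>, a CSS background, a
# tracking pixel and a ping attribute, next to a legitimate cid: image.
SAMPLE_MAIL = (
    '<html><head><link rel="stylesheet" href="https://track.example/style.css">'
    '<style>body{background:url(https://track.example/bg.png)}</style></head>'
    '<body><p style="background:url(https://track.example/p.png)">Hello &amp; welcome</p>'
    '<img src="cid:logo@mail" alt="logo">'
    '<img src="https://track.example/pixel.gif?id=42" width="1" height="1">'
    '<a href="https://example.com/offer" ping="https://track.example/click">Offer</a>'
    '</body></html>'
)

if __name__ == "__main__":
    clean, removed = strip_remote_references(SAMPLE_MAIL)
    print(clean)
    for entry in removed:
        print("stripped:", entry)
```

The audit trail is the part worth keeping even if the engine bug is fixed upstream: it lets the client count and display blocked remote loads per message, which is how a user notices a tracking pixel in the first place. Dropping `<link>` unconditionally rather than inspecting `rel` is deliberate, since the class of bypass described above is tied to the presence of `rel`, not to any particular value.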

veeti · 2h ago
This reflects a failure in security "culture" within the GNOME project. Whether the issue boils down to a bug in WebKit or Evolution code, it is ultimately the Evolution developer's responsibility to not ship an end product with known security issues. Whether that is achieved by changes upstream or in the Evolution project is of no relevance to the end users or general public at large.

tetromino_ · 2h ago
> it is ultimately the Evolution developer's responsibility to not ship an end product with known security issues

Is it? One could argue that Evolution developers do not ship an end product, and that it's distros - Debian, Fedora, etc. - who ship the end product by combining Evolution at version X with Webkit at version Y, and possibly patching both.