I wasn't aware of Balsa or Geary, but it's interesting to note that the author has mentioned that they are affected by GNOME's culture. I also have found the GNOME devs to have issues with admitting any fault at all, security or otherwise, but I wasn't aware of them being linked to any email clients other than Evolution - which I have been using.
What's a good app for Exchange on Linux? I could use the web app, which my company has available, but I do appreciate having a dedicated email client sometimes, particularly for OS notifications (which will work without having the browser open).
marcusb · 6h ago
Not defending the GNOME devs as being perfect, but I'd suggest reading this from the start: https://gitlab.gnome.org/GNOME/evolution/-/issues/3095 and then deciding if the author is really being affected by a "toxic development culture" at GNOME.
chucksmash · 5h ago
Reading the thread, I don't see how that's much of a defense.
A GNOME foundation member going through the thread to decorate the reporter's posts with clown emoji reactions is not great.
It seems reasonable to say "even if this is caused by one of your library dependencies, users are using your application and you should try to find a mitigation."
If you get in a wreck because your brakes fail, imagine the car manufacturer saying "oh that's not a problem with the car, it's a problem with the brakes. Talk to the brake manufacturer."
"No warranty express or implied" and all that, but still.
zettabomb · 4h ago
Yeah, ultimately the user doesn't install the dependencies, they install Evolution. So if there's a security issue, that's where they'll see it. There are also potential mitigations for this, for instance scrubbing the HTML (which it seems Geary actually does, just not for this).
dooglius · 5h ago
No one here comes out looking particularly good, but at the end of the day the issue is still unpatched and OP is doing a good thing spreading that information.
zettabomb · 4h ago
That issue does not really work in GNOME's favor; based on reading that, I'd say they're being pretty toxic.
marcusb · 2h ago
We’ll have to agree to disagree about that. The clown-emoji guy is out of line (at least, I wouldn’t respond to a user that way,) but the reporter:
* opens up his bug report passive-aggressively complaining about not getting a response to his emailed report, which he sent to a completely unrelated domain
* immediately fished for a bug bounty payout
* submitted his report against a 2.5 year old release, wasting maintainer time and then pushes back that because it came with his preferred distribution[0] that made it the Evolution maintainer’s problem.
* when the maintainers pointed out this was a dependency problem, accuses them of “buck passing” and demands they warn users of specific distributions about the problem he reported, which is, of course, completely impractical for them to do.
* does not engage at all with the Webkit developer who is trying to explain what the problem is and why fixing in Webkit is the right thing.
* demands one of a selected list of fixes from the maintainers. Note: if his suggested fixes are so simple, a PR at this point implementing one of them would have probably been more productive than what he did post:
> I understand that this is completely out of your power to do anything about, and that it is also completely out of your power to put a notice in the UI about the functionality not working for privacy purposes. Please add clown and face-palm emojis to this comment as per my other comments, to indicate you have read it.
He didn’t do himself any favors and, IMO, doesn’t have much of a leg to stand on to complain about the tone of the response he got. He got back what he put out.
0 - a distribution, by the way, that is notorious for distributing hacked up out of date software. See: the OpenSSH key saga as well as projects like XScreensaver that have Debian-specific FAQ entries telling their users how to get reasonably up to date software (https://www.jwz.org/xscreensaver/faq.html#upgrade)
ryandrake · 5h ago
Honestly, I think the GNOME devs in that thread were really patient with a bug filer who kept escalating and inserting little taunting quips, and ultimately was barking up the wrong tree (project). He could have easily just accepted that the bug was in a different project, and go press that team instead. You're not going to get anywhere with such an argumentative tone.
dotancohen · 6h ago
A few years ago while working at a company that required Exchange, I was using Thunderbird with an addon called Owl. It was a paid addon, I think in the neighborhood of $10 to $20, and very much worth it. Full calendar integration and everything. Outlook users would be interested in my setup.
KetoManx64 · 5h ago
I'm using this at the moment, works very smoothly.
$10/year, with full support for calendar, shared mailboxes and accepting teams event invites.
esseph · 5h ago
"Exchange on Linux"?
You are looking for a minority of a minority of a minority - People using Linux, people using an email client, people using Linux that want all the MS Exchange features.
Tons of "general" email clients out there, sure, but you're talking about a largely proprietary system.
zettabomb · 4h ago
Have to disagree, having worked at multiple companies using Exchange for their email servers but with Linux workstations. It's not so uncommon for software devs to request a Linux system, depending on the field. I'll agree that it's less common, but the issue is more the small number of people using Linux rather than Exchange.
esseph · 3h ago
Sounds like we actually don't disagree at all, then!
npodbielski · 5h ago
I like using Edge for that. Desktop notifications work and I can log off from work by closing the entire window. When I change company I am getting rid of the profile.
Sophia95 · 7h ago
Evolution is the only client on Linux (that I’m aware of) that fully supports Microsoft Exchange and Google out of the box without any plugins. I used Thunderbird for a long time, however I got frustrated so many times after things broke after every update because essential plugins stopped working. Yes, you may say Evolution's UI is old, but the software is rock solid and software in general is more than its GUI. It’s good to bring awareness about the tracking but I’m not so bothered by it, as it's hard to find software that doesn’t track you these days.
nehal3m · 7h ago
>It’s good to bring awareness about the tracking but I’m not so bothered by it, as its hard to find software that doesn’t track you these days
That's a non-sequitur. Just because it's common does not mean it's okay.
fsckboy · 4h ago
they didn't say it was ok, they said it was good to be informed about it, they were not personally bothered by it, and they added that it's difficult to find software that doesn't do it. there is no non sequitur
nehal3m · 3h ago
They said they're not bothered by it as it's difficult to find software that doesn't spy on you. I interpret that as 'I am not bothered by this because there are no alternatives'. So there is a non sequitur.
ho_schi · 6h ago
Same here. Nowadays we've switched from Exchange and use IMAP. I stay with Evolution because the client and integration are good. I like some design decisions in the UI. Evolution allows using client-side decorations and a traditional menu bar at the same time. And they've added integrated Markdown support lately, while an upgrade to Gtk4 is hopefully coming. I would love to see support for notes via IMAP, similar to how iOS has done for many years.
PS: If your E-Mails are stored on an Exchange-Server (or: worse Azure) the discussed problem is the least issue.
zettabomb · 7h ago
I feel like I should note that Exchange support is indeed a plugin, and isn't installed by default on (for example) Fedora. However, I believe it's a first party plugin.
forlorn · 6h ago
Thunderbird has reportedly added experimental Exchange support in 140. Though I haven't figured out how to enable and test it :)
newscracker · 6h ago
The support is only for the EWS protocol (MS Graph will probably come next year). You can enable it in beta by going to Config Editor (this is primarily for advanced users), searching for the preference "experimental.mail.ews.enabled" and setting it to true.
You would have to manually add the account. Currently only mail is supported. No calendar support.
Thunderbird users who need full Exchange support today, including mail, are encouraged to try the Owl addon. I used it a few years ago, very happy with it. I think it costs between $10 and $20, not a big expense for business software.
ho_schi · 6h ago
It was postponed. The release page is wrong :)
Probably Thunderbird tries it again with 141.
thundarr · 7h ago
If only he made that much effort to get Chromium to fix the issue. The source of the problem is with a dependency of the email clients, not the email clients themselves.
He is bothering small free software projects so that those small free software projects ask Chromium to fix the issue.
astrobe_ · 6h ago
Just my opinion, but the dependency on Chromium is a problem in itself. You don't need a full-blown browser to render HTML email. The fact that it is no more viable for a client to ignore HTML nowadays is something unfortunate, to say the least.
Real people only need Emoji support at best (or at worst), because nowadays everyone from your bank to your local security expert tells you "don't click on links in emails", and your local privacy expert tells you to turn off every convenience feature related to HTML.
On another note, TFA talks about a "GNOME toxic development culture", which looks like a blanket statement. Does it really exist?
SoftTalker · 6h ago
I use w3m to format HTML email for reading in emacs. It does a pretty good job with tables which are still used a lot in email formatting.
mike-cardwell · 7h ago
If only the developers of Evolution Mail made any effort to get the issue fixed in the 15 months they've known about it.
It's unacceptable to sit on a privacy affecting bug like this for 15 months.
This continuously repeated bullshit that the source of the problem lies elsewhere is tiring. They're knowingly using a library with a security bug, and they're doing:
1. Nothing to get the devs of that library to fix it
2. Nothing to fix the library themselves
3. Nothing to warn their users
4. Nothing in their local application to protect their users.
This is not how secure development works.
akerl_ · 5h ago
You’re welcome to submit a request for a refund of the purchase price for Evolution.
Your Gitlab issue is a textbook example of why open source devs quit. And now you’re wandering around trying to drum up a mob to further pressure people to do free work for you.
mike-cardwell · 5h ago
I don't care if it's free or paid. If it has privacy flaws, they should be fixed, or people should be informed of them. Evolution Mail isn't interested in doing either of those things. So I'll do it for them. If you think that informing people is, "drumming up a mob", then you are wrong.
jadamson · 5h ago
If your response to the idea of sanitizing HTML is a clown emoji, I don't simply not care if you quit open source, I actively want you out of the entire industry.
Hope that helps.
zettabomb · 4h ago
This is hardly an unreasonable request. It's exactly the right move in this case. If you don't feel like fixing anything, declare the project unmaintained and close the issue tracker.
Spivak · 7h ago
They have done #1 and the library is WebKit and so #2 isn't happening. Not the least of which because of the lack of expertise to patch that code base but because it's dynamically linked and in most deployment scenarios they get the webkit provided by the distro. If Evolution even tried to vendor WebKit downstream packagers would patch it out so that it links to the system lib and gets security patches along with the rest of the system.
mike-cardwell · 6h ago
They really haven't done number 1. A bug report was submitted, and then it has stalled for 15 months.
As of this point in time, nobody has explained to me why it would be a bad idea to add a "Do not rely on for privacy. More info" message next to the feature in Evolution Mail.
That is 100% true. Users of Evolution Mail should not rely on that feature for privacy. Because Evolution Mail has chosen to add known flawed software to their application.
And despite lacking the will or ability to fix that software, they are unwilling to take a different path to patch over the problem until it is fixed in the library, by sanitising the html and stripping problematic tags/attributes.
These are all their choices. And all of their choices lead to end users being exposed to a privacy risk, and unaware of it.
jadamson · 6h ago
...so strip the offending HTML before passing it to WebKit? What is this, kindergarten?
ho_schi · 6h ago
There is no dependency on Chromium. The projects are using WebKitGtk.
PS: I'm thankful that they don't use that thing from Google.
1over137 · 7h ago
>The source of the problem is with a dependency of the email clients, not the email clients themselves.
For end users, that's a distinction without a difference. Programmers are responsible for their choice of dependencies. If you've chosen to depend on it, it becomes your problem. Chromium is open source, no? So the email client programmer can fix that bug himself.
mardifoufs · 6h ago
I thought the Evolution issue was related to WebKit. Same for the other one (Geary). Does chromium also have the same issue? Regardless, it seems like these issues are all related to WebKitGTK, not Chromium.
cmiles74 · 6h ago
It’s their product, IMHO it’s their responsibility. They can pressure the upstream library developers (good luck with that) or submit a patch, or switch to another library. The “not my problem” attitude from these projects is likely another good reason to avoid these projects.
ChocolateGod · 6h ago
If the library they depend on isn't getting fixed then it needs to be worked around (doable with HTML sanitisation) or use another library that's usable for the purpose of an email client.
If neither of those are doable, the software needs a warning that it's vulnerable to such a terrible privacy exploit. People over however many years this has been possible deserve to know that their email client has been allowing any random person on the internet to easily get their IP address or know they're on their computer.
If you can't do this why are you maintaining software, it's unmaintained at that point. The replies to the bug report are just terrible attitude even if factually correct.
shamiln · 7h ago
Of course, no commercial ones like Outlook are on the list…
mike-cardwell · 7h ago
The list is brand new. I will be updating it as I have time to test clients.
ipcress_file · 7h ago
Will you add a list of Known Good Email Clients? Or just "Tested Clients"? Since you can't possibly test them all, it would be nice to know which ones have been evaluated.
mike-cardwell · 7h ago
Yes. I will do that. Good idea.
gruez · 5h ago
FWIW I tested with gmail a few weeks ago and it was fine.
e-dant · 6h ago
What's all this controversy with GNOME? I must be missing something. Isn't it perfectly reasonable to say that some security issue in a dependency (which is maintained and open and funded, like WebKit or Linux) is not the fault of someone down the line to fix?
I can't imagine someone reporting a bug to one of my repos about some race condition in the kernel. Why the hell are you bothering me with that? Tell the LKML.
That's not to say I'm not sympathetic, it's just, like, what do you expect me to do?
dooglius · 5h ago
> what do you expect me to do?
Off the top of my head: you could broadcast it more publicly that there is a known issue (particularly important if this is a security issue). You could change code to avoid whatever kernel features trigger the race. You could print a warning if you detect the kernel version is an unpatched one and/or has Kconfig in whatever state exposes the issue.
tylerapplebaum · 7h ago
Geary has been crashing with some regularity over the past few weeks anyway. Guess I’ll migrate to Thunderbird.
mike-cardwell · 7h ago
I noticed that during my testing. Was difficult to keep it running for more than a few seconds at times. Thunderbird is a good choice.
curt15 · 7h ago
Isn't Geary basically a one-person show? I remember evaluating Geary a couple years ago and it looked like there was only one active developer. I ended up going with Thunderbird + Davmail.
theyknowitsxmas · 7h ago
I have that problem. Too bad there is no html client that isn't a massive RAM hog.
esseph · 5h ago
Do you often run out of memory?
Want to understand this more. I know I'm talking from a position of privilege, but it's really hard to find a machine these days with less than 16 or 32GB of RAM from the factory.
Even going back several years, DDR4 has been extremely cheap for a long time, and DDR5 is finally closer to general ram prices.
Are you using mini PCs with soldered ram?
hexagonwin · 6h ago
seamonkey mail seems to work well for me
ho_schi · 6h ago
So much text instead of mentioning that WebKitGtk doesn't provide that feature (currently). WebKitGtk is a good engine but somebody should address that issue. Feels like a developer had only Epiphany as web-browser in consideration and forgot that mail-clients prefer to not load images.
Evolution is a good mail client in general.
PS: Prefer always text-mail. When sending. When receiving.
kkfx · 4h ago
What I fail to understand is why no one seems to offer the most logical MUE, which is essentially offering the full download/sync of all accounts' maildirs, like with OfflineIMAP, then offering powerful local indexing like notmuch/mu with a pre-made UI nice for end users.
Slogan: own your own messages, own a local GMail. We have all the code except the UI
See https://blog.thunderbird.net/2025/07/thunderbird-monthly-dev...