Re: WebKitGTK+ in Balsa



On 8/28/2016 6:55 PM, Peter Bloomfield wrote:
Hi All!

Balsa has for some years offered WebKitGTK+ widgets for viewing HTML
message parts. Current WebKitGTK+ development, including response to
security issues, is only in the webkit2 API, meaning that the original
widget may have vulnerabilities.

The new widget presents some problems for an email client: unlike the
original, it is intrinsically scrollable. Consequently, you get a
scrolled window containing the headers and the widget, and a second set
of scroll bars for the widget itself. Blocking the loading of images
from outside hosts is also less dependable.

In a recent bug[1], Jeremy Bicha has asked that we remove support for
the original webkit widget in Balsa. I've been using the new widget in
builds from git (gtk3 branch) for a year or two with no issues other
than those described above. I'm inclined to follow Jeremy's advice, and
remove support for the old widget, at least in the gtk3 branch. Would
this cause problems for anyone?

Thanks for any thoughts!

[1] <URL:https://bugzilla.gnome.org/show_bug.cgi?id=770500>

I must say that the version numbering of webkitgtk (and which version of gtk+ it works with) has been somewhat confusing, which doesn't help. Gentoo separates by slots. Slot 2 and slot 3 both have 2.4.11 but different builds. Slot 4 has 2.10.9 (stable) and 2.12.3 (currently marked testing).

Would it be reasonable (and reasonably possible) as a first step, to add a warning if you choose the older version that it is considered deprecated and probably has un-patched security vulnerabilities, especially depending on the distribution? Also to make the gtk3 branch default to webkit2.

It seems to me there are two sorts of folks who compile balsa from source. First are those who are compiling for inclusion in a distribution. Hopefully, they will pay more attention to security issues, and if that distribution has an old original webkit, they will use the new one with the gtk3 branch. Of course that might depend on when we release the gtk3 version as master, and relegate the old master to either deprecated or bugs only. The other folks who compile are likely looking for the latest and greatest (or on a distro like Gentoo) and will likely already be on gtk3 branch with webkit2.

However, if nobody else has any reason to keep the old option around any longer, then go ahead and just remove it. (I still need to recompile webkit2 (I somehow think it has a different name on Gentoo, but I'm on vacation, and don't have access to my main PC) since I accidentally deleted it, and am for the interim actually using the old webkit.)

Jack

