Re: [Gimp-developer] New GIMP configure warning/error


On Sat, May 13, 2017 at 3:15 PM, Pat David <patdavid gmail com> wrote:
Is it not possible to invoke the default browser and hand off the https
responsibility to it?

That's definitely a possibility, and even a good one IMO.

We have a few issues with our webkit internal browser, one of them is
that we still use an old webkit version (because of GTK+2; newer
versions are for GTK+3), which is therefore deprecated. Security wise,
this is not fine. Though obviously since this browser is made only to
reach our manual, which are static pages, and cannot be used to reach
random pages, the risk is lessened. That's even more a reason to make
sure we have SSL/TLS activated, because if GIMP requests the help
browser to reach, we want to drop the connection in
case of MITM, especially because of the broken webkit.

This issue will disappear with GIMP 3, where we should be able to
update the dependency. This will still be some work to do so. Maybe at
this point, it could be wise to just drop the webkit dependency and
make the browser do all the work. On the other hand, a minimal help
browser is still nice. That's not an easy decision IMO.

We could also drop the help browser even for GTK+2 builds, but then it
needs some minimal patch to not have GIMP consider this as a lesser
GIMP. If not mistaken, when the browser is not built-in, right now
GIMP would complain and display a popup asking you if you want to use
your web browser instead. We would need to get rid of this warning if
we start considering the system browser as the defaults display mode
of the manual. That's probably really easy, but I have more pressing
things I want to do for 2.10. Patches are welcome for discussion
though. I believe it still makes sense in a security point of view
considering the deprecated webkit we use, so I would be in favor of
the patch (even if just as a temporary fix until we get to GIMP 3 and
can migrate to newer webkit).

Finally it does not totally deal with the glib-networking need. We
still need support for https for opening remote files. Nowadays not
having support for https while pretending having support for remote
file access is not ok. The web is slowly getting into a full https
state, and all the web browser companies are pushing toward this.
Fighting this is useless (and also wrong; full https is good IMO).
So even with this one use case, we would still need glib-networking.

Kris' idea though totally makes sense if developers of other platform
don't want of gnutls (which I can understand, especially if they
platform have — I don't know — a default local implementation for
TLS). Patches welcome. :-)


On Sat, May 13, 2017 at 8:05 AM Kristian Rietveld <kris loopnest org> wrote:

On 13 May 2017, at 14:52, Jehan Pagès <jehan marmottard gmail com>

You realize that for platforms other than Linux, that if you wish to
glib-networking, you have to install

Yes I realize that dependencies have often dependencies themselves.
Unless there is something which proves to be impossible to compile on
other platforms, I don't see the problem.

A possible problem is that all of these extra dependencies have to be
shipped in macOS and Windows packages. If in any of these dependencies
serious bugs (e.g. security) are found, we need to ship updated packages. A
problem like this does not exist on Linux since you would typically simply
update the distribution packages (although not sure how that will work for

A potential solution could be to write a Mac-specific GIO TLS backend that
depends on macOS system libraries which can be shipped instead of the
default TLS backend that depends on gnutls.



gimp-developer-list mailing list
List address:    gimp-developer-list gnome org
List membership:
List archives:

GPG: 66D1 7CA6 8088 4874 946D  18BD 67C7 6219 89E9 57AC

ZeMarmot open animation film

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]