Re: [Gimp-developer] New GIMP configure warning/error




On 13.05.2017 at 15:50, Jehan Pagès <jehan marmottard gmail com> wrote:


We have a few issues with our webkit internal browser, one of them is
that we still use an old webkit version (because of GTK+2; newer
versions are for GTK+3), which is therefore deprecated. Security-wise,
this is not fine. Though obviously since this browser is made only to
reach our manual, which are static pages, and cannot be used to reach
random pages, the risk is lessened. That's even more a reason to make
sure we have SSL/TLS activated, because if GIMP requests the help
browser to reach https://gimp.org, we want to drop the connection in
case of MITM, especially because of the broken webkit.

This issue will disappear with GIMP 3, where we should be able to
update the dependency. This will still be some work to do so. Maybe at
this point, it could be wise to just drop the webkit dependency and
make the browser do all the work. On the other hand, a minimal help
browser is still nice. That's not an easy decision IMO.

We could also drop the help browser even for GTK+2 builds, but then it
needs some minimal patch to not have GIMP consider this as a lesser
GIMP. If not mistaken, when the browser is not built-in, right now
GIMP would complain and display a popup asking you if you want to use
your web browser instead. We would need to get rid of this warning if
we start considering the system browser as the default display mode
of the manual. That's probably really easy, but I have more pressing
things I want to do for 2.10. Patches are welcome for discussion
though. I believe it still makes sense from a security point of view
considering the deprecated webkit we use, so I would be in favor of
the patch (even if just as a temporary fix until we get to GIMP 3 and
can migrate to newer webkit).


I’ve just made those patches for OS X and included them into my version on gimp.lisanet.de. 
It just uses the system defined web browser for accessing online help and I’ve even written 
a plugin which replaces the help browser with the system-wide web browser and still offers 
context sensitive help. 

Just have a look at my patches at my SourceForge SVN repository
https://sourceforge.net/p/gimponosx/code/HEAD/tree/GimpPorts/ports/graphics/gimp2/files/
They are just a few lines of Cocoa API calls...

Simone



