Evolution Mail Users Easily Trackable Part 2

https://www.grepular.com/Evolution%20Mail%20Users%20Easily%20Trackable%20Part%202

21•zdw•4h ago

Comments

like_any_other•3h ago

Most devs are entirely too casual about making network requests. Do they not share users' expectation that the software won't rat them out to random servers?

drdaeman•1h ago

> Evolution probably does not require any changes whatsoever to fix this. This problem is not specific to Evolution; it very probably affects Balsa and Geary at least, and all other applications using WebKitGTK that wish to audit outgoing HTTP requests. The problem is that WebKitGTK is making HTTP requests that bypass its API for blocking HTTP requests, which Evolution relies on.

https://gitlab.gnome.org/GNOME/evolution/-/issues/3095#note_...

tetromino_•1h ago

Summary: there is a long-standing bug in Webkit which causes network connection from (probably?) any tag that sets a `rel` attribute to be non-auditable and non-blockable by client code using Webkit.

Mike Cardwell stumbled on the manifestation of this bug in Evolution (which uses Webkit for rendering html mail). His proposal was for Evolution to filter html content before passing it to Webkit for rendering. Evolution devs' counterproposal was to ask Mike to write a patch to fix the Webkit bug, so not just Evolution but all other applications built on top of Webkit benefit.

Instead of writing a patch for Webkit (or at least further investigating the Webkit bug), Mike responded by writing two blogposts denouncing Evolution devs.

Evolution devs responded by locking the bug thread and threatening to ban Mike.

TL;DR drama due to cultural difference.

veeti•1h ago

This reflects of a failure in security "culture" within the GNOME project. Whether the issue boils down to a bug in WebKit or Evolution code, it is ultimately the Evolution developer's responsibility to not ship an end product with known security issues. Whether that is achieved by changes upstream or in the Evolution project is of no relevance to the end users or general public at large.

tetromino_•1h ago

> it is ultimately the Evolution developer's responsibility to not ship an end product with known security issues

Is it? One could argue that Evolution developers do not ship an end product, and that it's distros - Debian, Fedora, etc. - who ship the end product by combining Evolution at version X with Webkit at version Y, and possibly patching both.

Earn $200 by referring only. FREE

What a bumble bee chooses to eat may not match its ideal diet

Shutting Down Clear Linux OS

Nuxt Joins Vercel

The Kap Programming Language

A Software for One

Women Are Falling Behind in America's Return to the Office

Astronomer launches internal investigation after viral Coldplay video

Build your CV on Subreply as a LinkedIn alternative

Curse Not the King

The Physics of Dissonance (MinutePhysics) [video]

Billionaire Gabe Newell: pitching VCs makes no business sense

Ccusage: A CLI tool for analyzing Claude Code usage from local JSONL files

Fuzzing macOS Userland (For Fun and Pain)

Free Online Minesweeper

DHH – I Hate TypeScript (3 min video)

Show HN: Interactive Bash tutorial that runs in the browser

Show HN: Castream – Native iOS/Android IRL multistreaming app

There Is No Antimemetics Division – A Novel (2025)

First earthquake, then fire: UC San Diego researchers test steel building

Ask HN: What are your favorite open source AI agent implementations?

Node.js 18 is being deprecated

EPA says it will eliminate its scientific reseach arm

Vibe coding? AI assisted coding? I prefer being an AI micromanager [video]

"Pitch in " Anti-Litter PSA (1973) [video]

Agents Built from Alloys

US EPA cutting workforce by 23%, closing research division

I'm Rebelling Against the Algorithm

My worst tech purchase became my best DIY desk lamp

Show HN: Vizr – Ask questions about your marketing data, get real answers