He is bothering small free software projects so that those small free software projects ask Chromium to fix the issue.
It's unacceptable to sit on a privacy affecting bug like this for 15 months.
This continously repeated bullshit that the source of the problem lies elsehwere is tiring. They're knowingly using a library with a security bug, and they're doing:
1. Nothing to get the devs of that library to fix it
2. Nothing to fix the library themselves
3. Nothing to warn their users
4. Nothing in their local application to protect their users.
This is not how secure development works.
As of this point in time, nobody has explained to me why it would be a bad idea to add a "Do not rely on for privacy. More info" message next to the feature in Evolution Mail.
That is 100% true. Users of Evolution Mail should not rely on that feature for privacy. Because Evolution Mail has chosen to add known flawed software to their application.
And despite lacking the will or ability to fix that software, they are unwilling to take a different path to patch over the problem until it is fixed in the library, by sanitising the html and stripping problematic tags/attributes.
These are all their choices. And all of their choices lead to end users being exposed to a privacy risk, and unaware of it.
Your Gitlab issue is a textbook example of why open source devs quit. And now you’re wandering around trying to drum up a mob to further pressure people to do free work for you.
Hope that helps.
For ends users, that's a distinction without a difference. Programmers are responsible for their choice of dependencies. If you've chosen to depend on it, it becomes your problem. Chromium is open source, no? So the email client programmer can fix that bug himself.
On another note, TFA talks about a "GNOME toxic development culture", which looks like a blanket statement. Does it really exist?
PS: I'm thankful that they don't use that thing from Google.
That's a non-sequitur. Just because it's common does not mean it's okay.
You would have to manually add the account. Currently only mail is supported. No calendar support.
See https://blog.thunderbird.net/2025/07/thunderbird-monthly-dev...
Probably Thunderbird tries it again with 141.
PS: If your E-Mails are stored on an Exchange-Server (or: worse Azure) the discussed problem is the least issue.
What's a good app for Exchange on Linux? I could use the web app, which my company has available, but I do appreciate having a dedicated email client sometimes, particularly for OS notifications (which will work without having the browser open).
A GNOME foundation member going through the thread to decorate the reporter's posts with clown emoji reactions is not great.
It seems reasonable to say "even if this is caused by one your library dependencies, users are using your application and you should try to find a mitigation."
If you get in a wreck because your brakes fail, imagine the car manufacturer saying "oh that's not a problem with the car, it's a problem with the brakes. Talk to the brake manufacturer."
"No warranty express or implied" and all that, but still.
* opens up his bug report passive-aggressively complaining about not getting a response to his emailed report, which he sent to a completely unrelated domain
* immediately fished for a bug bounty payout
* submitted his report against a 2.5 year old release, wasting maintainer time and then pushes back that because it came with his preferred distribution[0] that made it the Evolution maintainer’s problem.
* when the maintainers pointed out this was a dependency problem, accuses them of “buck passing” and demands they warn users of specific distributions about the problem he reported, which is, of course, completely impractical for them to do.
* does not engage at all with the Webkit developer who is trying to explain what the problem is and why fixing in Webkit is the right thing.
* demands one of a selected list of fixes from the maintainers. Note: if his suggested fixes are so simple, a PR at this point implementing one of them would have probably been more productive than what he did post:
I understand that this is completely out of your power to do anything about, and that it is also completely out of your power to put a notice in the UI about the functionality not working for privacy purposes. Please add clown and face-palm emojis to this comment as per my other comments, to indicate you have read it.
0 - a distribution, by the way, that is notorious for distributing hacked up out of date software. See: the OpenSSH key saga as well as projects like XScreensaver that have Debian-specific FAQ entries telling their users how to get reasonably up to date software (https://www.jwz.org/xscreensaver/faq.html#upgrade)
You are looking for a minority of a minority of a minority - People using Linux, people using an email client, people using Linux that want all the MS Exchange features.
Tons of "general" email clients out there, sure, but you're talking about a largely proprietary system.
If neither of those are doable, the software needs a warning that it's vulnerable to a such a terrible privacy exploit. People over however many years this has been possible deserve to know that their email client has been allowing any random person in the internet to easily get their IP address or know they're on their computer.
If you can't do this why are you maintaining software, it's unmaintained at that point. The replies to the bug report are just terrible attitude even if factually correct.
Evolution is a good mail client in general.
PS: Prefer always text-mail. When sending. When receiving.
I can't imagine someone reporting a bug to one of my repos about some race condition in the kernel. Why the hell are you bothering me with that? Tell the LKML.
That's not to say I'm not sympathetic, it's just, like, what do you expect me to do?
Off the top of my head: you could broadcast it more publicly that there is a known issue (particularly important if this is a security issue). You could change code to avoid whatever kernel features trigger the race. You could print a warning if you detect the kernel version is an unpatched one and/or has Kconfig in whatever state exposes the issue.
On the other hand: As a user, the takeaway isn't "well that's not their fault", the takeaway is "if I use this software, then I am vulnerable to this problem". The question of who's responsible or where the fault lies is irrelevant.
Slogan: own your own messages, own a local GMail. We have all the code except the UI
tylerapplebaum•6mo ago
theyknowitsxmas•6mo ago
hexagonwin•6mo ago
esseph•6mo ago
Want to understand this more. I know I'm talking from a position of privilege, but it's really hard to find a machine these days with less than 16 or 32GB of RAM from the factory.
Even going back several years, DDR4 has been extremely cheap for a long time, and DDR5 is finally closer to general ram prices.
Are you using mini PCs with soldered ram?
yjftsjthsd-h•6mo ago
* Not everyone is using a new machine.
* Right now, if I go to https://www.bestbuy.com/ and scroll down until I hit a laptop, the first 2 have 16GB, and the third is https://www.bestbuy.com/site/hp-victus-15-6-144hz-full-hd-ga... with 8GB. It's not even cheap.
* On my desk right now is a mini PC with 12GB, which I bought earlier this year.
* Even if we pretend everyone has 16GB+, it would be nice if we could use that memory for other stuff instead of an email client hogging it.
esseph•6mo ago
yjftsjthsd-h•6mo ago
esseph•6mo ago
mike-cardwell•6mo ago
curt15•6mo ago