He is bothering small free software projects so that those small free software projects ask Chromium to fix the issue.
It's unacceptable to sit on a privacy affecting bug like this for 15 months.
This continuously repeated bullshit that the source of the problem lies elsewhere is tiring. They're knowingly using a library with a security bug, and they're doing:
1. Nothing to get the devs of that library to fix it
2. Nothing to fix the library themselves
3. Nothing to warn their users
4. Nothing in their local application to protect their users.
This is not how secure development works.
As of this point in time, nobody has explained to me why it would be a bad idea to add a "Do not rely on for privacy. More info" message next to the feature in Evolution Mail.
That is 100% true. Users of Evolution Mail should not rely on that feature for privacy. Because Evolution Mail has chosen to add known flawed software to their application.
And despite lacking the will or ability to fix that software, they are unwilling to take a different path to patch over the problem until it is fixed in the library, by sanitising the html and stripping problematic tags/attributes.
These are all their choices. And all of their choices lead to end users being exposed to a privacy risk, and unaware of it.
Your Gitlab issue is a textbook example of why open source devs quit. And now you’re wandering around trying to drum up a mob to further pressure people to do free work for you.
Hope that helps.
For end users, that's a distinction without a difference. Programmers are responsible for their choice of dependencies. If you've chosen to depend on it, it becomes your problem. Chromium is open source, no? So the email client programmer can fix that bug himself.
On another note, TFA talks about a "GNOME toxic development culture", which looks like a blanket statement. Does it really exist?
PS: I'm thankful that they don't use that thing from Google.
That's a non-sequitur. Just because it's common does not mean it's okay.
You would have to manually add the account. Currently only mail is supported. No calendar support.
See https://blog.thunderbird.net/2025/07/thunderbird-monthly-dev...
Probably Thunderbird tries it again with 141.
PS: If your e-mails are stored on an Exchange server (or worse: Azure), the discussed problem is the least issue.
What's a good app for Exchange on Linux? I could use the web app, which my company has available, but I do appreciate having a dedicated email client sometimes, particularly for OS notifications (which will work without having the browser open).
A GNOME foundation member going through the thread to decorate the reporter's posts with clown emoji reactions is not great.
It seems reasonable to say "even if this is caused by one of your library dependencies, users are using your application and you should try to find a mitigation."
If you get in a wreck because your brakes fail, imagine the car manufacturer saying "oh that's not a problem with the car, it's a problem with the brakes. Talk to the brake manufacturer."
"No warranty express or implied" and all that, but still.
You are looking for a minority of a minority of a minority - People using Linux, people using an email client, people using Linux that want all the MS Exchange features.
Tons of "general" email clients out there, sure, but you're talking about a largely proprietary system.
If neither of those are doable, the software needs a warning that it's vulnerable to such a terrible privacy exploit. People over however many years this has been possible deserve to know that their email client has been allowing any random person on the internet to easily get their IP address or know they're on their computer.
If you can't do this why are you maintaining software, it's unmaintained at that point. The replies to the bug report are just terrible attitude even if factually correct.
Evolution is a good mail client in general.
PS: Prefer always text-mail. When sending. When receiving.
I can't imagine someone reporting a bug to one of my repos about some race condition in the kernel. Why the hell are you bothering me with that? Tell the LKML.
That's not to say I'm not sympathetic, it's just, like, what do you expect me to do?
Off the top of my head: you could broadcast it more publicly that there is a known issue (particularly important if this is a security issue). You could change code to avoid whatever kernel features trigger the race. You could print a warning if you detect the kernel version is an unpatched one and/or has Kconfig in whatever state exposes the issue.
Slogan: own your own messages, own a local GMail. We have all the code except the UI
esseph•2h ago
Want to understand this more. I know I'm talking from a position of privilege, but it's really hard to find a machine these days with less than 16 or 32GB of RAM from the factory.
Even going back several years, DDR4 has been extremely cheap for a long time, and DDR5 is finally closer to general ram prices.
Are you using mini PCs with soldered ram?