Evolution Mail Users Easily Trackable Part 2

https://www.grepular.com/Evolution%20Mail%20Users%20Easily%20Trackable%20Part%202

23•zdw•6h ago

Comments

like_any_other•5h ago

Most devs are entirely too casual about making network requests. Do they not share users' expectation that the software won't rat them out to random servers?

drdaeman•3h ago

> Evolution probably does not require any changes whatsoever to fix this. This problem is not specific to Evolution; it very probably affects Balsa and Geary at least, and all other applications using WebKitGTK that wish to audit outgoing HTTP requests. The problem is that WebKitGTK is making HTTP requests that bypass its API for blocking HTTP requests, which Evolution relies on.

https://gitlab.gnome.org/GNOME/evolution/-/issues/3095#note_...

tetromino_•3h ago

Summary: there is a long-standing bug in Webkit which causes network connection from (probably?) any tag that sets a `rel` attribute to be non-auditable and non-blockable by client code using Webkit.

Mike Cardwell stumbled on the manifestation of this bug in Evolution (which uses Webkit for rendering html mail). His proposal was for Evolution to filter html content before passing it to Webkit for rendering. Evolution devs' counterproposal was to ask Mike to write a patch to fix the Webkit bug, so not just Evolution but all other applications built on top of Webkit benefit.

Instead of writing a patch for Webkit (or at least further investigating the Webkit bug), Mike responded by writing two blogposts denouncing Evolution devs.

Evolution devs responded by locking the bug thread and threatening to ban Mike.

TL;DR drama due to cultural difference.

veeti•3h ago

This reflects of a failure in security "culture" within the GNOME project. Whether the issue boils down to a bug in WebKit or Evolution code, it is ultimately the Evolution developer's responsibility to not ship an end product with known security issues. Whether that is achieved by changes upstream or in the Evolution project is of no relevance to the end users or general public at large.

tetromino_•3h ago

> it is ultimately the Evolution developer's responsibility to not ship an end product with known security issues

Is it? One could argue that Evolution developers do not ship an end product, and that it's distros - Debian, Fedora, etc. - who ship the end product by combining Evolution at version X with Webkit at version Y, and possibly patching both.

Mr Browser – Macintosh Repository file downloader that runs directly on 68k Macs

Asynchrony is not concurrency

How to write Rust in the Linux kernel: part 3

Debcraft – Easiest way to modify and build Debian packages

Silence Is a Commons by Ivan Illich (1983)

Ccusage: A CLI tool for analyzing Claude Code usage from local JSONL files

C++: zero-cost static initialization

Valve confirms credit card companies pressured it to delist certain adult games

Meta says it wont sign Europe AI agreement, calling it growth stunting overreach

Multiplatform Matrix Multiplication Kernels

lsr: ls with io_uring

Broadcom to discontinue free Bitnami Helm charts

Wii U SDBoot1 Exploit “paid the beak”

Shutting Down Clear Linux OS

Trying Guix: A Nixer's impressions

AI capex is so big that it's affecting economic statistics

The year of peak might and magic

Replication of Quantum Factorisation Records with a VIC-20, an Abacus, and a Dog

CP/M creator Gary Kildall's memoirs released as free download

Show HN: I built library management app for those who outgrew spreadsheets

Mango Health (YC W24) Is Hiring

I'm Rebelling Against the Algorithm

Show HN: Molab, a cloud-hosted Marimo notebook workspace

Converting Integers to Floats Using Hyperfocus (2022)

A New Geometry for Einstein's Theory of Relativity

Sage: An atomic bomb kicked off the biggest computing project in history

Cancer DNA is detectable in blood years before diagnosis

Intel Announces It's Shutting Down Clear Linux

How I keep up with AI progress

Show HN: Simulating autonomous drone formations