Bug 1612 - Don't use a bundled library
Status: RESOLVED INVALID
Product: Claws Mail
Component: Plugins/Gtkhtml2 Viewer
Version: other
Hardware/OS: PC Linux
Priority/Severity: P3 enhancement
Reported: 2008-05-18 10:19 by
Modified: 2008-05-20 19:36 (History)
Description From 2008-05-18 10:19:04
Having a bundled library like libgtkhtml with the gtkhtml2 plugin is bad style,
especially from a security point of view. What are the reasons to ship its own
copy with it?
------- Comment #1 From 2008-05-18 10:29:02 -------
Upstream was unmaintained or poorly maintained and buggy.
------- Comment #2 From 2008-05-18 13:02:16 -------
What are your security concerns specifically? For the record, I am achieving
much better results with the bundled version of libgtkhtml.
------- Comment #3 From 2008-05-20 19:05:21 -------
(In reply to comment #2)
> What are your security concerns specifically? For the record, I am achieving
> much better results with the bundled version of libgtkhtml.

 Imagine a security problem in libgtkhtml.  This will be fixed in a
distribution's package, but nobody knows that there is a bundled version in
this plugin and who-knows-where.  We on Gentoo had a lot of problems with
bundled zlib versions security-wise as we had to track down dozens of packages
for security advisories.
 What are your changes for libgtkhtml?  I wasn't able to compile this plugin
with vanilla libgtkhtml.
------- Comment #4 From 2008-05-20 19:15:55 -------
(In reply to comment #3)
> (In reply to comment #2)
> > What are your security concerns specifically? For the record, I am achieving
> > much better results with the bundled version of libgtkhtml.
> 
>  Imagine a security problem in libgtkhtml.  This will be fixed in a
> distribution's package, but nobody knows that there is a bundled version in
> this plugin and who-knows-where.  We on Gentoo had a lot of problems with
> bundled zlib versions security-wise as we had to track down dozens of packages
> for security advisories.

  Imagine a bunch of bugs in libgtkhtml which are not fixed in the original lib and
reported to claws-mail. We had a lot of these too.

>  What are your changes for libgtkhtml?  I wasn't able to compile this plugin
> with vanilla libgtkhtml.

  diff -urN ? 

  regards,
------- Comment #5 From 2008-05-20 19:36:26 -------
(In reply to comment #4)
> (In reply to comment #3)
> > (In reply to comment #2)
> > > What are your security concerns specifically? For the record, I am achieving
> > > much better results with the bundled version of libgtkhtml.
> > 
> >  Imagine a security problem in libgtkhtml.  This will be fixed in a
> > distribution's package, but nobody knows that there is a bundled version in
> > this plugin and who-knows-where.  We on Gentoo had a lot of problems with
> > bundled zlib versions security-wise as we had to track down dozens of packages
> > for security advisories.
> 
>   Imagine a bunch of bugs in libgtkhtml which are not fixed in original lib and
> reported to claws-mail. We had a lot of these too.

 I understand your motivation, though bundling libs is really bad style and
makes the presence of libraries nearly senseless if everyone ships something they
urgently think they need.

> >  What are your changes for libgtkhtml?  I wasn't able to compile this plugin
> > with vanilla libgtkhtml.
> 
>   diff -urN ? 

 One possibility...do you only fix bugs or add new features?

And what I can see is that gtkhtml has frequent releases, so why aren't you
able to push your fixes upstream?  No responses or are bugs marked invalid
before doing any discussion on concerns?
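The risk raised in comment #3 and comment #5 is that a distribution fixes a library in its own package while copies bundled inside plugins stay invisible to that process. The script below is an added example of how a packager or security team can surface such copies; it is not code from Claws Mail or its gtkhtml2 plugin. It walks a source tree for marker files (zlib's real ZLIB_VERSION define in zlib.h, and an assumed autoconf AC_INIT line for libgtkhtml), records each bundled copy's version, and compares it with a constructed table of what the distribution ships. The directory layout and all version strings are constructed sample values, not real release numbers.

```python
"""Scan a source tree for bundled ("vendored") library copies and compare
their versions with what the distribution packages.

Added example for this bug thread; not code from Claws Mail or its plugins.
The directory layout built below is constructed, and the version strings
are sample values, not real release numbers.
"""
import os
import re
import tempfile
from pathlib import Path

# Marker file that identifies a library copy, plus a regex extracting its
# version. zlib's header really defines ZLIB_VERSION; the AC_INIT form is an
# assumption about how a libgtkhtml copy declares its version.
SIGNATURES = {
    "zlib": ("zlib.h", re.compile(r'#define\s+ZLIB_VERSION\s+"([^"]+)"')),
    "libgtkhtml": (
        "configure.ac",
        re.compile(r'AC_INIT\(\s*\[?libgtkhtml\]?\s*,\s*\[?([^\]\),]+)\]?'),
    ),
}

# Constructed view of what the distribution packages (libgtkhtml deliberately
# absent, to show the "nobody tracks this" case from comment #3).
SYSTEM_VERSIONS = {"zlib": "1.2.3.3"}


def find_bundled_libraries(root):
    """Walk *root* and return one record per bundled library copy found."""
    root = Path(root)
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for lib, (marker, pattern) in SIGNATURES.items():
            if marker not in files:
                continue
            text = (Path(dirpath) / marker).read_text(errors="replace")
            match = pattern.search(text)
            if match:  # a configure.ac of some other project is skipped here
                found.append({
                    "library": lib,
                    "path": str(Path(dirpath).relative_to(root)),
                    "version": match.group(1).strip(),
                })
    return sorted(found, key=lambda rec: rec["path"])


def compare_with_system(found, system_versions):
    """Flag copies the distribution does not track or ships at another version."""
    alerts = []
    for rec in found:
        sys_ver = system_versions.get(rec["library"])
        if sys_ver is None:
            reason = "no distribution package tracks this library"
        elif sys_ver != rec["version"]:
            reason = f"bundled {rec['version']} != system {sys_ver}"
        else:
            continue  # same version today, but still worth a periodic re-check
        alerts.append({**rec, "reason": reason})
    return alerts


def build_sample_tree():
    """Create a constructed source tree in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="bundled-scan-"))
    files = {
        "src/main.c": "int main(void) { return 0; }\n",
        # hypothetical plugin carrying its own libgtkhtml, which carries zlib
        "plugins/gtkhtml2_viewer/libgtkhtml/configure.ac":
            "AC_INIT([libgtkhtml], [2.11.1])\nAM_INIT_AUTOMAKE\n",
        "plugins/gtkhtml2_viewer/libgtkhtml/zlib/zlib.h":
            '#define ZLIB_VERSION "1.2.3"\n',
        # top-level configure.ac of the application itself: not a library copy
        "configure.ac": "AC_INIT([sample-app], [0.0])\n",
    }
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    copies = find_bundled_libraries(tree)
    for rec in copies:
        print(f"bundled {rec['library']} {rec['version']} at {rec['path']}")
    for alert in compare_with_system(copies, SYSTEM_VERSIONS):
        print(f"ALERT {alert['library']} at {alert['path']}: {alert['reason']}")
```

Run against a real checkout, the scan reports every nested copy with its path, which is exactly the inventory a distribution security team needs when an advisory for zlib or libgtkhtml lands; extending SIGNATURES with further marker files covers other commonly bundled libraries.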