Bug 1612 - Don't use a bundled library
Status: RESOLVED INVALID
Product: Claws Mail
Classification: Unclassified
Component: Plugins/Gtkhtml2 Viewer
Hardware: other
OS: PC Linux
Importance: P3 enhancement
Assigned To: users
Depends on:
Blocks:
Reported: 2008-05-18 10:19 CEST by Christian Faulhammer
Modified: 2008-05-20 19:36 CEST
See Also:


Description Christian Faulhammer 2008-05-18 10:19:04 CEST
Having a bundled library like libgtkhtml with the gtkhtml2 plugin is bad style.  Especially from a security point of view. What are the reasons to ship its own copy with it?
Comment 1 Paul 2008-05-18 10:29:02 CEST
upstream was unmaintained or poorly maintained and buggy
Comment 2 Gerard Seibert 2008-05-18 13:02:16 CEST
What are your security concerns specifically? For the record, I am achieving much better results with the bundled version of libgtkhtml.
Comment 3 Christian Faulhammer 2008-05-20 19:05:21 CEST
(In reply to comment #2)
> What are your security concerns specifically? For the record, I am achieving
> much better results with the bundled version of libgtkhtml.

 Imagine a security problem in libgtkhtml.  This will be fixed in a distribution's package, but nobody knows that there is a bundled version in this plugin and who-knows-where.  We on Gentoo had a lot of problems with bundled zlib versions security-wise as we had to track down dozens of packages for security advisories.
 What are your changes for libgtkhtml?  I wasn't able to compile this plugin with vanilla libgtkhtml.

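The tracking problem raised above (bundled copies that a distribution's security advisory never reaches) can be turned into a check. The following scanner is an added example, not part of this bug report or of Claws Mail: it walks a source tree, records every bundled zlib.h with its ZLIB_VERSION, and flags the copies still below the version an advisory was fixed in. The directory layout and the fixed version are constructed sample values.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

Hit = Tuple[str, str, str]  # (library, path, version)

# Marker file and version regex per library; only zlib is filled in, which is
# the library the Gentoo advisory tracking in the bug report refers to.
LIBRARY_MARKERS = {
    "zlib": ("zlib.h", re.compile(r'#define\s+ZLIB_VERSION\s+"([^"]+)"')),
}

def find_bundled_copies(root: str) -> List[Hit]:
    """Return (library, path, version) for every bundled copy under *root*."""
    hits: List[Hit] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for lib, (marker, version_re) in LIBRARY_MARKERS.items():
            if marker not in filenames:
                continue
            path = os.path.join(dirpath, marker)
            with open(path, encoding="utf-8", errors="replace") as fh:
                match = version_re.search(fh.read())
            # A copy whose version cannot be read is still a copy to track.
            hits.append((lib, path, match.group(1) if match else "unknown"))
    return sorted(hits)

def version_key(version: str) -> Tuple[int, ...]:
    """'1.2.11' -> (1, 2, 11); plain string order would put it before '1.2.3'."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def outdated_copies(hits: List[Hit], fixed_in: Dict[str, str]) -> List[Hit]:
    """Keep the copies below the fixed version; 'unknown' sorts lowest, so it is kept."""
    return [h for h in hits
            if h[0] in fixed_in and version_key(h[2]) < version_key(fixed_in[h[0]])]

def scan_sample_tree() -> Tuple[List[Hit], List[Hit]]:
    """Build a constructed tree in a temp dir and return (all copies, outdated copies)."""
    base = tempfile.mkdtemp(prefix="bundled-scan-")
    samples = {  # constructed sample layout, not a real project's paths
        "plugins/viewer/bundled/zlib.h": '#define ZLIB_VERSION "1.2.3"\n',
        "src/thirdparty/zlib.h": '#define ZLIB_VERSION "1.2.11"\n',
    }
    for rel, body in samples.items():
        os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
        with open(os.path.join(base, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    hits = [(lib, os.path.relpath(p, base), v) for lib, p, v in find_bundled_copies(base)]
    return hits, outdated_copies(hits, {"zlib": "1.2.11"})  # constructed fixed version

if __name__ == "__main__":
    for lib, path, ver in scan_sample_tree()[1]:
        print(f"{lib} {ver} at {path} is below the fixed version")
```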
Comment 4 Ricardo Mones 2008-05-20 19:15:55 CEST
(In reply to comment #3)
> (In reply to comment #2)
> > What are your security concerns specifically? For the record, I am achieving
> > much better results with the bundled version of libgtkhtml.
> 
>  Imagine a security problem in libgtkhtml.  This will be fixed in a
> distribution's package, but nobody knows that there is a bundled version in
> this plugin and who-knows-where.  We on Gentoo had a lot of problems with
> bundled zlib versions security-wise as we had to track down dozens of packages
> for security advisories.

  Imagine a bunch of bugs in libgtkhtml which are not fixed in the original lib and reported to claws-mail. We had a lot of these too.

>  What are your changes for libgtkhtml?  I wasn't able to compile this plugin
> with vanilla libgtkhtml.

  diff -urN ? 

  regards,
Comment 5 Christian Faulhammer 2008-05-20 19:36:26 CEST
(In reply to comment #4)
> (In reply to comment #3)
> > (In reply to comment #2)
> > > What are your security concerns specifically? For the record, I am achieving
> > > much better results with the bundled version of libgtkhtml.
> > 
> >  Imagine a security problem in libgtkhtml.  This will be fixed in a
> > distribution's package, but nobody knows that there is a bundled version in
> > this plugin and who-knows-where.  We on Gentoo had a lot of problems with
> > bundled zlib versions security-wise as we had to track down dozens of packages
> > for security advisories.
> 
>   Imagine a bunch of bugs in libgtkhtml which are not fixed in original lib and
> reported to claws-mail. We had a lot of these too.

 I understand your motivation, though bundling libs is really bad style and makes the presence of libraries nearly senseless if everyone ships something they urgently think they need.

> >  What are your changes for libgtkhtml?  I wasn't able to compile this plugin
> > with vanilla libgtkhtml.
> 
>   diff -urN ? 

 One possibility...do you only fix bugs or add new features?

And what I can see is that gtkhtml has frequent releases, so why aren't you able to push your fixes upstream?  No responses or are bugs marked invalid before doing any discussion on concerns?