Bug 1612 - Don't use a bundled library
Summary: Don't use a bundled library
Status: RESOLVED INVALID
Alias: None
Product: Claws Mail (GTK 2)
Classification: Unclassified
Component: Plugins/Gtkhtml2 Viewer
Version: other
Hardware: PC Linux
Importance: P3 enhancement
Assignee: users
Reported: 2008-05-18 10:19 UTC by Christian Faulhammer
Modified: 2008-05-20 19:36 UTC

Description Christian Faulhammer 2008-05-18 10:19:04 UTC
Having a bundled library like libgtkhtml with the gtkhtml2 plugin is bad style.  Especially from a security point of view. What are the reasons to ship an own copy with it?
Comment 1 Paul 2008-05-18 10:29:02 UTC
upstream was unmaintained or poorly maintained and buggy
Comment 2 Gerard Seibert 2008-05-18 13:02:16 UTC
What are your security concerns specifically? For the record, I am achieving much better results with the bundled version of libgtkhtml.
Comment 3 Christian Faulhammer 2008-05-20 19:05:21 UTC
(In reply to comment #2)
> What are your security concerns specifically? For the record, I am achieving
> much better results with the bundled version of libgtkhtml.

 Imagine a security problem in libgtkhtml.  This will be fixed in a distribution's package, but nobody knows that there is a bundled version in this plugin and who-knows-where.  We on Gentoo had a lot of problems with bundled zlib versions security-wise as we had to track down dozens of packages for security advisories.
 What are your changes for libgtkhtml?  I wasn't able to compile this plugin with vanilla libgtkhtml.

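The tracking problem Christian describes, as an added example that is not part of this bug report: a small scanner that walks a tree of package sources, finds embedded copies of a library (here zlib, recognised by the ZLIB_VERSION macro in zlib.h) and flags those older than the release carrying a fix. The sample tree and the "fixed" version 1.2.3 are constructed for illustration, not taken from any advisory.

```python
import os
import re
import tempfile
from typing import Iterator, NamedTuple

# Header to look for per library and the version macro it carries (zlib.h really defines ZLIB_VERSION).
SIGNATURES = {
    "zlib": ("zlib.h", re.compile(r'#define\s+ZLIB_VERSION\s+"([^"]+)"')),
}

class BundledCopy(NamedTuple):
    library: str
    path: str     # location of the embedded copy inside the scanned tree
    version: str  # version string read from the embedded header

def parse_version(text: str) -> tuple:
    """'1.2.3.4' -> (1, 2, 3, 4); only numeric components are compared."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def find_bundled(root: str) -> Iterator[BundledCopy]:
    """Walk root and yield every embedded copy of a known library with its version."""
    for dirpath, _dirs, files in os.walk(root):
        for lib, (header, pattern) in SIGNATURES.items():
            if header not in files:
                continue
            full = os.path.join(dirpath, header)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    match = pattern.search(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            if match:
                yield BundledCopy(lib, full, match.group(1))

def outdated(root: str, fixed: dict) -> list:
    """Copies older than the release carrying the fix; fixed maps library -> version."""
    return [c for c in find_bundled(root) if c.library in fixed
            and parse_version(c.version) < parse_version(fixed[c.library])]

def make_sample_tree() -> str:
    """Constructed sample: two packages each shipping their own zlib.h, one of them stale."""
    root = tempfile.mkdtemp(prefix="bundled-")
    for pkg, ver in (("pkg-a/src/zlib", "1.2.1"), ("pkg-b/third_party", "1.2.3")):
        os.makedirs(os.path.join(root, pkg))
        with open(os.path.join(root, pkg, "zlib.h"), "w") as fh:
            fh.write(f'/* bundled copy */\n#define ZLIB_VERSION "{ver}"\n')
    return root

if __name__ == "__main__":  # "1.2.3" stands in for the fixed release (constructed value)
    for c in outdated(make_sample_tree(), {"zlib": "1.2.3"}):
        print(f"{c.library} {c.version} bundled at {c.path}")
```

Pointed at a real packages tree, the scan gives a distribution the list of packages that need rebuilding when the upstream library gets a security fix.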
Comment 4 Ricardo Mones 2008-05-20 19:15:55 UTC
(In reply to comment #3)
> (In reply to comment #2)
> > What are your security concerns specifically? For the record, I am achieving
> > much better results with the bundled version of libgtkhtml.
> 
>  Imagine a security problem in libgtkhtml.  This will be fixed in a
> distribution's package, but nobody knows that there is a bundled version in
> this plugin and who-knows-where.  We on Gentoo had a lot of problems with
> bundled zlib versions security-wise as we had to track down dozens of packages
> for security advisories.

  Imagine a bunch of bugs in libgtkhtml which are not fixed in original lib and reported to claws-mail. We had a lot of these too.

>  What are your changes for libgtkhtml?  I wasn't able to compile this plugin
> with vanilla libgtkhtml.

  diff -urN ? 

  regards,
Comment 5 Christian Faulhammer 2008-05-20 19:36:26 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > (In reply to comment #2)
> > > What are your security concerns specifically? For the record, I am achieving
> > > much better results with the bundled version of libgtkhtml.
> > 
> >  Imagine a security problem in libgtkhtml.  This will be fixed in a
> > distribution's package, but nobody knows that there is a bundled version in
> > this plugin and who-knows-where.  We on Gentoo had a lot of problems with
> > bundled zlib versions security-wise as we had to track down dozens of packages
> > for security advisories.
> 
>   Imagine a bunch of bugs in libgtkhtml which are not fixed in original lib and
> reported to claws-mail. We had a lot of these too.

 I understand your motivation, though bundling libs is really bad style and makes presence of libraries nearly senseless if everyone ships something they urgently think they need.

> >  What are your changes for libgtkhtml?  I wasn't able to compile this plugin
> > with vanilla libgtkhtml.
> 
>   diff -urN ? 

 One possibility...do you only fix bugs or add new features?

And what I can see is that gtkhtml has frequent releases, so why aren't you able to push your fixes upstream?  No responses or are bugs marked invalid before doing any discussion on concerns?
