Having a bundled library like libgtkhtml with the gtkhtml2 plugin is bad style, especially from a security point of view. What are the reasons to ship its own copy with it?
upstream was unmaintained or poorly maintained and buggy
What are your security concerns specifically? For the record, I am achieving much better results with the bundled version of libgtkhtml.
(In reply to comment #2)
> What are your security concerns specifically? For the record, I am achieving much better results with the bundled version of libgtkhtml.

Imagine a security problem in libgtkhtml. This will be fixed in a distribution's package, but nobody knows that there is a bundled version in this plugin and who-knows-where. We on Gentoo had a lot of problems with bundled zlib versions security-wise, as we had to track down dozens of packages for security advisories.

What are your changes for libgtkhtml? I wasn't able to compile this plugin with vanilla libgtkhtml.
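The tracking problem described in comment #3 (bundled zlib copies that have to be found package by package when an advisory lands) as an added example that is not part of this bug report: a Python script that walks a source tree, finds every bundled zlib.h, reads the ZLIB_VERSION macro that the real zlib.h defines, and flags copies older than the version an advisory says is fixed. The directory tree, package names and version numbers are constructed inline for the demonstration; for a library other than zlib the marker macro would have to be chosen per library.

```python
"""Locate bundled zlib copies in a source tree and flag stale versions.

Constructed example: the package tree below is created in a temporary
directory so the script runs offline; the package names and versions are
made up for the demonstration.
"""
import os
import re
import tempfile

# zlib.h defines its version as  #define ZLIB_VERSION "1.2.x"  (a quoted string).
ZLIB_VERSION_RE = re.compile(r'^#define\s+ZLIB_VERSION\s+"([0-9.]+)"', re.M)


def parse_version(text):
    """Turn "1.2.10" into (1, 2, 10) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def find_bundled_zlib(root):
    """Return {relative path of zlib.h: version string} for every copy under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        if "zlib.h" not in files:
            continue
        path = os.path.join(dirpath, "zlib.h")
        with open(path, encoding="utf-8", errors="replace") as fh:
            match = ZLIB_VERSION_RE.search(fh.read())
        if match:
            found[os.path.relpath(path, root)] = match.group(1)
    return found


def outdated_copies(found, fixed_in):
    """Return the subset of copies whose version is older than fixed_in."""
    threshold = parse_version(fixed_in)
    return {p: v for p, v in found.items() if parse_version(v) < threshold}


def build_sample_tree():
    """Constructed sample tree: three packages, two bundle zlib, one is stale."""
    root = tempfile.mkdtemp(prefix="bundled-scan-")
    samples = {
        "pkg-a/src/zlib/zlib.h": '#define ZLIB_VERSION "1.2.1"\n',
        "pkg-b/third_party/zlib.h": '#define ZLIB_VERSION "1.2.3"\n',
        "pkg-c/src/main.c": "int main(void) { return 0; }\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def scan_sample(fixed_in="1.2.3"):
    """Build the sample tree, scan it, and return (all copies, stale copies)."""
    root = build_sample_tree()
    found = find_bundled_zlib(root)
    return found, outdated_copies(found, fixed_in)


if __name__ == "__main__":
    all_copies, stale = scan_sample()
    for path, version in sorted(all_copies.items()):
        status = "STALE" if path in stale else "ok"
        print(f"{status:5} {version:8} {path}")
```

Run it against a real checkout by replacing `build_sample_tree()` with the directory that holds your packages' unpacked sources; every path it prints as STALE is a copy that the distribution's libgtkhtml or zlib update will not touch.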
(In reply to comment #3)
> (In reply to comment #2)
> > What are your security concerns specifically? For the record, I am achieving much better results with the bundled version of libgtkhtml.
>
> Imagine a security problem in libgtkhtml. This will be fixed in a distribution's package, but nobody knows that there is a bundled version in this plugin and who-knows-where. We on Gentoo had a lot of problems with bundled zlib versions security-wise as we had to track down dozens of packages for security advisories.

Imagine a bunch of bugs in libgtkhtml which are not fixed in the original lib and reported to claws-mail. We had a lot of these too.

> What are your changes for libgtkhtml? I wasn't able to compile this plugin with vanilla libgtkhtml.

diff -urN ?

regards,
(In reply to comment #4)
> (In reply to comment #3)
> > (In reply to comment #2)
> > > What are your security concerns specifically? For the record, I am achieving much better results with the bundled version of libgtkhtml.
> >
> > Imagine a security problem in libgtkhtml. This will be fixed in a distribution's package, but nobody knows that there is a bundled version in this plugin and who-knows-where. We on Gentoo had a lot of problems with bundled zlib versions security-wise as we had to track down dozens of packages for security advisories.
>
> Imagine a bunch of bugs in libgtkhtml which are not fixed in original lib and reported to claws-mail. We had a lot of these too.

I understand your motivation, though bundling libs is really bad style and makes the presence of libraries nearly senseless if everyone ships something they urgently think they need.

> > What are your changes for libgtkhtml? I wasn't able to compile this plugin with vanilla libgtkhtml.
>
> diff -urN ?

One possibility... Do you only fix bugs or add new features? And what I can see is that gtkhtml has frequent releases, so why aren't you able to push your fixes upstream? No responses, or are bugs marked invalid before any discussion of the concerns?