GNOME Bugzilla – Bug 751588
Port to WebKit2
Last modified: 2016-08-11 08:13:48 UTC
WebKit 1 is deprecated, and is no longer being developed, only receiving important bug fixes for the time being (and that will eventually stop). Thus evolution should be ported to WebKit 2 (libwebkit2gtk-4.0). Also see: https://wiki.gnome.org/Initiatives/GnomeGoals/Webkit2Porting
There is already a development branch with WebKit2 based Evolution: https://git.gnome.org/browse/evolution/log/?h=wip/webkit2
And after bug #749974 also evolution-data-server (optional dependency). I intentionally used WebKit1 there, because: a) evolution depends on it, thus to not mix the two webkits b) portability - WebKit2 cannot be built under Windows as of now The portability is kind of concern for me, I'd not use WebKit2 until it's buildable for Windows too.
My biggest concern at this point is the high number of unfixed security exploits in WK1. At this point it's irresponsible for Evolution to continue displaying HTML mail until the port to WK2 is complete. This is an extremely unfortunate situation, but it's impractical to do security backports to WK1. :( (In reply to Milan Crha from comment #2) > And after bug #749974 also evolution-data-server (optional dependency). > I intentionally used WebKit1 there, because: > a) evolution depends on it, thus to not mix the two webkits That was the right choice, since you cannot mix the two different WebKits in the same process. The only risk is that some other app might already have been using both e-d-s and WebKit2, but I don't think that's the case.
1) Is it absolutely necessary to support Microsoft Windows at the expense of putting Linux users at risk of security exploits? 2) Besides, how many Windows users bother with Qt or Gtk+ applications when there are working email/calendar/PIM solutions from their operating system vendor, Microsoft?
*** Bug 689503 has been marked as a duplicate of this bug. ***
It looks like no one is volunteering to do a webkit2gtk Windows port according to https://lists.webkit.org/pipermail/webkit-gtk/2014-January/001745.html (Windows has chromium anyway and Qt5 is moving to chromium as well) Will webkit1 still receive security fixes till the situation changes?
(In reply to Hussam Al-Tayeb from comment #6) > Will webkit1 still receive security fixes till the situation changes? It's not a question for the Evolution team, it's a question for the webkitgtk developers. I was told that the webkit1 will not receive any major updates/fixes, the main webkitgtk upstream focus is on the webkit2, which makes sense.
Since this is only needed for html rendering, an alternative could be to fork webkit1 gtk port into a minimal library without the unneeded features and without js support which should eliminate most security issues. It can be something like the old gtkhtml package. Both evolution and empathy would be able to use it.
(In reply to Hussam Al-Tayeb from comment #8) > Since this is only needed for html rendering, an alternative could be to > fork webkit1 gtk port into a minimal library without the unneeded features > and without js support which should eliminate most security issues. > It can be something like the old gtkhtml package. Both evolution and empathy > would be able to use it. Ignore this. This was explained in another bug.
Did you mean to close this issue?
(In reply to Christian Stadelmann from comment #10) > Did you mean to close this issue? Sorry, please ignore this comment.
It has been stated by the webkit developers that version 1 will not receive ANY security updates anymore. As of now there are more then 129 critical security bugs in webkit 2.4.9 (as used by evolution). Therefore evolution is currently affected by more the 129 security vulnerabilities, many of which are easily exploitable. Doesn't anyone think this should be taken care of? Source: https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/
To be clear, I am not personally aware of exploits for any of these vulnerabilities. I do not care to speculate on whether any have been developed. Evolution has a setting to turn off HTML rendering. I strongly recommend using it. (In reply to Michael Catanzaro from comment #3) > My biggest concern at this point is the high number of unfixed security > exploits in WK1. I misspoke here; I should have used the term "vulnerabilities" rather than "exploits."
(In reply to Michael Catanzaro from comment #13) > > I misspoke here; I should have used the term "vulnerabilities" rather than > "exploits." The issue still remains. I don't know how much work it will be to port to Webkit2 but Empathy has managed to remove all dependencies of Webkit1. (In reply to Michael Catanzaro from comment #13) > Evolution has a setting to turn off HTML rendering. I strongly recommend > using it. But html is still on by default, something that I would recommend to turn off by default, but that is probably not going to happen.
(In reply to Timo from comment #14) > (In reply to Michael Catanzaro from comment #13) > > Evolution has a setting to turn off HTML rendering. I strongly recommend > > using it. > > But html is still on by default, something that I would recommend to turn > off by default, but that is probably not going to happen. Not only is HTML view enabled by default but it is also essential for any email client out there. Many (especially non-technical) users are sending and receiving HTML-only emails on a daily basis. Disabling HTML rendering (by default) would be pretty bad for their user experience. (In reply to Timo from comment #12) > As of now there are more then 129 critical security bugs in webkit 2.4.9 (as > used by evolution). > Therefore evolution is currently affected by more the 129 security > vulnerabilities, many of which are easily exploitable. > > Doesn't anyone think this should be taken care of? I think this is mainly an issue of having programmers doing the work. (In reply to Hussam Al-Tayeb from comment #6) > It looks like no one is volunteering to do a webkit2gtk Windows port > according to > https://lists.webkit.org/pipermail/webkit-gtk/2014-January/001745.html Is there any change to this? Is the windows port so important to evolution? How about using WebKit2 and disabling HTML rendering on Windows? As far as I know Gtk+ 3.x hasn't seen much Windows support. Is there any Evolution 3.x build on Windows? I couldn't find one. Maybe its time to bury support for Windows…
(In reply to Timo from comment #14) > I don't know how much work it will be to port to Webkit2 A lot. > but Empathy has > managed to remove all dependencies of Webkit1. Empathy is still on WebKit1... there is a WIP patch to WK2, but someone needs to sit down and find a way to make themes work. Shouldn't be hard, but it's not going to be a quick project either, and nobody seems interested. > Not only is HTML view enabled by default but it is also essential for any > email client out there. Many (especially non-technical) users are sending > and receiving HTML-only emails on a daily basis. Disabling HTML rendering > (by default) would be pretty bad for their user experience. Evolution seems to be able to display all mail as plain text just fine when HTML is turned off? I've been using it like this for months.... > (In reply to Timo from comment #12) > I think this is mainly an issue of having programmers doing the work. Yup. > (In reply to Hussam Al-Tayeb from comment #6) > Is there any change to this? Naver is working on a Windows browser that uses WebKit2. They intend to upstream their work. It remains to be seen if they will, or if their contributions will be accepted (Apple is not keen on adding Windows support to WebKit2). If it is accepted, then this would take care of the majority of the work; in that case, we would accept reasonable patches to make WebKitGTK+ work on Windows. We will probably never work on this ourselves, though.
Shouldn't security issued have some kind of priority? Especially when they have this extend? Can anyone predict when this will be taken care of?
(In reply to Milan Crha from comment #2) > And after bug #749974 also evolution-data-server (optional dependency). > I intentionally used WebKit1 there, because: > a) evolution depends on it, thus to not mix the two webkits > b) portability - WebKit2 cannot be built under Windows as of now > > The portability is kind of concern for me, I'd not use WebKit2 until it's > buildable for Windows too. To be clear, you should not expect WebKitGTK+ to ever again work on Windows; if you really need that, you should migrate to some other web engine. :(
(In reply to Michael Catanzaro from comment #16) > > Not only is HTML view enabled by default but it is also essential for any > > email client out there. Many (especially non-technical) users are sending > > and receiving HTML-only emails on a daily basis. Disabling HTML rendering > > (by default) would be pretty bad for their user experience. > > Evolution seems to be able to display all mail as plain text just fine when > HTML is turned off? I've been using it like this for months.... This feature only works if your contacts use hybrid Emails (with both HTML and plain text. And it is useless when your conversations include highlighted text such as coloring or underlining. And sometimes you just need markup in Emails for printing tables or making citations work fine without getting very ugly when breaking lines. So basically everything beyond plain text (with optional intendation) may or will break. I'd like to help testing once the code is running and doesn't eat all my mails ;). I can't spend time on coding though.
(In reply to Timo from comment #17) > Shouldn't security issued have some kind of priority? > Especially when they have this extend? It should be, but when you have one and a half (that half is me) developer actively contributing to Evolution.. > Can anyone predict when this will be taken care of? As it was already stated the WebKit2 port of Evolution is going to be finished in Evolution 3.22. as part of GNOME 3.22.
(In reply to Timo from comment #17) > Shouldn't security issued have some kind of priority? Yes. Hence please provide patches and help: https://wiki.gnome.org/Git/Developers Thanks in advance!
Created attachment 323303 [details] [review] eds patch This is a port to webkit2 for the evolution-data-server. It should go in together with the evolution change, otherwise evolution crashes when the evolution-data-server is compiled with --enable-google-auth with the below backtrace (or similar). There should be a better way to notice when the application uses both webkit1 and webkit2, instead of this crash. Gtk+ has some way of doing it [1], which is called from [2] and few other places. [1] https://git.gnome.org/browse/gtk+/tree/gtk/gtkmodules.c#n582 [2] https://git.gnome.org/browse/gtk+/tree/gtk/gtkmain.c#n644
+ Trace 236033
Thread 1 (Thread 0x7ff6dc6dbac0 (LWP 20863))
*** Bug 769643 has been marked as a duplicate of this bug. ***
I "merged" the changes from the wip branch into the master branch within these commits: Created commit_6c3cff9 in eds master (3.21.90+) [1] Created commit 332789f in evo master (3.21.90+) [1] https://git.gnome.org/browse/evolution-data-server/commit/?id=6c3cff9