GNU bug report logs -
#30329
[PATCH] gnu: emacs: Build with xwidgets support.
Reported by: Alex Vong <alexvong1995 <at> gmail.com>
Date: Fri, 2 Feb 2018 21:49:01 UTC
Severity: normal
Tags: patch
Done: Ricardo Wurmus <rekado <at> elephly.net>
Bug is archived. No further changes may be made.
ludo <at> gnu.org (Ludovic Courtès) writes:
> Hello,
>
> Leo Famulari <leo <at> famulari.name> skribis:
>
>> On Sat, Feb 03, 2018 at 05:48:12AM +0800, Alex Vong wrote:
>>> Hi,
>>>
>>> This patch adds xwidgets support to Emacs. So Emacs can now display GTK
>>> widgets. In particular, it can display webpages using webkitgtk.
>>>
>>> Also, I use webkitgtk-2.4 instead of webkitgtk, because xwidgets
>>> requires libwebkitgtk-3.0 instead of libwebkitgtk-4.0 to
>>> build.
>>
>> Webkitgtk is very actively researched and exploited for security
>> problems. If this use of webkitgtk-2.4 would ever handle untrusted
>> input, it's not very safe. I don't use Emacs so I'm not sure what the
>> use case is for webkitgtk.
>>
>> For examples, you can check the security advisories published by the
>> Webkitgtk team:
>>
>> https://webkitgtk.org/news.html
>>
>> They publish an advisory after every release, and there are always
>> several fixed bugs allowing code execution by whoever supplies the input
>> (typically from a remote web server).
>
> That’s indeed a bit of a problem. Would be nice if it could use the
> latest webkitgtk series.
>
> Given that and the increase in closure size, I would prefer making it a
> separate “emacs-xwidgets” package.
>
> WDYT?
>
I agree with what Leo thought, since it is up to Emacs package authors
to make sure untrusted input is never sent to webkitgtk, and it is hard
to guarantee that every package does the right thing.
So I will send another patch after Emacs switches to libwebkitgtk-4.0 (in
a separate package).
> Thanks,
> Ludo’.
This bug report was last modified 6 years and 330 days ago.