[Users] Fancy

Ralf Mardorf silver.bullet at zoho.com
Fri Sep 1 00:13:23 CEST 2017


On Thu, 31 Aug 2017 20:50:01 +0200, Andrej Kacian wrote:
>Yep, I found this too in the meantime. :) I wonder if they know that
>the plugin is unsupported, and is in fact less safe to use than Fancy,
>given that it can not block loading remote HTML content?

Remote HTML content is not such a security risk as CVEs with very
high security warnings.

>And if so, do they inform users of this Archlinux package about this
>fact?

The target group of Arch Linux users should keep up with the state of
affairs of the apps they use, if things like e.g. Internet security are
important for their individual needs. It's expected that the target
group has got the self-responsibility and skills to do this, if it should
be important for them. Arch Linux explicitly mentions that it is not a
user-friendly distro.

There are announcements for special issues, but this isn't the kind of
issue that is announced. An Arch Linux user who really cares about
security issues would use a tool like arch-audit to stay informed and
join appropriate mailing lists or other sources of information.

I suspect that I'm not the only Arch user who 1. builds Claws instead
of installing it from official repositories and 2. doesn't use HTML with
Claws at all. However, an official package built with the fancy plugin
can't be provided, even if for claws webkit should be more secure than
using Dillo, since the webkit package is dropped. A webkit PKGBUILD is
still available from the Arch User Repository, but the PKGBUILD for
claws-mail-git from the Arch User Repository also has no dependency on
webkit anymore. A user is free to build and install webkit, e.g. by
using the PKGBUILD from the Arch User Repository, and after that could
even build claws-mail using the original PKGBUILD from official
repositories:

[rocketmouse@archlinux tmp]$ asp checkout claws-mail
Cloning into '/tmp/claws-mail'...
done.
[rocketmouse@archlinux tmp]$ ls -hl claws-mail/trunk/PKGBUILD
-rw-r--r-- 1 rocketmouse rocketmouse 3.2K Aug 31 23:58 claws-mail/trunk/PKGBUILD

However, usually Arch users ask upstream of apps that are important
for their needs to find a solution without webkit. I asked upstream of
guitarix to drop webkit and upstream immediately agreed and provides
guitarix without webkit usage.



