Subject: [bug#30329] [PATCH] gnu: emacs: Build with xwidgets support.
From: Alex Vong
To: Ludovic Courtès
Cc: 30329@debbugs.gnu.org
Date: Thu, 08 Feb 2018 09:04:35 +0800
Message-ID: <87a7wks34s.fsf@gmail.com>
In-Reply-To: <87fu6e5e84.fsf@gnu.org>

ludo@gnu.org (Ludovic Courtès) writes:

> Hello,
>
> Leo Famulari skribis:
>
>> On Sat, Feb 03, 2018 at 05:48:12AM +0800, Alex Vong wrote:
>>> Hi,
>>>
>>> This patch adds xwidgets support to Emacs. So Emacs can now display GTK
>>> widgets. In particular, it can display webpages using webkitgtk.
>>>
>>> Also, I use webkitgtk-2.4 instead of webkitgtk, because xwidgets
>>> requires libwebkitgtk-3.0 instead of libwebkitgtk-4.0 to
>>> build.
>>
>> Webkitgtk is very actively researched and exploited for security
>> problems. If this use of webkitgtk-2.4 would ever handle untrusted
>> input, it's not very safe. I don't use Emacs so I'm not sure what the
>> use case is for webkitgtk.
>>
>> For examples, you can check the security advisories published by the
>> Webkitgtk team:
>>
>> https://webkitgtk.org/news.html
>>
>> They publish an advisory after every release, and there are always
>> several fixed bugs allowing code execution by whoever supplies the input
>> (typically from a remote web server).
>
> That’s indeed a bit of a problem.  Would be nice if it could use the
> latest webkitgtk series.
>
> Given that and the increase in closure size, I would prefer making it a
> separate “emacs-xwidgets” package.
>
> WDYT?
>
I agree with what Leo thought. Since it is up to Emacs package authors to
make sure untrusted input is never sent to webkitgtk, and it is hard to
guarantee that every package does the right thing, I will send another
patch after Emacs switches to libwebkitgtk-4.0 (in a separate package).

> Thanks,
> Ludo’.