GNU bug report logs -
#30329
[PATCH] gnu: emacs: Build with xwidgets support.
Previous Next
Reported by: Alex Vong <alexvong1995 <at> gmail.com>
Date: Fri, 2 Feb 2018 21:49:01 UTC
Severity: normal
Tags: patch
Done: Ricardo Wurmus <rekado <at> elephly.net>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 30329 in the body.
You can then email your comments to 30329 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org:
bug#30329; Package
guix-patches.
(Fri, 02 Feb 2018 21:49:01 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Alex Vong <alexvong1995 <at> gmail.com>:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org.
(Fri, 02 Feb 2018 21:49:01 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hi,
This patch adds xwidgets support to Emcas. So Emacs can now display GTK
widgets. In particular, it can display webpages using webkitgtk.
Also, I use webkitgtk-2.4 instead of webkitgtk, because xwidgets
requires libwebkitgtk-3.0 instead of libwebkitgtk-4.0 to
build.
Moroever, the size of the closure of Emacs increases from 880.2 MiB -->
1232.4 MiB after adding the inputs.
[0001-gnu-emacs-Build-with-xwidgets-support.patch (text/x-diff, inline)]
From ae89b2e42689d2ae54d5785238daa5800ad94241 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995 <at> gmail.com>
Date: Sat, 3 Feb 2018 05:05:17 +0800
Subject: [PATCH] gnu: emacs: Build with xwidgets support.
* gnu/packages/emacs.scm (emacs) [arguments]: Add '--with-xwidgets'
to #:configure-flags.
[inputs]: Add glib-networking, gsettings-desktop-schemas, libxcomposite,
webkitgtk-2.4.
---
gnu/packages/emacs.scm | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/emacs.scm b/gnu/packages/emacs.scm
index 9be92edc1..a56aec440 100644
--- a/gnu/packages/emacs.scm
+++ b/gnu/packages/emacs.scm
@@ -15,7 +15,7 @@
;;; Copyright © 2016, 2017 ng0 <ng0 <at> infotropique.org>
;;; Copyright © 2016 Alex Griffin <a <at> ajgrf.com>
;;; Copyright © 2016, 2017 Nicolas Goaziou <mail <at> nicolasgoaziou.fr>
-;;; Copyright © 2016, 2017 Alex Vong <alexvong1995 <at> gmail.com>
+;;; Copyright © 2016, 2017, 2018 Alex Vong <alexvong1995 <at> gmail.com>
;;; Copyright © 2016, 2017, 2018 Arun Isaac <arunisaac <at> systemreboot.net>
;;; Copyright © 2017 Christopher Baines <mail <at> cbaines.net>
;;; Copyright © 2017 Mathieu Othacehe <m.othacehe <at> gmail.com>
@@ -81,6 +81,7 @@
#:use-module (gnu packages version-control)
#:use-module (gnu packages imagemagick)
#:use-module (gnu packages w3m)
+ #:use-module (gnu packages webkit)
#:use-module (gnu packages wget)
#:use-module (gnu packages autotools)
#:use-module (gnu packages base)
@@ -151,7 +152,9 @@
" ")))))))
(build-system glib-or-gtk-build-system)
(arguments
- `(#:phases
+ `(#:configure-flags
+ '("--with-xwidgets")
+ #:phases
(modify-phases %standard-phases
(add-before 'configure 'fix-/bin/pwd
(lambda _
@@ -204,7 +207,13 @@
;; multilingualization support
("libotf" ,libotf)
- ("m17n-lib" ,m17n-lib)))
+ ("m17n-lib" ,m17n-lib)
+
+ ;; xwidgets support
+ ("glib-networking" ,glib-networking) ; required for browsing https pages
+ ("gsettings-desktop-schemas" ,gsettings-desktop-schemas)
+ ("libxcomposite" ,libxcomposite)
+ ("webkitgtk" ,webkitgtk-2.4))) ; libwebkitgtk-3.0 is required
(native-inputs
`(("guix-emacs.el" ,(search-auxiliary-file "emacs/guix-emacs.el"))
("pkg-config" ,pkg-config)
--
2.16.1
[Message part 3 (text/plain, inline)]
Cheers,
Alex
Information forwarded
to
guix-patches <at> gnu.org:
bug#30329; Package
guix-patches.
(Mon, 05 Feb 2018 21:59:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 30329 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Sat, Feb 03, 2018 at 05:48:12AM +0800, Alex Vong wrote:
> Hi,
>
> This patch adds xwidgets support to Emcas. So Emacs can now display GTK
> widgets. In particular, it can display webpages using webkitgtk.
>
> Also, I use webkitgtk-2.4 instead of webkitgtk, because xwidgets
> requires libwebkitgtk-3.0 instead of libwebkitgtk-4.0 to
> build.
Webkitgtk is very actively researched and exploited for security
problems. If this use of webkitgtk-2.4 would ever handle untrusted
input, it's not very safe. I don't use Emacs so I'm not sure what the
use case is for webkitgtk.
For examples, you can check the security advisories published by the
Webkitgtk team:
https://webkitgtk.org/news.html
They publish an advisory after every release, and there are always
several fixed bugs allowing code execution by whoever supplies the input
(typically from a remote web server).
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#30329; Package
guix-patches.
(Tue, 06 Feb 2018 15:30:03 GMT)
Full text and
rfc822 format available.
Message #11 received at 30329 <at> debbugs.gnu.org (full text, mbox):
Hello,
Leo Famulari <leo <at> famulari.name> skribis:
> On Sat, Feb 03, 2018 at 05:48:12AM +0800, Alex Vong wrote:
>> Hi,
>>
>> This patch adds xwidgets support to Emcas. So Emacs can now display GTK
>> widgets. In particular, it can display webpages using webkitgtk.
>>
>> Also, I use webkitgtk-2.4 instead of webkitgtk, because xwidgets
>> requires libwebkitgtk-3.0 instead of libwebkitgtk-4.0 to
>> build.
>
> Webkitgtk is very actively researched and exploited for security
> problems. If this use of webkitgtk-2.4 would ever handle untrusted
> input, it's not very safe. I don't use Emacs so I'm not sure what the
> use case is for webkitgtk.
>
> For examples, you can check the security advisories published by the
> Webkitgtk team:
>
> https://webkitgtk.org/news.html
>
> They publish an advisory after every release, and there are always
> several fixed bugs allowing code execution by whoever supplies the input
> (typically from a remote web server).
That’s indeed a bit of a problem. Would be nice if it could use the
latest webkitgtk series.
Given that and the increase in closure size, I would prefer making it a
separate “emacs-xwidgets” package.
WDYT?
Thanks,
Ludo’.
Information forwarded
to
guix-patches <at> gnu.org:
bug#30329; Package
guix-patches.
(Thu, 08 Feb 2018 01:05:02 GMT)
Full text and
rfc822 format available.
Message #14 received at 30329 <at> debbugs.gnu.org (full text, mbox):
ludo <at> gnu.org (Ludovic Courtès) writes:
> Hello,
>
> Leo Famulari <leo <at> famulari.name> skribis:
>
>> On Sat, Feb 03, 2018 at 05:48:12AM +0800, Alex Vong wrote:
>>> Hi,
>>>
>>> This patch adds xwidgets support to Emcas. So Emacs can now display GTK
>>> widgets. In particular, it can display webpages using webkitgtk.
>>>
>>> Also, I use webkitgtk-2.4 instead of webkitgtk, because xwidgets
>>> requires libwebkitgtk-3.0 instead of libwebkitgtk-4.0 to
>>> build.
>>
>> Webkitgtk is very actively researched and exploited for security
>> problems. If this use of webkitgtk-2.4 would ever handle untrusted
>> input, it's not very safe. I don't use Emacs so I'm not sure what the
>> use case is for webkitgtk.
>>
>> For examples, you can check the security advisories published by the
>> Webkitgtk team:
>>
>> https://webkitgtk.org/news.html
>>
>> They publish an advisory after every release, and there are always
>> several fixed bugs allowing code execution by whoever supplies the input
>> (typically from a remote web server).
>
> That’s indeed a bit of a problem. Would be nice if it could use the
> latest webkitgtk series.
>
> Given that and the increase in closure size, I would prefer making it a
> separate “emacs-xwidgets” package.
>
> WDYT?
>
I agree with what Leo thought. Since it is up to emacs package authors
to make sure untrusted input are never sent to webkitgtk, and it is hard
to garantee that every package does the right thing.
So I will send another patch after emacs switch to libwebkitgtk-4.0 (in
a separate package).
> Thanks,
> Ludo’.
Information forwarded
to
guix-patches <at> gnu.org:
bug#30329; Package
guix-patches.
(Thu, 08 Feb 2018 02:33:02 GMT)
Full text and
rfc822 format available.
Message #17 received at 30329 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Thu, Feb 08, 2018 at 09:04:35AM +0800, Alex Vong wrote:
> I agree with what Leo thought. Since it is up to emacs package authors
> to make sure untrusted input are never sent to webkitgtk, and it is hard
> to garantee that every package does the right thing.
I'd like to clarify myself a bit.
I believe that with some time and effort, someone could find exploitable
bugs in every complex piece of software in Guix.
We shouldn't let this hold us back from enjoying the features of the
software.
However, in cases where the bugs were publicized long ago (webkitgtk
2.4.0 is almost 4 years old; 2.4.11 almost 2 years old) and the bugs are
easily accessible to attackers (webkitgtk renders content from web
pages) we should be more careful.
GnuCash is now the only thing in our tree using this old webkitgtk, and
the GnuCash developers are actively working to make GnuCash use a more
recent version. Other distros have even removed GnuCash or are preparing
to remove it due to this issue, but I think we can wait for a bit
longer.
BTW, there is a bug to discuss related issues at
<https://bugs.gnu.org/26176>.
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#30329; Package
guix-patches.
(Sat, 09 Jun 2018 05:26:01 GMT)
Full text and
rfc822 format available.
Message #20 received at 30329 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hi,
Alex Vong <alexvong1995 <at> gmail.com> writes:
> This patch adds xwidgets support to Emcas. So Emacs can now display GTK
> widgets. In particular, it can display webpages using webkitgtk.
>
> Also, I use webkitgtk-2.4 instead of webkitgtk, because xwidgets
> requires libwebkitgtk-3.0 instead of libwebkitgtk-4.0 to
> build.
This patch will no longer work, since webkitgtk <at> 2.4 has been removed.
How shall we proceed? Is something like it still needed, or can we
close this report?
--
Chris
[signature.asc (application/pgp-signature, inline)]
Reply sent
to
Ricardo Wurmus <rekado <at> elephly.net>:
You have taken responsibility.
(Sat, 23 Jun 2018 23:55:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Alex Vong <alexvong1995 <at> gmail.com>:
bug acknowledged by developer.
(Sat, 23 Jun 2018 23:55:02 GMT)
Full text and
rfc822 format available.
Message #25 received at 30329-done <at> debbugs.gnu.org (full text, mbox):
Chris Marusich <cmmarusich <at> gmail.com> writes:
> Alex Vong <alexvong1995 <at> gmail.com> writes:
>
>> This patch adds xwidgets support to Emcas. So Emacs can now display GTK
>> widgets. In particular, it can display webpages using webkitgtk.
>>
>> Also, I use webkitgtk-2.4 instead of webkitgtk, because xwidgets
>> requires libwebkitgtk-3.0 instead of libwebkitgtk-4.0 to
>> build.
>
> This patch will no longer work, since webkitgtk <at> 2.4 has been removed.
> How shall we proceed? Is something like it still needed, or can we
> close this report?
Some time ago I updated the Emacs xwidget feature to use the latest
webkit, so we shouldn’t be using the old one here.
I would suggest not to add this package, because the xwidgets feature
currently isn’t all that useful. There is very little communication
between Emacs and the widget. Work was underway (and has since stalled)
to use gobject introspection to expose the webkit API to Elisp.
I’d suggest to wait until this feature is more useful.
Alex, I’m closing this bug now, but you’re welcome to submit another
patch that adds a separate emacs-with-xwidgets package and I won’t
reject it despite my opinion of current state of the feature.
Thanks!
--
Ricardo
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Sun, 22 Jul 2018 11:24:04 GMT)
Full text and
rfc822 format available.
This bug report was last modified 5 years and 280 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.