Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.

Dismiss

Concerning Mozilla GTK Embedding

3 views

Skip to first unread message

Doug Turner

unread,

Dec 12, 2007, 4:28:38 PM12/12/07

to dev-em...@lists.mozilla.org

This is important if you are an embedder, and use the mozilla gtk
embedding widget.

Between Mozilla 1.8 and now, the Mozilla GTK embedding widget has had
large changes outside the normal review process. Recently Kai Engert
(the owner of PSM) has found a security hole in code. As we dug into
this problem, it quickly became apparent that this code, if reviewed,
would have been caught. I know it is easy to say this now, but
seriously (bug number 406724) we were stubbing out an interface, and
did a terrible job at doing it. As we continued looking at the code,
there are large areas that need further reviewing.

On IRC, we discussed the possibly of just backing out all of this
code. The result of a backout would be that we would have a mozilla
gtk embedding widget that has no additional functionality above 1.8.
Post 1.9, we will carefully review the patches that we backed out.

The alternative might be to suck it up and accept the changes as is,
have the right people start reviewing this code as soon as possible,
and ensure that something like this never ever happens again.

The changes that are suspect (there are some good checkins in this):

http://bonsai.mozilla.org/cvsquery.cgi?branch=HEAD&dir=mozilla%2Fembedding%2Fbrowser%2Fgtk&date=explicit&mindate=2006-07-01&maxdate=2007-04-01

I am interested in hearing feedback either way.

Doug Turner