Gnome devs say sysadmin "smeared the project" with Evolution Mail privacy report

Last week, Mike Cardwell, a sysadmin, wrote about his experience reporting a privacy issue in the Evolution email client. If you missed that, here's a quick summary: he found out that Evolution leaks user activity through a feature called DNS prefetching. When he reported it, the GNOME developers referred him to a bug in an upstream library, WebKit, and closed his ticket.

An email can include a link HTML tag with the rel attribute set to dns-prefetch and a cross-origin domain in the href attribute. This tells the browser or email client to resolve the domain’s IP address ahead of time.

Normally, for any remote content, WebKitGTK (the web rendering engine Evolution uses) is supposed to emit a signal called WebPage::send-request. This lets Evolution's code decide whether to block the connection based on the "Load Remote Content" setting, which when disabled is supposed to stop trackers and other nasties from phoning home.

The bug here is that for these prefetch requests, WebKit just goes ahead and makes the DNS query without sending that signal.

This bypasses Evolution's privacy defenses completely. So a sender can see if you opened their email, when you opened it, and the IP of your DNS resolver without you ever consenting.

As Michael Catanzaro, a WebKit developer, noted in the bug thread, the enable-dns-prefetching setting Evolution uses to disable this has been deprecated since version 2.48, thus no longer respected by the engine.

This is where things get interesting. The developers' position was that since the bug is in a library they use, it is not their problem to fix inside Evolution. Milan Crha, an Evolution developer, took the time to explain that "applications use libraries, applications have their dependencies", and that a fix has to happen in the right place.

But Cardwell got annoyed, seeing this as a refusal to take responsibility for their own product. He claimed it was the responsibility of the GNOME devs to protect their users, and provided a list of actions the team could take while waiting for an upstream fix:

• Warn people about the problem, either in the UI or on the download page.
• Push the upstream project to fix the library.
• Fork the library and fix it themselves.
• Switch to a different library.

The back and forth got ugly after Cardwell discovered an even worse flaw using a link tag with rel set to preconnect, which leaks a user's actual IP address, not just their DNS server's. He notified the developers that he added it to Email Privacy Tester, a tool he created to find exactly these kinds of issues.

But the GNOME developers did not appreciate his "passive-aggressive" attitude or his public posts. One developer accused him of "smearing of the project" with the posts on his blog, called him "entitled", and said his reporting was "counterproductive and frankly demotivating."

If you want to have a positive impact on this project, please send patches to WebKitGTK. Complaints, especially in the wrong place in the stack, achieve nothing but irritating overextended developers and putting them on the defensive, especially when they already calmly explained to you in multiple ways where the problem needs to be properly fixed.

This story has found an end (for now), as the developers have locked the thread, with Cardwell claiming it was because he "hurt their feelings". The bug in WebKit, first reported in August 2023, remains open.