I wasn't aware of Balsa or Geary, but it's interesting to note that the author has mentioned that they are affected by GNOME's culture. I also have found the GNOME devs to have issues with admitting any fault at all, security or otherwise, but I wasn't aware of them being linked to any email clients other than Evolution - which I have been using.
What's a good app for Exchange on Linux? I could use the web app, which my company has available, but I do appreciate having a dedicated email client sometimes, particularly for OS notifications (which will work without having the browser open).
Not defending the GNOME devs as being perfect, but I'd suggest reading this from the start: https://gitlab.gnome.org/GNOME/evolution/-/issues/3095 and then deciding if the author is really being affected by a "toxic development culture" at GNOME.
Reading the thread, I don't see how that's much of a defense.
A GNOME foundation member going through the thread to decorate the reporter's posts with clown emoji reactions is not great.
It seems reasonable to say "even if this is caused by one of your library dependencies, users are using your application and you should try to find a mitigation."
If you get in a wreck because your brakes fail, imagine the car manufacturer saying "oh that's not a problem with the car, it's a problem with the brakes. Talk to the brake manufacturer."
"No warranty express or implied" and all that, but still.
No one here comes out looking particularly good, but at the end of the day the issue is still unpatched and OP is doing a good thing spreading that information.
Honestly, I think the GNOME devs in that thread were really patient with a bug filer who kept escalating and inserting little taunting quips, and ultimately was barking up the wrong tree (project). He could have easily just accepted that the bug was in a different project, and go press that team instead. You're not going to get anywhere with such an argumentative tone.
A few years ago while working at a company that required Exchange, I was using Thunderbird with an addon called Owl. It was a paid addon, I think in the neighborhood of $10 to $20, and very much worth it. Full calendar integration and everything. Outlook users would be interested in my setup.
You are looking for a minority of a minority of a minority - People using Linux, people using an email client, people using Linux that want all the MS Exchange features.
Tons of "general" email clients out there, sure, but you're talking about a largely proprietary system.
Have to disagree, having worked at multiple companies using Exchange for their email servers but with Linux workstations. It's not so uncommon for software devs to request a Linux system, depending on the field. I'll agree that it's less common, but the issue is more the small number of people using Linux rather than Exchange.
I like using Edge for that. Desktop notifications work and I can log off from work by closing the entire window. When I change company I am getting rid of the profile.
Evolution is the only client on Linux (that I’m aware of) that fully supports Microsoft Exchange and Google out of the box without any plugins. I used Thunderbird for a long time, however I got frustrated so many times after things broke after every update because essential plugins stopped working. Yes, you may say Evolution UI is old, but the software is rock solid and software in general is more than its GUI. It’s good to bring awareness about the tracking but I’m not so bothered by it, as it’s hard to find software that doesn’t track you these days.
They didn't say it was OK; they said it was good to be informed about it, they were not personally bothered by it, and they added that it's difficult to find software that doesn't do it. There is no non sequitur.
Same here. Nowadays we've switched from Exchange and use IMAP. I stay with Evolution because the client and integration are good. I like some design decisions in the UI. Evolution allows using client-side decorations and a traditional menu bar at the same time. And they've added integrated Markdown support lately. While an upgrade to Gtk4 is hopefully coming. I would love to see support for notes via IMAP, similar to how iOS has done for many years.
PS: If your e-mails are stored on an Exchange server (or worse: Azure), the discussed problem is the least of your issues.
I feel like I should note that Exchange support is indeed a plugin, and isn't installed by default on (for example) Fedora. However, I believe it's a first party plugin.
The support is only for the EWS protocol (MS Graph will probably come next year). You can enable it in beta by going to Config Editor (this is primarily for advanced users), searching for the preference "experimental.mail.ews.enabled" and setting it to true.
You would have to manually add the account. Currently only mail is supported. No calendar support.
If only he made that much effort to get Chromium to fix the issue. The source of the problem is with a dependency of the email clients, not the email clients themselves.
He is bothering small free software projects so that those small free software projects ask Chromium to fix the issue.
Just my opinion, but the dependency on Chromium is a problem in itself. You don't need a full-blown browser to render HTML email. The fact that it is no more viable for a client to ignore HTML nowadays is something unfortunate, to say the least.
Real people only need Emoji support at best (or at worst), because nowadays everyone from your bank to your local security expert tells you "don't click on links in emails", and your local privacy expert tells you to turn off every convenience feature related to HTML.
On another note, TFA talks about a "GNOME toxic development culture", which looks like a blanket statement. Does it really exist?
If only the developers of Evolution Mail made any effort to get the issue fixed in the 15 months they've known about it.
It's unacceptable to sit on a privacy affecting bug like this for 15 months.
This continuously repeated bullshit that the source of the problem lies elsewhere is tiring. They're knowingly using a library with a security bug, and they're doing:
1. Nothing to get the devs of that library to fix it
2. Nothing to fix the library themselves
3. Nothing to warn their users
4. Nothing in their local application to protect their users.
You’re welcome to submit a request for a refund of the purchase price for Evolution.
Your Gitlab issue is a textbook example of why open source devs quit. And now you’re wandering around trying to drum up a mob to further pressure people to do free work for you.
They have done #1 and the library is WebKit and so #2 isn't happening. Not the least of which because of the lack of expertise to patch that code base but because it's dynamically linked and in most deployment scenarios they get the webkit provided by the distro. If Evolution even tried to vendor WebKit downstream packagers would patch it out so that it links to the system lib and gets security patches along with the rest of the system.
I thought the Evolution issue was related to WebKit. Same for the other one (Geary). Does Chromium also have the same issue? Regardless, it seems like these issues are all related to WebKitGTK, not Chromium.
>The source of the problem is with a dependency of the email clients, not the email clients themselves.
For end users, that's a distinction without a difference. Programmers are responsible for their choice of dependencies. If you've chosen to depend on it, it becomes your problem. Chromium is open source, no? So the email client programmer can fix that bug himself.
It’s their product, IMHO it’s their responsibility. They can pressure the upstream library developers (good luck with that) or submit a patch, or switch to another library. The “not my problem” attitude from these projects is likely another good reason to avoid these projects.
Will you add a list of Known Good Email Clients? Or just "Tested Clients"? Since you can't possibly test them all, it would be nice to know which ones have been evaluated.
If the library they depend on isn't getting fixed then it needs to be worked around (doable with HTML sanitisation) or use another library that's usable for the purpose of an email client.
If neither of those are doable, the software needs a warning that it's vulnerable to such a terrible privacy exploit. People over however many years this has been possible deserve to know that their email client has been allowing any random person on the internet to easily get their IP address or know they're on their computer.
If you can't do this, why are you maintaining software? It's unmaintained at that point. The replies to the bug report are just terrible attitude even if factually correct.
What I fail to understand is why no one seems to offer the most logical MUA, which is essentially offering the full download/sync of all accounts' maildirs, like with OfflineIMAP, then offering powerful local indexing like notmuch/mu with a pre-made UI nice for end users.
Slogan: own your own messages, own a local GMail. We have all the code except the UI
What's all this controversy with GNOME? I must be missing something. Isn't it perfectly reasonable to say that some security issue in a dependency (which is maintained and open and funded, like WebKit or Linux) is not the fault of someone down the line to fix?
I can't imagine someone reporting a bug to one of my repos about some race condition in the kernel. Why the hell are you bothering me with that? Tell the LKML.
That's not to say I'm not sympathetic, it's just, like, what do you expect me to do?
On the one hand: Yes, if it's not your code then it's not exactly your responsibility to fix.
On the other hand: As a user, the takeaway isn't "well that's not their fault", the takeaway is "if I use this software, then I am vulnerable to this problem". The question of who's responsible or where the fault lies is irrelevant.
Off the top of my head: you could broadcast it more publicly that there is a known issue (particularly important if this is a security issue). You could change code to avoid whatever kernel features trigger the race. You could print a warning if you detect the kernel version is an unpatched one and/or has Kconfig in whatever state exposes the issue.
Want to understand this more. I know I'm talking from a position of privilege, but it's really hard to find a machine these days with less than 16 or 32GB of RAM from the factory.
Even going back several years, DDR4 has been extremely cheap for a long time, and DDR5 is finally closer to general RAM prices.
Isn't Geary basically a one-person show? I remember evaluating Geary a couple years ago and it looked like there was only one active developer. I ended up going with Thunderbird + Davmail.
That's a non-sequitur. Just because it's common does not mean it's okay.
See https://blog.thunderbird.net/2025/07/thunderbird-monthly-dev...
Probably Thunderbird tries it again with 141.
This is not how secure development works.
PS: I'm thankful that they don't use that thing from Google.
Are you using mini PCs with soldered RAM?