iOS: Use objc2
#87
Concrete benefits to `webbrowser`:

- Less error prone `msg_send!` macro invocations (I've refactored the rest into a separate function as recommended by the docs).
- Prevents a leak of the `options` dictionary.
- Catches errors when passing an invalid URL to `NSURL`.
- Makes it easier to do something in the completion handler in the future.
Thanks @madsmtm. I remember the thread between you and the objc maintainer. While I do want to walk away from a 4+ yr stale crate, the following considerations come up:
The first issue is the main blocker here, and while I do want to be supportive of migration away from objc (given the maintainer's stance on it), I'd like to make sure that I feel comfortable with security for my downstream users first. I don't have any suggestions for you on this, just sharing what's top of mind for me here. I'm leaving this PR open for now, to allow myself more time to think through this, and for alternative perspectives to be shared. * Edit: I want to be clear that I'm not insinuating that this is a supply chain attack. I'm just explaining why I've continued to stick with
Thanks for the thoughtful reply!
Thanks for the heads-up, I've added one in madsmtm/objc2@469a36f and enabled the ability to report vulnerabilities using GitHub's advisories.
I'll note that it isn't defined by policy yet, so I may still decide to bump it in a minor version. Would be interested in your input on it, preferably in madsmtm/objc2#203.
One idea to slightly reduce the review surface would be to not use Although,
Totally understandable worry (especially given that I'm opening the PR myself, I can definitely see how this could be negatively interpreted). In general, I'm looking to replace That said, I'm totally fine with it (and really quite respect) if you want to hold out on this for a while! If you think of other ways I can help prove the sincerity and security of the project, please don't hesitate to tell me!
Thanks @madsmtm, for deciding to have a security policy, as well as your inputs on the surface area to assess. I don't have a well defined time frame in mind currently, but I do plan to take a first look at it this weekend.
This is good to go after the tests. Thanks @madsmtm, and hope that you find wider adoption quickly enough. To document my thought process for later reference:
Proceeding with merging this, despite the ios test failure. I'm currently of the opinion that the test failure has something to do with some recent changes to the I'll figure that out separately from this PR. Release will happen only after this has been figured out.
Thanks for caring so much about the security of your project, it's been really nice to see and to discuss with you!
This is released as v1.0.1
`objc2` is a refinement of `objc`. Builds upon #86 to avoid a merge conflict.