[SOLVED] './mach' in librewolf PKGBUILD?

ThoughtBubble · 2024-10-05 19:15:39

Where is this script coming from? I don't see it in my cloned repository.

Last edited by ThoughtBubble (2024-11-17 20:56:51)

WorMzy · 2024-10-05 19:48:19

Mod note: moving to AUR Issues.

Scimmia · 2024-10-05 23:13:51

From the source tarball. Notice the `cd librewolf-$pkgver-$pkgrel` at the beginning of the function.

ThoughtBubble · 2024-10-09 15:14:34

How do I make sure that the source URL is trustworthy?

Last edited by ThoughtBubble (2024-10-09 15:14:45)

loqs · 2024-10-09 16:27:21

What have you tried so far far? Such as if you trust https://librewolf.net/ is the project home for LibreWolf that links to https://codeberg.org/librewolf for its source code. From the 130.0.1-1 release of source project on that codeberg instance you can compare the URLs. You could add back PGP signing after verifying that the old key 034F7776EF5E0C613D2F7934D29FBD5F93C0CFC3 has signed the new key 662E3CDD6FE329002D0CA5BB40339DD82B12EF16.

ThoughtBubble · 2024-10-09 17:17:35

loqs wrote:

What have you tried so far far? Such as if you trust https://librewolf.net/ is the project home for LibreWolf that links to https://codeberg.org/librewolf for its source code. From the 130.0.1-1 release of source project on that codeberg instance you can compare the URLs. You could add back PGP signing after verifying that the old key 034F7776EF5E0C613D2F7934D29FBD5F93C0CFC3 has signed the new key 662E3CDD6FE329002D0CA5BB40339DD82B12EF16.

The part that confuses me is why are both CodeBerg and GitLab involved in this. Wouldn't a single hosting service suffice?

loqs · 2024-10-09 18:06:03

ThoughtBubble wrote:

The part that confuses me is why are both CodeBerg and GitLab involved in this. Wouldn't a single hosting service suffice?

Have you tried asking the upstream project? I do not want to speculate.

ThoughtBubble · 2024-10-19 19:29:04

In lines 229-232, I notice there are backslashes at the end of the command. I don't understand what the purpose of these backslashes are. I thought they can only be used to escape characters.

Where is ${PWD@Q} coming from?

Last edited by ThoughtBubble (2024-10-19 19:36:20)

loqs · 2024-10-19 20:38:32

    LLVM_PROFDATA=llvm-profdata \
      JARLOG_FILE="$PWD/jarlog" \
      dbus-run-session \
      xvfb-run -s "-screen 0 1920x1080x24 -nolisten local" \
      ./mach python build/pgo/profileserver.py

A backslash that is not quoted shall preserve the literal value of the following character, with the exception of a <newline>. If a <newline> follows the backslash, the shell shall interpret this as line continuation. So the above is all one command.

man bash wrote:

PWD The current working directory as set by the cd command.

man bash wrote:

${parameter@operator}
Parameter transformation. The expansion is either a transformation of the value of parameter or information about parameter itself, depending on the value of operator. Each operator is a single letter:
....
Q The expansion is a string that is the value of parameter quoted in a format that can be reused as input.

So:

$ echo $PWD
/home/loqs
$  echo ${PWD@Q}
'/home/loqs'

ThoughtBubble · 2024-10-21 02:08:05

Is there a way for me to download and run a checksum against the files specified in source array without running any of the build files? I want to know what is in "mach". I want to see the file locally.

Last edited by ThoughtBubble (2024-10-21 02:11:14)

Lone_Wolf · 2024-10-21 10:46:15

On the aur page for the package there is a sources sectionwith urls (under the dependencies list) , you can download the files manually from there .

Once downloaded to a temp location run sha256sum on the files .
To see the mach script you'll have to extract the tar.gz manually.

ThoughtBubble · 2024-10-21 13:10:50

Lone_Wolf wrote:

Once downloaded to a temp location run sha256sum on the files.

What is the temp location and what is the purpose of downloading it there?

Scimmia · 2024-10-21 13:17:35

Have you read the makepkg man page?

You really don't know what 'a temp location' means? Maybe take a step back and evaluate what you're trying to accomplish here. Do you really expect to understand what the mach script does without a grasp of basics?

Lone_Wolf · 2024-10-21 13:20:47

temp = temporary

Any location where you store things that you need for a short period (after which you will discard them) is a temp location .

what is the purpose of downloading it there

you want to run a checksum against those files.

ThoughtBubble · 2024-10-21 13:35:04

Scimmia wrote:

Have you read the makepkg man page?
You really don't know what 'a temp location' means? Maybe take a step back and evaluate what you're trying to accomplish here. Do you really expect to understand what the mach script does without a grasp of basics?

Sorry, I realize I can use the nobuild and noprepare option now.

I don't know what it means. What should be my starting point? I know I don't understand the parts related to mach in the PKGBUILD. What would be the step back here? What resources should I look into first before delving any further?

Last edited by ThoughtBubble (2024-10-21 13:36:01)

ThoughtBubble · 2024-10-21 13:47:41

Lone_Wolf wrote:

temp = temporary
Any location where you store things that you need for a short period (after which you will discard them) is a temp location .

This would mean using the "/tmp" folder, correct? Just want to make sure I understand in case if this is referenced in the future.

loqs · 2024-10-21 18:32:45

makepkg --verifysource

Please also see my note on the removal of PGP signing in https://bbs.archlinux.org/viewtopic.php … 0#p2201240
You can also view mach at https://hg.mozilla.org/mozilla-central/ … 1_END/mach as librewolf does not patch that file.
Edit:
Comparison of firefox's PKGBUILD with libreworlf's:

git diff --ignore-all-space  firefox/PKGBUILD librewolf/PKGBUILD
diff --git a/firefox/PKGBUILD b/librewolf/PKGBUILD
index 64c2be3..8a13f89 100644
--- a/firefox/PKGBUILD
+++ b/librewolf/PKGBUILD
@@ -1,20 +1,23 @@
-# Maintainer: Jan Alexander Steffens (heftig) <heftig@archlinux.org>
-# Contributor: Ionut Biru <ibiru@archlinux.org>
-# Contributor: Jakub Schmidtke <sjakub@gmail.com>
+# Maintainer: ohfp/lsf <lsf at pfho dot net>
 
-pkgname=firefox
+pkgname=librewolf
+_pkgname=LibreWolf
 pkgver=131.0.3
 pkgrel=1
-pkgdesc="Fast, Private & Safe Web Browser"
-url="https://www.mozilla.org/firefox/"
-arch=(x86_64)
-license=(MPL-2.0)
+pkgdesc="Community-maintained fork of Firefox, focused on privacy, security and freedom."
+url="https://librewolf.net/"
+arch=(x86_64 aarch64)
+license=(
+  GPL
+  LGPL
+  MPL
+)
 depends=(
+  dbus
   alsa-lib
   at-spi2-core
   bash
   cairo
-  dbus
   ffmpeg
   fontconfig
   freetype2
@@ -41,27 +44,31 @@ depends=(
   ttf-font
 )
 makedepends=(
+  binutils
   cbindgen
   clang
   diffutils
+  git
   imake
+  inetutils
   jack
   lld
   llvm
   mesa
   nasm
   nodejs
+  pciutils
   python
   rust
   unzip
-  wasi-compiler-rt
-  wasi-libc
-  wasi-libc++
-  wasi-libc++abi
+  'wasi-compiler-rt>15'
+  'wasi-libc++>15'
+  'wasi-libc++abi>15'
+  'wasi-libc>=1:0+314+a1c7c2c'
   xorg-server-xvfb
   yasm
   zip
-)
+) # pciutils: only to avoid some PGO warning
 optdepends=(
   'hunspell-en_US: Spell checking, American English'
   'libnotify: Notification integration'
@@ -69,93 +76,116 @@ optdepends=(
   'speech-dispatcher: Text-to-Speech'
   'xdg-desktop-portal: Screensharing with Wayland'
 )
+backup=('usr/lib/librewolf/librewolf.cfg'
+        'usr/lib/librewolf/distribution/policies.json')
 options=(
   !emptydirs
   !lto
   !makeflags
 )
+
+_arch_git=https://gitlab.archlinux.org/archlinux/packaging/packages/firefox/-/raw
+
+install='librewolf.install'
 source=(
-  https://archive.mozilla.org/pub/firefox/releases/$pkgver/source/firefox-$pkgver.source.tar.xz{,.asc}
-  $pkgname-symbolic.svg
+  https://gitlab.com/api/v4/projects/32320088/packages/generic/librewolf-source/${pkgver}-${pkgrel}/librewolf-${pkgver}-${pkgrel}.source.tar.gz # {,.sig} sig files are currently broken, it seems
   $pkgname.desktop
-  org.mozilla.$pkgname.metainfo.xml
-)
-validpgpkeys=(
-  # Mozilla Software Releases <release@mozilla.com>
-  # https://blog.mozilla.org/security/2023/05/11/updated-gpg-key-for-signing-firefox-releases/
-  14F26682D0916CDD81E37B6D61B7B526D98F0353
+  "default192x192.png"
 )
-sha256sums=('7a7df3f97737453efaa243ca9dbaf95d0f0f833c5dc8afacb5704ee16ef060d0'
-            'SKIP'
-            'a9b8b4a0a1f4a7b4af77d5fc70c2686d624038909263c795ecc81e0aec7711e9'
-            '71fe797430198ac8c00b538dce537284cf526e48be0496698cf5a980d70c16da'
-            '58d78ce57b3ee936bc966458d6b20ab142d02a897bbe924b3f26717af0c5bee1')
-b2sums=('1d59bb050c4565c3344e7c1159ebd5bc79f050686abbc408c38493c187e3f1960ab1217113e279b170141a004b3a4797e138200a8a5ada8f5ae93eaa337ad8c3'
-        'SKIP'
-        '63a8dd9d8910f9efb353bed452d8b4b2a2da435857ccee083fc0c557f8c4c1339ca593b463db320f70387a1b63f1a79e709e9d12c69520993e26d85a3d742e34'
-        '2c7936949ef922307fb593bd0480a13bde2eab8ae24fc89071d809d6659384705f9b7838b1ae8bc46b98a152ba01fcffad606d4c84796ad9bfaaf20166f0a0fd'
-        '2ce33432f8a73a4f1a412b7a065d3c124e1ca9f6bdf3fad0407e897efc0840f8ef43eeeb1b9bef4a102d9fac0b2c4a2ef205726b817f83fe9c3742d076778b14')
-
-# Google API keys (see http://www.chromium.org/developers/how-tos/api-keys)
-# Note: These are for Arch Linux use ONLY. For your own distribution, please
-# get your own set of keys. Feel free to contact foutrelis@archlinux.org for
-# more information.
-_google_api_key=AIzaSyDwr302FpOSkGRpLlUpPThNTDPbXcIn_FM
+
+sha256sums=('6177f16df17387c3a7f5affdc1dd40ab91ecfae5e93bf532d4e3d4d98acead94'
+            '7d01d317b7db7416783febc18ee1237ade2ec86c1567e2c2dd628a94cbf2f25d'
+            '959c94c68cab8d5a8cff185ddf4dca92e84c18dccc6dc7c8fe11c78549cdc2f1')
+
+validpgpkeys=('034F7776EF5E0C613D2F7934D29FBD5F93C0CFC3') # maltej(?)
+
+# change this to false if you do not want to run a PGO build for aarch64 or x86_64
+_build_profiled_aarch64=true
+_build_profiled_x86_64=true
 
 prepare() {
-  mkdir mozbuild
-  cd firefox-$pkgver
+  mkdir -p mozbuild
+  cd librewolf-$pkgver-$pkgrel
 
-  echo -n "$_google_api_key" >google-api-key
+  mv mozconfig ../mozconfig
 
-  cat >../mozconfig <<END
-ac_add_options --enable-application=browser
-mk_add_options MOZ_OBJDIR=${PWD@Q}/obj
+  cat >>../mozconfig <<END
 
-ac_add_options --prefix=/usr
-ac_add_options --enable-release
-ac_add_options --enable-hardening
-ac_add_options --enable-optimize
-ac_add_options --enable-rust-simd
+# TODO: check things here one after another if (still) required
 ac_add_options --enable-linker=lld
-ac_add_options --disable-install-strip
-ac_add_options --disable-elf-hack
+
+ac_add_options --prefix=/usr
+
 ac_add_options --disable-bootstrap
-ac_add_options --with-wasi-sysroot=/usr/share/wasi-sysroot
+
+export CC='clang'
+export CXX='clang++'
 
 # Branding
-ac_add_options --enable-official-branding
+ac_add_options --with-app-name=${pkgname}
+# is this one required? upstream lw doesn't use it
 ac_add_options --enable-update-channel=release
-ac_add_options --with-distribution-id=org.archlinux
-ac_add_options --with-unsigned-addon-scopes=app,system
-ac_add_options --allow-addon-sideload
-export MOZILLA_OFFICIAL=1
-export MOZ_APP_REMOTINGNAME=$pkgname
+# unlear?
+# ac_add_options --with-app-basename=${_pkgname}
 
-# Keys
-ac_add_options --with-google-location-service-api-keyfile=${PWD@Q}/google-api-key
-ac_add_options --with-google-safebrowsing-api-keyfile=${PWD@Q}/google-api-key
+# needed? yep.
+export MOZ_APP_REMOTINGNAME=${pkgname}
 
 # System libraries
 ac_add_options --with-system-nspr
 ac_add_options --with-system-nss
 
 # Features
+# keep alsa option in here until merged upstream
 ac_add_options --enable-alsa
 ac_add_options --enable-jack
-ac_add_options --enable-crashreporter
-ac_add_options --disable-updater
-ac_add_options --disable-tests
+
+# options for ci / weaker build systems
+# mk_add_options MOZ_MAKE_FLAGS="-j4"
+# ac_add_options --enable-linker=gold
+
+# wasi
+ac_add_options --with-wasi-sysroot=/usr/share/wasi-sysroot
+END
+
+if [[ $CARCH == 'aarch64' ]]; then
+  cat >>../mozconfig <<END
+# taken from manjaro build:
+ac_add_options --enable-optimize="-g0 -O2"
 END
+
+  export MOZ_DEBUG_FLAGS=" "
+  export CFLAGS+=" -g0"
+  export CXXFLAGS+=" -g0"
+  export RUSTFLAGS="-Cdebuginfo=0"
+
+  # we should have more than enough RAM on the CI spot instances.
+  # ...or maybe not?
+  export LDFLAGS+=" -Wl,--no-keep-memory"
+else
+
+  cat >>../mozconfig <<END
+# Arch upstream has it in their PKGBUILD, ALARM does not for aarch64:
+ac_add_options --disable-elf-hack
+
+# might help with failing x86_64 builds?
+export LDFLAGS+=" -Wl,--no-keep-memory"
+END
+fi
+
+  # upstream Arch fixes
+  #
 }
 
+
 build() {
-  cd firefox-$pkgver
+  cd librewolf-$pkgver-$pkgrel
 
   export MACH_BUILD_PYTHON_NATIVE_PACKAGE_SOURCE=pip
   export MOZBUILD_STATE_PATH="$srcdir/mozbuild"
   export MOZ_BUILD_DATE="$(date -u${SOURCE_DATE_EPOCH:+d @$SOURCE_DATE_EPOCH} +%Y%m%d%H%M%S)"
   export MOZ_NOSPAM=1
+  # export PIP_NETWORK_INSTALL_RESTRICTED_VIRTUALENVS=mach # let us hope this is a working _new_ workaround for the pip env issues?
 
   # malloc_usable_size is used in various parts of the codebase
   CFLAGS="${CFLAGS/_FORTIFY_SOURCE=3/_FORTIFY_SOURCE=2}"
@@ -170,14 +200,33 @@ build() {
 
   # Do 3-tier PGO
   echo "Building instrumented browser..."
+
+  if [[ $CARCH == 'aarch64' && $_build_profiled_aarch64 == true ]]; then
+
+    cat >.mozconfig ../mozconfig - <<END
+ac_add_options --enable-profile-generate
+END
+
+  elif [[ $CARCH == 'x86_64' && $_build_profiled_x86_64 == true ]]; then
+
     cat >.mozconfig ../mozconfig - <<END
 ac_add_options --enable-profile-generate=cross
 END
+
+  fi
+
+  if [[ $CARCH == 'aarch64' && $_build_profiled_aarch64 == true || $CARCH == 'x86_64' && $_build_profiled_x86_64 == true ]]; then
+
     ./mach build --priority normal
 
     echo "Profiling instrumented browser..."
+
     ./mach package
-  LLVM_PROFDATA=llvm-profdata JARLOG_FILE="$PWD/jarlog" \
+
+    # Uncomment the next line if you have an error while profiling ( thanks to mkli )
+    # LIBGL_ALWAYS_SOFTWARE=true \
+    LLVM_PROFDATA=llvm-profdata \
+      JARLOG_FILE="$PWD/jarlog" \
       dbus-run-session \
       xvfb-run -s "-screen 0 1920x1080x24 -nolisten local" \
       ./mach python build/pgo/profileserver.py
@@ -192,90 +241,96 @@ END
     ./mach clobber objdir
 
     echo "Building optimized browser..."
+
+    if [[ $CARCH == 'aarch64' ]]; then
+
+      cat >.mozconfig ../mozconfig - <<END
+ac_add_options --enable-lto
+ac_add_options --enable-profile-use
+ac_add_options --with-pgo-profile-path=${PWD@Q}/merged.profdata
+ac_add_options --with-pgo-jarlog=${PWD@Q}/jarlog
+END
+
+    else
+
       cat >.mozconfig ../mozconfig - <<END
-ac_add_options --enable-lto=cross,full
+ac_add_options --enable-lto=cross
 ac_add_options --enable-profile-use=cross
 ac_add_options --with-pgo-profile-path=${PWD@Q}/merged.profdata
 ac_add_options --with-pgo-jarlog=${PWD@Q}/jarlog
 END
+
+    fi
+  fi
+
+  if [[ $CARCH == 'aarch64' && $_build_profiled_aarch64 == false || $CARCH == 'x86_64' && $_build_profiled_x86_64 == false ]]; then
+    cat >.mozconfig ../mozconfig
+  fi
+
   ./mach build --priority normal
 }
 
 package() {
-  cd firefox-$pkgver
+  cd librewolf-$pkgver-$pkgrel
   DESTDIR="$pkgdir" ./mach install
 
+  # mv ${pkgdir}/usr/local/lib ${pkgdir}/usr/lib/
+  # mv ${pkgdir}/usr/local/bin ${pkgdir}/usr/bin/
+  # rm -r ${pkgdir}/usr/local
+
   local vendorjs="$pkgdir/usr/lib/$pkgname/browser/defaults/preferences/vendor.js"
-  install -Dvm644 /dev/stdin "$vendorjs" <<END
-// Use LANG environment variable to choose locale
-pref("intl.locale.requested", "");
 
+  install -Dvm644 /dev/stdin "$vendorjs" <<END
 // Use system-provided dictionaries
 pref("spellchecker.dictionary_path", "/usr/share/hunspell");
 
-// Disable default browser checking.
-pref("browser.shell.checkDefaultBrowser", false);
-
 // Don't disable extensions in the application directory
-pref("extensions.autoDisableScopes", 11);
-
-// Enable GNOME Shell search provider
-pref("browser.gnome-search-provider.enabled", true);
+// done in librewolf.cfg
+// pref("extensions.autoDisableScopes", 11);
 END
 
   local distini="$pkgdir/usr/lib/$pkgname/distribution/distribution.ini"
   install -Dvm644 /dev/stdin "$distini" <<END
+
 [Global]
-id=archlinux
+id=io.gitlab.${pkgname}-community
 version=1.0
-about=Mozilla Firefox for Arch Linux
+about=LibreWolf
 
 [Preferences]
-app.distributor=archlinux
+app.distributor="LibreWolf Community"
 app.distributor.channel=$pkgname
-app.partner.archlinux=archlinux
+app.partner.librewolf=$pkgname
 END
 
-  local i theme=official
-  for i in 16 22 24 32 48 64 128 256; do
-    install -Dvm644 browser/branding/$theme/default$i.png \
+  for i in 16 32 48 64 128; do
+    install -Dvm644 browser/branding/${pkgname}/default$i.png \
       "$pkgdir/usr/share/icons/hicolor/${i}x${i}/apps/$pkgname.png"
   done
-  install -Dvm644 browser/branding/$theme/content/about-logo.png \
+  # install -Dvm644 browser/branding/librewolf/content/about-logo.png \
+    # "$pkgdir/usr/share/icons/hicolor/192x192/apps/$pkgname.png"
+  install -Dvm644 ${srcdir}/default192x192.png \
     "$pkgdir/usr/share/icons/hicolor/192x192/apps/$pkgname.png"
-  install -Dvm644 browser/branding/$theme/content/about-logo@2x.png \
-    "$pkgdir/usr/share/icons/hicolor/384x384/apps/$pkgname.png"
-  install -Dvm644 browser/branding/$theme/content/about-logo.svg \
-    "$pkgdir/usr/share/icons/hicolor/scalable/apps/$pkgname.svg"
 
-  install -Dvm644 ../$pkgname-symbolic.svg -t "$pkgdir/usr/share/icons/hicolor/symbolic/apps"
-  install -Dvm644 ../$pkgname.desktop -t "$pkgdir/usr/share/applications"
-  install -Dvm644 ../org.mozilla.$pkgname.metainfo.xml -t "$pkgdir/usr/share/metainfo"
+  # arch upstream provides a separate svg for this. we don't have that, so let's re-use 16.png
+  install -Dvm644 browser/branding/${pkgname}/default16.png \
+    "$pkgdir/usr/share/icons/hicolor/symbolic/apps/$pkgname-symbolic.png"
+
+  install -Dvm644 ../$pkgname.desktop \
+    "$pkgdir/usr/share/applications/$pkgname.desktop"
 
   # Install a wrapper to avoid confusion about binary path
   install -Dvm755 /dev/stdin "$pkgdir/usr/bin/$pkgname" <<END
 #!/bin/sh
-exec /usr/lib/$pkgname/firefox "\$@"
+exec /usr/lib/$pkgname/librewolf "\$@"
 END
 
   # Replace duplicate binary with wrapper
   # https://bugzilla.mozilla.org/show_bug.cgi?id=658850
-  ln -srfv "$pkgdir/usr/bin/$pkgname" "$pkgdir/usr/lib/$pkgname/firefox-bin"
-
+  ln -srfv "$pkgdir/usr/bin/$pkgname" "$pkgdir/usr/lib/$pkgname/librewolf-bin"
   # Use system certificates
   local nssckbi="$pkgdir/usr/lib/$pkgname/libnssckbi.so"
   if [[ -e $nssckbi ]]; then
     ln -srfv "$pkgdir/usr/lib/libnssckbi.so" "$nssckbi"
   fi
-
-  local sprovider="$pkgdir/usr/share/gnome-shell/search-providers/$pkgname.search-provider.ini"
-  install -Dvm644 /dev/stdin "$sprovider" <<END
-[Shell Search Provider]
-DesktopId=$pkgname.desktop
-BusName=org.mozilla.${pkgname//-/_}.SearchProvider
-ObjectPath=/org/mozilla/${pkgname//-/_}/SearchProvider
-Version=2
-END
 }
-
-# vim:set sw=2 sts=-1 et:

Last edited by loqs (2024-10-21 19:36:29)

Lone_Wolf · 2024-10-22 09:02:57

ThoughtBubble wrote:

Lone_Wolf wrote:
temp = temporary
Any location where you store things that you need for a short period (after which you will discard them) is a temp location .
This would mean using the "/tmp" folder, correct? Just want to make sure I understand in case if this is referenced in the future.

/tmp is (default) a tmpfs which means it's stored in memory (not suitable for large things) and its contents are gone at reboot .
A folder under your home is better suited.

I probably should not have have used 'short period' as stuff in my temp folder sometimes can stay there for months .
Also I like things to be structured and distinguish between A-stuff I want to keep permanently and B-stuff I need to keep for a while (and have quick access to).

The A-stuff goes in dedicated folders under Documents/Pictures etc, B-stuff in $HOME/Temp . At some point B-stuff is deleted or promoted to A-stuff .

ThoughtBubble · 2024-10-26 21:01:13

Thank you guys so much for all the help I have received. I'm truly grateful.

After attempting to build the package, I get an error that is similar to the one in the comments section of the AUR page. So I've decided to go for librewolf-bin instead. I notice that the pinned comment in the AUR page has two GPG key names. Where are these key names coming from?

Also, would you recommend I create an apparmor profile for this browser?

Last edited by ThoughtBubble (2024-10-26 22:00:07)

loqs · 2024-10-26 22:26:28

GnuPG#Import_a_public_key The key-id will be contained in the signature file being used to verify the source. librewolf builds for me without issue in a clean chroot.
Why does the maintainer of the AUR packages librewolf and librewolf-bin only trust 662E3CDD6FE329002D0CA5BB40339DD82B12EF16 for librewolf-bin and not librewolf instead disabling the use of signatures?

ThoughtBubble · 2024-10-27 19:23:55

Whenever I open this browser, I get this warning.

Some of LibreWolf's security features may offer less protection on your current operating system.

Based on the documentation for Firefox, it says

The sandbox in Firefox makes use of unprivileged user namespaces when creating new processes for enforcing more security. This can be considered a security risk, therefore some Linux distributions have started to restrict its usage and only allow it to work where there is an AppArmor profile.
Such profiles can only cover a limited set of installations paths, including Snap and Debian packages. They cannot however cover some other use cases, such as tarball installations as well as local development builds.

Wouldn't setting kernel.unprivileged_userns_clone sysctl to 0 suffice? Should I enable the apparmor profile for Firefox? Is it still necessary to create an apparmor profile for Librewolf?

Last edited by ThoughtBubble (2024-10-27 19:24:29)

loqs · 2024-10-27 19:43:56

ThoughtBubble wrote:

Wouldn't setting kernel.unprivileged_userns_clone sysctl to 0 suffice?

Yes but compared to enabling it for only librewolf it provides a larger attack surface.

ThoughtBubble wrote:

Should I enable the apparmor profile for Firefox? Is it still necessary to create an apparmor profile for Librewolf?

That depends on how you have apparmor configured to handle processes that do not match any application specific profile and what you would want to achieve by enabling it.

ThoughtBubble · 2024-10-27 22:39:33

I guess the question I should have asked from the start is whether I should be concerned about that warning.

loqs · 2024-10-27 22:55:33

ThoughtBubble wrote:

I guess the question I should have asked from the start is whether I should be concerned about that warning.

https://support.mozilla.org/en-US/kb/in … es-warning covers to some extent what is disabled by unprivileged user namespaces being disabled. If you are using apparmor you can enable unprivileged user namespaces only for librewolf.

ThoughtBubble · 2024-10-27 23:05:20

Can I sandbox the browser with other applications instead of enabling user namespaces?

Last edited by ThoughtBubble (2024-10-27 23:06:42)

Arch Linux

#1 2024-10-05 19:15:39

[SOLVED] './mach' in librewolf PKGBUILD?

#2 2024-10-05 19:48:19

Re: [SOLVED] './mach' in librewolf PKGBUILD?

#3 2024-10-05 23:13:51

Re: [SOLVED] './mach' in librewolf PKGBUILD?

#4 2024-10-09 15:14:34

Re: [SOLVED] './mach' in librewolf PKGBUILD?

#5 2024-10-09 16:27:21

Re: [SOLVED] './mach' in librewolf PKGBUILD?

#6 2024-10-09 17:17:35

Re: [SOLVED] './mach' in librewolf PKGBUILD?

#7 2024-10-09 18:06:03

Re: [SOLVED] './mach' in librewolf PKGBUILD?

#8 2024-10-19 19:29:04

Re: [SOLVED] './mach' in librewolf PKGBUILD?

#9 2024-10-19 20:38:32

Re: [SOLVED] './mach' in librewolf PKGBUILD?

#10 2024-10-21 02:08:05

Re: [SOLVED] './mach' in librewolf PKGBUILD?

#11 2024-10-21 10:46:15

Re: [SOLVED] './mach' in librewolf PKGBUILD?

#12 2024-10-21 13:10:50

Re: [SOLVED] './mach' in librewolf PKGBUILD?

#13 2024-10-21 13:17:35

Re: [SOLVED] './mach' in librewolf PKGBUILD?

#14 2024-10-21 13:20:47

Re: [SOLVED] './mach' in librewolf PKGBUILD?

#15 2024-10-21 13:35:04

Re: [SOLVED] './mach' in librewolf PKGBUILD?

#16 2024-10-21 13:47:41

Re: [SOLVED] './mach' in librewolf PKGBUILD?

#17 2024-10-21 18:32:45

Re: [SOLVED] './mach' in librewolf PKGBUILD?

#18 2024-10-22 09:02:57

Re: [SOLVED] './mach' in librewolf PKGBUILD?

#19 2024-10-26 21:01:13

Re: [SOLVED] './mach' in librewolf PKGBUILD?

#20 2024-10-26 22:26:28

Re: [SOLVED] './mach' in librewolf PKGBUILD?

#21 2024-10-27 19:23:55

Re: [SOLVED] './mach' in librewolf PKGBUILD?

#22 2024-10-27 19:43:56

Re: [SOLVED] './mach' in librewolf PKGBUILD?

#23 2024-10-27 22:39:33

Re: [SOLVED] './mach' in librewolf PKGBUILD?

#24 2024-10-27 22:55:33

Re: [SOLVED] './mach' in librewolf PKGBUILD?

#25 2024-10-27 23:05:20

Re: [SOLVED] './mach' in librewolf PKGBUILD?

Board footer