Where is this script coming from? I don't see it in my cloned repository.
Last edited by ThoughtBubble (2024-11-17 20:56:51)
Offline
Mod note: moving to AUR Issues.
Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD
Making lemonade from lemons since 2015.
Online
From the source tarball. Notice the `cd librewolf-$pkgver-$pkgrel` at the beginning of the function.
Online
How do I make sure that the source URL is trustworthy?
Last edited by ThoughtBubble (2024-10-09 15:14:45)
Offline
What have you tried so far? Such as if you trust https://librewolf.net/ is the project home for LibreWolf that links to https://codeberg.org/librewolf for its source code. From the 130.0.1-1 release of the source project on that codeberg instance you can compare the URLs. You could add back PGP signing after verifying that the old key 034F7776EF5E0C613D2F7934D29FBD5F93C0CFC3 has signed the new key 662E3CDD6FE329002D0CA5BB40339DD82B12EF16.
Offline
What have you tried so far? Such as if you trust https://librewolf.net/ is the project home for LibreWolf that links to https://codeberg.org/librewolf for its source code. From the 130.0.1-1 release of the source project on that codeberg instance you can compare the URLs. You could add back PGP signing after verifying that the old key 034F7776EF5E0C613D2F7934D29FBD5F93C0CFC3 has signed the new key 662E3CDD6FE329002D0CA5BB40339DD82B12EF16.
The part that confuses me is why are both CodeBerg and GitLab involved in this. Wouldn't a single hosting service suffice?
Offline
The part that confuses me is why are both CodeBerg and GitLab involved in this. Wouldn't a single hosting service suffice?
Have you tried asking the upstream project? I do not want to speculate.
Offline
In lines 229-232, I notice there are backslashes at the end of the command. I don't understand what the purpose of these backslashes is. I thought they can only be used to escape characters.
Where is ${PWD@Q} coming from?
Last edited by ThoughtBubble (2024-10-19 19:36:20)
Offline
LLVM_PROFDATA=llvm-profdata \
JARLOG_FILE="$PWD/jarlog" \
dbus-run-session \
xvfb-run -s "-screen 0 1920x1080x24 -nolisten local" \
./mach python build/pgo/profileserver.py
A backslash that is not quoted shall preserve the literal value of the following character, with the exception of a <newline>. If a <newline> follows the backslash, the shell shall interpret this as line continuation. So the above is all one command.
PWD The current working directory as set by the cd command.
${parameter@operator}
Parameter transformation. The expansion is either a transformation of the value of parameter or information about parameter itself, depending on the value of operator. Each operator is a single letter:
....
Q The expansion is a string that is the value of parameter quoted in a format that can be reused as input.
So:
$ echo $PWD
/home/loqs
$ echo ${PWD@Q}
'/home/loqs'
Offline
Is there a way for me to download and run a checksum against the files specified in source array without running any of the build files? I want to know what is in "mach". I want to see the file locally.
Last edited by ThoughtBubble (2024-10-21 02:11:14)
Offline
On the AUR page for the package there is a sources section with URLs (under the dependencies list), you can download the files manually from there.
Once downloaded to a temp location run sha256sum on the files.
To see the mach script you'll have to extract the tar.gz manually.
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Offline
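As an added example (not part of any post in this thread): the manual check described above, done without sourcing the PKGBUILD or running makepkg. It assumes the cloned AUR repository contains the package's .SRCINFO and that the sources were downloaded into a directory of your choice; the fixture, its file names and the example.invalid URL are constructed.

```shell
#!/bin/sh
# Added example: verify downloaded sources against .SRCINFO checksums without
# sourcing the PKGBUILD (sourcing it would execute whatever shell it contains).

# Print "<sha256> <local file name>" for each source entry of a .SRCINFO.
# Simplification: only "name::url", plain URLs and local file names are handled.
srcinfo_pairs() {
    awk '
        { sub(/^[ \t]+/, "") }                       # entries are tab-indented
        /^source = /     { src[ns++]  = substr($0, 10) }
        /^sha256sums = / { sums[nh++] = substr($0, 14) }
        END {
            for (i = 0; i < ns; i++) {
                name = src[i]
                p = index(name, "::")
                if (p > 0) name = substr(name, 1, p - 1)
                else sub(/^.*\//, "", name)          # basename of the URL
                sum = (i < nh) ? sums[i] : "NO-CHECKSUM"
                print sum, name
            }
        }' "$1"
}

# Return 0 only if every listed file is present in DIR ($2) and matches.
verify_sources() {
    status=0
    pairs=$(srcinfo_pairs "$1")
    while read -r sum name; do
        [ -n "$sum" ] || continue
        if [ "$sum" = SKIP ]; then
            echo "UNCHECKED $name (checksum is SKIP)"
        elif [ ! -f "$2/$name" ]; then
            echo "MISSING   $name"; status=1
        elif [ "$(sha256sum "$2/$name" | cut -d' ' -f1)" = "$sum" ]; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name"; status=1
        fi
    done <<EOF
$pairs
EOF
    return "$status"
}

# Print one member of a gzip tarball to stdout; nothing is unpacked or run.
peek_member() { tar -xzOf "$1" "$2"; }

# Constructed fixture: a stand-in tarball, an icon and a matching .SRCINFO.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/src/demo-1.0-1" "$d/dl"
    printf '#!/bin/sh\necho constructed stand-in for mach\n' >"$d/src/demo-1.0-1/mach"
    tar -czf "$d/dl/demo-1.0-1.source.tar.gz" -C "$d/src" demo-1.0-1
    printf 'constructed icon bytes\n' >"$d/dl/demo.png"
    {
        printf 'pkgbase = demo\n'
        printf '\tsource = https://example.invalid/demo-1.0-1.source.tar.gz\n'
        printf '\tsource = demo.png\n'
        for f in demo-1.0-1.source.tar.gz demo.png; do
            printf '\tsha256sums = %s\n' "$(sha256sum "$d/dl/$f" | cut -d' ' -f1)"
        done
    } >"$d/.SRCINFO"
    echo "$d"
}

fixture=$(make_fixture)
verify_sources "$fixture/.SRCINFO" "$fixture/dl" &&
    peek_member "$fixture/dl/demo-1.0-1.source.tar.gz" demo-1.0-1/mach
rm -rf "$fixture"
```

A matching checksum only shows the file is the one the PKGBUILD author recorded; it says nothing about who produced it, which is what a signature checked against validpgpkeys would add.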
Once downloaded to a temp location run sha256sum on the files.
What is the temp location and what is the purpose of downloading it there?
Offline
Have you read the makepkg man page?
You really don't know what 'a temp location' means? Maybe take a step back and evaluate what you're trying to accomplish here. Do you really expect to understand what the mach script does without a grasp of basics?
Online
temp = temporary
Any location where you store things that you need for a short period (after which you will discard them) is a temp location.
what is the purpose of downloading it there
you want to run a checksum against those files.
Offline
Have you read the makepkg man page?
You really don't know what 'a temp location' means? Maybe take a step back and evaluate what you're trying to accomplish here. Do you really expect to understand what the mach script does without a grasp of basics?
Sorry, I realize I can use the nobuild and noprepare option now.
I don't know what it means. What should be my starting point? I know I don't understand the parts related to mach in the PKGBUILD. What would be the step back here? What resources should I look into first before delving any further?
Last edited by ThoughtBubble (2024-10-21 13:36:01)
Offline
temp = temporary
Any location where you store things that you need for a short period (after which you will discard them) is a temp location.
This would mean using the "/tmp" folder, correct? Just want to make sure I understand in case this is referenced in the future.
Offline
makepkg --verifysource
Please also see my note on the removal of PGP signing in https://bbs.archlinux.org/viewtopic.php … 0#p2201240
You can also view mach at https://hg.mozilla.org/mozilla-central/ … 1_END/mach as librewolf does not patch that file.
Edit:
Comparison of firefox's PKGBUILD with librewolf's:
git diff --ignore-all-space firefox/PKGBUILD librewolf/PKGBUILD
diff --git a/firefox/PKGBUILD b/librewolf/PKGBUILD
index 64c2be3..8a13f89 100644
--- a/firefox/PKGBUILD
+++ b/librewolf/PKGBUILD
@@ -1,20 +1,23 @@
-# Maintainer: Jan Alexander Steffens (heftig) <heftig@archlinux.org>
-# Contributor: Ionut Biru <ibiru@archlinux.org>
-# Contributor: Jakub Schmidtke <sjakub@gmail.com>
+# Maintainer: ohfp/lsf <lsf at pfho dot net>
-pkgname=firefox
+pkgname=librewolf
+_pkgname=LibreWolf
pkgver=131.0.3
pkgrel=1
-pkgdesc="Fast, Private & Safe Web Browser"
-url="https://www.mozilla.org/firefox/"
-arch=(x86_64)
-license=(MPL-2.0)
+pkgdesc="Community-maintained fork of Firefox, focused on privacy, security and freedom."
+url="https://librewolf.net/"
+arch=(x86_64 aarch64)
+license=(
+ GPL
+ LGPL
+ MPL
+)
depends=(
+ dbus
alsa-lib
at-spi2-core
bash
cairo
- dbus
ffmpeg
fontconfig
freetype2
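Review bot: the new license array lists GPL, LGPL and MPL without versions, where the firefox PKGBUILD it is compared against uses the SPDX identifier MPL-2.0; versioned SPDX identifiers would make the licensing unambiguous. Separately, dbus is moved to the top of depends, out of alphabetical order, with no functional change; leaving it in place would keep the diff against firefox smaller and easier to audit.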
@@ -41,27 +44,31 @@ depends=(
ttf-font
)
makedepends=(
+ binutils
cbindgen
clang
diffutils
+ git
imake
+ inetutils
jack
lld
llvm
mesa
nasm
nodejs
+ pciutils
python
rust
unzip
- wasi-compiler-rt
- wasi-libc
- wasi-libc++
- wasi-libc++abi
+ 'wasi-compiler-rt>15'
+ 'wasi-libc++>15'
+ 'wasi-libc++abi>15'
+ 'wasi-libc>=1:0+314+a1c7c2c'
xorg-server-xvfb
yasm
zip
-)
+) # pciutils: only to avoid some PGO warning
optdepends=(
'hunspell-en_US: Spell checking, American English'
'libnotify: Notification integration'
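Review bot: binutils, git and inetutils are added to makedepends with no explanation, and the only comment (for pciutils) sits after the closing parenthesis where it is easy to miss; document next to each entry why the build needs it, or drop it. The quoted version bounds on the wasi packages ('>15' and 'wasi-libc>=1:0+314+a1c7c2c') would likewise benefit from a note on which build failure they guard against.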
@@ -69,93 +76,116 @@ optdepends=(
'speech-dispatcher: Text-to-Speech'
'xdg-desktop-portal: Screensharing with Wayland'
)
+backup=('usr/lib/librewolf/librewolf.cfg'
+ 'usr/lib/librewolf/distribution/policies.json')
options=(
!emptydirs
!lto
!makeflags
)
+
+_arch_git=https://gitlab.archlinux.org/archlinux/packaging/packages/firefox/-/raw
+
+install='librewolf.install'
source=(
- https://archive.mozilla.org/pub/firefox/releases/$pkgver/source/firefox-$pkgver.source.tar.xz{,.asc}
- $pkgname-symbolic.svg
+ https://gitlab.com/api/v4/projects/32320088/packages/generic/librewolf-source/${pkgver}-${pkgrel}/librewolf-${pkgver}-${pkgrel}.source.tar.gz # {,.sig} sig files are currently broken, it seems
$pkgname.desktop
- org.mozilla.$pkgname.metainfo.xml
-)
-validpgpkeys=(
- # Mozilla Software Releases <release@mozilla.com>
- # https://blog.mozilla.org/security/2023/05/11/updated-gpg-key-for-signing-firefox-releases/
- 14F26682D0916CDD81E37B6D61B7B526D98F0353
+ "default192x192.png"
)
-sha256sums=('7a7df3f97737453efaa243ca9dbaf95d0f0f833c5dc8afacb5704ee16ef060d0'
- 'SKIP'
- 'a9b8b4a0a1f4a7b4af77d5fc70c2686d624038909263c795ecc81e0aec7711e9'
- '71fe797430198ac8c00b538dce537284cf526e48be0496698cf5a980d70c16da'
- '58d78ce57b3ee936bc966458d6b20ab142d02a897bbe924b3f26717af0c5bee1')
-b2sums=('1d59bb050c4565c3344e7c1159ebd5bc79f050686abbc408c38493c187e3f1960ab1217113e279b170141a004b3a4797e138200a8a5ada8f5ae93eaa337ad8c3'
- 'SKIP'
- '63a8dd9d8910f9efb353bed452d8b4b2a2da435857ccee083fc0c557f8c4c1339ca593b463db320f70387a1b63f1a79e709e9d12c69520993e26d85a3d742e34'
- '2c7936949ef922307fb593bd0480a13bde2eab8ae24fc89071d809d6659384705f9b7838b1ae8bc46b98a152ba01fcffad606d4c84796ad9bfaaf20166f0a0fd'
- '2ce33432f8a73a4f1a412b7a065d3c124e1ca9f6bdf3fad0407e897efc0840f8ef43eeeb1b9bef4a102d9fac0b2c4a2ef205726b817f83fe9c3742d076778b14')
-
-# Google API keys (see http://www.chromium.org/developers/how-tos/api-keys)
-# Note: These are for Arch Linux use ONLY. For your own distribution, please
-# get your own set of keys. Feel free to contact foutrelis@archlinux.org for
-# more information.
-_google_api_key=AIzaSyDwr302FpOSkGRpLlUpPThNTDPbXcIn_FM
+
+sha256sums=('6177f16df17387c3a7f5affdc1dd40ab91ecfae5e93bf532d4e3d4d98acead94'
+ '7d01d317b7db7416783febc18ee1237ade2ec86c1567e2c2dd628a94cbf2f25d'
+ '959c94c68cab8d5a8cff185ddf4dca92e84c18dccc6dc7c8fe11c78549cdc2f1')
+
+validpgpkeys=('034F7776EF5E0C613D2F7934D29FBD5F93C0CFC3') # maltej(?)
+
+# change this to false if you do not want to run a PGO build for aarch64 or x86_64
+_build_profiled_aarch64=true
+_build_profiled_x86_64=true
prepare() {
- mkdir mozbuild
- cd firefox-$pkgver
+ mkdir -p mozbuild
+ cd librewolf-$pkgver-$pkgrel
- echo -n "$_google_api_key" >google-api-key
+ mv mozconfig ../mozconfig
- cat >../mozconfig <<END
-ac_add_options --enable-application=browser
-mk_add_options MOZ_OBJDIR=${PWD@Q}/obj
+ cat >>../mozconfig <<END
-ac_add_options --prefix=/usr
-ac_add_options --enable-release
-ac_add_options --enable-hardening
-ac_add_options --enable-optimize
-ac_add_options --enable-rust-simd
+# TODO: check things here one after another if (still) required
ac_add_options --enable-linker=lld
-ac_add_options --disable-install-strip
-ac_add_options --disable-elf-hack
+
+ac_add_options --prefix=/usr
+
ac_add_options --disable-bootstrap
-ac_add_options --with-wasi-sysroot=/usr/share/wasi-sysroot
+
+export CC='clang'
+export CXX='clang++'
# Branding
-ac_add_options --enable-official-branding
+ac_add_options --with-app-name=${pkgname}
+# is this one required? upstream lw doesn't use it
ac_add_options --enable-update-channel=release
-ac_add_options --with-distribution-id=org.archlinux
-ac_add_options --with-unsigned-addon-scopes=app,system
-ac_add_options --allow-addon-sideload
-export MOZILLA_OFFICIAL=1
-export MOZ_APP_REMOTINGNAME=$pkgname
+# unlear?
+# ac_add_options --with-app-basename=${_pkgname}
-# Keys
-ac_add_options --with-google-location-service-api-keyfile=${PWD@Q}/google-api-key
-ac_add_options --with-google-safebrowsing-api-keyfile=${PWD@Q}/google-api-key
+# needed? yep.
+export MOZ_APP_REMOTINGNAME=${pkgname}
# System libraries
ac_add_options --with-system-nspr
ac_add_options --with-system-nss
# Features
+# keep alsa option in here until merged upstream
ac_add_options --enable-alsa
ac_add_options --enable-jack
-ac_add_options --enable-crashreporter
-ac_add_options --disable-updater
-ac_add_options --disable-tests
+
+# options for ci / weaker build systems
+# mk_add_options MOZ_MAKE_FLAGS="-j4"
+# ac_add_options --enable-linker=gold
+
+# wasi
+ac_add_options --with-wasi-sysroot=/usr/share/wasi-sysroot
+END
+
+if [[ $CARCH == 'aarch64' ]]; then
+ cat >>../mozconfig <<END
+# taken from manjaro build:
+ac_add_options --enable-optimize="-g0 -O2"
END
+
+ export MOZ_DEBUG_FLAGS=" "
+ export CFLAGS+=" -g0"
+ export CXXFLAGS+=" -g0"
+ export RUSTFLAGS="-Cdebuginfo=0"
+
+ # we should have more than enough RAM on the CI spot instances.
+ # ...or maybe not?
+ export LDFLAGS+=" -Wl,--no-keep-memory"
+else
+
+ cat >>../mozconfig <<END
+# Arch upstream has it in their PKGBUILD, ALARM does not for aarch64:
+ac_add_options --disable-elf-hack
+
+# might help with failing x86_64 builds?
+export LDFLAGS+=" -Wl,--no-keep-memory"
+END
+fi
+
+ # upstream Arch fixes
+ #
}
+
build() {
- cd firefox-$pkgver
+ cd librewolf-$pkgver-$pkgrel
export MACH_BUILD_PYTHON_NATIVE_PACKAGE_SOURCE=pip
export MOZBUILD_STATE_PATH="$srcdir/mozbuild"
export MOZ_BUILD_DATE="$(date -u${SOURCE_DATE_EPOCH:+d @$SOURCE_DATE_EPOCH} +%Y%m%d%H%M%S)"
export MOZ_NOSPAM=1
+ # export PIP_NETWORK_INSTALL_RESTRICTED_VIRTUALENVS=mach # let us hope this is a working _new_ workaround for the pip env issues?
# malloc_usable_size is used in various parts of the codebase
CFLAGS="${CFLAGS/_FORTIFY_SOURCE=3/_FORTIFY_SOURCE=2}"
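Review bot: the source array drops the detached signature (the {,.sig} is commented out as "currently broken") while validpgpkeys is kept, so that key is never consulted and the tarball is checked only against the sha256sums stored in the same PKGBUILD, with the b2sums removed as well. Either restore the .sig entry so validpgpkeys takes effect, or remove validpgpkeys and say in a comment that the source is unsigned. Separately, --enable-hardening, --enable-release and --enable-optimize are no longer written by prepare(), which now appends to the mozconfig shipped inside the tarball; a comment confirming that file sets them would help anyone auditing the build.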
@@ -170,14 +200,33 @@ build() {
# Do 3-tier PGO
echo "Building instrumented browser..."
+
+ if [[ $CARCH == 'aarch64' && $_build_profiled_aarch64 == true ]]; then
+
+ cat >.mozconfig ../mozconfig - <<END
+ac_add_options --enable-profile-generate
+END
+
+ elif [[ $CARCH == 'x86_64' && $_build_profiled_x86_64 == true ]]; then
+
cat >.mozconfig ../mozconfig - <<END
ac_add_options --enable-profile-generate=cross
END
+
+ fi
+
+ if [[ $CARCH == 'aarch64' && $_build_profiled_aarch64 == true || $CARCH == 'x86_64' && $_build_profiled_x86_64 == true ]]; then
+
./mach build --priority normal
echo "Profiling instrumented browser..."
+
./mach package
- LLVM_PROFDATA=llvm-profdata JARLOG_FILE="$PWD/jarlog" \
+
+ # Uncomment the next line if you have an error while profiling ( thanks to mkli )
+ # LIBGL_ALWAYS_SOFTWARE=true \
+ LLVM_PROFDATA=llvm-profdata \
+ JARLOG_FILE="$PWD/jarlog" \
dbus-run-session \
xvfb-run -s "-screen 0 1920x1080x24 -nolisten local" \
./mach python build/pgo/profileserver.py
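Review bot: the test that selects a profiled build is written twice, first as the if/elif that writes .mozconfig and again as the combined condition before ./mach build, and the second form depends on && binding tighter than || inside [[ ]]. Decide once (for example a single variable set per $CARCH) and test that variable in both places, so the two conditions cannot drift apart when one of them is edited.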
@@ -192,90 +241,96 @@ END
./mach clobber objdir
echo "Building optimized browser..."
+
+ if [[ $CARCH == 'aarch64' ]]; then
+
+ cat >.mozconfig ../mozconfig - <<END
+ac_add_options --enable-lto
+ac_add_options --enable-profile-use
+ac_add_options --with-pgo-profile-path=${PWD@Q}/merged.profdata
+ac_add_options --with-pgo-jarlog=${PWD@Q}/jarlog
+END
+
+ else
+
cat >.mozconfig ../mozconfig - <<END
-ac_add_options --enable-lto=cross,full
+ac_add_options --enable-lto=cross
ac_add_options --enable-profile-use=cross
ac_add_options --with-pgo-profile-path=${PWD@Q}/merged.profdata
ac_add_options --with-pgo-jarlog=${PWD@Q}/jarlog
END
+
+ fi
+ fi
+
+ if [[ $CARCH == 'aarch64' && $_build_profiled_aarch64 == false || $CARCH == 'x86_64' && $_build_profiled_x86_64 == false ]]; then
+ cat >.mozconfig ../mozconfig
+ fi
+
./mach build --priority normal
}
package() {
- cd firefox-$pkgver
+ cd librewolf-$pkgver-$pkgrel
DESTDIR="$pkgdir" ./mach install
+ # mv ${pkgdir}/usr/local/lib ${pkgdir}/usr/lib/
+ # mv ${pkgdir}/usr/local/bin ${pkgdir}/usr/bin/
+ # rm -r ${pkgdir}/usr/local
+
local vendorjs="$pkgdir/usr/lib/$pkgname/browser/defaults/preferences/vendor.js"
- install -Dvm644 /dev/stdin "$vendorjs" <<END
-// Use LANG environment variable to choose locale
-pref("intl.locale.requested", "");
+ install -Dvm644 /dev/stdin "$vendorjs" <<END
// Use system-provided dictionaries
pref("spellchecker.dictionary_path", "/usr/share/hunspell");
-// Disable default browser checking.
-pref("browser.shell.checkDefaultBrowser", false);
-
// Don't disable extensions in the application directory
-pref("extensions.autoDisableScopes", 11);
-
-// Enable GNOME Shell search provider
-pref("browser.gnome-search-provider.enabled", true);
+// done in librewolf.cfg
+// pref("extensions.autoDisableScopes", 11);
END
local distini="$pkgdir/usr/lib/$pkgname/distribution/distribution.ini"
install -Dvm644 /dev/stdin "$distini" <<END
+
[Global]
-id=archlinux
+id=io.gitlab.${pkgname}-community
version=1.0
-about=Mozilla Firefox for Arch Linux
+about=LibreWolf
[Preferences]
-app.distributor=archlinux
+app.distributor="LibreWolf Community"
app.distributor.channel=$pkgname
-app.partner.archlinux=archlinux
+app.partner.librewolf=$pkgname
END
- local i theme=official
- for i in 16 22 24 32 48 64 128 256; do
- install -Dvm644 browser/branding/$theme/default$i.png \
+ for i in 16 32 48 64 128; do
+ install -Dvm644 browser/branding/${pkgname}/default$i.png \
"$pkgdir/usr/share/icons/hicolor/${i}x${i}/apps/$pkgname.png"
done
- install -Dvm644 browser/branding/$theme/content/about-logo.png \
+ # install -Dvm644 browser/branding/librewolf/content/about-logo.png \
+ # "$pkgdir/usr/share/icons/hicolor/192x192/apps/$pkgname.png"
+ install -Dvm644 ${srcdir}/default192x192.png \
"$pkgdir/usr/share/icons/hicolor/192x192/apps/$pkgname.png"
- install -Dvm644 browser/branding/$theme/content/about-logo@2x.png \
- "$pkgdir/usr/share/icons/hicolor/384x384/apps/$pkgname.png"
- install -Dvm644 browser/branding/$theme/content/about-logo.svg \
- "$pkgdir/usr/share/icons/hicolor/scalable/apps/$pkgname.svg"
- install -Dvm644 ../$pkgname-symbolic.svg -t "$pkgdir/usr/share/icons/hicolor/symbolic/apps"
- install -Dvm644 ../$pkgname.desktop -t "$pkgdir/usr/share/applications"
- install -Dvm644 ../org.mozilla.$pkgname.metainfo.xml -t "$pkgdir/usr/share/metainfo"
+ # arch upstream provides a separate svg for this. we don't have that, so let's re-use 16.png
+ install -Dvm644 browser/branding/${pkgname}/default16.png \
+ "$pkgdir/usr/share/icons/hicolor/symbolic/apps/$pkgname-symbolic.png"
+
+ install -Dvm644 ../$pkgname.desktop \
+ "$pkgdir/usr/share/applications/$pkgname.desktop"
# Install a wrapper to avoid confusion about binary path
install -Dvm755 /dev/stdin "$pkgdir/usr/bin/$pkgname" <<END
#!/bin/sh
-exec /usr/lib/$pkgname/firefox "\$@"
+exec /usr/lib/$pkgname/librewolf "\$@"
END
# Replace duplicate binary with wrapper
# https://bugzilla.mozilla.org/show_bug.cgi?id=658850
- ln -srfv "$pkgdir/usr/bin/$pkgname" "$pkgdir/usr/lib/$pkgname/firefox-bin"
-
+ ln -srfv "$pkgdir/usr/bin/$pkgname" "$pkgdir/usr/lib/$pkgname/librewolf-bin"
# Use system certificates
local nssckbi="$pkgdir/usr/lib/$pkgname/libnssckbi.so"
if [[ -e $nssckbi ]]; then
ln -srfv "$pkgdir/usr/lib/libnssckbi.so" "$nssckbi"
fi
-
- local sprovider="$pkgdir/usr/share/gnome-shell/search-providers/$pkgname.search-provider.ini"
- install -Dvm644 /dev/stdin "$sprovider" <<END
-[Shell Search Provider]
-DesktopId=$pkgname.desktop
-BusName=org.mozilla.${pkgname//-/_}.SearchProvider
-ObjectPath=/org/mozilla/${pkgname//-/_}/SearchProvider
-Version=2
-END
}
-
-# vim:set sw=2 sts=-1 et:
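Review bot: the unprofiled path at the end of build() tests == false explicitly, so any value other than the literal true or false in _build_profiled_aarch64 or _build_profiled_x86_64 matches neither block and ./mach build runs without build() having written .mozconfig; make it the else branch of the profiled test instead. In package(), the "local i" declaration was dropped along with theme, so the loop variable is no longer scoped to the function; keep "local i".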
Last edited by loqs (2024-10-21 19:36:29)
Offline
Lone_Wolf wrote: temp = temporary
Any location where you store things that you need for a short period (after which you will discard them) is a temp location.
This would mean using the "/tmp" folder, correct? Just want to make sure I understand in case this is referenced in the future.
/tmp is (by default) a tmpfs, which means it's stored in memory (not suitable for large things) and its contents are gone at reboot.
A folder under your home is better suited.
I probably should not have used 'short period', as stuff in my temp folder can sometimes stay there for months.
Also I like things to be structured and distinguish between A-stuff I want to keep permanently and B-stuff I need to keep for a while (and have quick access to).
The A-stuff goes in dedicated folders under Documents/Pictures etc., B-stuff in $HOME/Temp. At some point B-stuff is deleted or promoted to A-stuff.
Offline
Thank you guys so much for all the help I have received. I'm truly grateful.
After attempting to build the package, I get an error that is similar to the one in the comments section of the AUR page. So I've decided to go for librewolf-bin instead. I notice that the pinned comment in the AUR page has two GPG key names. Where are these key names coming from?
Also, would you recommend I create an apparmor profile for this browser?
Last edited by ThoughtBubble (2024-10-26 22:00:07)
Offline
GnuPG#Import_a_public_key The key-id will be contained in the signature file being used to verify the source. librewolf builds for me without issue in a clean chroot.
Why does the maintainer of the AUR packages librewolf and librewolf-bin only trust 662E3CDD6FE329002D0CA5BB40339DD82B12EF16 for librewolf-bin and not librewolf, instead disabling the use of signatures?
Offline
Whenever I open this browser, I get this warning.
Some of LibreWolf's security features may offer less protection on your current operating system.
Based on the documentation for Firefox, it says
The sandbox in Firefox makes use of unprivileged user namespaces when creating new processes for enforcing more security. This can be considered a security risk, therefore some Linux distributions have started to restrict its usage and only allow it to work where there is an AppArmor profile.
Such profiles can only cover a limited set of installations paths, including Snap and Debian packages. They cannot however cover some other use cases, such as tarball installations as well as local development builds.
Wouldn't setting kernel.unprivileged_userns_clone sysctl to 0 suffice? Should I enable the apparmor profile for Firefox? Is it still necessary to create an apparmor profile for Librewolf?
Last edited by ThoughtBubble (2024-10-27 19:24:29)
Offline
Wouldn't setting kernel.unprivileged_userns_clone sysctl to 0 suffice?
Yes, but compared to enabling it for only librewolf it provides a larger attack surface.
Should I enable the apparmor profile for Firefox? Is it still necessary to create an apparmor profile for Librewolf?
That depends on how you have apparmor configured to handle processes that do not match any application specific profile and what you would want to achieve by enabling it.
Offline
I guess the question I should have asked from the start is whether I should be concerned about that warning.
Offline
I guess the question I should have asked from the start is whether I should be concerned about that warning.
https://support.mozilla.org/en-US/kb/in … es-warning covers to some extent what is disabled by unprivileged user namespaces being disabled. If you are using apparmor you can enable unprivileged user namespaces only for librewolf.
Offline
Can I sandbox the browser with other applications instead of enabling user namespaces?
Last edited by ThoughtBubble (2024-10-27 23:06:42)
Offline