diff options
| author | bill-auger <mr.j.spam.me@gmail.com> | 2023-10-19 20:27:48 -0400 |
|---|---|---|
| committer | bill-auger <mr.j.spam.me@gmail.com> | 2023-10-21 22:16:21 -0400 |
| commit | 60ac23c9e33140cce90fd64cf2c8c1bf4c75b033 (patch) | |
| tree | 05dd74981c80162dab3e581c727aa773a11ef700 | |
| parent | b48fe734179b51b60437cd59a61bed71922b96c8 (diff) | |
[icecat]: upgrade to 115.3.1
| -rw-r--r-- | libre/icecat/0001-Use-remoting-name-for-GDK-application-names.patch | 57 | ||||
| -rw-r--r-- | libre/icecat/PKGBUILD | 135 | ||||
| -rw-r--r-- | libre/icecat/arm.patch | 15 | ||||
| -rw-r--r-- | libre/icecat/enable-sync.patch | 16 | ||||
| -rw-r--r-- | libre/icecat/firefox-111.0.1-fdlibm.patch | 21 | ||||
| -rw-r--r-- | libre/icecat/fix-i686-build-moz-1792159.patch | 18 | ||||
| -rw-r--r-- | libre/icecat/fix-i686-xsimd-incomplete.patch | 29 | ||||
| -rw-r--r-- | libre/icecat/vendor.js.in | 306 | ||||
| -rw-r--r-- | libre/icecat/zstandard-0.21.0.diff | 10 |
9 files changed, 457 insertions, 150 deletions
diff --git a/libre/icecat/0001-Use-remoting-name-for-GDK-application-names.patch b/libre/icecat/0001-Use-remoting-name-for-GDK-application-names.patch deleted file mode 100644 index f313d7d95..000000000 --- a/libre/icecat/0001-Use-remoting-name-for-GDK-application-names.patch +++ /dev/null @@ -1,57 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com> -Date: Mon, 25 Mar 2019 20:30:11 +0100 -Subject: [PATCH] Use remoting name for GDK application names - ---- - toolkit/xre/nsAppRunner.cpp | 6 +----- - widget/gtk/nsAppShell.cpp | 11 ++++------- - 2 files changed, 5 insertions(+), 12 deletions(-) - -diff --git a/toolkit/xre/nsAppRunner.cpp b/toolkit/xre/nsAppRunner.cpp -index 49e2c73986ab..43ebcac381c7 100644 ---- a/toolkit/xre/nsAppRunner.cpp -+++ b/toolkit/xre/nsAppRunner.cpp -@@ -4262,11 +4262,7 @@ int XREMain::XRE_mainStartup(bool* aExitFlag) { - // consistently. - - // Set program name to the one defined in application.ini. -- { -- nsAutoCString program(gAppData->name); -- ToLowerCase(program); -- g_set_prgname(program.get()); -- } -+ g_set_prgname(gAppData->remotingName); - - // Initialize GTK here for splash. - -diff --git a/widget/gtk/nsAppShell.cpp b/widget/gtk/nsAppShell.cpp -index cfe022e65d82..06325264dbb1 100644 ---- a/widget/gtk/nsAppShell.cpp -+++ b/widget/gtk/nsAppShell.cpp -@@ -24,6 +24,8 @@ - # include "WakeLockListener.h" - #endif - #include "gfxPlatform.h" -+#include "nsAppRunner.h" -+#include "mozilla/XREAppData.h" - #include "ScreenHelperGTK.h" - #include "HeadlessScreenHelper.h" - #include "mozilla/widget/ScreenManager.h" -@@ -152,13 +154,9 @@ nsresult nsAppShell::Init() { - // See https://bugzilla.gnome.org/show_bug.cgi?id=747634 - // - // Only bother doing this for the parent process, since it's the one -- // creating top-level windows. (At this point, a child process hasn't -- // received the list of registered chrome packages, so the -- // GetBrandShortName call would fail anyway.) -- nsAutoString brandName; -- mozilla::widget::WidgetUtils::GetBrandShortName(brandName); -- if (!brandName.IsEmpty()) { -- gdk_set_program_class(NS_ConvertUTF16toUTF8(brandName).get()); -+ // creating top-level windows. -+ if (gAppData) { -+ gdk_set_program_class(gAppData->remotingName); - } - } - } diff --git a/libre/icecat/PKGBUILD b/libre/icecat/PKGBUILD index cf130772d..a76574613 100644 --- a/libre/icecat/PKGBUILD +++ b/libre/icecat/PKGBUILD @@ -23,35 +23,22 @@ # Contributor: grizzlyuser <grizzlyuser@protonmail.com> -# parabola changes and rationale: -# libre: -# - none -# technical: -# - enable the 'sync' feature -# privacy: -# - none - - -# NOTE: icecat (60.7 < V <= current) are not complete upstream releases -# upstream releases normally have $_upstream_ver ending in '-gnu<N>' -# those builds were based on gnuzilla VCS development sources -# with parabola patches applied (offered upstream, some accepted) +# NOTE: icecat (60.7 < V <= current) are not complete upstream releases. +# Upstream releases normally have $_upstream_ver ending in '-gnu<N>'. +# Those builds are based on gnuzilla VCS development sources +# with parabola patches applied (offered upstream). # https://git.parabola.nu/~bill-auger/icecat.git/log/?h=parabola -# NOTE: since 102.4.0, the former icecat maintainer has publishing versioned source-balls -# for some versions - like the upstream VCS, they are denoted as 'testing' and -# are not signed; and although the current maintainer has published newer versions; -# we should still prefer the versioned source-balls - besides the usually reason +# NOTE: Occasionally (v102.4.0), a versioned source-ball is published. +# However, like the upstream VCS, they are denoted as 'testing' and are not signed. +# We should still prefer the versioned source-balls. Besides the usually reason # (always prefer versioned source-balls to VCS builds), they are a significant -# reduction in workload; because gnuzilla can not be compiled from VCS - we first +# reduction in workload; because gnuzilla can not be compiled from VCS. We first # need to run the makeicecat.sh script to prepare the source-ball, then sign it and -# publish it, which takes hours - ordinarily, this would not deserve mention -# (ie: both this and the preceding NOTEs would not be necessary); but it not yet -# obvious if this recent trend will continue (ie: we may need to build from VCS -# again, which deserves a special note) - if the trend continues, these NOTEs can -# be deleted, along with the LOCs commented with "(VCS builds)" -# NOTE: all of the important parabola patches are now upstreamed - the remaining patches -# are now re-implemented in abslibre ('enable-sync.patch') - -# those would need to be deleted, if building from VCS again (and 'dummy-sig') +# publish it, which takes hours. If versioned source-balls become the norm again, +# these NOTEs can be deleted, along with the LOCs commented with "(VCS builds)". +# Until then, whenever building from an upstream source-ball, any un-merged patches +# should be re-implemented in abslibre (eg: 'enable-sync.patch')m and deleted +# again (and 'dummy-sig'), if building from VCS again. # NOTE: This PKGBUILD is kept in-sync, as closely as possible, @@ -69,8 +56,8 @@ pkgname=icecat -_upstream_ver=102.5.0-gnu1 -_upstream_ver=${_upstream_ver/-gnu1/-gnu0-pre1} # (VCS builds) +_upstream_ver=115.3.1-gnu1 +_upstream_ver=${_upstream_ver/-gnu[0-9]/-pre1} # (VCS builds) pkgver=${_upstream_ver//-/_} pkgrel=1 pkgdesc="the GNU web browser, derived from Mozilla Firefox ESR" @@ -118,6 +105,9 @@ makedepends=( yasm zip ) +makedepends+=( + python-typing_extensions +) optdepends=( 'hunspell-en_US: Spell checking, American English' 'libnotify: Notification integration' @@ -134,30 +124,35 @@ options=( !strip ) source=(https://repo.parabola.nu/other/${pkgname}/${pkgname}-${_upstream_ver}.tar.bz2{,.sig} # (VCS builds) - icecat.desktop icecat-safe.desktop ) -source+=(vendor.js.in - arc4random.diff - enable-sync.patch) +source+=( + icecat.desktop + icecat-safe.desktop + vendor.js.in + zstandard-0.21.0.diff +) source_armv7h=(build-arm-libopus.patch) source_i686=( avoid-libxul-OOM-python-check.patch rust-static-disable-network-test-on-static-libraries.patch - firefox-99.0.1-fdlibm-double.patch + firefox-111.0.1-fdlibm.patch + fix-i686-build-moz-1792159.patch + fix-i686-xsimd-incomplete.patch ) -sha256sums=('4ce4257a14a70fa5237b3a3f2cb5759e32cd73e20cdd78fa0317cb296ef91d5c' +validpgpkeys+=('3954A7AB837D0EA9CFA9798925DB7D9B5A8D4B40') # bill-auger (VCS builds) +sha256sums=('44a39b0364da3dfed1f2bad5d7bbf353e7b4c506d8ec8e27a89dec0ef161066e' 'SKIP' - 'e00dbf01803cdd36fd9e1c0c018c19bb6f97e43016ea87062e6134bdc172bc7d' - '33dd309eeb99ec730c97ba844bf6ce6c7840f7d27da19c82389cdefee8c20208' ) -sha256sums+=('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' - '714ca50b2ce0cac470dbd5a60e9a0101b28072f08a5e7a9bba94fef2058321c4' - '7de7975a560c4964745e866d3b7d48fb28bc0eda0a27c895b1beb66a60da44e5') +sha256sums+=('e00dbf01803cdd36fd9e1c0c018c19bb6f97e43016ea87062e6134bdc172bc7d' + '33dd309eeb99ec730c97ba844bf6ce6c7840f7d27da19c82389cdefee8c20208' + '8e113fd2730be3fd11b2a24918dd62e8741513cf4dce9819d8eae358c5411adc' + 'aa663d899e924f4979114584cad671dad3b93dd9b0dfe28bb1cf11ddf92e6d47') # zstandard-0.21.0.diff sha256sums_armv7h=('2d4d91f7e35d0860225084e37ec320ca6cae669f6c9c8fe7735cdbd542e3a7c9') sha256sums_i686=('2f0c81a38c4578f68f5456b618fe84a78974072821488173eb55e0e72287e353' '10c5276eab2e87f400a6ec15d7ffbef3b0407ee888dea36f1128927ca55b9041' - '62695e56daf8c0b8bb921980d475b3fd169b9134188ad9ffaeb9cd660589c23d') -validpgpkeys+=('3954A7AB837D0EA9CFA9798925DB7D9B5A8D4B40') # bill-auger (VCS builds) + 'ed3bb281697af7c4353a34067ffb4b18a971d40757bef2d6af3c8bf2d28d42d1' + '2fb39374fd3d80eea9e346032a2a4b2bc2e357dee7380855b24bcf19b1335d06' + 'c3ce181fbb0142055aa6dd17f3cda2ba6a1e54d7a689a8c6e9cce76aa40e6544') ## compiler and optimization tweaks ## @@ -178,16 +173,16 @@ readonly _SHOULD_USE_GCC=$(case "${CARCH}" in armv7h) echo 1 ;; *) echo 0 ;; esa case "${CARCH}" in armv7h) makedepends=( ${makedepends[*]/wasi-*/} ) # armv7h has no wasi compiler - - depends+=( icu=72.1 ) # --with-system-icu ;; i686) - makedepends+=( llvm14 ) # rustup: error while loading shared libraries: libLLVM-14.so: - - makedepends=( ${makedepends[*]/wasi-*/} ) # wasm-ld: error: cannot open /usr/lib/clang/15.0.7/lib/wasi/libclang_rt.builtins-wasm32.a: No such file or directory - makedepends+=( 'wasi-libc++>=15' 'wasi-libc++<16' ) # in [community-testing] - makedepends+=( 'wasi-libc++abi>=15' 'wasi-libc++abi<16' ) # in [community-testing] - makedepends+=( 'wasi-compiler-rt>=15' 'wasi-compiler-rt<16' ) # in [community-testing] + # checking for nodejs... /usr/bin/node: error while loading shared libraries: libicui18n.so.72 + makedepends+=( icu72 ) + + # wasm-ld: error: cannot open /usr/lib/clang/15.0.7/lib/wasi/libclang_rt.builtins-wasm32.a: No such file or directory + makedepends=( ${makedepends[*]/wasi-*/} ) + makedepends+=( 'wasi-libc++>=15' 'wasi-libc++<16' ) # dustbin + makedepends+=( 'wasi-libc++abi>=15' 'wasi-libc++abi<16' ) # dustbin + makedepends+=( 'wasi-compiler-rt>=15' 'wasi-compiler-rt<16' ) # dustbin ;; esac @@ -230,8 +225,6 @@ _check_build_config() { if (( ${#antifeatures[@]} )) then echo "Some anti-features are not disabled in build configuration files, aborting:" for key in ${antifeatures[@]} ; do echo " - ${key} is enabled" ; done ; - - [[ -z "${antifeatures[*]/.datareporting/}" ]] && return 0 || # FIXME: (icecat) .datareporting is detected return 1 fi @@ -252,19 +245,26 @@ prepare() { ## technical patching ## - # FIXME: FTBS with cbindgen > 0.23 (currently 0.24) - # https://bugzilla.mozilla.org/show_bug.cgi?id=1773259 - sed -i '/const uint64_t ROOT_CLIP_CHAIN = ~0;/d' gfx/webrender_bindings/webrender_ffi.h + # Unbreak build with python-zstandard 0.21.0 + echo "applying zstandard-0.21.0.diff" + patch -Np1 -i ../zstandard-0.21.0.diff + + # Use system python-typing-extensions instead of the old vendored one to avoid + # unresolvable dependency versions. They are probably downloaded when network + # connectivity is enabled at built time, but that is not the case for Parabola. + rm -rfv third_party/python/typing_extensions # arch-specific technical patching case ${CARCH} in aarch64|armv7h) + # Error: immediate expression requires a # prefix -- `pld [r0,1792]' + # mozilla #1787405 and #1791267 + sed -i "s|# 'LIBYUV_DISABLE_NEON',|'LIBYUV_DISABLE_NEON',|" media/libyuv/libyuv/libyuv.gyp + ! grep "# 'LIBYUV_DISABLE_NEON'," media/libyuv/libyuv/libyuv.gyp || ! echo "error patching media/libyuv/libyuv/libyuv.gyp" || exit 1 + patch -p1 -i ../build-arm-libopus.patch ;; i686) - # Unbreak build with glibc 2.36 - patch -Np1 -i ../arc4random.diff - # readelf: Error: Unable to seek to 0x801db328 for section headers echo "applying avoid-libxul-OOM-python-check.patch" patch -p1 -i ../avoid-libxul-OOM-python-check.patch @@ -279,12 +279,22 @@ prepare() { # /build/iceweasel/src/firefox-96.0.1/modules/fdlibm/src/math_private.h:34:21: # error: conflicting declaration ‘typedef __double_t double_t’ # /usr/include/math.h:156:21: note: previous declaration as ‘typedef long double double_t’ - echo "applying firefox-99.0.1-fdlibm-double.patch" - patch -p1 -i "$srcdir/firefox-99.0.1-fdlibm-double.patch" + echo "applying firefox-111.0.1-fdlibm.patch" + patch -p1 -i "$srcdir/firefox-111.0.1-fdlibm.patch" + + # js/src/jit/shared/AtomicOperations-shared-jit.cpp:88:9: error: ‘AtomicCopyByteUnsynchronized’ was not declared in this scope; did you mean ‘AtomicMemcpyUpUnsynchronized’? + echo "applying fix-i686-build-moz-1792159.patch" + patch -p1 -i "$srcdir/fix-i686-build-moz-1792159.patch" + + # https://bugs.archlinux32.org/index.php?do=details&task_id=332 + # dom/base/nsTextFragmentGeneric.h:38:16: error: ‘any’ is not a member of ‘xsimd’ + # dom/base/nsTextFragmentGeneric.h:16:70: error: incomplete type ‘xsimd::batch<short int, xsimd::sse2>’ used in nested name specifier + # dom/base/nsTextFragmentGeneric.h:35:31: error: ‘xsimd::batch<short int, xsimd::sse2> vectmask’ has incomplete type + # dom/base/nsTextFragmentGeneric.h:37:64: error: incomplete type ‘xsimd::batch<short int, xsimd::sse2>’ used in nested name specifier + echo "applying fix-i686-xsimd-incomplete.patch" + patch -p1 -i "$srcdir/fix-i686-xsimd-incomplete.patch" ;; x86_64) - # Unbreak build with glibc 2.36 - patch -Np1 -i ../arc4random.diff ;; esac @@ -309,9 +319,10 @@ ac_add_options --disable-bootstrap ac_add_options --with-wasi-sysroot=/usr/share/wasi-sysroot # Branding -ac_add_options --enable-official-branding +ac_add_options --enable-official-branding # icecat branding ac_add_options --enable-update-channel=release ac_add_options --with-distribution-id=nu.parabola # branding over-ride + # --with-branding= n/a for icecat ac_add_options --with-app-name=${pkgname} # branding over-ride ac_add_options --with-app-basename=${pkgname} # branding over-ride ac_add_options --with-unsigned-addon-scopes=app,system diff --git a/libre/icecat/arm.patch b/libre/icecat/arm.patch deleted file mode 100644 index 9e2ed1510..000000000 --- a/libre/icecat/arm.patch +++ /dev/null @@ -1,15 +0,0 @@ -https://bugzilla.mozilla.org/show_bug.cgi?id=1526653 - -diff --git a/js/src/wasm/WasmSignalHandlers.cpp.orig b/js/src/wasm/WasmSignalHandlers.cpp -index 636537f..0f3461a 100644 ---- a/js/src/wasm/WasmSignalHandlers.cpp.orig -+++ b/js/src/wasm/WasmSignalHandlers.cpp -@@ -244,7 +244,7 @@ using mozilla::DebugOnly; - // emulation here. - - #if defined(__linux__) && defined(__arm__) --# define WASM_EMULATE_ARM_UNALIGNED_FP_ACCESS -+//# define WASM_EMULATE_ARM_UNALIGNED_FP_ACCESS - #endif - - #ifdef WASM_EMULATE_ARM_UNALIGNED_FP_ACCESS diff --git a/libre/icecat/enable-sync.patch b/libre/icecat/enable-sync.patch deleted file mode 100644 index bb1c57d59..000000000 --- a/libre/icecat/enable-sync.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff --git a/data/settings.js b/data/settings.js -index f66eccd..4b20bd5 100644 ---- a/data/settings.js -+++ b/data/settings.js -@@ -186,8 +186,9 @@ pref("app.update.auto", false); - pref("media.eme.enabled", false); - pref("media.eme.apiVisible", false); - --// Firefox Accounts --pref("identity.fxaccounts.enabled", false); -+// Firefox Sync -+pref("identity.fxaccounts.enabled", true); -+pref("webchannel.allowObject.urlWhitelist", "https://content.cdn.mozilla.net https://support.mozilla.org https://install.mozilla.org https://accounts.firefox.com"); - - // WebRTC - pref("media.peerconnection.enabled", true); diff --git a/libre/icecat/firefox-111.0.1-fdlibm.patch b/libre/icecat/firefox-111.0.1-fdlibm.patch new file mode 100644 index 000000000..f2c15a2bb --- /dev/null +++ b/libre/icecat/firefox-111.0.1-fdlibm.patch @@ -0,0 +1,21 @@ +diff -rauN firefox-111.0.1/modules/fdlibm/src/math_private.h firefox-111.0.1-fdlibm-patch/modules/fdlibm/src/math_private.h +--- firefox-111.0.1/modules/fdlibm/src/math_private.h 2023-03-21 14:16:09.000000000 +0100 ++++ firefox-111.0.1-fdlibm-patch/modules/fdlibm/src/math_private.h 2023-04-08 16:50:07.828564320 +0200 +@@ -30,9 +30,17 @@ + * Adapted from https://github.com/freebsd/freebsd-src/search?q=__double_t + */ + ++#if defined __FLT_EVAL_METHOD__ && (__FLT_EVAL_METHOD__ == 2) ++typedef long double __double_t; ++#else + typedef double __double_t; ++#endif + typedef __double_t double_t; ++#if defined __FLT_EVAL_METHOD__ && (__FLT_EVAL_METHOD__ == 2) ++typedef long double __float_t; ++#else + typedef float __float_t; ++#endif + + /* + * The original fdlibm code used statements like: diff --git a/libre/icecat/fix-i686-build-moz-1792159.patch b/libre/icecat/fix-i686-build-moz-1792159.patch new file mode 100644 index 000000000..592dcad93 --- /dev/null +++ b/libre/icecat/fix-i686-build-moz-1792159.patch @@ -0,0 +1,18 @@ +--- a/js/src/jit/shared/AtomicOperations-shared-jit.cpp ++++ b/js/src/jit/shared/AtomicOperations-shared-jit.cpp +@@ -5,4 +5,9 @@ + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + ++// bug 1792159 ++#if defined(__i386__) && defined(__GNUC__) && !defined(__clang__) ++# include "../../../mfbt/Attributes.h" ++#endif ++ + #include "jit/AtomicOperations.h" + +--- a/config/check_spidermonkey_style.py ++++ b/config/check_spidermonkey_style.py +@@ -68,2 +68,3 @@ + "jit/AtomicOperationsGenerated.h", # generated in $OBJDIR ++ "../../../mfbt/Attributes.h", # unrecognized path + "jit/CacheIROpsGenerated.h", # generated in $OBJDIR diff --git a/libre/icecat/fix-i686-xsimd-incomplete.patch b/libre/icecat/fix-i686-xsimd-incomplete.patch new file mode 100644 index 000000000..c0df0054b --- /dev/null +++ b/libre/icecat/fix-i686-xsimd-incomplete.patch @@ -0,0 +1,29 @@ +diff --git a/dom/base/nsTextFragmentGeneric.h b/dom/base/nsTextFragmentGeneric.h +index 10e16fcfaa..87d9e0d075 100644 +--- a/dom/base/nsTextFragmentGeneric.h ++++ b/dom/base/nsTextFragmentGeneric.h +@@ -13,7 +13,6 @@ namespace mozilla { + + template <class Arch> + int32_t FirstNon8Bit(const char16_t* str, const char16_t* end) { +- const uint32_t numUnicharsPerVector = xsimd::batch<int16_t, Arch>::size; + using p = Non8BitParameters<sizeof(size_t)>; + const size_t mask = p::mask(); + const uint32_t numUnicharsPerWord = p::numUnicharsPerWord(); +@@ -28,16 +27,6 @@ int32_t FirstNon8Bit(const char16_t* str, const char16_t* end) { + if (str[i] > 255) return i; + } + +- // Check one batch at a time. +- const int32_t vectWalkEnd = +- ((len - i) / numUnicharsPerVector) * numUnicharsPerVector; +- const uint16_t shortMask = 0xff00; +- xsimd::batch<int16_t, Arch> vectmask(static_cast<int16_t>(shortMask)); +- for (; i < vectWalkEnd; i += numUnicharsPerVector) { +- const auto vect = xsimd::batch<int16_t, Arch>::load_aligned(str + i); +- if (xsimd::any((vect & vectmask) != 0)) return i; +- } +- + // Check one word at a time. + const int32_t wordWalkEnd = + ((len - i) / numUnicharsPerWord) * numUnicharsPerWord; diff --git a/libre/icecat/vendor.js.in b/libre/icecat/vendor.js.in index e69de29bb..88984a761 100644 --- a/libre/icecat/vendor.js.in +++ b/libre/icecat/vendor.js.in @@ -0,0 +1,306 @@ + + +/*\ +|*| Parabola additions to vendor.js +|*| +|*| TODO: Go through this and figure out what's nescessary, remove +|*| most of it. This is mostly cargo-cult BS. For example, disabling +|*| all the EME stuff... that's already off because of `--disable-eme` +|*| in `.mozconfig`. Some of these settings no longer exist. Some of +|*| these settings don't do anything on GNU/Linux. +|*| +|*| However, they don't seem to be causing any of the critical issues. +\*/ + +// Google Widevine DRM +// https://blog.mozilla.org/futurereleases/2016/04/08/mozilla-to-test-widevine-cdm-in-firefox-nightly/ +// https://wiki.mozilla.org/QA/Widevine_CDM +// https://bugzilla.mozilla.org/show_bug.cgi?id=1288580 +pref("media.gmp-widevinecdm.visible", false); +pref("media.gmp-widevinecdm.enabled", false); +pref("media.gmp-widevinecdm.autoupdate", false); + +// Default sites for about:newtab +pref("browser.newtabpage.activity-stream.default.sites", "https://wiki.parabola.nu/,https://labs.parabola.nu/,https://www.gnu.org/,https://libreplanet.org/,https://www.wikipedia.org/"); + +// Poodle attack +pref("security.tls.version.min", 1); + +// Don't call home for blacklisting +pref("extensions.blocklist.enabled", false); + +// Disable plugin installer +pref("plugins.hide_infobar_for_missing_plugin", true); +pref("plugins.hide_infobar_for_outdated_plugin", true); +pref("plugins.notifyMissingFlash", false); + +//https://developer.mozilla.org/en-US/docs/Web/API/MediaSource +//pref("media.mediasource.enabled",true); + +// Speeding it up +pref("network.http.pipelining", true); +pref("network.http.proxy.pipelining", true); +pref("network.http.pipelining.maxrequests", 10); +pref("nglayout.initialpaint.delay", 0); + +// Disable third party cookies +pref("network.cookie.cookieBehavior", 1); + +// Prevent EULA dialog to popup on first run +pref("browser.EULA.override", true); + +// Spoof the useragent to a generic one +// people tend to agree that this was a bad idea +// these are the default values (same as arch): +// pref("general.useragent.compatMode.firefox", false); +// pref("general.useragent.override", "Mozilla/5.0 (X11; Linux @_ARCH_@; rv:@_SHORTVER_@) Gecko/20100101 Firefox/@_SHORTVER_@"); +// pref("general.appname.override", "Netscape"); // deprecated +// pref("general.appCodeName.override", "Mozilla"); // deprecated +// pref("general.appversion.override", "@_SHORTVER_@"); // deprecated +// pref("general.buildID.override", "Gecko/20100101"); // deprecated +// pref("general.oscpu.override", "Linux @_ARCH_@"); // deprecated +// pref("general.platform.override", "Linux @_ARCH_@"); // deprecated +// pref("general.product.override", "Gecko"); // deprecated + +// Privacy & Freedom Issues +// https://webdevelopmentaid.wordpress.com/2013/10/21/customize-privacy-settings-in-mozilla-firefox-part-1-aboutconfig/ +// https://panopticlick.eff.org +// http://ip-check.info +// http://browserspy.dk +// https://wiki.mozilla.org/Fingerprinting +// http://www.browserleaks.com +// http://fingerprint.pet-portal.eu +pref("privacy.donottrackheader.enabled", true); +pref("privacy.donottrackheader.value", 1); +pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false); + +// CIS 2.1.1 Disable Auto Update / Balrog +pref("app.update.auto", false); +pref("app.update.checkInstallTime", false); +pref("app.update.enabled", false); +pref("app.update.staging.enabled", false); +pref("app.update.url", "about:blank"); +pref("media.gmp-manager.certs.1.commonName", ""); +pref("media.gmp-manager.certs.2.commonName", ""); +// Disable Gecko media plugins: https://wiki.mozilla.org/GeckoMediaPlugins +pref("media.gmp-manager.url", "http://127.0.0.1/"); +pref("media.gmp-manager.url.override", "data:text/plain,"); +pref("media.gmp-provider.enabled", false); +// Don't install openh264 codec +pref("media.gmp-gmpopenh264.enabled", false); +pref("media.gmp-eme-adobe.enabled", false); +pref("media.peerconnection.video.h264_enabled", false); + +// CIS 2.3.4 Block Reported Web Forgeries +// http://kb.mozillazine.org/Browser.safebrowsing.enabled +// http://kb.mozillazine.org/Safe_browsing +// https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work +// http://forums.mozillazine.org/viewtopic.php?f=39&t=2711237&p=12896849#p12896849 +pref("browser.safebrowsing.enabled", false); + +// CIS 2.3.5 Block Reported Attack Sites +// http://kb.mozillazine.org/Browser.safebrowsing.malware.enabled +pref("browser.safebrowsing.malware.enabled", false); + +// Disable safe browsing remote lookups for downloaded files. +// This leaks information to google. +// https://www.mozilla.org/en-US/firefox/39.0/releasenotes/ +// https://wiki.mozilla.org/Security/Application_Reputation +pref("browser.safebrowsing.downloads.remote.enabled", false); +pref("browser.safebrowsing.appRepURL", "about:blank"); +pref("browser.safebrowsing.provider.mozilla.gethashURL", "about:blank"); +pref("browser.safebrowsing.provider.mozilla.updateURL", "about:blank"); +pref("browser.safebrowsing.downloads.remote.block_dangerous", false); +pref("browser.safebrowsing.downloads.remote.block_dangerous_host", false); +pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false); +pref("browser.safebrowsing.downloads.remote.block_uncommon", false); +pref("browser.safebrowsing.downloads.remote.enabled", false); +pref("browser.safebrowsing.downloads.remote.url", "about:blank"); +pref("browser.safebrowsing.provider.google.gethashURL", "about:blank"); +pref("browser.safebrowsing.provider.google.updateURL", "about:blank"); +pref("browser.safebrowsing.provider.google.lists", "about:blank"); + +// https://bugzilla.mozilla.org/show_bug.cgi?id=1025965 +pref("browser.safebrowsing.phishing.enabled", false); +pref("browser.safebrowsing.provider.google4.lists", "about:blank"); +pref("browser.safebrowsing.provider.google4.updateURL", "about:blank"); +pref("browser.safebrowsing.provider.google4.gethashURL", "about:blank"); +pref("browser.safebrowsing.provider.google4.reportURL", "about:blank"); +pref("browser.safebrowsing.provider.mozilla.lists", "about:blank"); + +// Disable Microsoft Family Safety MiTM support +// https://bugzilla.mozilla.org/show_bug.cgi?id=1239166 +// https://wiki.mozilla.org/SecurityEngineering/Untrusted_Certificates_in_Windows_Child_Mode +// https://hg.mozilla.org/releases/mozilla-release/file/ddb37c386bb2ffa180117b4d30ca3b41a8af233c/security/manager/ssl/nsNSSComponent.cpp#l782 +pref("security.family_safety.mode", 0); +// https://bugzilla.mozilla.org/show_bug.cgi?id=1265113 +// https://hg.mozilla.org/releases/mozilla-release/rev/d9659c22b3c5 +// https://bugzilla.mozilla.org/show_bug.cgi?id=1298883 +pref("security.enterprise_roots.enabled", false); + +//pref("services.sync.privacyURL", "https://www.gnu.org/software/gnuzilla/"); +pref("social.enabled", false); +pref("social.remote-install.enabled", false); +pref("social.toast-notifications.enabled", false); +pref("browser.slowStartup.notificationDisabled", true); +pref("network.http.sendRefererHeader", 2); +//pref("network.http.referer.spoofSource", true); +//http://grack.com/blog/2010/01/06/3rd-party-cookies-dom-storage-and-privacy/ +//pref("dom.storage.enabled", false); +pref("dom.event.clipboardevents.enabled",false); +pref("network.prefetch-next", false); +pref("network.dns.disablePrefetch", true); +pref("network.http.sendSecureXSiteReferrer", false); +pref("toolkit.telemetry.archive.enabled", false); +pref("toolkit.telemetry.bhrPing.enabled", false); +pref("toolkit.telemetry.enabled", false); +pref("toolkit.telemetry.unified", false); +pref("toolkit.telemetry.newProfilePing.enabled", false); +pref("toolkit.telemetry.firstShutdownPing.enabled", false); +pref("toolkit.telemetry.server", "127.0.0.1"); +pref("toolkit.telemetry.server_owner", "User"); +pref("app.shield.optoutstudies.enabled", false); +pref("experiments.enabled", false); +pref("experiments.manifest.uri", "127.0.0.1"); +pref("extensions.pocket.enabled", false); +pref("extensions.pocket.api", "127.0.0.1"); +// Do not tell what plugins do we have enabled: https://mail.mozilla.org/pipermail/firefox-dev/2013-November/001186.html +pref("plugins.enumerable_names", ""); +pref("plugin.state.flash", 0); +// Do not autoupdate search engines +pref("browser.search.update", false); +// Warn when the page tries to redirect or refresh +//pref("accessibility.blockautorefresh", true); +pref("dom.battery.enabled", false); +pref("device.sensors.enabled", false); +pref("camera.control.face_detection.enabled", false); +pref("camera.control.autofocus_moving_callback.enabled", false); +pref("network.http.speculative-parallel-limit", 0); +// No search suggestions +pref("browser.urlbar.userMadeSearchSuggestionsChoice", true); +pref("browser.search.suggest.enabled", false); + +// Crypto hardening +// https://gist.github.com/haasn/69e19fc2fe0e25f3cff5 +// General settings +//pref("security.tls.unrestricted_rc4_fallback", false); +//pref("security.tls.insecure_fallback_hosts.use_static_list", false); +//pref("security.tls.version.min", 1); +//pref("security.ssl.require_safe_negotiation", true); +//pref("security.ssl.treat_unsafe_negotiation_as_broken", true); +//pref("security.ssl3.rsa_seed_sha", true); +//pref("security.OCSP.enabled", 1); +//pref("security.OCSP.require", true); + + +// WebRTC +//pref("media.peerconnection.enabled", false); +pref("media.peerconnection.ice.default_address_only", true); + +pref("font.default.x-western", "sans-serif"); + +// URL for the 'Find more search engines' link in about:preferences#search +pref("browser.search.searchEnginesURL", "https://directory.fsf.org/wiki/Collection:Search_engines"); + +// Mobile +pref("privacy.announcements.enabled", false); +pref("browser.snippets.enabled", false); +pref("browser.snippets.syncPromo.enabled", false); +pref("identity.mobilepromo.android", "https://f-droid.org/repository/browse/?fdid=org.gnu.icecat&"); +pref("browser.snippets.geoUrl", "http://127.0.0.1/"); +pref("browser.snippets.updateUrl", "http://127.0.0.1/"); +pref("browser.snippets.statsUrl", "http://127.0.0.1/"); +pref("browser.webapps.checkForUpdates", 0); +pref("browser.webapps.updateCheckUrl", "http://127.0.0.1/"); +pref("app.faqURL", "http://libreplanet.org/wiki/Group:IceCat/FAQ"); + +// PFS url +pref("pfs.datasource.url", "http://gnuzilla.gnu.org/plugins/PluginFinderService.php?mimetype=%PLUGIN_MIMETYPE%"); +pref("pfs.filehint.url", "http://gnuzilla.gnu.org/plugins/PluginFinderService.php?mimetype=%PLUGIN_MIMETYPE%"); + +// Disable heartbeat +pref("browser.selfsupport.url", ""); + +// Disable Link to FireFox Marketplace, currently loaded with non-free "apps" +pref("browser.apps.URL", ""); + +// Use old style preferences, that allow javascript to be disabled +pref("browser.preferences.inContent",false); + +// Don't download ads for the newtab page +pref("browser.newtabpage.directory.source", ""); +pref("browser.newtabpage.directory.ping", ""); +pref("browser.newtabpage.introShown", true); + +// Disable home snippets +pref("browser.aboutHomeSnippets.updateUrl", "data:text/html"); + +// Disable hardware acceleration and WebGL +//pref("layers.acceleration.disabled", false); +pref("webgl.disabled", false); + +// Disable SSDP +pref("browser.casting.enabled", false); + +// Disable directory service +pref("social.directories", ""); +pref("social.whitelist", ""); +pref("social.shareDirectory", ""); + +// Disable Pocket integration +pref("browser.pocket.api", "about:blank"); +pref("browser.pocket.enabled", false); +pref("browser.pocket.enabledLocales", "about:blank"); +pref("browser.pocket.oAuthConsumerKey", "about:blank"); +pref("browser.pocket.site", "about:blank"); +pref("browser.pocket.useLocaleList", false); +pref("extensions.pocket.enabled", false); + +// Do not require xpi extensions to be signed by Mozilla +pref("xpinstall.signatures.required", false); + +// Disable File and Directory Entries API (Imported from Edge/Chromium) +// https://developer.mozilla.org/en-US/Firefox/Releases/50#Files_and_directories +// https://developer.mozilla.org/en-US/docs/Web/API/File_and_Directory_Entries_API +// https://developer.mozilla.org/en-US/docs/Web/API/File_and_Directory_Entries_API/Introduction +// https://developer.mozilla.org/en-US/docs/Web/API/File_and_Directory_Entries_API/Firefox_support +// https://bugzilla.mozilla.org/show_bug.cgi?id=1265767 +pref("dom.webkitBlink.filesystem.enabled", false); +// https://developer.mozilla.org/en-US/docs/Web/API/HTMLInputElement/webkitdirectory +// https://bugzilla.mozilla.org/show_bug.cgi?id=1258489 +// https://hg.mozilla.org/releases/mozilla-release/rev/133af19777be +pref("dom.webkitBlink.dirPicker.enabled", false); + +// Directory Upload API, webkitdirectory +// https://bugzilla.mozilla.org/show_bug.cgi?id=1188880 +// https://bugzilla.mozilla.org/show_bug.cgi?id=907707 +// https://wicg.github.io/directory-upload/proposal.html +pref("dom.input.dirpicker", false); + +// fix alsa sound sandbox issue for iceweasel-58 +// https://labs.parabola.nu/issues/1628 +pref("security.sandbox.content.syscall_whitelist", "16"); + +// Disable "Recommend extensions as you browse" in about:preferences#general +pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false); + +// Make extensions work on Mozilla domains +pref("extensions.webextensions.restrictedDomains", ""); +pref("privacy.resistFingerprinting.block_mozAddonManager", true); + +// Disable 'What's New' gift icon in toolbar and main menu. +// It shows downloaded news that sometimes contain links to non-free software like mobile Firefox. +pref("browser.messaging-system.whatsNewPanel.enabled", false); + +// Disable 'Recommendations' section in about:addons +// Related to: https://labs.parabola.nu/issues/2409 +pref("extensions.getAddons.showPane", false); + +// Disable some bits of Normandy, subsystem that allows Mozilla to make changes remotely. +// Should be already disabled by setting MOZ_NORMANDY to False in build configuration. +// Setting these preferences just in case and to not frustrate users. +pref("app.normandy.api_url", "http://127.0.0.1/"); +pref("app.normandy.enabled", false); + +// enable "sync" feature +pref("webchannel.allowObject.urlWhitelist", "https://content.cdn.mozilla.net https://support.mozilla.org https://install.mozilla.org https://accounts.firefox.com"); diff --git a/libre/icecat/zstandard-0.21.0.diff b/libre/icecat/zstandard-0.21.0.diff new file mode 100644 index 000000000..f99ef3eb3 --- /dev/null +++ b/libre/icecat/zstandard-0.21.0.diff @@ -0,0 +1,10 @@ +diff --git a/python/sites/mach.txt b/python/sites/mach.txt +index d105723399..b10a7e42d7 100644 +--- a/python/sites/mach.txt ++++ b/python/sites/mach.txt +@@ -143,4 +143,4 @@ pypi-optional:glean-sdk==52.7.0:telemetry will not be collected + # We aren't (yet) able to pin packages in automation, so we have to + # support down to the oldest locally-installed version (5.4.2). + pypi-optional:psutil>=5.4.2,<=5.9.4:telemetry will be missing some data +-pypi-optional:zstandard>=0.11.1,<=0.19.0:zstd archives will not be possible to extract ++pypi-optional:zstandard>=0.11.1,<=0.21.0:zstd archives will not be possible to extract |