GNU bug report logs - #47628
webkitgtk-2.32.0 fails to launch without /usr/bin


Package: guix; Reported by: Mark H Weaver <mhw@HIDDEN>; dated Tue, 6 Apr 2021 22:48:01 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at 47628 <at> debbugs.gnu.org:


Date: Wed, 14 Apr 2021 18:22:29 +0300
From: Efraim Flashner <efraim@HIDDEN>
To: Mark H Weaver <mhw@HIDDEN>
Subject: Re: bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin

On Tue, Apr 13, 2021 at 03:22:47PM -0400, Mark H Weaver wrote:
> Hi Efraim,
>
> Efraim Flashner <efraim@HIDDEN> writes:
>
> > On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
> >> I suspect that the relevant bit that needs to be changed is line 779 of
> >> the following file in the webkitgtk-2.32.0 source code:
> >>
> >>   Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
> >>
> >> Most likely, that line can simply be deleted.  Here's the relevant
> >> excerpt, with line 779 marked by "==>":
> >
> > Looking at the other lines above it, we could just change it from
> > ro-bind to ro-bind-try.
>
> I expect that would work, but why should we give the sandbox access to
> /usr/bin at all?  I took a different approach: I removed access to *all*
> of the FHS directories, since they should not be needed for a
> Guix-compiled package.
>
> Below, I've attached the patch that I'm currently using successfully on
> my private branch of Guix.
>
> What do you think?
>

Since we should be linking to any libraries we need anyway and patching
any calls out to other binaries then I suppose this should work. I
suggested ro-bind-try to minimize the patch size.


--
Efraim Flashner   <efraim@HIDDEN>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted





Information forwarded to bug-guix@HIDDEN:
bug#47628; Package guix. Full text available.

Message received at 47628 <at> debbugs.gnu.org:


From: Mark H Weaver <mhw@HIDDEN>
To: Efraim Flashner <efraim@HIDDEN>
Subject: Re: bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
Date: Tue, 13 Apr 2021 15:22:47 -0400

Hi Efraim,

Efraim Flashner <efraim@HIDDEN> writes:

> On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
>> I suspect that the relevant bit that needs to be changed is line 779 of
>> the following file in the webkitgtk-2.32.0 source code:
>> 
>>   Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
>> 
>> Most likely, that line can simply be deleted.  Here's the relevant
>> excerpt, with line 779 marked by "==>":
>
> Looking at the other lines above it, we could just change it from
> ro-bind to ro-bind-try.

I expect that would work, but why should we give the sandbox access to
/usr/bin at all?  I took a different approach: I removed access to *all*
of the FHS directories, since they should not be needed for a
Guix-compiled package.

Below, I've attached the patch that I'm currently using successfully on
my private branch of Guix.

What do you think?

     Thanks,
       Mark



From 4a10e1deb63d1b2227a0bcc60a17ddb9af7b8cc3 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@HIDDEN>
Date: Thu, 8 Apr 2021 11:27:55 -0400
Subject: [PATCH] DRAFT: gnu: webkitgtk: Trim system dirs made available to
 sandbox.

* gnu/packages/patches/webkitgtk-share-store.patch: Adjust patch.
---
 .../patches/webkitgtk-share-store.patch       | 46 ++++++++++++++-----
 1 file changed, 34 insertions(+), 12 deletions(-)

diff --git a/gnu/packages/patches/webkitgtk-share-store.patch b/gnu/packages/patches/webkitgtk-share-store.patch
index 053d86fcf4..c02157076e 100644
--- a/gnu/packages/patches/webkitgtk-share-store.patch
+++ b/gnu/packages/patches/webkitgtk-share-store.patch
@@ -1,19 +1,41 @@
-Tell bubblewrap to share the store.  Required for programs that use the
+Tell bubblewrap to share the store, and _not_ to share traditional FHS
+directories that are not used in Guix.  Required for programs that use the
 sandboxing features such as Epiphany.
 
-See <https://bugs.gnu.org/40837>.
-Author: Jack Hill <jackhill@HIDDEN>
----
+See <https://bugs.gnu.org/40837> and <https://bugs.gnu.org/47628>.
+Authors: Jack Hill <jackhill@HIDDEN> and Mark H Weaver <mhw@HIDDEN>.
+
 diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
 --- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
 +++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
-@@ -737,6 +737,9 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
-         "--ro-bind-try", "/usr/local/share", "/usr/local/share",
+@@ -749,26 +749,18 @@
+         "--ro-bind", "/sys/dev", "/sys/dev",
+         "--ro-bind", "/sys/devices", "/sys/devices",
+ 
+-        "--ro-bind-try", "/usr/share", "/usr/share",
+-        "--ro-bind-try", "/usr/local/share", "/usr/local/share",
          "--ro-bind-try", DATADIR, DATADIR,
  
-+       // Bind mount the store inside the WebKitGTK sandbox.
-+       "--ro-bind", "@storedir@", "@storedir@",
-+
-         // We only grant access to the libdirs webkit is built with and
-         // guess system libdirs. This will always have some edge cases.
-         "--ro-bind-try", "/lib", "/lib",
+-        // We only grant access to the libdirs webkit is built with and
+-        // guess system libdirs. This will always have some edge cases.
+-        "--ro-bind-try", "/lib", "/lib",
+-        "--ro-bind-try", "/usr/lib", "/usr/lib",
+-        "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
+-        "--ro-bind-try", LIBDIR, LIBDIR,
+-        "--ro-bind-try", "/lib64", "/lib64",
+-        "--ro-bind-try", "/usr/lib64", "/usr/lib64",
+-        "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
++        // Bind mount the store inside the WebKitGTK sandbox.
++        "--ro-bind", "@storedir@", "@storedir@",
+ 
++        // We only grant access to the libdirs webkit is built with.
++        "--ro-bind-try", LIBDIR, LIBDIR,
+         "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
+     };
+ 
+     if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
+         sandboxArgs.appendVector(Vector<CString>({
+-            "--ro-bind", "/usr/bin", "/usr/bin",
+             // This is a lot of access, but xdg-dbus-proxy is trusted so that's OK. It's sandboxed
+             // only because we have to mount .flatpak-info in its mount namespace. The user rundir
+             // is where we mount our proxy socket.
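Review bot: The new inner comment "We only grant access to the libdirs webkit is built with." sits directly below the unconditional "--ro-bind" of "@storedir@", so it understates what the sandbox can read: the whole store stays visible read-only, and what this change removes is only the FHS share/lib guesses and the DBusProxy "/usr/bin" bind. I would reword the comment to say that the store is shared and no FHS libdirs are bound, so a later reader does not take the LIBDIR line as the full extent of library access. The patch header now credits both authors and both bug URLs, but the ChangeLog line only says "Adjust patch."; please state there which binds are dropped, since the file name webkitgtk-share-store.patch no longer describes everything the patch does.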
-- 
2.31.1






Information forwarded to bug-guix@HIDDEN:
bug#47628; Package guix. Full text available.

Message received at 47628 <at> debbugs.gnu.org:


Date: Fri, 9 Apr 2021 13:09:03 +0300
From: Efraim Flashner <efraim@HIDDEN>
To: Mark H Weaver <mhw@HIDDEN>
Subject: Re: bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin

On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
> I suspect that the relevant bit that needs to be changed is line 779 of
> the following file in the webkitgtk-2.32.0 source code:
>
>   Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
>
> Most likely, that line can simply be deleted.  Here's the relevant
> excerpt, with line 779 marked by "==>":

Looking at the other lines above it, we could just change it from
ro-bind to ro-bind-try.

>
> --8<---------------cut here---------------start------------->8---
> GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const ProcessLauncher::LaunchOptions& launchOptions, char** argv, GError **error)
> {
>     ASSERT(launcher);
>
>     // For now we are just considering the network process trusted as it
>     // requires a lot of access but doesn't execute arbitrary code like
>     // the WebProcess where our focus lies.
>     if (launchOptions.processType == ProcessLauncher::ProcessType::Network)
>         return adoptGRef(g_subprocess_launcher_spawnv(launcher, argv, error));
>
>     const char* runDir = g_get_user_runtime_dir();
>     Vector<CString> sandboxArgs = {
>         "--die-with-parent",
>         "--unshare-pid",
>         "--unshare-uts",
>
>         // We assume /etc has safe permissions.
>         // At a later point we can start masking privacy-concerning files.
>         "--ro-bind", "/etc", "/etc",
>         "--dev", "/dev",
>         "--proc", "/proc",
>         "--tmpfs", "/tmp",
>         "--unsetenv", "TMPDIR",
>         "--dir", runDir,
>         "--setenv", "XDG_RUNTIME_DIR", runDir,
>         "--symlink", "../run", "/var/run",
>         "--symlink", "../tmp", "/var/tmp",
>         "--ro-bind", "/sys/block", "/sys/block",
>         "--ro-bind", "/sys/bus", "/sys/bus",
>         "--ro-bind", "/sys/class", "/sys/class",
>         "--ro-bind", "/sys/dev", "/sys/dev",
>         "--ro-bind", "/sys/devices", "/sys/devices",
>
>         "--ro-bind-try", "/usr/share", "/usr/share",
>         "--ro-bind-try", "/usr/local/share", "/usr/local/share",
>         "--ro-bind-try", DATADIR, DATADIR,
>
>        // Bind mount the store inside the WebKitGTK sandbox.
>        "--ro-bind", "@storedir@", "@storedir@",
>
>         // We only grant access to the libdirs webkit is built with and
>         // guess system libdirs. This will always have some edge cases.
>         "--ro-bind-try", "/lib", "/lib",
>         "--ro-bind-try", "/usr/lib", "/usr/lib",
>         "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
>         "--ro-bind-try", LIBDIR, LIBDIR,
>         "--ro-bind-try", "/lib64", "/lib64",
>         "--ro-bind-try", "/usr/lib64", "/usr/lib64",
>         "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
>
>         "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
>     };
>
>     if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
>         sandboxArgs.appendVector(Vector<CString>({
> ==>         "--ro-bind", "/usr/bin", "/usr/bin",
>             // This is a lot of access, but xdg-dbus-proxy is trusted so that's OK. It's sandboxed
>             // only because we have to mount .flatpak-info in its mount namespace. The user rundir
>             // is where we mount our proxy socket.
>             "--bind", runDir, runDir,
>         }));
>     } else {
>         // xdg-dbus-proxy needs access to host abstract sockets to connect to the a11y bus. Secure
>         // host services must not use abstract sockets. Otherwise, only the network process should
>         // have network access, and the network process is not sandboxed at all.
>         sandboxArgs.appendVector(Vector<CString>({
>             "--unshare-net"
>         }));
>     }
> --8<---------------cut here---------------end--------------->8---
>
>        Mark

--
Efraim Flashner   <efraim@HIDDEN>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted





Information forwarded to bug-guix@HIDDEN:
bug#47628; Package guix. Full text available.

Message received at 47628 <at> debbugs.gnu.org:


From: Mark H Weaver <mhw@HIDDEN>
To: Efraim Flashner <efraim@HIDDEN>, Guillaume Le Vaillant
 <glv@HIDDEN>
Subject: Re: bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
Date: Thu, 08 Apr 2021 11:07:31 -0400

I suspect that the relevant bit that needs to be changed is line 779 of
the following file in the webkitgtk-2.32.0 source code:

  Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp

Most likely, that line can simply be deleted.  Here's the relevant
excerpt, with line 779 marked by "==>":

--8<---------------cut here---------------start------------->8---
GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const ProcessLauncher::LaunchOptions& launchOptions, char** argv, GError **error)
{
    ASSERT(launcher);

    // For now we are just considering the network process trusted as it
    // requires a lot of access but doesn't execute arbitrary code like
    // the WebProcess where our focus lies.
    if (launchOptions.processType == ProcessLauncher::ProcessType::Network)
        return adoptGRef(g_subprocess_launcher_spawnv(launcher, argv, error));

    const char* runDir = g_get_user_runtime_dir();
    Vector<CString> sandboxArgs = {
        "--die-with-parent",
        "--unshare-pid",
        "--unshare-uts",

        // We assume /etc has safe permissions.
        // At a later point we can start masking privacy-concerning files.
        "--ro-bind", "/etc", "/etc",
        "--dev", "/dev",
        "--proc", "/proc",
        "--tmpfs", "/tmp",
        "--unsetenv", "TMPDIR",
        "--dir", runDir,
        "--setenv", "XDG_RUNTIME_DIR", runDir,
        "--symlink", "../run", "/var/run",
        "--symlink", "../tmp", "/var/tmp",
        "--ro-bind", "/sys/block", "/sys/block",
        "--ro-bind", "/sys/bus", "/sys/bus",
        "--ro-bind", "/sys/class", "/sys/class",
        "--ro-bind", "/sys/dev", "/sys/dev",
        "--ro-bind", "/sys/devices", "/sys/devices",

        "--ro-bind-try", "/usr/share", "/usr/share",
        "--ro-bind-try", "/usr/local/share", "/usr/local/share",
        "--ro-bind-try", DATADIR, DATADIR,

       // Bind mount the store inside the WebKitGTK sandbox.
       "--ro-bind", "@storedir@", "@storedir@",

        // We only grant access to the libdirs webkit is built with and
        // guess system libdirs. This will always have some edge cases.
        "--ro-bind-try", "/lib", "/lib",
        "--ro-bind-try", "/usr/lib", "/usr/lib",
        "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
        "--ro-bind-try", LIBDIR, LIBDIR,
        "--ro-bind-try", "/lib64", "/lib64",
        "--ro-bind-try", "/usr/lib64", "/usr/lib64",
        "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",

        "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
    };

    if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
        sandboxArgs.appendVector(Vector<CString>({
==>         "--ro-bind", "/usr/bin", "/usr/bin",
            // This is a lot of access, but xdg-dbus-proxy is trusted so that's OK. It's sandboxed
            // only because we have to mount .flatpak-info in its mount namespace. The user rundir
            // is where we mount our proxy socket.
            "--bind", runDir, runDir,
        }));
    } else {
        // xdg-dbus-proxy needs access to host abstract sockets to connect to the a11y bus. Secure
        // host services must not use abstract sockets. Otherwise, only the network process should
        // have network access, and the network process is not sandboxed at all.
        sandboxArgs.appendVector(Vector<CString>({
            "--unshare-net"
        }));
    }
--8<---------------cut here---------------end--------------->8---

       Mark
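
The launch failure in this thread follows from how bubblewrap treats a bind whose source is absent: `--ro-bind` aborts, while `--ro-bind-try` skips the mount. The following is an added example, not code from WebKit, Guix or any participant in the thread; it audits a bwrap argument vector for plain binds with a missing source and for binds of FHS directories. The names `auditBwrapArgs`, `guixHostHas` and `sampleArgs`, the `/gnu/store` value standing in for `@storedir@`, the FHS root list and the modelled host are assumptions made for illustration.

```cpp
// Added example, not WebKit or Guix code: audit a bubblewrap argument vector.
#include <cstdio>
#include <initializer_list>
#include <set>
#include <string>
#include <vector>

using Args = std::vector<std::string>;

struct Finding {
    std::string kind; // "missing-source" or "fhs-bind"
    std::string path; // host-side source of the bind
};

// Operand counts for the options in the quoted excerpt (plus --bind-try).
static size_t operandCount(const std::string& opt)
{
    static const std::set<std::string> two = { "--bind", "--bind-try", "--ro-bind",
        "--ro-bind-try", "--setenv", "--symlink" };
    static const std::set<std::string> one = { "--dev", "--proc", "--tmpfs", "--dir", "--unsetenv" };
    return two.count(opt) ? 2 : one.count(opt) ? 1 : 0;
}

// Traditional FHS roots (assumed list) that a Guix-built package should not need.
static bool isFhsPath(const std::string& path)
{
    for (const std::string root : { "/usr", "/lib", "/lib64", "/bin", "/sbin" })
        if (path == root || path.compare(0, root.size() + 1, root + "/") == 0)
            return true;
    return false;
}

// hostHas models the host filesystem, so the audit runs without bwrap installed.
static std::vector<Finding> auditBwrapArgs(const Args& args, bool (*hostHas)(const std::string&))
{
    std::vector<Finding> findings;
    for (size_t i = 0; i < args.size(); ++i) {
        const std::string& opt = args[i];
        const size_t n = operandCount(opt);
        if (i + n >= args.size() && n > 0)
            break; // truncated vector: operands are missing
        const bool plainBind = opt == "--bind" || opt == "--ro-bind";
        const bool tryBind = opt == "--bind-try" || opt == "--ro-bind-try";
        if (plainBind || tryBind) {
            const std::string& src = args[i + 1];
            // bwrap aborts when the source of a plain bind does not exist;
            // the -try variants skip the mount instead.
            if (plainBind && !hostHas(src))
                findings.push_back({ "missing-source", src });
            if (isFhsPath(src))
                findings.push_back({ "fhs-bind", src });
        }
        i += n; // skip this option's operands
    }
    return findings;
}

// Constructed host model: a Guix System without /usr/bin, as in the report.
static bool guixHostHas(const std::string& path)
{
    static const std::set<std::string> present = { "/etc", "/gnu/store", "/run/user/1000" };
    return present.count(path) > 0;
}

static void addBind(Args& args, const std::string& opt, const std::string& path)
{
    for (const std::string& word : { opt, path, path })
        args.push_back(word);
}

// Constructed sample: a shortened form of the DBusProxy arguments quoted in the
// thread, with /gnu/store assumed for @storedir@. usrBinOpt is "--ro-bind"
// (as shipped), "--ro-bind-try" (first proposal) or "" (bind removed).
static Args sampleArgs(const std::string& usrBinOpt, bool keepFhsDirs)
{
    Args args = { "--die-with-parent", "--unshare-pid", "--ro-bind", "/etc", "/etc",
        "--tmpfs", "/tmp", "--setenv", "XDG_RUNTIME_DIR", "/run/user/1000",
        "--symlink", "../run", "/var/run", "--ro-bind", "/gnu/store", "/gnu/store" };
    if (keepFhsDirs)
        for (const char* dir : { "/usr/share", "/lib", "/usr/lib64" })
            addBind(args, "--ro-bind-try", dir);
    if (!usrBinOpt.empty())
        addBind(args, usrBinOpt, "/usr/bin");
    addBind(args, "--bind", "/run/user/1000");
    return args;
}

int main()
{
    // The empty option stands for the variant with every FHS bind removed.
    for (const char* opt : { "--ro-bind", "--ro-bind-try", "" }) {
        std::printf("/usr/bin via '%s':\n", opt);
        for (const Finding& f : auditBwrapArgs(sampleArgs(opt, *opt != '\0'), guixHostHas))
            std::printf("  %s %s\n", f.kind.c_str(), f.path.c_str());
    }
    return 0;
}
```

On the modelled host only the as-shipped vector yields a `missing-source` finding; switching to `--ro-bind-try` clears it but leaves every `fhs-bind` finding in place, and only removing the FHS binds clears both.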




Information forwarded to bug-guix@HIDDEN:
bug#47628; Package guix. Full text available.
Changed bug title to 'webkitgtk-2.32.0 fails to launch without /usr/bin' from 'webkitgtk-2.32.0 fails to launch without /usr/bin/env' Request was from Mark H Weaver <mhw@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 47628 <at> debbugs.gnu.org:


From: Mark H Weaver <mhw@HIDDEN>
To: Efraim Flashner <efraim@HIDDEN>, Guillaume Le Vaillant
 <glv@HIDDEN>
Subject: Re: bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
Date: Thu, 08 Apr 2021 10:32:38 -0400

retitle 47628 webkitgtk-2.32.0 fails to launch without /usr/bin
thanks

Earlier, I wrote:
> That's it!  I have /bin/sh but not /usr/bin/env.  Adding /usr/bin/env
> fixes the problem for me.

Actually, it suffices for /usr/bin to exist as an empty directory.
/usr/bin/env is never actually used.

       Mark




Information forwarded to bug-guix@HIDDEN:
bug#47628; Package guix. Full text available.
Changed bug title to 'webkitgtk-2.32.0 fails to launch without /usr/bin/env' from 'Epiphany fails to launch after webkitgtk-2.32.0 update' Request was from Mark H Weaver <mhw@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 47628 <at> debbugs.gnu.org:


From: Mark H Weaver <mhw@HIDDEN>
To: Efraim Flashner <efraim@HIDDEN>, Guillaume Le Vaillant
 <glv@HIDDEN>
Subject: Re: bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin/env
Date: Thu, 08 Apr 2021 10:19:37 -0400

retitle 47628 webkitgtk-2.32.0 fails to launch without /usr/bin/env
thanks

Hi Efraim,

Efraim Flashner <efraim@HIDDEN> writes:
> It "works" for me on bb4f47a7f614eea78a8c8a0d3e5fc55bf4e52646, using Guix
> System with Enlightenment. I get errors about not committing changes to
> dconf and I'm unable to change settings in preferences. Does your system
> have /bin/sh or /usr/bin/env? That's the only thing I have in /usr/bin.

That's it!  I have /bin/sh but not /usr/bin/env.  Adding /usr/bin/env
fixes the problem for me.

It would be good to eliminate that dependency.  If webkitgtk is using
/usr/bin/env from within its sandbox, that's worrisome.  I want it using
software components determined at build time.  I do *not* want it
searching in PATH for things.

To be continued...

     Mark




Information forwarded to bug-guix@HIDDEN:
bug#47628; Package guix. Full text available.

Message received at 47628 <at> debbugs.gnu.org:


Date: Thu, 8 Apr 2021 11:22:49 +0300
From: Efraim Flashner <efraim@HIDDEN>
To: Guillaume Le Vaillant <glv@HIDDEN>
Subject: Re: bug#47628: webkitgtk-2.32.0 is broken on my system
Message-ID: <YG69WSLo6kwh2RhD@3900XT>
References: <87tuojni9a.fsf@HIDDEN> <87r1jnnhfi.fsf@HIDDEN>
 <87lf9upmwb.fsf@yamatai>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature"; boundary="N/cEB6EX5GS099dg"
Content-Disposition: inline
In-Reply-To: <87lf9upmwb.fsf@yamatai>
X-PGP-Key-ID: 0x41AAE7DCCA3D8351
X-PGP-Key: https://flashner.co.il/~efraim/efraim_flashner.asc
X-PGP-Fingerprint: A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Cc: Mark H Weaver <mhw@HIDDEN>, 47628 <at> debbugs.gnu.org


--N/cEB6EX5GS099dg
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Apr 07, 2021 at 09:35:48AM +0200, Guillaume Le Vaillant wrote:
> Mark H Weaver <mhw@HIDDEN> skribis:
>
> > retitle 47628 webkitgtk-2.32.0 is broken on my system
> > thanks
> >
> > Mark H Weaver <mhw@HIDDEN> writes:
> >
> >> FYI, since updating to webkitgtk-2.32.0 (commit
> >> 3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
> >> window appears, although GNOME Shell shows an empty outline in overview
> >> mode, as if there's a window but it has never been painted.
> >>
> >> When running 'epiphany' from the command line, I see the following
> >> warning from 'bwrap', which indicates that it's looking in /usr/bin:
> >
> > I see exactly the same behavior with 'eolie': the window never appears,
> > (except for an outline in GNOME Shell's overview mode), and I see the
> > same warning:
> >
> >   "bwrap: Can't find source path /usr/bin: No such file or directory"
> >
> > In both cases, if I try to close the phantom window from overview mode,
> > it informs me that the application is not responding, and I have to
> > force quit to make the phantom window go away.
> >
> >        Mark
>
> On my Guix system, epiphany with webkitgtk-2.32.0 seems to work fine
> (with Guix at commit 14392c77896561c5846c0f3a0588720792d61e95).
> The window appears and I can browse websites, and it doesn't print any
> error about 'bwrap'.
> I'm using StumpWM and not Gnome Shell; I don't know if it has an impact
> on epiphany's behavior.

It "works" for me on bb4f47a7f614eea78a8c8a0d3e5fc55bf4e52646, using Guix
System with Enlightenment. I get errors about not committing changes to
dconf and I'm unable to change settings in preferences. Does your system
have /bin/sh or /usr/bin/env? That's the only thing I have in /usr/bin.

-- 
Efraim Flashner   <efraim@HIDDEN>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

--N/cEB6EX5GS099dg--




Information forwarded to bug-guix@HIDDEN:
bug#47628; Package guix. Full text available.

Message received at 47628 <at> debbugs.gnu.org:


References: <87tuojni9a.fsf@HIDDEN> <87r1jnnhfi.fsf@HIDDEN>
User-agent: mu4e 1.4.15; emacs 27.2
From: Guillaume Le Vaillant <glv@HIDDEN>
To: Mark H Weaver <mhw@HIDDEN>
Subject: Re: bug#47628: webkitgtk-2.32.0 is broken on my system
In-reply-to: <87r1jnnhfi.fsf@HIDDEN>
Date: Wed, 07 Apr 2021 09:35:48 +0200
Message-ID: <87lf9upmwb.fsf@yamatai>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
Cc: 47628 <at> debbugs.gnu.org

--=-=-=
Content-Type: text/plain

Mark H Weaver <mhw@HIDDEN> skribis:

> retitle 47628 webkitgtk-2.32.0 is broken on my system
> thanks
>
> Mark H Weaver <mhw@HIDDEN> writes:
>
>> FYI, since updating to webkitgtk-2.32.0 (commit
>> 3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
>> window appears, although GNOME Shell shows an empty outline in overview
>> mode, as if there's a window but it has never been painted.
>>
>> When running 'epiphany' from the command line, I see the following
>> warning from 'bwrap', which indicates that it's looking in /usr/bin:
>
> I see exactly the same behavior with 'eolie': the window never appears,
> (except for an outline in GNOME Shell's overview mode), and I see the
> same warning:
>
>   "bwrap: Can't find source path /usr/bin: No such file or directory"
>
> In both cases, if I try to close the phantom window from overview mode,
> it informs me that the application is not responding, and I have to
> force quit to make the phantom window go away.
>
>        Mark

On my Guix system, epiphany with webkitgtk-2.32.0 seems to work fine
(with Guix at commit 14392c77896561c5846c0f3a0588720792d61e95).
The window appears and I can browse websites, and it doesn't print any
error about 'bwrap'.
I'm using StumpWM and not Gnome Shell; I don't know if it has an impact
on epiphany's behavior.

--=-=-=--




Information forwarded to bug-guix@HIDDEN:
bug#47628; Package guix. Full text available.

Message received at 47628 <at> debbugs.gnu.org:


From: Mark H Weaver <mhw@HIDDEN>
To: 47628 <at> debbugs.gnu.org
Subject: webkitgtk-2.32.0 is broken on my system (was Re: bug#47628:
 Epiphany fails to launch after webkitgtk-2.32.0 update)
In-Reply-To: <87tuojni9a.fsf@HIDDEN>
References: <87tuojni9a.fsf@HIDDEN>
Date: Tue, 06 Apr 2021 19:04:06 -0400
Message-ID: <87r1jnnhfi.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain

retitle 47628 webkitgtk-2.32.0 is broken on my system
thanks

Mark H Weaver <mhw@HIDDEN> writes:

> FYI, since updating to webkitgtk-2.32.0 (commit
> 3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
> window appears, although GNOME Shell shows an empty outline in overview
> mode, as if there's a window but it has never been painted.
>
> When running 'epiphany' from the command line, I see the following
> warning from 'bwrap', which indicates that it's looking in /usr/bin:

I see exactly the same behavior with 'eolie': the window never appears,
(except for an outline in GNOME Shell's overview mode), and I see the
same warning:

  "bwrap: Can't find source path /usr/bin: No such file or directory"

In both cases, if I try to close the phantom window from overview mode,
it informs me that the application is not responding, and I have to
force quit to make the phantom window go away.

       Mark




Information forwarded to bug-guix@HIDDEN:
bug#47628; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Mark H Weaver <mhw@HIDDEN>
To: bug-guix@HIDDEN
Subject: Epiphany fails to launch after webkitgtk-2.32.0 update
Date: Tue, 06 Apr 2021 18:46:14 -0400
Message-ID: <87tuojni9a.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain

FYI, since updating to webkitgtk-2.32.0 (commit
3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
window appears, although GNOME Shell shows an empty outline in overview
mode, as if there's a window but it has never been painted.

When running 'epiphany' from the command line, I see the following
warning from 'bwrap', which indicates that it's looking in /usr/bin:

--8<---------------cut here---------------start------------->8---
mhw@jojen ~$ epiphany

** (epiphany:1016): WARNING **: 18:36:48.495: Registering special URI scheme ftp is no longer allowed
bwrap: Can't find source path /usr/bin: No such file or directory
--8<---------------cut here---------------end--------------->8---

I wonder if this only works when Guix is run on top of a more
traditional OS that has /usr/bin.

Is anyone successfully able to use Epiphany on a pure Guix system
(without /usr/bin) with Webkitgtk-2.32.0?  (The Webkitgtk version is
shown in the "About Web" window, which is accessible from the hamburger
menu.)

      Mark
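
The failure reported above, as an added example that is not part of the thread and is not code from bubblewrap or WebKitGTK: bwrap aborts with "Can't find source path" when the SRC of a --bind, --ro-bind or --dev-bind mount is missing on the host, while the corresponding -try variants ignore a missing SRC. The function name `missing_bind_sources` and the sample argument list are constructed for illustration; the arguments WebKitGTK actually passes to bwrap are not shown on this page.

```shell
#!/bin/sh
# Print the SRC of every mandatory bind mount in a bwrap argument list
# that does not exist on the host. bwrap refuses to start on these.
# The *-try variants are skipped: bwrap ignores a missing SRC for them.
# Simplification (assumption): flags are matched by name wherever they
# appear, without modelling the arity of every other bwrap option.
missing_bind_sources() {
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --bind|--ro-bind|--dev-bind)
                # Form: FLAG SRC DEST
                if [ "$#" -ge 3 ]; then
                    [ -e "$2" ] || printf '%s\n' "$2"
                    shift 3
                else
                    shift "$#"    # truncated argument list, stop
                fi
                ;;
            --bind-try|--ro-bind-try|--dev-bind-try)
                # Optional mount: a missing SRC is not an error
                if [ "$#" -ge 3 ]; then shift 3; else shift "$#"; fi
                ;;
            *)
                shift
                ;;
        esac
    done
}

# Constructed demonstration: a scratch root that has bin/ but no usr/bin/,
# like the system in this report (/bin/sh present, /usr/bin absent).
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin"
    missing_bind_sources \
        --ro-bind "$root/bin" /bin \
        --ro-bind "$root/usr/bin" /usr/bin \
        --ro-bind-try "$root/lib64" /lib64 \
        --proc /proc \
        epiphany
    rm -rf "$root"
}

demo
```

Only the scratch `usr/bin` path is reported: the `lib64` source is also absent, but it is bound with `--ro-bind-try`, so bwrap would not fail on it.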




Acknowledgement sent to Mark H Weaver <mhw@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#47628; Package guix. Full text available.
Last modified: Wed, 14 Apr 2021 15:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.