GNU logs - #72265, boring messages

Message sent to guix-patches@HIDDEN:

Subject: [bug#72265] [PATCH 0/1] Fix hardware acceleration support for librewolf
Resent-From: Nikita Domnitskii <nikita@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Wed, 24 Jul 2024 05:45:02 +0000
Resent-Message-ID: <handler.72265.B.172179989226960 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
To: 72265 <at> debbugs.gnu.org
From: Nikita Domnitskii <nikita@HIDDEN>
Message-Id: <cover.1721797552.git.nikita@HIDDEN>
Date: Wed, 24 Jul 2024 11:44:31 +0600
MIME-Version: 1.0
Content-Type: text/plain
Received-SPF: pass client-ip=2001:41d0:1004:224b::ac;
 envelope-from=nikita@HIDDEN; helo=out-172.mta0.migadu.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.4 (-)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.4 (--)

Current approach with LD_LIBRARY_PATH seems wrong for multiple reasons:
1. It doesn't work
2. It would require us to add all available drivers and every shared
library that drivers load

Currently it works like that:

--8<---------------cut here---------------start------------->8---
$ MOZ_SANDBOX_LOGGING=1 librewolf
libva info: Trying to open /run/current-system/profile/lib/dri/iHD_drv_video.so
[3323] Sandbox: SandboxBroker: denied op=open rflags=2000000 perms=0 path=/gnu/store/371amhgyc25i0frgxkllp94v6rvvyl0y-intel-media-driver-nonfree-24.1.5/lib/dri/iHD_drv_video.so for pid=3971
[3971] Sandbox: Failed errno -13 op open flags 02000000 path /run/current-system/profile/lib/dri/iHD_drv_video.so
[3323] Sandbox: SandboxBroker: denied op=access rflags=0 perms=0 path=/gnu/store/371amhgyc25i0frgxkllp94v6rvvyl0y-intel-media-driver-nonfree-24.1.5/lib/dri/iHD_drv_video.so for pid=3971
[3971] Sandbox: Failed errno -13 op access flags 00 path /run/current-system/profile/lib/dri/iHD_drv_video.so
libva info: va_openDriver() returns -1
--8<---------------cut here---------------end--------------->8---

If I'll add /run/current-system/profile/lib/dri to LD_LIBRARY_PATH it
tries to load gmmlib:

--8<---------------cut here---------------start------------->8---
$ MOZ_SANDBOX_LOGGING=1 LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/run/current-system/profile/lib librewolf
libva info: Trying to open /run/current-system/profile/lib/dri/iHD_drv_video.so
[5004] Sandbox: Failed errno -2 op open flags 02000000 path /gnu/store/z987j9j71l114051dg3722amqcnv84c6-librewolf-126.0-1/lib/librewolf/libigdgmm.so.12
[5004] Sandbox: Failed errno -2 op open flags 02000000 path /gnu/store/9i3zzv8kmv2rkkiyn70lp594fz637vna-mesa-24.0.4/lib/libigdgmm.so.12
... tries to lookup libigdgmm.so.12
[5004] Sandbox: Failed errno -2 op open flags 02000000 path /gnu/store/ln6hxqjvz6m9gdd9s97pivlqck7hzs99-glibc-2.35/lib/libigdgmm.so.12
libva error: dlopen of /run/current-system/profile/lib/dri/iHD_drv_video.so failed: libigdgmm.so.12: cannot open shared object file: No such file or directory
libva info: va_openDriver() returns -1
--8<---------------cut here---------------end--------------->8---

So I propose to use NixOS approach (already upstreamed) 

Nikita Domnitskii (1):
  gnu: librewolf: Add guix drivers paths to RDD whitelist

 gnu/packages/librewolf.scm                    | 20 ++++---------------
 ...librewolf-add-paths-to-rdd-whitelist.patch | 11 ++++++++++
 2 files changed, 15 insertions(+), 16 deletions(-)
 create mode 100644 gnu/packages/patches/librewolf-add-paths-to-rdd-whitelist.patch


base-commit: ee7e5e00bf2b9257e67d785b37efddb008c5da37


-- 
Best Regards,
Nikita Domnitskii

Message sent:

Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
Content-Type: text/plain; charset=utf-8
X-Loop: help-debbugs@HIDDEN
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Nikita Domnitskii <nikita@HIDDEN>
Subject: bug#72265: Acknowledgement ([PATCH 0/1] Fix hardware acceleration
 support for librewolf)
Message-ID: <handler.72265.B.172179989226960.ack <at> debbugs.gnu.org>
References: <cover.1721797552.git.nikita@HIDDEN>
X-Gnu-PR-Message: ack 72265
X-Gnu-PR-Package: guix-patches
X-Gnu-PR-Keywords: patch
Reply-To: 72265 <at> debbugs.gnu.org
Date: Wed, 24 Jul 2024 05:45:02 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 guix-patches@HIDDEN

If you wish to submit further information on this problem, please
send it to 72265 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

--=20
72265: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D72265
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems

Message sent to guix-patches@HIDDEN:

Subject: [bug#72265] [PATCH 1/1] gnu: librewolf: Add guix drivers paths to RDD whitelist
Resent-From: Nikita Domnitskii <nikita@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Wed, 24 Jul 2024 05:46:02 +0000
Resent-Message-ID: <handler.72265.B.172179990527050 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
To: 72265 <at> debbugs.gnu.org
From: Nikita Domnitskii <nikita@HIDDEN>
In-Reply-To: <cover.1721797552.git.nikita@HIDDEN>
References: <cover.1721797552.git.nikita@HIDDEN>
Message-Id: <d58e28b577d0c7f9ba30314b409dc5d4749b69ec.1721797552.git.nikita@HIDDEN>
Date: Wed, 24 Jul 2024 11:44:51 +0600
MIME-Version: 1.0
Content-Type: text/plain
Received-SPF: pass client-ip=2001:41d0:1004:224b::b1;
 envelope-from=nikita@HIDDEN; helo=out-177.mta0.migadu.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.4 (-)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.4 (--)

Change-Id: I5aaf590b625dfbacb19b6dc54d7f83f73bea1fda
---
 gnu/packages/librewolf.scm                    | 20 ++++---------------
 ...librewolf-add-paths-to-rdd-whitelist.patch | 11 ++++++++++
 2 files changed, 15 insertions(+), 16 deletions(-)
 create mode 100644 gnu/packages/patches/librewolf-add-paths-to-rdd-whitelist.patch

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 3e46477724..b34e29d9db 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -203,7 +203,9 @@ (define librewolf-source
                (invoke "make" "all")
                (copy-file (string-append "librewolf-" #$version
                                          ".source.tar.gz")
-                          #$output))))))))
+                          #$output)))))
+      (patches
+       (search-patches "librewolf-add-paths-to-rdd-whitelist.patch")))))
 
 ;; Define the versions of rust needed to build librewolf, trying to match
 ;; upstream.  See the file taskcluster/ci/toolchain/rust.yml at
@@ -573,26 +575,12 @@ (define-public librewolf
                                        ;; For U2F and WebAuthn
                                        "eudev")))
 
-                              ;; VA-API is run in the RDD (Remote Data Decoder) sandbox
-                              ;; and must be explicitly given access to files it needs.
-                              ;; Rather than adding the whole store (as Nix had
-                              ;; upstream do, see
-                              ;; <https://github.com/NixOS/nixpkgs/pull/165964> and
-                              ;; linked upstream patches), we can just follow the
-                              ;; runpaths of the needed libraries to add everything to
-                              ;; LD_LIBRARY_PATH.  These will then be accessible in the
-                              ;; RDD sandbox.
-                              (rdd-whitelist (map (cut string-append <> "/")
-                                                  (delete-duplicates (append-map
-                                                                      runpaths-of-input
-                                                                      '("mesa"
-                                                                        "ffmpeg")))))
                               (gtk-share (string-append (assoc-ref inputs
                                                                    "gtk+")
                                                         "/share")))
                          (wrap-program (car (find-files lib "^librewolf$"))
                            `("LD_LIBRARY_PATH" prefix
-                             (,@libs ,@rdd-whitelist))
+                             (,@libs))
                            `("XDG_DATA_DIRS" prefix
                              (,gtk-share))
                            `("MOZ_LEGACY_PROFILES" =
diff --git a/gnu/packages/patches/librewolf-add-paths-to-rdd-whitelist.patch b/gnu/packages/patches/librewolf-add-paths-to-rdd-whitelist.patch
new file mode 100644
index 0000000000..1bee0bddf5
--- /dev/null
+++ b/gnu/packages/patches/librewolf-add-paths-to-rdd-whitelist.patch
@@ -0,0 +1,11 @@
+--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
++++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+@@ -920,6 +920,8 @@
+   policy->AddDir(rdonly, "/usr/lib64");
+   policy->AddDir(rdonly, "/run/opengl-driver/lib");
+   policy->AddDir(rdonly, "/nix/store");
++  policy->AddDir(rdonly, "/gnu/store");
++  policy->AddDir(rdonly, "/run/current-system/profile/lib");
+
+   // Bug 1647957: memory reporting.
+   AddMemoryReporting(policy.get(), aPid);


-- 
Best Regards,
Nikita Domnitskii

Message sent to guix-patches@HIDDEN:

Subject: [bug#72265] [PATCH 0/1] Fix hardware acceleration support for librewolf
References: <cover.1721797552.git.nikita@HIDDEN>
In-Reply-To: <cover.1721797552.git.nikita@HIDDEN>
Resent-From: Ian Eure <ian@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Wed, 31 Jul 2024 00:24:01 +0000
Resent-Message-ID: <handler.72265.B72265.172238542419528 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
To: 72265 <at> debbugs.gnu.org, Nikita Domnitskii <nikita@HIDDEN>
Feedback-ID: id9014242:Fastmail
User-agent: mu4e 1.8.13; emacs 28.2
From: Ian Eure <ian@HIDDEN>
Date: Tue, 30 Jul 2024 17:12:39 -0700
Message-ID: <87cymutnnr.fsf@meson>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable
Precedence: list
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>

Hello,

I=E2=80=99d like to have a better handle on *why* this isn=E2=80=99t workin=
g, and=20
what alternate options may exist, before granting LW=E2=80=99s sandboxed=20
processes full access to the store.  Since a lot of system config=20
stuff ends up in there, and Guix doesn=E2=80=99t have a good way to manage=
=20
secrets, it feels risky to me to open it up.

Do you have reproduction steps which demonstrate the issue?  I see=20
it complaining about not loading libva, but setting=20
`MOZ_LOG=3D"PlatformDecoderModule:5"'[1] and enabling the various=20
ffmpeg config bits, then playing a video, it *seems* like it=E2=80=99s=20
using hwaccel.

The approach in LW is taken directly from the Firefox packages in=20
Nonguix -- can you reproduce your problem with that packages?=20
That might provide a clue as to what=E2=80=99s different between the two=20
package definitions.

Thanks,

  =E2=80=94 Ian

[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=3D1610199#c31

Message sent to guix-patches@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: [bug#72265] [PATCH 0/1] Fix hardware acceleration support for librewolf
Resent-From: Nikita Domnitskii <nikita@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Wed, 31 Jul 2024 05:10:01 +0000
Resent-Message-ID: <handler.72265.B72265.172240254614945 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 72265
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Ian Eure <ian@HIDDEN>, 72265 <at> debbugs.gnu.org
Received: via spool by 72265-submit <at> debbugs.gnu.org id=B72265.172240254614945
          (code B ref 72265); Wed, 31 Jul 2024 05:10:01 +0000
Received: (at 72265) by debbugs.gnu.org; 31 Jul 2024 05:09:06 +0000
Received: from localhost ([127.0.0.1]:48862 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sZ1aE-0003sy-6v
	for submit <at> debbugs.gnu.org; Wed, 31 Jul 2024 01:09:06 -0400
Received: from out-182.mta0.migadu.com ([91.218.175.182]:34936)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <nikita@HIDDEN>) id 1sZ1aA-0003sN-07
 for 72265 <at> debbugs.gnu.org; Wed, 31 Jul 2024 01:09:04 -0400
X-Report-Abuse: Please report any abuse attempt to abuse@HIDDEN and
 include these headers.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domnitskii.me;
 s=key1; t=1722402489;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=9iPJP2jHRFokinPatFOd32T0R+4OGshRwQBXIXuJbDI=;
 b=Zi805fhEKuRsr9c3p3ouisiPZUuEIe68mnb3XpgAKbvOPc5nufYITDvKFKauu5dMXwWXlF
 szOdX8LiBtNN1pQzSfwEp5SqnTQWsiaug4hfJK0ejhZN5AhJOUH9lhKojIHfn8TcWBhVEl
 jYtsJSxi6M8hBdbL0uszhL8FgpPAmx0=
From: Nikita Domnitskii <nikita@HIDDEN>
In-Reply-To: <87cymutnnr.fsf@meson>
References: <87cymutnnr.fsf@meson>
Date: Wed, 31 Jul 2024 11:08:04 +0600
Message-ID: <87ed7a5etn.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Migadu-Flow: FLOW_OUT
X-Spam-Score: -0.0 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Ian Eure <ian@HIDDEN> writes:

> I=E2=80=99d like to have a better handle on *why* this isn=E2=80=99t work=
ing, and what
> alternate options may exist, before granting LW=E2=80=99s sandboxed proce=
sses
> full access to the store.

It doesn't work because RDD does not have access to drivers (in
/run/current-system/profile/lib/) and any shared libraries that driver
can use (anywhere in /gnu/store).  Which you could see when running LW
with MOZ_SANDBOX_LOGGING=3D1 environment variable or in my initial
message.  While we can add /run/current-system/profile/lib/ to whitelist
and partially fix this issue, I don't think we can predict what driver
would want to load.  So I don't really see any alternative solutions for
shared libraries problem.

> Since a lot of system config stuff ends up in there, and Guix doesn=E2=80=
=99t
> have a good way to manage secrets, it feels risky to me to open it up.

Is it really an issue?  Any program on your system already does that,
why LW any different?  It's a good enough solution for NixOS/FF not sure
why we have to do something different here.

> Do you have reproduction steps which demonstrate the issue?

It's in my initial message.  You just run LW with
MOZ_SANDBOX_LOGGING=3D1/MOZ_LOG=3D"PlatformDecoderModule:5" and check your
GPU usage (intel_gpu_top for Intel GPU, not sure about others) while
playing video.

> I see it complaining about not loading libva, but setting
> `MOZ_LOG=3D"PlatformDecoderModule:5"'[1] and enabling the various ffmpeg
> config bits, then playing a video, it *seems* like it=E2=80=99s using hwa=
ccel.

I'm not aware of any other hwaccel implementation in LW/FF other than
VA-API.  If it's not loading libva it doesn't use hwaccel.

> The approach in LW is taken directly from the Firefox packages in=20
> Nonguix -- can you reproduce your problem with that packages?

I can and it never worked for me.  I used to mantain my LW package
definition[1] where I put neccesary paths to LD_LIBRARY_PATH, but that
solution very specific to my setup and would not work as a general one.

--=20
Best Regards,
Nikita Domnitskii

[1] https://git.sr.ht/~krevedkokun/dotfiles/tree/master/item/src/guile/yggd=
rasil/packages/mozilla.scm

Message sent to guix-patches@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: [bug#72265] [PATCH 0/1] Fix hardware acceleration support for librewolf
Resent-From: Ian Eure <ian@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Sat, 17 Aug 2024 22:34:02 +0000
Resent-Message-ID: <handler.72265.B72265.172393403527244 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 72265
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Nikita Domnitskii <nikita@HIDDEN>
Cc: 72265 <at> debbugs.gnu.org
Received: via spool by 72265-submit <at> debbugs.gnu.org id=B72265.172393403527244
          (code B ref 72265); Sat, 17 Aug 2024 22:34:02 +0000
Received: (at 72265) by debbugs.gnu.org; 17 Aug 2024 22:33:55 +0000
Received: from localhost ([127.0.0.1]:55052 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sfRze-00075M-KX
	for submit <at> debbugs.gnu.org; Sat, 17 Aug 2024 18:33:54 -0400
Received: from fhigh1-smtp.messagingengine.com ([103.168.172.152]:37331)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ian@HIDDEN>) id 1sfRzc-000756-BL
 for 72265 <at> debbugs.gnu.org; Sat, 17 Aug 2024 18:33:53 -0400
Received: from phl-compute-08.internal (phl-compute-08.nyi.internal
 [10.202.2.48])
 by mailfhigh.nyi.internal (Postfix) with ESMTP id 41F111145481;
 Sat, 17 Aug 2024 18:33:07 -0400 (EDT)
Received: from phl-mailfrontend-01 ([10.202.2.162])
 by phl-compute-08.internal (MEProxy); Sat, 17 Aug 2024 18:33:07 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=retrospec.tv; h=
 cc:cc:content-transfer-encoding:content-type:content-type:date
 :date:from:from:in-reply-to:in-reply-to:message-id:mime-version
 :references:reply-to:subject:subject:to:to; s=fm2; t=1723933987;
 x=1724020387; bh=xSZXZ4wHW9qwGaWcGowjMyw1G8IzQqKIlo5V8whEu/4=; b=
 mq/szVoe5v8IpZ4rYHpuGvYaKcDLOovNW7uYVsCPd2lzHfubfqlGMO4o7/IRHgiR
 1cSe5bmDKBxiY7z0q75A7b+KtEFvJ/ovd9dto0kwoL1+UGVD2u9IeSPnnlnDuBip
 v498eqtjPG72KCnojRSlTN7MPphvAjFY5tHBwQoc0Wl23hYq9FPAkPBAHM8GQ+nG
 IM1kzdSnG+JVmBuNhgeuLli4q1bcAdcIHf4Q7WRPStEX6+y/TVO22GnEJbzAyfv9
 Y3rpMW54NXwPQrZuR6hiKUsxnYTOnaHomJ9yG4jdpfw2qF2YBxOvNxpXlJUTKaPg
 M6rxsqWmZF9k/aOjaOTmjw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:cc:content-transfer-encoding
 :content-type:content-type:date:date:feedback-id:feedback-id
 :from:from:in-reply-to:in-reply-to:message-id:mime-version
 :references:reply-to:subject:subject:to:to:x-me-proxy:x-me-proxy
 :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1723933987; x=
 1724020387; bh=xSZXZ4wHW9qwGaWcGowjMyw1G8IzQqKIlo5V8whEu/4=; b=e
 kdD3rnMp9rxRcaeurvz1fyxRpHGcfXoFZLGhtKxCk5pVeNzcdXlrrON4qh5lfbuC
 LH/DH438TbF+qp/Q4sK0I5E5cZ4zshcCiZwtloauKMDSZgKv1xDTYQ7UuBjgfe1+
 90GBMAgChQyqhDyk+iv/CmY+uNpl0czYTL/zkOTkfHgMMYiGCq7ESlysWdu7KrYG
 LkkLoHBofSvVsjDAP33iNzOksXXqvgOcz4NpMbtIZdTIaxW0Odj6qtaYHUqA5kwQ
 rpcCdeaUfWMYYhr2LExfdzW9vCSAWo90HGW8980tzgpa3j1PQI2C8uHou1pmK7sg
 BWpsJFkt8psrc+N9gDRHA==
X-ME-Sender: <xms:IiXBZkVRGP8Pxatri1iU2-WxnYIXfQX5iL3rf8eUHTCtQ_8PDw4LCw>
 <xme:IiXBZom08H_HLkhHlG25F7ChyB1jJcLXbt-jNUEr2Nv4aB2YojYVxpd3mEjyVeiys
 E5FlMziaPutVqyWxQ>
X-ME-Received: <xmr:IiXBZoZMXO_EDJYTRYo1BC0WJRkUCqRZtzsk4z9Ai45I7SFb7okHBH72XXMF81riVPnc3yRVGgIdMUdY7-7rNNb4SjjczVixyGQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeftddrudduuddgudduucetufdoteggodetrfdotf
 fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggvpdfu
 rfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnh
 htshculddquddttddmnecujfgurhepfhgfhffvvefuffgjkfggtgfgsehtqhertddtreej
 necuhfhrohhmpefkrghnucfguhhrvgcuoehirghnsehrvghtrhhoshhpvggtrdhtvheqne
 cuggftrfgrthhtvghrnhephfelvedtieeffffggeeivdeukedutedtveejfffhleeileef
 heeggfdugfeiuefhnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilh
 hfrhhomhepihgrnhesrhgvthhrohhsphgvtgdrthhvpdhnsggprhgtphhtthhopedvpdhm
 ohguvgepshhmthhpohhuthdprhgtphhtthhopeejvddvieehseguvggssghughhsrdhgnh
 hurdhorhhgpdhrtghpthhtohepnhhikhhithgrseguohhmnhhithhskhhiihdrmhgv
X-ME-Proxy: <xmx:IiXBZjVleNtaEgHDgh6gJBJ6HfKtCZEGnQfemh3whq8czH169vArKg>
 <xmx:IiXBZul5UBwH8L-jJguhZCUNpciSchMwF4PH1Dn3tn_2LQ4Arr0DsA>
 <xmx:IiXBZofafU3EWV1ar7dEPRFAFUAmN1u7Lb2Ln7L_UHitsvyEr3paCw>
 <xmx:IiXBZgHn_AnuWNdpqfJVMzM4HeSup18sI2ztMAjBldAGOjYF-PD-_Q>
 <xmx:IyXBZjx7j7Q01d__8pZSuwZ2VUYOMn19USmXNI3cWRm8xZ1a7pWl-jyu>
Feedback-ID: id9014242:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat,
 17 Aug 2024 18:33:06 -0400 (EDT)
References: <87cymutnnr.fsf@meson> <87ed7a5etn.fsf@HIDDEN>
User-agent: mu4e 1.8.13; emacs 28.2
From: Ian Eure <ian@HIDDEN>
Date: Sat, 17 Aug 2024 15:20:02 -0700
In-reply-to: <87ed7a5etn.fsf@HIDDEN>
Message-ID: <874j7i6aqm.fsf@meson>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.7 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

Hi Nikita,

Nikita Domnitskii <nikita@HIDDEN> writes:

> Ian Eure <ian@HIDDEN> writes:
>
>> Since a lot of system config stuff ends up in there, and Guix=20
>> doesn=E2=80=99t
>> have a good way to manage secrets, it feels risky to me to open=20
>> it up.
>
> Is it really an issue?  Any program on your system already does=20
> that,
> why LW any different?  It's a good enough solution for NixOS/FF=20
> not sure
> why we have to do something different here.
>

I think it=E2=80=99s worth considering.  While any program can read the=20
store, few of them run the huge volume of untrusted code that a=20
web browser does.

That said, I=E2=80=99m okay with this approach.  Ideally, I=E2=80=99d like =
it to=20
be a stopgap solution, but it=E2=80=99s a clear improvement on the current=
=20
situation.  However, there are two changes I=E2=80=99d like to see:

1. Please remove the source patching from `make-librewolf-source'=20
and move it into the librewolf package definition.=20
`make-librewolf-source' is intended to produce a source tarball=20
identical to upstream, and isn=E2=80=99t a good place to be adding=20
Guix-specific patches.

2. Use the `substitute*' procedure instead of a patch file.  I=20
maintain LibreWolf in my personal channel first, then contribute=20
patches to Guix, and the patch file facility doesn=E2=80=99t work outside=20
the main Guix repository.  I work this way because I=E2=80=99m not a Guix=20
committer, and would like to run the latest version of LibreWolf.=20
Guix is often several versions behind due to intractable delays in=20
patch review.

With those two changes, your patch has my +1.  Though as noted, I=20
cannot commit it, since I don=E2=80=99t have those privileges.


>> The approach in LW is taken directly from the Firefox packages=20
>> in=20
>> Nonguix -- can you reproduce your problem with that packages?
>
> I can and it never worked for me.  I used to mantain my LW=20
> package
> definition[1] where I put neccesary paths to LD_LIBRARY_PATH,=20
> but that
> solution very specific to my setup and would not work as a=20
> general one.
>

Would you please file a bug report with them?  I=E2=80=99d be interested=20
to hear what they have to say on the subject.

Thanks,

  =E2=80=94 Ian

Last modified: Sun, 12 Jan 2025 05:45:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.