diff options
author | André Fabian Silva Delgado <emulatorman@parabola.nu> | 2016-10-25 06:30:50 -0300 |
---|---|---|
committer | André Fabian Silva Delgado <emulatorman@parabola.nu> | 2016-10-25 07:28:43 -0300 |
commit | b44ad96bf07b4b849f46a011a85ec6c2a8a245c8 (patch) | |
tree | b0c58940639eee1da9525afa020747c7ad38f051 /pcr/iceweasel-hardening/PKGBUILD | |
parent | 3e3fb2d6801149802cbf2c2a2e6cbdfcc5149add (diff) | |
download | abslibre-b44ad96bf07b4b849f46a011a85ec6c2a8a245c8.tar.gz abslibre-b44ad96bf07b4b849f46a011a85ec6c2a8a245c8.tar.bz2 abslibre-b44ad96bf07b4b849f46a011a85ec6c2a8a245c8.zip |
ice{dove,weasel}-hardening: add new package to [pcr] -> https://lists.parabola.nu/pipermail/dev/2016-October/004522.html
Diffstat (limited to 'pcr/iceweasel-hardening/PKGBUILD')
-rw-r--r-- | pcr/iceweasel-hardening/PKGBUILD | 213 |
1 files changed, 213 insertions, 0 deletions
diff --git a/pcr/iceweasel-hardening/PKGBUILD b/pcr/iceweasel-hardening/PKGBUILD new file mode 100644 index 000000000..790b18177 --- /dev/null +++ b/pcr/iceweasel-hardening/PKGBUILD @@ -0,0 +1,213 @@ +# Maintainer: André Silva <emulatorman@parabola.nu> +# Contributor: Márcio Silva <coadde@parabola.nu> +# Contributor (ConnochaetOS): Henry Jensen <hjensen@connochaetos.org> +# Contributor: Luke Shumaker <lukeshu@sbcglobal.net> +# Contributor: fauno <fauno@kiwwwi.com.ar> +# Contributor: vando <facundo@esdebian.org> +# Contributor (Arch): Jakub Schmidtke <sjakub@gmail.com> +# Contributor: Figue <ffigue at gmail> +# Contributor: taro-k <taro-k@movasense_com> +# Contributor: Michał Masłowski <mtjm@mtjm.eu> +# Contributor: Luke R. <g4jc@openmailbox.org> +# Contributor: Isaac David <isacdaavid@isacdaavid.info> +# Thank you very much to the older contributors: +# Contributor: evr <evanroman at gmail> +# Contributor: Muhammad 'MJ' Jassim <UnbreakableMJ@gmail.com> + +_pgo=false + +# We're getting this from Debian Sid +_debname=firefox +_brandingver=49.0 +_brandingrel=1 +_debver=49.0 +_debrel=deb4 +_debrepo=http://ftp.debian.org/debian/pool/main/ +_parabolarepo=https://repo.parabola.nu/other/iceweasel +debfile() { echo $@|sed -r 's@(.).*@\1/&/&@'; } + +_pkgname=firefox +pkgname=iceweasel-hardening +epoch=1 +pkgver=$_debver.$_debrel +pkgrel=1 +pkgdesc="A libre version of Debian Iceweasel, the standalone web browser based on Mozilla Firefox, with several patches that were introduced to strengthen and protect the end user from security threats" +arch=(i686 x86_64 armv7h) +license=(MPL GPL LGPL) +depends=(alsa-lib dbus-glib ffmpeg gtk2 gtk3 hunspell icu=57.1 libevent libvpx=1.6.0 libxt mime-types mozilla-common nss sqlite startup-notification ttf-font) +makedepends=(autoconf2.13 diffutils gconf imagemagick imake inetutils libidl2 libpulse librsvg-stable libxslt mesa mozilla-searchplugins pkg-config python2 quilt unzip yasm zip) +makedepends_i686=(rust) +makedepends_x86_64=("${makedepends_i686[@]}") +options=(!emptydirs !makeflags debug) +if $_pgo; then + makedepends+=(xorg-server-xvfb) + options+=(!ccache) +fi +optdepends=('networkmanager: Location detection via available WiFi networks' + 'libnotify: Notification integration' + 'upower: Battery API') +url="https://wiki.parabola.nu/${pkgname%-*}" +replaces=("${pkgname%-*}-libre" "$_pkgname") +conflicts=("${pkgname%-*}-libre" "${pkgname%-*}") +provides=("${pkgname%-*}") +install=${pkgname%-*}.install +source=("$_debrepo/`debfile $_debname`_$_debver.orig.tar.xz" + "$_debrepo/`debfile $_debname`_$_debver-${_debrel#deb}.debian.tar.xz" + "$_parabolarepo/${pkgname}_$_brandingver-$_brandingrel.branding.tar.xz" + "$_parabolarepo/${pkgname}_$_brandingver-$_brandingrel.branding.tar.xz.sig" + mozconfig + libre.patch + remove-default-and-shell-icons-in-packaging-manifest.patch + gnu_headshadow.png + drm-free.png + ${pkgname%-*}.desktop + ${pkgname%-*}-install-dir.patch + vendor.js + enable-object-directory-paths.patch + mozilla-1253216.patch + mozilla-build-arm.patch) +sha256sums=('2f463afd3c74eb9477f58525214f06498357ff90f01b45fb2675fc77c57bcffe' + '8e4051a587e380849226fa0de89a02468c45133a758665dc2a7064a248f138a8' + 'c0fd88e37187298a7658919cf2e4b6d024425b781d6aff5bdba49dc991f379d3' + 'SKIP' + '8212fd5e341a251c97871c0f114f6332c78326f707f9d20eddc8d644e0c5c988' + '013af398e97da9e855a143582816bf819e0d9d8d2b0e323d6b832f3df1157fdd' + '32f1fe3ad4f80d0ae419064db2abe49b97cd7cb18c35d68be1a2befb60172a2a' + '93e3001ce152e1d142619e215a9ef07dd429943b99d21726c25da9ceb31e31cd' + '56eba484179c7f498076f8dc603d8795e99dce8c6ea1da9736318c59d666bff6' + '87034dbb640f70454b27d1695a6f03b6fd1ab81c82eb4d8c771db925ae03d408' + '3aea6676f1e53a09673b6ae219d281fc28054beb6002b09973611c02f827651d' + 'aec1e2c3a1f5626c39d5d71000a45033de5b67b5fb9cb437a45f16ee5c5d2dc3' + 'e260e555b261aabab1e48786dd514eeea056e4402af7cfd4dfd1d32858441484' + 'fbb6011501a74a8ea6d01c041870fcefb7ef2859c134aedc676e5f6452833f65' + '56eecee8162c138c442773d66483886f1242c8dd2b16eed5711ae5e63d9b0e3a') +validpgpkeys=( + 'C92BAA713B8D53D3CAE63FC9E6974752F9704456' # André Silva + '684D54A189305A9CC95446D36B888913DDB59515' # Márcio Silva +) + +prepare() { + cd "$srcdir/$_pkgname-$_debver" + mv "$srcdir/debian" . + mv "$srcdir/${pkgname%-*}-$_brandingver/branding" debian + mv "$srcdir/${pkgname%-*}-$_brandingver/patches/iceweasel-branding" debian/patches + cat "$srcdir/${pkgname%-*}-$_brandingver/patches/series" >> debian/patches/series + + export QUILT_PATCHES=debian/patches + export QUILT_REFRESH_ARGS='-p ab --no-timestamps --no-index' + export QUILT_DIFF_ARGS='--no-timestamps' + + quilt push -av + + # Put gnu_headshadow.png and drm-free.png in the source code + install -m644 "$srcdir/"{gnu_headshadow,drm-free}.png \ + browser/base/content/abouthome + + # Useless since we are doing it ourselves + patch -Np1 -i "$srcdir/remove-default-and-shell-icons-in-packaging-manifest.patch" + + # Enable object directory paths for Iceweasel rebranding + patch -Np1 -i "$srcdir/enable-object-directory-paths.patch" + + # Install to /usr/lib/${pkgname%-*} + patch -Np1 -i "$srcdir/${pkgname%-*}-install-dir.patch" + + # Patch and remove anything that's left + patch -Np1 -i "$srcdir/libre.patch" + sed -i 's|Adobe Flash|SWF Player|g; + ' browser/base/content/pageinfo/permissions.js \ + browser/base/content/browser-plugins.js + sed -i '\|["]displayName["][:] ["]Flash["]| s|Flash|SWF Player| + \|["]displayName["][:] ["]Shockwave["]| s|Shockwave|DCR Player| + \|["]displayName["][:] ["]QuickTime["]| s|QuickTime|MOV Player| + \|installLinux| s|true|false| + ' browser/base/content/browser-plugins.js + + # Load our build config, disable SafeSearch + cp "$srcdir/mozconfig" .mozconfig + + mkdir "$srcdir/path" + ln -s /usr/bin/python2 "$srcdir/path/python" + + # Load our searchplugins + rm -rv browser/locales/en-US/searchplugins + cp -av /usr/lib/mozilla/searchplugins browser/locales/en-US + + # Disable various components at the source level + sed -i 's|[;]1|;0|' toolkit/components/telemetry/TelemetryStartup.manifest || die "failed break telemetry startup" + sed -i 's|[;]1|;0|' browser/experiments/Experiments.manifest || die "failed to break ExperimentsService" + sed -i '/pocket/d' browser/extensions/moz.build || die "failed to wipe pocket" + + # ARM-specific changes: + if [[ "$CARCH" == arm* ]]; then + sed -i '/ac_add_options --enable-rust/d' .mozconfig + echo "ac_add_options --disable-ion" >> .mozconfig + echo "ac_add_options --disable-elf-hack" >> .mozconfig + echo "ac_add_options --disable-webrtc" >> .mozconfig + + # Disable gold linker, reduce memory consumption at link time + sed -i '/ac_add_options --enable-gold/d' .mozconfig + LDFLAGS+=" -Wl,--no-keep-memory -Wl,--reduce-memory-overheads" + echo "ac_add_options --disable-tests" >> .mozconfig + echo "ac_add_options --disable-debug" >> .mozconfig + + patch -p1 -i ../mozilla-1253216.patch + patch -p1 -i ../mozilla-build-arm.patch + fi +} + +build() { + cd "$srcdir/$_pkgname-$_debver" + + # _FORTIFY_SOURCE causes configure failures + CPPFLAGS+=" -O2" + + # Hardening + LDFLAGS+=" -Wl,-z,now" + + # GCC 6 + CXXFLAGS+=" -fno-delete-null-pointer-checks -fno-schedule-insns2" + + export PATH="$srcdir/path:$PATH" + + if $_pgo; then + # Do PGO + xvfb-run -a -s "-extension GLX -screen 0 1280x1024x24" \ + make -f client.mk build MOZ_PGO=1 + else + make -f client.mk build + fi +} + +package() { + cd "$srcdir/$_pkgname-$_debver" + make -f client.mk DESTDIR="$pkgdir" INSTALL_SDK= install + + install -Dm644 ../vendor.js "$pkgdir/usr/lib/${pkgname%-*}/browser/defaults/preferences/vendor.js" + + _brandingdir=debian/branding + brandingdir=moz-objdir/$_brandingdir + icondir="$pkgdir/usr/share/icons/hicolor" + for i in 16 22 24 32 48 64 128 192 256 384; do + rsvg-convert -w $i -h $i "$_brandingdir/${pkgname}_icon.svg" \ + -o "$brandingdir/default$i.png" + install -Dm644 "$brandingdir/default$i.png" \ + "$icondir/${i}x${i}/apps/${pkgname%-*}.png" + done + + install -Dm644 "$_brandingdir/${pkgname}_icon.svg" \ + "$icondir/scalable/apps/${pkgname%-*}.svg" + + install -d "$pkgdir/usr/share/applications" + install -m644 "$srcdir/${pkgname%-*}.desktop" \ + "$pkgdir/usr/share/applications" + + # Use system-provided dictionaries + rm -rf "$pkgdir/usr/lib/${pkgname%-*}/"{dictionaries,hyphenation} + ln -s /usr/share/hunspell "$pkgdir/usr/lib/${pkgname%-*}/dictionaries" + ln -s /usr/share/hyphen "$pkgdir/usr/lib/${pkgname%-*}/hyphenation" + + # Replace duplicate binary with symlink + # https://bugzilla.mozilla.org/show_bug.cgi?id=658850 + ln -sf ${pkgname%-*} "$pkgdir/usr/lib/${pkgname%-*}/${pkgname%-*}-bin" +} |