authorAndré Fabian Silva Delgado <emulatorman@parabola.nu>2016-10-25 06:30:50 -0300
committerAndré Fabian Silva Delgado <emulatorman@parabola.nu>2016-10-25 07:28:43 -0300
commitb44ad96bf07b4b849f46a011a85ec6c2a8a245c8 (patch)
treeb0c58940639eee1da9525afa020747c7ad38f051 /pcr/iceweasel-hardening/PKGBUILD
parent3e3fb2d6801149802cbf2c2a2e6cbdfcc5149add (diff)
ice{dove,weasel}-hardening: add new package to [pcr] -> https://lists.parabola.nu/pipermail/dev/2016-October/004522.html
Diffstat (limited to 'pcr/iceweasel-hardening/PKGBUILD')
-rw-r--r--pcr/iceweasel-hardening/PKGBUILD213
1 files changed, 213 insertions, 0 deletions
diff --git a/pcr/iceweasel-hardening/PKGBUILD b/pcr/iceweasel-hardening/PKGBUILD
new file mode 100644
index 000000000..790b18177
--- /dev/null
+++ b/pcr/iceweasel-hardening/PKGBUILD
@@ -0,0 +1,213 @@
+# Maintainer: André Silva <emulatorman@parabola.nu>
+# Contributor: Márcio Silva <coadde@parabola.nu>
+# Contributor (ConnochaetOS): Henry Jensen <hjensen@connochaetos.org>
+# Contributor: Luke Shumaker <lukeshu@sbcglobal.net>
+# Contributor: fauno <fauno@kiwwwi.com.ar>
+# Contributor: vando <facundo@esdebian.org>
+# Contributor (Arch): Jakub Schmidtke <sjakub@gmail.com>
+# Contributor: Figue <ffigue at gmail>
+# Contributor: taro-k <taro-k@movasense_com>
+# Contributor: Michał Masłowski <mtjm@mtjm.eu>
+# Contributor: Luke R. <g4jc@openmailbox.org>
+# Contributor: Isaac David <isacdaavid@isacdaavid.info>
+# Thank you very much to the older contributors:
+# Contributor: evr <evanroman at gmail>
+# Contributor: Muhammad 'MJ' Jassim <UnbreakableMJ@gmail.com>
+
+_pgo=false
+
+# We're getting this from Debian Sid
+_debname=firefox
+_brandingver=49.0
+_brandingrel=1
+_debver=49.0
+_debrel=deb4
+_debrepo=http://ftp.debian.org/debian/pool/main/
+_parabolarepo=https://repo.parabola.nu/other/iceweasel
+debfile() { echo $@|sed -r 's@(.).*@\1/&/&@'; }
+
+_pkgname=firefox
+pkgname=iceweasel-hardening
+epoch=1
+pkgver=$_debver.$_debrel
+pkgrel=1
+pkgdesc="A libre version of Debian Iceweasel, the standalone web browser based on Mozilla Firefox, with several patches that were introduced to strengthen and protect the end user from security threats"
+arch=(i686 x86_64 armv7h)
+license=(MPL GPL LGPL)
+depends=(alsa-lib dbus-glib ffmpeg gtk2 gtk3 hunspell icu=57.1 libevent libvpx=1.6.0 libxt mime-types mozilla-common nss sqlite startup-notification ttf-font)
+makedepends=(autoconf2.13 diffutils gconf imagemagick imake inetutils libidl2 libpulse librsvg-stable libxslt mesa mozilla-searchplugins pkg-config python2 quilt unzip yasm zip)
+makedepends_i686=(rust)
+makedepends_x86_64=("${makedepends_i686[@]}")
+options=(!emptydirs !makeflags debug)
+if $_pgo; then
+ makedepends+=(xorg-server-xvfb)
+ options+=(!ccache)
+fi
+optdepends=('networkmanager: Location detection via available WiFi networks'
+ 'libnotify: Notification integration'
+ 'upower: Battery API')
+url="https://wiki.parabola.nu/${pkgname%-*}"
+replaces=("${pkgname%-*}-libre" "$_pkgname")
+conflicts=("${pkgname%-*}-libre" "${pkgname%-*}")
+provides=("${pkgname%-*}")
+install=${pkgname%-*}.install
+source=("$_debrepo/`debfile $_debname`_$_debver.orig.tar.xz"
+ "$_debrepo/`debfile $_debname`_$_debver-${_debrel#deb}.debian.tar.xz"
+ "$_parabolarepo/${pkgname}_$_brandingver-$_brandingrel.branding.tar.xz"
+ "$_parabolarepo/${pkgname}_$_brandingver-$_brandingrel.branding.tar.xz.sig"
+ mozconfig
+ libre.patch
+ remove-default-and-shell-icons-in-packaging-manifest.patch
+ gnu_headshadow.png
+ drm-free.png
+ ${pkgname%-*}.desktop
+ ${pkgname%-*}-install-dir.patch
+ vendor.js
+ enable-object-directory-paths.patch
+ mozilla-1253216.patch
+ mozilla-build-arm.patch)
+sha256sums=('2f463afd3c74eb9477f58525214f06498357ff90f01b45fb2675fc77c57bcffe'
+ '8e4051a587e380849226fa0de89a02468c45133a758665dc2a7064a248f138a8'
+ 'c0fd88e37187298a7658919cf2e4b6d024425b781d6aff5bdba49dc991f379d3'
+ 'SKIP'
+ '8212fd5e341a251c97871c0f114f6332c78326f707f9d20eddc8d644e0c5c988'
+ '013af398e97da9e855a143582816bf819e0d9d8d2b0e323d6b832f3df1157fdd'
+ '32f1fe3ad4f80d0ae419064db2abe49b97cd7cb18c35d68be1a2befb60172a2a'
+ '93e3001ce152e1d142619e215a9ef07dd429943b99d21726c25da9ceb31e31cd'
+ '56eba484179c7f498076f8dc603d8795e99dce8c6ea1da9736318c59d666bff6'
+ '87034dbb640f70454b27d1695a6f03b6fd1ab81c82eb4d8c771db925ae03d408'
+ '3aea6676f1e53a09673b6ae219d281fc28054beb6002b09973611c02f827651d'
+ 'aec1e2c3a1f5626c39d5d71000a45033de5b67b5fb9cb437a45f16ee5c5d2dc3'
+ 'e260e555b261aabab1e48786dd514eeea056e4402af7cfd4dfd1d32858441484'
+ 'fbb6011501a74a8ea6d01c041870fcefb7ef2859c134aedc676e5f6452833f65'
+ '56eecee8162c138c442773d66483886f1242c8dd2b16eed5711ae5e63d9b0e3a')
+validpgpkeys=(
+ 'C92BAA713B8D53D3CAE63FC9E6974752F9704456' # André Silva
+ '684D54A189305A9CC95446D36B888913DDB59515' # Márcio Silva
+)
+
+prepare() {
+ cd "$srcdir/$_pkgname-$_debver"
+ mv "$srcdir/debian" .
+ mv "$srcdir/${pkgname%-*}-$_brandingver/branding" debian
+ mv "$srcdir/${pkgname%-*}-$_brandingver/patches/iceweasel-branding" debian/patches
+ cat "$srcdir/${pkgname%-*}-$_brandingver/patches/series" >> debian/patches/series
+
+ export QUILT_PATCHES=debian/patches
+ export QUILT_REFRESH_ARGS='-p ab --no-timestamps --no-index'
+ export QUILT_DIFF_ARGS='--no-timestamps'
+
+ quilt push -av
+
+ # Put gnu_headshadow.png and drm-free.png in the source code
+ install -m644 "$srcdir/"{gnu_headshadow,drm-free}.png \
+ browser/base/content/abouthome
+
+ # Useless since we are doing it ourselves
+ patch -Np1 -i "$srcdir/remove-default-and-shell-icons-in-packaging-manifest.patch"
+
+ # Enable object directory paths for Iceweasel rebranding
+ patch -Np1 -i "$srcdir/enable-object-directory-paths.patch"
+
+ # Install to /usr/lib/${pkgname%-*}
+ patch -Np1 -i "$srcdir/${pkgname%-*}-install-dir.patch"
+
+ # Patch and remove anything that's left
+ patch -Np1 -i "$srcdir/libre.patch"
+ sed -i 's|Adobe Flash|SWF Player|g;
+ ' browser/base/content/pageinfo/permissions.js \
+ browser/base/content/browser-plugins.js
+ sed -i '\|["]displayName["][:] ["]Flash["]| s|Flash|SWF Player|
+ \|["]displayName["][:] ["]Shockwave["]| s|Shockwave|DCR Player|
+ \|["]displayName["][:] ["]QuickTime["]| s|QuickTime|MOV Player|
+ \|installLinux| s|true|false|
+ ' browser/base/content/browser-plugins.js
+
+ # Load our build config, disable SafeSearch
+ cp "$srcdir/mozconfig" .mozconfig
+
+ mkdir "$srcdir/path"
+ ln -s /usr/bin/python2 "$srcdir/path/python"
+
+ # Load our searchplugins
+ rm -rv browser/locales/en-US/searchplugins
+ cp -av /usr/lib/mozilla/searchplugins browser/locales/en-US
+
+ # Disable various components at the source level
+ sed -i 's|[;]1|;0|' toolkit/components/telemetry/TelemetryStartup.manifest || die "failed break telemetry startup"
+ sed -i 's|[;]1|;0|' browser/experiments/Experiments.manifest || die "failed to break ExperimentsService"
+ sed -i '/pocket/d' browser/extensions/moz.build || die "failed to wipe pocket"
+
+ # ARM-specific changes:
+ if [[ "$CARCH" == arm* ]]; then
+ sed -i '/ac_add_options --enable-rust/d' .mozconfig
+ echo "ac_add_options --disable-ion" >> .mozconfig
+ echo "ac_add_options --disable-elf-hack" >> .mozconfig
+ echo "ac_add_options --disable-webrtc" >> .mozconfig
+
+ # Disable gold linker, reduce memory consumption at link time
+ sed -i '/ac_add_options --enable-gold/d' .mozconfig
+ LDFLAGS+=" -Wl,--no-keep-memory -Wl,--reduce-memory-overheads"
+ echo "ac_add_options --disable-tests" >> .mozconfig
+ echo "ac_add_options --disable-debug" >> .mozconfig
+
+ patch -p1 -i ../mozilla-1253216.patch
+ patch -p1 -i ../mozilla-build-arm.patch
+ fi
+}
+
+build() {
+ cd "$srcdir/$_pkgname-$_debver"
+
+ # _FORTIFY_SOURCE causes configure failures
+ CPPFLAGS+=" -O2"
+
+ # Hardening
+ LDFLAGS+=" -Wl,-z,now"
+
+ # GCC 6
+ CXXFLAGS+=" -fno-delete-null-pointer-checks -fno-schedule-insns2"
+
+ export PATH="$srcdir/path:$PATH"
+
+ if $_pgo; then
+ # Do PGO
+ xvfb-run -a -s "-extension GLX -screen 0 1280x1024x24" \
+ make -f client.mk build MOZ_PGO=1
+ else
+ make -f client.mk build
+ fi
+}
+
+package() {
+ cd "$srcdir/$_pkgname-$_debver"
+ make -f client.mk DESTDIR="$pkgdir" INSTALL_SDK= install
+
+ install -Dm644 ../vendor.js "$pkgdir/usr/lib/${pkgname%-*}/browser/defaults/preferences/vendor.js"
+
+ _brandingdir=debian/branding
+ brandingdir=moz-objdir/$_brandingdir
+ icondir="$pkgdir/usr/share/icons/hicolor"
+ for i in 16 22 24 32 48 64 128 192 256 384; do
+ rsvg-convert -w $i -h $i "$_brandingdir/${pkgname}_icon.svg" \
+ -o "$brandingdir/default$i.png"
+ install -Dm644 "$brandingdir/default$i.png" \
+ "$icondir/${i}x${i}/apps/${pkgname%-*}.png"
+ done
+
+ install -Dm644 "$_brandingdir/${pkgname}_icon.svg" \
+ "$icondir/scalable/apps/${pkgname%-*}.svg"
+
+ install -d "$pkgdir/usr/share/applications"
+ install -m644 "$srcdir/${pkgname%-*}.desktop" \
+ "$pkgdir/usr/share/applications"
+
+ # Use system-provided dictionaries
+ rm -rf "$pkgdir/usr/lib/${pkgname%-*}/"{dictionaries,hyphenation}
+ ln -s /usr/share/hunspell "$pkgdir/usr/lib/${pkgname%-*}/dictionaries"
+ ln -s /usr/share/hyphen "$pkgdir/usr/lib/${pkgname%-*}/hyphenation"
+
+ # Replace duplicate binary with symlink
+ # https://bugzilla.mozilla.org/show_bug.cgi?id=658850
+ ln -sf ${pkgname%-*} "$pkgdir/usr/lib/${pkgname%-*}/${pkgname%-*}-bin"
+}
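Review bot: The three `sed -i … || die` lines under "Disable various components at the source level" in prepare() do not verify that anything was disabled: `sed -i` exits 0 when its pattern matches nothing, so after a version bump the telemetry and experiments manifests or the pocket entry could stay enabled while the build still succeeds. Check that the expected text is present before each edit, for example `grep -q ';1' toolkit/components/telemetry/TelemetryStartup.manifest || { error "telemetry manifest changed"; return 1; }`. `die` also does not appear to be a function makepkg provides (it supplies `error`, `msg` and `warning`), so the fallback would probably end in "command not found"; this is worth confirming against the build tooling in use. Separately, the two Debian tarballs are fetched over plain `http://` and are covered only by the pinned `sha256sums`, without a signature like the one the branding tarball has, so a comment recording how those hashes were verified would help the next maintainer.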