Hi, On Wednesday 15 February 2012 18:10:51 Hinnerk van Bruinehsen wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 15.02.2012 17:39, Grant wrote: > > > > I don't get it then. Does anyone know why I can't compile Firefox > > as described in the link above? This sums it up: > > > > "firefox-9.0 ebuild stalls at the install phase while xpcshell > > command tops CPU usage for hours." > > > > Although xpcshell doesn't use any CPU for me. It just sits there > > and the install phase doesn't proceed. > > > > - Grant > > I can compile Icecat with a customized ebuild. since it's basically > the same as Firefox, maybe that helps. Basically it disables jit. >
You can't compile it on a grsec kernel because of this bug: :) https://bugs.gentoo.org/show_bug.cgi?id=396275 It's odd that it hangs at xpcshell for you as it's already paxmarked in the ebuild... Anyway, I'd suggest: 1) keyword firefox so you can get the latest one, which currently is the 10.0.1. I'm not sure if the security patches between 9.0.1 and 10.0.1 have been backported. AFAIK, Firefox-10.0.1 from the ebuild in portage tree will compile just fine on hardened. 2) As suggested, disabling JIT will do the trick and it seems like recent versions of Firefox can actually have it disabled properly. So the ebuild for icecat/firefox will work for you, you just need this in src_configure() : if use pax_kernel; then mozconfig_annotate '' --disable-methodjit mozconfig_annotate '' --disable-tracejit fi 3) the other benefit of disabling jit completely is that you can now disable the paxmarking turning MPROTECT off and benefit from properfly enforced W^X pages :) Unless you want to use FF for flash or java that is... ;) Cheers, Radek
