On Fri, 20 Sep 2019 at 17:33:40 +0100, Stuart Henderson wrote:
> On 2019/09/20 10:00, joshua stein wrote:
> > While the Chrome port uses separate files in /etc/chromium for
> > unveil file lists, these patches use new comma-separated
> > about:config keys for them.
> 
> > onts r,/etc/machine-id r,/etc/mailcap r,/tmp rwc,/usr/bin/lpr rx,/usr/local=
> > /bin/gio-launch-desktop rx,/usr/local/lib r,/usr/local/firefox r,/usr/local=
> > /lib/firefox rx,/usr/local/share r,/usr/share/locale r,/var/cache/fontconfi=
> > g r,/usr/X11R6/lib r,/usr/X11R6/share r,/var/run rw,~/.XCompose r,~/.Xautho=
> 
> Ports shouldn't use hardcoded /usr/local - the diff attached uses
> ${LOCALBASE}/${TRUEPREFIX} instead of /usr/local as appropriate,
> ${X11BASE} instead of /usr/X11R6, ${SYSCONFDIR} for the /etc files
> that come from ports rather than base, and ${SUBST_CMD} in
> post-patch to substitute them for the correct paths.

These patches have to go upstream, so those paths can't be dynamic.  
I don't know what Landry's plan is for patching our port before they 
are committed upstream, but once they are committed, I guess there 
can be a post-patch step to turn them from hard-coded defaults to 
${LOCALBASE} and friends.

> fwiw, I'm a bit worried about the per-user config for this, will the
> list be copied as-is to individual user prefs (my test build isn't done
> yet) .. The list will definitely need to be updated in the future and
> that won't work if users have to hand apply the changes to their own
> profile. (Also it makes life difficult for multi-user installs ..).

The new preferences are like any other default in Firefox and don't 
actually get stored in the user's profile unless they have been 
modified.  So for most users, each Firefox/package update will be 
using the new lists as shipped with Firefox or our package.

I would have preferred local files like Chromium because they are 
much easier to view/edit, easier to diff, and if root-owned, an 
unprivileged user can't modify them.  But for integration into 
Firefox, this is what they wanted and Landry and I would rather not 
maintain our own ball of local patches (see Chromium).

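An added example, not part of the original message or of the Firefox patches: a Python sketch that parses a comma-separated `path perms` list in the shape of the quoted excerpt and reports how a modified value differs from a shipped default, which is the view/diff step that a single preference string makes awkward. The function names, the sample lists, the `/home/user` placeholder, and the assumption that the permission letters are those of unveil(2) (`r`, `w`, `x`, `c`) are illustrative assumptions.

```python
UNVEIL_PERMS = "rwxc"  # assumption: same permission letters as unveil(2)

def parse_unveil_list(value, home="/home/user"):
    """Parse 'path perms,path perms,...' into {path: perms}; home is a placeholder."""
    entries = {}
    for item in (part.strip() for part in value.split(",")):
        if not item:
            continue
        path, sep, perms = item.rpartition(" ")
        path = path.strip()
        if not sep or not path:
            raise ValueError(f"entry has no permissions: {item!r}")
        if set(perms) - set(UNVEIL_PERMS):
            raise ValueError(f"unknown permission letters in: {item!r}")
        if path == "~" or path.startswith("~/"):
            path = home + path[1:]
        elif not path.startswith("/"):
            raise ValueError(f"path is not absolute: {item!r}")
        # Canonical letter order so 'cwr' and 'rwc' compare equal.
        entries[path] = "".join(c for c in UNVEIL_PERMS if c in perms)
    return entries

def compare_lists(shipped, current):
    """Report how 'current' differs from 'shipped'; 'widened' means extra permissions."""
    report = {"added": {}, "removed": {}, "widened": {}, "narrowed": {}}
    for path, perms in current.items():
        if path not in shipped:
            report["added"][path] = perms
        elif set(perms) - set(shipped[path]):
            report["widened"][path] = (shipped[path], perms)
        elif set(shipped[path]) - set(perms):
            report["narrowed"][path] = (shipped[path], perms)
    for path, perms in shipped.items():
        if path not in current:
            report["removed"][path] = perms
    return report

# Constructed sample values: most paths appear in the quoted excerpt,
# ~/Downloads is invented for the example.
SHIPPED = "/etc/machine-id r,/etc/mailcap r,/tmp rwc,/usr/bin/lpr rx,~/.XCompose r"
MODIFIED = "/etc/machine-id r,/tmp rwxc,/usr/bin/lpr rx,~/.XCompose r,~/Downloads rwc"

if __name__ == "__main__":
    diff = compare_lists(parse_unveil_list(SHIPPED), parse_unveil_list(MODIFIED))
    for kind, entries in diff.items():
        for path, detail in sorted(entries.items()):
            print(kind, path, detail)
```

The `widened` and `added` buckets are the ones worth reviewing, since they mark where a modified list grants more filesystem access than the packaged default.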