Apple Notary Service and Debugging Impact

2019-01-11 Thread Haik Aftandilian 
Please take a look if you debug Firefox on macOS.

Apple's notary service[1] is a new way to sign macOS applications that has
some security benefits[2] and provides a slight user experience
improvement[3] when users download the application and run it for the first
time. Specifically, the dialog users have to click through to start the
application is less of a warning.

We are working on adopting the service on bug 1470607, but I wanted to
share how this will affect debugging and get some feedback. If an
application is "notarized", starting with macOS 10.14, the OS will prevent
debuggers from attaching to the application unless the user has disabled
macOS system integrity protection (SIP)[4] which requires a reboot. This
prevents debugging of the application with a debugger like lldb or gdb on a
default system.

Assuming the debugging restriction will _not_ apply to the Nightly channel,
local builds, or automation builds, will this debugging
restriction+workaround on official builds (Release, Beta, DevEd) be a
problem for your workflow or in any way you can envision?

Apple has stated that signing with the notary service will be required in a
future macOS version. I think we can assume that this means an application
that is not notarized will require special steps for first launch where the
user may also have to click through dire security warnings. Today,
launching Firefox for the first time on Mac already requires clicking
through one warning. The bug includes a screenshot[3] showing how it will
change with notarized builds.

Thanks,
Haik

1.
https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
2. Using the service A) submits the application to Apple to run malware
checks on the binaries and B) requires setting some executable security
flags known as Hardened Runtime. At present, Firefox mostly does not
benefit from enabling Hardened Runtime for various reasons. Another benefit
relates to how a single version of the application can be revoked, without
having to revoke all versions signed with the same key.
3. https://bug1470607.bmoattachments.org/attachment.cgi?id=9036014
4. https://support.apple.com/en-us/HT204899
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: XPCOM Tidying Proposal

2019-01-11 Thread Kyle Machulis 
On Fri, Jan 11, 2019 at 11:59 AM Bobby Holley  wrote:

> The idea is that we should gradually pass BasePrincipal around the codebase
> rather than nsIPrincipal, which would avoid the need to invoke Cast at the
> specific callsite. I have no objection to your proposed pattern in the
> interim if it results in simpler code, but I think we should aim higher for
> the desired end state.
>

The problem for me here seems to be uneven approaches to end states across
the codebase, which is kinda of what I was wondering about in laying out
those tasks. With nsIPrincipal, I have a BasePrincipal concrete(ish) class
to work with. When I was adding infallible SchemeIs via %{C++%} blocks to
nsIURI, that was about the only choice I had because nsIURI could directly
be nsStandardURI, nsSimpleURI, etc... As we wanting to move toward more
Base* (if abstract) C++ classes as the top level of interface work in C++
where possible?
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: XPCOM Tidying Proposal

2019-01-11 Thread Bobby Holley 
On Fri, Jan 11, 2019 at 11:30 AM Boris Zbarsky  wrote:

> On 1/10/19 6:15 PM, Kyle Machulis wrote:
> > - Removal of [noscript] methods in interfaces in favor of direct calls
> via
> > Cast() where possible.
>
> This seems generally reasonably, though I'd like to put in a bit of a
> vote for the pattern I recently used for
> nsIPrincipal::IsSystemPrincipal, which looks like this:
>
> IDL:
>
>  %{C++
>inline bool IsSystemPrincipal() const;
>  %}
>
> C++ (in BasePrincipal.h):
>
>inline bool nsIPrincipal::IsSystemPrincipal() const {
>  return BasePrincipal::Cast(this)->IsSystemPrincipal();
>}
>
> which avoids having the Cast() calls scattered all over the place...
>

The idea is that we should gradually pass BasePrincipal around the codebase
rather than nsIPrincipal, which would avoid the need to invoke Cast at the
specific callsite. I have no objection to your proposed pattern in the
interim if it results in simpler code, but I think we should aim higher for
the desired end state.


>
> > - Direct getters through Cast() where possible, infallible (also where
> > possible) otherwise.
>
> Yes, please.
>
> -Boris
> ___
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: XPCOM Tidying Proposal

2019-01-11 Thread Boris Zbarsky 

On 1/10/19 6:15 PM, Kyle Machulis wrote:

- Removal of [noscript] methods in interfaces in favor of direct calls via
Cast() where possible.


This seems generally reasonably, though I'd like to put in a bit of a 
vote for the pattern I recently used for 
nsIPrincipal::IsSystemPrincipal, which looks like this:


IDL:

%{C++
  inline bool IsSystemPrincipal() const;
%}

C++ (in BasePrincipal.h):

  inline bool nsIPrincipal::IsSystemPrincipal() const {
return BasePrincipal::Cast(this)->IsSystemPrincipal();
  }

which avoids having the Cast() calls scattered all over the place...


- Direct getters through Cast() where possible, infallible (also where
possible) otherwise.


Yes, please.

-Boris
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: XPCOM Tidying Proposal

2019-01-11 Thread Kyle Machulis 
On Fri, Jan 11, 2019 at 7:21 AM Nathan Froyd  wrote:

> > - Removal of [noscript] methods in interfaces in favor of direct calls
> via
> > Cast() where possible.
> > - Direct getters through Cast() where possible, infallible (also where
> > possible) otherwise.
>
> For avoidance of doubt, since I don't think we have a global Cast()
> function, this is meant to refer to idioms like:
>
>
> https://searchfox.org/mozilla-central/rev/b4ebbe90ae4d0468fe6232bb4ce90699738c8125/caps/BasePrincipal.h#136-142
>
> and we'd prefer the explicit downcast from an interface pointer
> (assuming the interface is [builtinclass]) and a C++-side getter,
> rather than declaring the getter in the interface definition?
>

Yeah, this is why I sent this email. I'm finding unwritten rules about
XPCOM cleanup that I'd like to formalize more. I've been fixing up docshell
accesses using the Cast() idiom where I can. This has sometimes been to
avoid having to cast the same docshell to 2-3 different interfaces over the
course of the same method. It also makes it easier to whittle away at XPCOM
interfaces that we may no longer need, but that we can't tell as such due
to not knowing what's used where.

When making some changes to nsIPrincipal and BasePrincipal, bholley also
mentioned he preferred that style, wanting C++ ergonomics to live in C++.
I'm not sure if there was more reasoning for that, I'll let him respond on
that.
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: PSA: Building Firefox for arm64 windows got a lot easier

2019-01-11 Thread Gabriele Svelto 
 Hi all,

On 11/01/2019 01.24, Mike Hommey wrote:
> In the MSVC installer, choose the following extra components:
> - Visual Studio C++ compiler and libraries for ARM64
> - Visual C++ ATL for ARM64
> - Visual C++ MFC for ARM64

I don't have the MFC for ARM64 libraries installed and I didn't
encounter problems during the build. I guess they're not needed? I'm
still building with WebRTC disabled though, not sure if it might require
them.

 Gabriele



signature.asc
Description: OpenPGP digital signature
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: XPCOM Tidying Proposal

2019-01-11 Thread Nathan Froyd 
On Thu, Jan 10, 2019 at 6:15 PM Kyle Machulis  wrote:
> In an effort to bring Marie Kondo memes to dev-platform, I'd like to
> propose an XPCOM tidying project.

+1.

> - Removal of [noscript] methods in interfaces in favor of direct calls via
> Cast() where possible.
> - Direct getters through Cast() where possible, infallible (also where
> possible) otherwise.

For avoidance of doubt, since I don't think we have a global Cast()
function, this is meant to refer to idioms like:

https://searchfox.org/mozilla-central/rev/b4ebbe90ae4d0468fe6232bb4ce90699738c8125/caps/BasePrincipal.h#136-142

and we'd prefer the explicit downcast from an interface pointer
(assuming the interface is [builtinclass]) and a C++-side getter,
rather than declaring the getter in the interface definition?

> This would probably end up continuing making XPCOM interfaces look more
> like a guide to shared parts between C++/JS than the template for all
> access that is has been for years.

+1.

-Nathan
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform