Includes fixes for CVE-2019-20503, CVE-2020-6805, CVE-2020-6806,
CVE-2020-6807, CVE-2020-6811, CVE-2020-6812, and CVE-2020-6814.
* gnu/packages/gnuzilla.scm (%icecat-version, %icecat-build-id): Update.
(icecat-source): Update gnuzilla commit, base version, and hashes.
* gnu/packages/patches/icecat-makeicecat.patch: Adapt to new version.
* gnu/packages/gnuzilla.scm (%icecat-version, %icecat-build-id): Update.
(icecat-source): Update gnuzilla commit, base version, and hashes.
* gnu/packages/patches/icecat-makeicecat.patch: Adapt to new version.
Fixes <https://bugs.gnu.org/38045>. Thanks to Jakub Kądziołka
<kuba@kadziolka.net> and Amin Bandali <bandali@gnu.org> for their
helpful observations and suggestions.
This is a followup to commit 8e5567195f.
* gnu/packages/gnuzilla.scm (icecat)[inputs]: Add shared-mime-info.
[arguments]: Add elf and binary I/O modules to #:modules. Add code to
the 'fix-ffmpeg-runtime-linker' phase that sets the sandbox read-path
whitelist to include libavcodec's RUNPATH, as well as shared-mime-info.
Includes fixes for CVE-2019-17015, CVE-2019-17016, CVE-2019-17017,
CVE-2019-17021, CVE-2019-17022, and CVE-2019-17024.
* gnu/packages/gnuzilla.scm (%icecat-version, %icecat-build-id): Update.
(icecat-source): Update hash of upstream firefox source tarball,
'upstream-icecat-base-version', and commit and hash of gnuzilla checkout.
* gnu/packages/patches/icecat-makeicecat.patch: Adapt to upstream changes.
Includes fixes for CVE-2019-11745, CVE-2019-17005, CVE-2019-17008,
CVE-2019-17009, CVE-2019-17010, CVE-2019-17011, and CVE-2019-17012.
* gnu/packages/patches/icecat-gnuzilla-fixes.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
* gnu/packages/gnuzilla.scm (%icecat-version, %icecat-build-id): Update.
(icecat-source): Update hash for the firefox source tarball. Update to the
latest from gnuzilla.git. Don't apply icecat-gnuzilla-fixes.patch. Remove
determinism fix in makeicecat that is now upstream. Tweak a status message.
(icecat)[arguments]: Add "--with-unsigned-addon-scopes=app" configure flag.
* gnu/packages/patches/icecat-makeicecat.patch: Adapt.
* gnu/packages/gnuzilla.scm (%icecat-version, %icecat-build-id): Update.
(icecat-source): Update to the latest upstream commit on '68' branch.
* gnu/packages/patches/icecat-gnuzilla-fixes.patch: Remove changes
that have been incorporated upstream, and add new pending changes,
notably the addition of several IceCat-specific preferences.
* gnu/packages/patches/icecat-makeicecat.patch: Adapt to changes in
icecat-gnuzilla-fixes.patch.
* gnu/packages/gnuzilla.scm (%icecat-version): Update.
(%icecat-build-id): New variable.
(icecat-source): Update gnuzilla repo commit and hash.
(icecat)[arguments]: In the custom 'configure' phase, set the MOZ_BUILD_DATE
environment variable to the value of %icecat-build-id.
* gnu/packages/patches/icecat-gnuzilla-fixes.patch: Remove changes that
are now in the upstream repository. Add more pending changes, including
disabling the MOZ_SERVICES_HEALTHREPORT and MOZ_BLOCK_PROFILE_DOWNGRADE
build flags, fixing a problem that prevented MOZ_DATA_REPORTING
from being disabled, and fixes to the branding.
* gnu/packages/patches/icecat-makeicecat.patch: Adapt to upstream changes,
and changes in icecat-gnuzilla-fixes.patch. Remove a hunk that disabled
rewrites to aboutRights.dtd in the l10n directory.
This commit moves some important fixes into a patch applied to the upstream
gnuzilla git repository, whereas previously they were applied in such a way
that only benefitted Guix users.
* gnu/packages/patches/icecat-default-search-ddg.patch,
gnu/packages/patches/icecat-disable-sync.patch: Delete files.
* gnu/packages/patches/icecat-gnuzilla-fixes.patch: New file.
* gnu/local.mk (dist_patch_DATA): Adapt accordingly.
* gnu/packages/gnuzilla.scm (icecat-source): Apply the new patch to the
gnuzilla checkout.
(icecat)[native-inputs]: Remove deleted patches.
[arguments]: In the 'wrap-program' phase, remove MOZ_LEGACY_PROFILES=1
from the wrapper.
Fixes CVE-2019-11757, CVE-2019-11759, CVE-2019-11760, CVE-2019-11761,
CVE-2019-11762, CVE-2019-11763, CVE-2019-11764, and CVE-2019-15903.
Note: IceCat 68 has not yet been released by the IceCat project. This is a
work-in-progress, and does not currently meet the privacy-respecting
standards of the IceCat project.
* gnu/packages/patches/icecat-default-search-ddg.patch,
gnu/packages/patches/icecat-disable-sync.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (%icecat-version): Update.
(mozilla-compare-locales, all-mozilla-locales): New variables.
(mozilla-locale): New procedure.
(mozilla-locales): New macro.
(icecat-source): Add code to populate the l10n directory. Remove the code
that copied the l10n directory from an older IceCat source tarball.
(icecat)[inputs]: Remove hunspell.
[native-inputs]: Comment out previous Guix-specific patches for now. Use the
newest rust, cargo, llvm, and clang. Add rust-cbindgen, node, nasm, python 3,
icecat-default-search-ddg.patch and icecat-disable-sync.patch.
[arguments]: In configure flags: remove "--disable-maintenance-service" and
"--enable-system-hunspell", and comment out flags to use system libraries
instead of bundled libraries for libevent, libogg, libvorbis, libvpx,
harfbuzz, graphite2, and sqlite. Add srfi-34 and srfi-35 to modules. Delete
fewer bundled libraries. Adapt the 'patch-source-shebangs' phase. Add a
custom 'build' phase that tries the standard 'build' phase up to 5 times.
In the 'wrap-program' phase, set MOZ_LEGACY_PROFILES=1 in the environment,
and add 'pulseaudio' to the front of LD_LIBRARY_PATH.
[description]: Add a warning that this is only a preview release.
* gnu/packages/patches/icecat-makeicecat.patch: Adapt.
* gnu/packages/gnuzilla.scm (icecat)[arguments]: During custom
'patch-cargo-checksums phase, replace call to 'generate-checksums' with
call to 'generate-all-checksums'.
Includes fixes for CVE-2019-9811, CVE-2019-11709, CVE-2019-11711,
CVE-2019-11712, CVE-2019-11713, CVE-2019-11715, CVE-2019-11717,
CVE-2019-11719, CVE-2019-11729, and CVE-2019-11730.
* gnu/packages/gnuzilla.scm (%icecat-version): Update to 60.8.0-guix1.
(icecat-source)[upstream-firefox-source]: Update hash.
(icecat): Refresh some stale comments.
Includes fixes for CVE-2019-11707 and CVE-2019-11708.
* gnu/packages/gnuzilla.scm (%icecat-version): Update to 60.7.2-guix1.
(icecat-source)[upstream-firefox-source]: Update hash.
This includes updates to bundled extensions from the upstream
GNU IceCat 60.7.0-gnu1 release.
* gnu/packages/gnuzilla.scm (%icecat-version): Update to 60.7.0-guix2.
(icecat-source)[upstream-icecat-base-version]: Update to 60.7.0.
[upstream-icecat-source, gnuzilla-source]: Update hashes.
[origin]: Remove the substitutions that dealt with debian-specific package
code in the makeicecat script, since that code has been removed upstream.
(icecat)[arguments]: Adapt the 'install-desktop-entry' phase to avoid using
the Debian desktop file, which is no longer included in the IceCat sources.
* gnu/packages/patches/icecat-makeicecat.patch: Adapt to upstream changes.
This commit changes the 'source' field of the 'icecat' package to
simply be 'icecat-source', which aims to be suitable for use on any
system that IceCat supports.
* gnu/packages/gnuzilla.scm (icecat)[source]: Change to simply
be 'icecat-source'.
[native-inputs]: Add 'patch', along with the Guix-specific patches
that were previously applied within 'source'.
[arguments]: Remove the 'ensure-no-mtimes-pre-1980' phase.
Add 'apply-guix-specific-patches' and 'remove-bundled-libraries'
phases. Touch 'configure' in the bootstrap phase. Return #t from
the 'augment-CPLUS_INCLUDE_PATH' phase. Reindent.
* gnu/packages/gnuzilla.scm (icecat-source): Check to make sure the
value of FFMAJOR in the 'makeicecat' script matches the major version
of IceCat being generated.
Includes fixes for CVE-2019-9810 and CVE-2019-9813.
* gnu/packages/gnuzilla.scm (%icecat-version): Update to 60.6.1-guix1.
(icecat-source)[upstream-firefox-source]: Update hash.
* gnu/packages/gnuzilla.scm (icecat-source): When packing the new IceCat
tarball, set the mtime of archived files to early 1980. Remove useless
'string-append' applied to one argument.
Includes fixes for CVE-2018-18335, CVE-2018-18356, and CVE-2019-5785.
* gnu/packages/gnuzilla.scm (%icecat-version): Update to 60.5.1-guix1.
(icecat-source)[upstream-firefox-source]: Update hash.
Includes fixes for CVE-2018-18500, CVE-2018-18501, and CVE-2018-18505.
* gnu/packages/gnuzilla.scm (icecat): Update to 60.5.0-guix1.
[version]: Use %icecat-version.
[source]: Inherit from 'icecat-source'. Remove obsolete patches.
* gnu/packages/patches/icecat-avoid-bundled-libraries.patch,
gnu/packages/patches/icecat-use-system-graphite2+harfbuzz.patch,
gnu/packages/patches/icecat-use-system-media-libs.patch: Adapt to 60.5.0.
* gnu/packages/gnuzilla.scm (computed-origin-method): New variable.
(%icecat-version, icecat-source): New variables.
* gnu/packages/patches/icecat-makeicecat.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
Includes fixes for CVE-2018-18494 and the remaining 7 out of 10 changesets
for CVE-2018-12405.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add selected changesets from
the upstream mozilla-esr60 repository.
Document that we include fixes for CVE-2018-17466, CVE-2018-18492,
CVE-2018-18493, CVE-2018-18498, and 3 out of 10 changesets for
CVE-2018-12405.
* gnu/packages/gnuzilla.scm (icecat)[source]: Relabel patches to reflect
CVE assignments.
* gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Add 'llvm-3.9.1' and
'clang-3.9.1'.
[arguments]: In the configure-flags, use quasiquote, remove "--disable-stylo",
and add "--with-clang-path=..." and "--with-libclang-path=...".
Add 'augment-CPLUS_INCLUDE_PATH' phase. In the custom 'configure' phase,
set the CC environment variable to "gcc".
Tests would fail once certificates had expired, along these lines:
chains.sh: Verifying certificate(s) PayPalEE.cert with flags -d AllDB -pp -o OID.2.16.840.1.114412.1.1
vfychain -d AllDB -pp -vv -o OID.2.16.840.1.114412.1.1 /tmp/guix-build-nss-3.39.drv-0/nss-3.39/nss/tests/libpkix/certs/PayPalEE.cert
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. PayPalEE :
ERROR -8181: Peer's Certificate has expired.
Returned value is 1, expected result is pass
Using 'faketime' allows us to get deterministic results.
* gnu/packages/gnuzilla.scm (nss)[arguments]: In 'check' phase, run
'all.sh' under 'faketime'.
[native-inputs]: Add LIBFAKETIME.
* gnu/packages/gnuzilla.scm (icecat): Update to 60.3.0-gnu1.
[source]: Switch back to the normal source URI. Remove patches that
are no longer applicable.
* gnu/packages/patches/icecat-CVE-2018-12383.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
Includes fixes for CVE-2018-12389, CVE-2018-12390, CVE-2018-12391,
CVE-2018-12392, CVE-2018-12393, CVE-2018-12395, CVE-2018-12396, and
CVE-2018-12397.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add selected changesets from the
upstream mozilla-esr60 repository. Relabel some previously existing patches
to reflect CVE assignments.
Includes fixes for CVE-2018-12386 and CVE-2018-12387.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add selected fixes from the
upstream mozilla-esr60 repository.
Works around <https://bugs.gnu.org/32833>.
* gnu/packages/gnuzilla.scm (icecat)[source]: In snippet, don't remove NSS.
[inputs]: Remove 'nspr' and 'nss'.
[arguments]: Remove --with-system-{nspr,nss} from configure flags.
* gnu/packages/patches/icecat-use-system-media-libs.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/patches/icecat-avoid-bundled-libraries.patch: Add
another hunk to enable removal of libevent.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patch. In the snippet, add
libevent, libogg, libvorbis, and libtremor to the list of bundled libraries to
remove. Add a comment regarding theora. Remove comments regarding unbundling
cairo, which is no longer supported.
[inputs]: Add libevent, libogg, and libvorbis.
[arguments]: Add --with-system-{libevent,ogg,vorbis} to configure flags.
Add custom bootstrap phase. Add comments.
Includes fixes for CVE-2018-12383 and CVE-2018-12385.
* gnu/packages/patches/icecat-CVE-2018-12383.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/patches/icecat-avoid-bundled-libraries.patch: Adapt to apply
cleanly to IceCat 60.
* gnu/packages/gnuzilla.scm (mozilla-patch): Update to fetch from
mozilla-esr60.
(icecat): Add selected changesets from upstream mozilla-esr60.
* gnu/packages/gnuzilla.scm (icecat): Update to 60.2.0-gnu1.
[source]: Download pre-release from alpha.gnu.org. Remove obsolete patches.
Comment out the code to delete the bundled copies of libevent, cairo,
harfbuzz, and graphite2.
[inputs]: Use the latest ffmpeg. Comment out libevent, cairo, harfbuzz, and
graphite2.
[native-inputs]: Add rust and cargo.
[arguments]: Remove --enable-gio and --disable-gnomeui. Add --disable-stylo.
Comment out --with-system-{libevent,harfbuzz,graphite2}, --enable-system-cairo.
Import %cargo-build-system-modules. Add 'patch-cargo-checksums' phase.
* gnu/packages/patches/icecat-CVE-2018-5157-and-CVE-2018-5158.patch,
gnu/packages/patches/icecat-bug-1413868-pt1.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
* gnu/packages/gnuzilla.scm (mozjs-52): New variable.
(cherry picked from commit f67db495aa6e29692e368a13130a40541d5d8273)
Signed-off-by: Marius Bakke <mbakke@fastmail.com>
Includes fixes for CVE-2018-12363, CVE-2018-12364, CVE-2018-12366, the
remaining 1 out of 2 changesets for CVE-2018-5156, and the remaining 7 out
of 17 changesets for CVE-2018-5188.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add selected fixes from
the upstream mozilla-esr52 repository.
* gnu/packages/patches/icecat-bug-1413868-pt1.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
Document that we include fixes for CVE-2018-6126, CVE-2018-12359,
CVE-2018-12360, CVE-2018-12362, CVE-2018-12365, 1 out of 2 changesets for
CVE-2018-5156, and 10 out of 17 changesets for CVE-2018-5188.
* gnu/packages/gnuzilla.scm (icecat)[source]: Relabel patches to reflect CVE
assignments.
Document the fact that we include fixes for CVE-2018-5154, CVE-2018-5155,
CVE-2018-5157, CVE-2018-5158, CVE-2018-5159, CVE-2018-5168, CVE-2018-5178,
and 9/10 changesets for CVE-2018-5150.
* gnu/packages/gnuzilla.scm (icecat)[source]: Relabel patches to reflect CVE
assignments.
* gnu/packages/patches/icecat-bug-1452075.patch: Rename to...
* gnu/packages/patches/icecat-CVE-2018-5157-and-CVE-2018-5158.patch: ...this.
* gnu/local.mk (dist_patch_DATA): Rename it.
Fixes <https://bugs.gnu.org/31356>.
Reported by Clément Lassieur <clement@lassieur.org>.
* gnu/packages/gnuzilla.scm (icecat)[inputs]: Change from FFMPEG to FFMPEG-3.4.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add selected fixes
from the upstream mozilla-esr52 repository.
* gnu/packages/patches/icecat-bug-1452075.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gnuzilla.scm (icecat)[arguments]: To configure-flags, add
"--with-distribution-id=org.gnu", "--disable-tests", "--disable-updater",
"--disable-crashreporter", "--disable-maintenance-service", and
"--disable-eme". Rename the
'arrange-to-link-libxul-with-libraries-it-might-dlopen' phase to
'link-libxul-with-libraries'.
