firefox: Added checks for new addon behaviour since v91 #133504
pkgs/top-level/all-packages.nix
@@ -24470,6 +24470,7 @@ with pkgs; | |||
firefox-esr-wayland = wrapFirefox firefox-esr-91-unwrapped { forceWayland = true; }; | |||
firefox-esr-78 = wrapFirefox firefox-esr-78-unwrapped { }; | |||
firefox-esr-91 = wrapFirefox firefox-esr-91-unwrapped { }; | |||
firefox-esr-unwrapped = firefoxPackages.firefox-esr-91; |
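Review bot: an unversioned `firefox-esr-unwrapped` alias pinned to `firefoxPackages.firefox-esr-91` (last line of the hunk) needs to be checked against the series that the unversioned wrapped `firefox-esr` resolves to, which this hunk does not show; the neighbouring wrapped attributes are explicitly `firefox-esr-78` and `firefox-esr-91`. If the wrapped and unwrapped unversioned names point at different ESR series, anyone wrapping one and expecting the other gets a mismatched browser. Align the alias with `firefox-esr`, or drop it from this PR, since a new top-level alias is separate from the add-on checks named in the title.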
firefox-esr-unwrapped being 91.x while firefox-esr is 78.x seems… interesting
True, but it seems a mistake by a previous committer as firefox-esr-wayland is v91. I will bump firefox-esr
No. Just look through the commit history.
Result of 2 packages built successfully:
> I will bump firefox-esr

That's honestly not up to you, leave that to us maintainers, please.

> a mistake by a previous committer as firefox-esr-wayland is v91.

The sole reason I created `firefox-esr-wayland` based on 91esr is that I didn't want to introduce this on old 78esr, which I never actually tested on wayland. I'm much more confident in 91 for this and there didn't need to be any backward compat, because it was newly introduced.
Needs more clarification about 91.0 vs 91.0 ESR, also carries a stray change that needs to be removed.
|
||
```nix | ||
{ | ||
myFirefox = wrapFirefox firefox-unwrapped { | ||
# Nix firefox addons only work in ESR build. |
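Review bot: the comment `# Nix firefox addons only work in ESR build.` sits inside an example that wraps `firefox-unwrapped`, so the documented snippet contradicts its own comment. Use an ESR package in the `wrapFirefox` call, and name the supported series or package in the comment so a reader can tell whether a non-ESR build of the same version is excluded.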
Only in ESR builds meaning 91.0 ESR works, but 91.0 does not?
correct
Maybe say 78/91 ESR to be clearer here. We can likely expect 91 ESR to be the last ESR series to allow for unsigned addons.
Hmm I don't think so because there needs to be a way for corporations to deploy internal addons not published in the firefox addon store~ I rewrote it to `Nix firefox addons only work in the firefox-esr package`. Is that okay?
Firefox 61 started to enforce signatures for add-ons and since commit d031843, we get an evaluation error that recommends the user to switch to Firefox ESR.

This isn't an option for everyone and as I also pointed out in the pull request[1] introducing the above commit, I've been building Firefox like this:

    let
      firefoxNoSigning = firefox-unwrapped.overrideAttrs (lib.const {
        MOZ_REQUIRE_SIGNING = false;
      });
    in wrapFirefox firefoxNoSigning {
      nixExtensions = ...;
    }

However, this only works after manually modifying nixpkgs (or copy & paste wrapper.nix elsewhere) every time I want to have a new Firefox version.

Of course, this gets annoying and tedious after a while, so this motivated me to properly fix this to not only check for an ESR version but also check the value of MOZ_REQUIRE_SIGNING.

Note that I'm using toString here to check for the value because there are several ways (false, null, "", ...) to set the environment variable to an empty string and toString makes sure that it really is the desired behaviour.

I specifically checked the Firefox source and also tested this with multiple values and only building with MOZ_REQUIRE_SIGNING set to an empty string seems to work (no "0", "false" or other variants).

Additionally, there is another method to allow unsigned add-ons, which is by using the --with-unsigned-addon-scopes configure option[2]. Unfortunately, this does not work with nixExtensions because we don't have (or want) a central directory where those add-ons reside.

Given that nixExtensions disallows manually installing add-ons, setting MOZ_REQUIRE_SIGNING to false should be safe in this case.

[1]: NixOS#133504
[2]: https://bugs.archlinux.org/task/63075

Signed-off-by: aszlig <aszlig@nix.build>
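The coercion check described in the commit message above, as an added illustration that is not the code from nixpkgs' wrapper.nix: it shows which settings of `MOZ_REQUIRE_SIGNING` are coerced by `toString` to the empty string and would therefore pass the check. The `isEsr` flag, the helper names and the sample attribute sets are assumptions made for this example.

```nix
# Added illustration, not nixpkgs code.
# Evaluate with: nix-instantiate --eval --strict example.nix
let
  # True when the build enforces add-on signatures. An unset attribute means
  # the default (enforced); otherwise only values that toString coerces to
  # the empty string count as "signing disabled".
  requiresSigning = browser:
    !(browser ? MOZ_REQUIRE_SIGNING)
    || toString browser.MOZ_REQUIRE_SIGNING != "";

  # Hypothetical `isEsr` flag: stands in for however the wrapper detects an
  # ESR build. nixExtensions are acceptable on ESR or when signing is off.
  allowsNixExtensions = browser:
    (browser.isEsr or false) || !requiresSigning browser;

  # Constructed sample inputs, not real nixpkgs derivations.
  samples = {
    unset       = { };                                 # default build
    boolFalse   = { MOZ_REQUIRE_SIGNING = false; };    # toString false == ""
    nullValue   = { MOZ_REQUIRE_SIGNING = null; };     # toString null  == ""
    emptyString = { MOZ_REQUIRE_SIGNING = ""; };
    stringZero  = { MOZ_REQUIRE_SIGNING = "0"; };      # non-empty string
    stringFalse = { MOZ_REQUIRE_SIGNING = "false"; };  # non-empty string
    boolTrue    = { MOZ_REQUIRE_SIGNING = true; };     # toString true  == "1"
    esrDefault  = { isEsr = true; };                   # ESR, attribute unset
  };
in
  # Attribute set mapping each sample name to whether nixExtensions would be
  # accepted for that build.
  builtins.mapAttrs (_: allowsNixExtensions) samples
```

The string values `"0"` and `"false"` are rejected because they are non-empty, which matches the commit message's observation that only an empty value disables signing in the build.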
Motivation for this change
Firefox v91 does not support addons with invalid signature anymore. Firefox ESR needs to be used for nix addon support.