firefox: Added checks for new addon behaviour since v91 #133504
Conversation
ofborg
bot
added
8.has: package (new)
10.rebuild-darwin: 1-10
10.rebuild-darwin: 1
10.rebuild-linux: 1-10
10.rebuild-linux: 1
and removed
10.rebuild-linux: 1
labels
pkgs/top-level/all-packages.nix
Outdated
| @@ -24470,6 +24470,7 @@ with pkgs; | |||
| firefox-esr-wayland = wrapFirefox firefox-esr-91-unwrapped { forceWayland = true; }; | |||
| firefox-esr-78 = wrapFirefox firefox-esr-78-unwrapped { }; | |||
| firefox-esr-91 = wrapFirefox firefox-esr-91-unwrapped { }; | |||
| firefox-esr-unwrapped = firefoxPackages.firefox-esr-91; | |||
There was a problem hiding this comment.
firefox-esr-unwrapped being 91.x while firefox-esr is 78.x seems… interesting
There was a problem hiding this comment.
True, but it seems a mistake by a previous committer as firefox-esr-wayland is v91. I will bump firefox-esr
There was a problem hiding this comment.
No. Just look through the commit history.
|
Result of 2 packages built successfully:
|
There was a problem hiding this comment.
I will bump firefox-esr
That's honestly not up to you, leave that to us maintainers, please.
a mistake by a previous committer as firefox-esr-wayland is v91.
The sole reason I created firefox-esr-wayland based on 91esr is that I didn't want to introduce this on old 78esr, which I never actually tested on wayland. I'm much more confident in 91 for this and there didn't need to be any backward compat, because it was newly introduced.
|
|
||
| ```nix | ||
| { | ||
| myFirefox = wrapFirefox firefox-unwrapped { | ||
| # Nix firefox addons only work in ESR build. |
There was a problem hiding this comment.
Only in ESR builds meaning 91.0 ESR works, but 91.0 does not?
There was a problem hiding this comment.
Maybe say 78/91 ESR to be clearer here. We can likely expect 91 ESR to be the last ESR series to allow for unsigned addons.
There was a problem hiding this comment.
Hmm I don't think so because there needs to be a way for corporations to deploy internal addons not published in the firefox addon store~ I rewrote it to Nix firefox addons only work in the firefox-esr package . Is that okay?
Firefox 61 started to enforce signatures for add-ons and since commit d031843, we get an evaluation error that recommends the user to switch to Firefox ESR. This isn't an option for everyone and as I also pointed out in the pull request[1] introducing the above commit, I've been building Firefox like this: let firefoxNoSigning = firefox-unwrapped.overrideAttrs (lib.const { MOZ_REQUIRE_SIGNING = false; }); in wrapFirefox firefoxNoSigning { nixExtensions = ...; } However, this only works after manually modifying nixpkgs (or copy & paste wrapper.nix elsewhere) every time I want to have a new Firefox version. Of course, this gets annoying and tedious after a while, so this motivated me to properly fix this to not only check for an ESR version but also check the value of MOZ_REQUIRE_SIGNING. Note that I'm using toString here to check for the value because there are several ways (false, null, "", ...) to set the environment variable to an empty string and toString makes sure that it really is the desired behaviour. I specifically checked the Firefox source and also tested this with multiple values and only building with MOZ_REQUIRE_SIGNING set to an empty string seems to work (no "0", "false" or other variants). Additionally, there is another method to allow unsigned add-ons, which is by using the --with-unsigned-addon-scopes configure option[2]. Unfortunately, this does not work with nixExtensions because we don't have (or want) a central directory where those add-ons reside. Given that nixExtensions disallows manually installing add-ons, setting MOZ_REQUIRE_SIGNING to false should be safe in this case. [1]: NixOS#133504 [2]: https://bugs.archlinux.org/task/63075 Signed-off-by: aszlig <aszlig@nix.build>
Motivation for this change
Firefox v91 does not support addons with invalid signature anymore. Firefox ESR needs to be used for nix addon support.
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)