# Contributor: Natanael Copa # Contributor: Sören Tempel # Maintainer: Natanael Copa pkgname=firefox-esr pkgver=115.1.0 # Date of release, YY-MM-DD for metainfo file (see package()) _releasedate=2023-08-01 pkgrel=0 pkgdesc="Firefox web browser - Extended Support Release" url="https://www.mozilla.org/en-US/firefox/organizations/" # s390x and riscv64: blocked by rust and cargo # armhf: build failure on armhf due to wasm arch="x86_64 armv7 aarch64 x86 ppc64le" license="GPL-3.0-only AND LGPL-2.1-only AND LGPL-3.0-only AND MPL-2.0" install="$pkgname.post-upgrade" depends=" ffmpeg-libavcodec " makedepends=" alsa-lib-dev automake bsd-compat-headers cargo cbindgen clang clang-libclang dbus-glib-dev gettext gtk+3.0-dev hunspell-dev icu-dev>=69.1 libevent-dev libffi-dev libjpeg-turbo-dev libnotify-dev libogg-dev libtheora-dev libtool libvorbis-dev libvpx-dev libwebp-dev libxcomposite-dev libxt-dev lld llvm-dev m4 mesa-dev nasm nodejs nspr-dev nss-dev pipewire-dev pulseaudio-dev py3-psutil py3-zstandard python3 sed wasi-sdk wireless-tools-dev zip " source="https://ftp.mozilla.org/pub/firefox/releases/${pkgver}esr/source/firefox-${pkgver}esr.source.tar.xz audio-lfs64.patch disable-moz-stackwalk.patch esr-metainfo.patch fix-fortify-system-wrappers.patch fix-rust-target.patch fix-webrtc-glibcisms.patch lfs64.patch no-ccache-stats.patch ppc-musttail.patch ppc-webrtc.patch python-deps.patch rust-lto-thin.patch sandbox-fork.patch sandbox-largefile.patch sandbox-sched_setscheduler.patch stab.h firefox.desktop mozilla-location.keys vendor-prefs.js " builddir="$srcdir/firefox-$pkgver" _mozappdir=/usr/lib/firefox-esr # help our shared-object scanner to find the libs ldpath="$_mozappdir" # secfixes: # 102.1.0-r0: # - CVE-2022-2505 # - CVE-2022-36314 # - CVE-2022-36318 # - CVE-2022-36319 # 91.11.0-r0: # - CVE-2022-2200 # - CVE-2022-31744 # - CVE-2022-34468 # - CVE-2022-34470 # - CVE-2022-34472 # - CVE-2022-34478 # - CVE-2022-34479 # - CVE-2022-34481 # - CVE-2022-34484 # 91.10.0-r0: # - CVE-2022-31736 # - CVE-2022-31737 # - CVE-2022-31738 # - CVE-2022-31739 # - CVE-2022-31740 # - CVE-2022-31741 # - CVE-2022-31742 # - CVE-2022-31747 # 91.9.1-r0: # - CVE-2022-1529 # - CVE-2022-1802 # 91.9.0-r0: # - CVE-2022-29909 # - CVE-2022-29911 # - CVE-2022-29912 # - CVE-2022-29914 # - CVE-2022-29916 # - CVE-2022-29917 # 91.8.0-r0: # - CVE-2022-1097 # - CVE-2022-1196 # - CVE-2022-24713 # - CVE-2022-28281 # - CVE-2022-28282 # - CVE-2022-28285 # - CVE-2022-28286 # - CVE-2022-28289 # 91.7.0-r0: # - CVE-2022-26381 # - CVE-2022-26383 # - CVE-2022-26384 # - CVE-2022-26386 # - CVE-2022-26387 # 91.6.1-r0: # - CVE-2022-26485 # - CVE-2022-26486 # 91.6.0-r0: # - CVE-2022-22754 # - CVE-2022-22756 # - CVE-2022-22759 # - CVE-2022-22760 # - CVE-2022-22761 # - CVE-2022-22763 # - CVE-2022-22764 # 91.5.0-r0: # - CVE-2021-4140 # - CVE-2022-22737 # - CVE-2022-22738 # - CVE-2022-22739 # - CVE-2022-22740 # - CVE-2022-22741 # - CVE-2022-22742 # - CVE-2022-22743 # - CVE-2022-22744 # - CVE-2022-22745 # - CVE-2022-22746 # - CVE-2022-22747 # - CVE-2022-22748 # - CVE-2022-22751 # 91.4.0-r0: # - CVE-2021-43536 # - CVE-2021-43537 # - CVE-2021-43538 # - CVE-2021-43539 # - CVE-2021-43541 # - CVE-2021-43542 # - CVE-2021-43543 # - CVE-2021-43545 # - CVE-2021-43546 # 91.3.0-r0: # - CVE-2021-38503 # - CVE-2021-38504 # - CVE-2021-38505 # - CVE-2021-38506 # - CVE-2021-38507 # - CVE-2021-38508 # - CVE-2021-38509 # - CVE-2021-38510 # 91.2.0-r0: # - CVE-2021-32810 # - CVE-2021-38492 # - CVE-2021-38493 # - CVE-2021-38495 # - CVE-2021-38496 # - CVE-2021-38497 # - CVE-2021-38498 # - CVE-2021-38500 # - CVE-2021-38501 # 78.13.0-r0: # - CVE-2021-29980 # - CVE-2021-29984 # - CVE-2021-29985 # - CVE-2021-29986 # - CVE-2021-29988 # - CVE-2021-29989 # 78.12.0-r0: # - CVE-2021-29970 # - CVE-2021-29976 # - CVE-2021-30547 # 78.11.0-r0: # - CVE-2021-29967 # 78.10.0-r0: # - CVE-2021-23961 # - CVE-2021-23994 # - CVE-2021-23995 # - CVE-2021-23998 # - CVE-2021-23999 # - CVE-2021-24002 # - CVE-2021-29945 # - CVE-2021-29946 # 78.9.0-r0: # - CVE-2021-23981 # - CVE-2021-23982 # - CVE-2021-23984 # - CVE-2021-23987 # 78.8.0-r0: # - CVE-2021-23968 # - CVE-2021-23969 # - CVE-2021-23973 # - CVE-2021-23978 # 78.7.0-r0: # - CVE-2020-26976 # - CVE-2021-23953 # - CVE-2021-23954 # - CVE-2021-23960 # - CVE-2021-23964 # 78.6.1-r0: # - CVE-2020-16044 # 78.6.0-r0: # - CVE-2020-16042 # - CVE-2020-26971 # - CVE-2020-26973 # - CVE-2020-26974 # - CVE-2020-26978 # - CVE-2020-35111 # - CVE-2020-35112 # - CVE-2020-35113 # 78.5.0-r0: # - CVE-2020-15683 # - CVE-2020-15969 # - CVE-2020-15999 # - CVE-2020-16012 # - CVE-2020-26950 # - CVE-2020-26951 # - CVE-2020-26953 # - CVE-2020-26956 # - CVE-2020-26958 # - CVE-2020-26959 # - CVE-2020-26960 # - CVE-2020-26961 # - CVE-2020-26965 # - CVE-2020-26966 # - CVE-2020-26968 # 78.3.0-r0: # - CVE-2020-15673 # - CVE-2020-15676 # - CVE-2020-15677 # - CVE-2020-15678 # 78.2.0-r0: # - CVE-2020-15663 # - CVE-2020-15664 # - CVE-2020-15670 # 78.1.0-r0: # - CVE-2020-15652 # - CVE-2020-15653 # - CVE-2020-15654 # - CVE-2020-15655 # - CVE-2020-15656 # - CVE-2020-15657 # - CVE-2020-15658 # - CVE-2020-15659 # - CVE-2020-6463 # - CVE-2020-6514 # 68.10.0-r0: # - CVE-2020-12417 # - CVE-2020-12418 # - CVE-2020-12419 # - CVE-2020-12420 # - CVE-2020-12421 # 68.9.0-r0: # - CVE-2020-12399 # - CVE-2020-12405 # - CVE-2020-12406 # - CVE-2020-12410 # 68.8.0-r0: # - CVE-2020-12387 # - CVE-2020-12388 # - CVE-2020-12389 # - CVE-2020-12392 # - CVE-2020-12393 # - CVE-2020-12395 # - CVE-2020-6831 # 68.7.0-r0: # - CVE-2020-6821 # - CVE-2020-6822 # - CVE-2020-6825 # 68.6.1-r0: # - CVE-2020-6819 # - CVE-2020-6820 # 68.6.0-r0: # - CVE-2019-20503 # - CVE-2020-6805 # - CVE-2020-6806 # - CVE-2020-6807 # - CVE-2020-6811 # - CVE-2020-6812 # - CVE-2020-6814 # 68.5.0-r0: # - CVE-2020-6796 # - CVE-2020-6797 # - CVE-2020-6798 # - CVE-2020-6799 # - CVE-2020-6800 # 68.4.1-r0: # - CVE-2019-17016 # - CVE-2019-17022 # - CVE-2019-17024 # - CVE-2019-17026 # 68.3.0-r0: # - CVE-2019-17005 # - CVE-2019-17008 # - CVE-2019-17009 # - CVE-2019-17010 # - CVE-2019-17011 # - CVE-2019-17012 # 68.2.0-r0: # - CVE-2019-11757 # - CVE-2019-11758 # - CVE-2019-11759 # - CVE-2019-11760 # - CVE-2019-11761 # - CVE-2019-11762 # - CVE-2019-11763 # - CVE-2019-11764 # - CVE-2019-15903 # 68.1.0-r0: # - CVE-2019-9812 # - CVE-2019-11740 # - CVE-2019-11742 # - CVE-2019-11743 # - CVE-2019-11744 # - CVE-2019-11746 # - CVE-2019-11752 # 68.0.2-r0: # - CVE-2019-11733 # 68.0-r0: # - CVE-2019-11709 # - CVE-2019-11711 # - CVE-2019-11712 # - CVE-2019-11713 # - CVE-2019-11715 # - CVE-2019-11717 # - CVE-2019-11719 # - CVE-2019-11729 # - CVE-2019-11730 # - CVE-2019-9811 # 60.7.2-r0: # - CVE-2019-11708 # 60.7.1-r0: # - CVE-2019-11707 # 60.7.0-r0: # - CVE-2019-9815 # - CVE-2019-9816 # - CVE-2019-9817 # - CVE-2019-9818 # - CVE-2019-9819 # - CVE-2019-9820 # - CVE-2019-11691 # - CVE-2019-11692 # - CVE-2019-11693 # - CVE-2019-7317 # - CVE-2019-9797 # - CVE-2018-18511 # - CVE-2019-11694 # - CVE-2019-11698 # - CVE-2019-5798 # - CVE-2019-9800 # 60.6.1-r0: # - CVE-2019-9810 # - CVE-2019-9813 # - CVE-2019-9790 # - CVE-2019-9791 # - CVE-2019-9792 # - CVE-2019-9793 # - CVE-2019-9794 # - CVE-2019-9795 # - CVE-2019-9796 # - CVE-2019-9801 # - CVE-2018-18506 # - CVE-2019-9788 # 60.5.2-r0: # - CVE-2019-5785 # - CVE-2018-18335 # - CVE-2018-18356 # 60.5.0-r0: # - CVE-2018-18500 # - CVE-2018-18505 # - CVE-2018-18501 # 52.6.0-r0: # - CVE-2018-5089 # - CVE-2018-5091 # - CVE-2018-5095 # - CVE-2018-5096 # - CVE-2018-5097 # - CVE-2018-5098 # - CVE-2018-5099 # - CVE-2018-5102 # - CVE-2018-5103 # - CVE-2018-5104 # - CVE-2018-5117 # 52.5.2-r0: # - CVE-2017-7843 # we need this because cargo verifies checksums of all files in vendor # crates when it builds and gives us no way to override or update the # file sanely... so just clear out the file list _clear_vendor_checksums() { sed -i 's/\("files":{\)[^}]*/\1/' third_party/rust/$1/.cargo-checksum.json } export SHELL=/bin/sh export BUILD_OFFICIAL=1 export MOZILLA_OFFICIAL=1 export USE_SHORT_LIBNAME=1 export MACH_BUILD_PYTHON_NATIVE_PACKAGE_SOURCE=system export MOZ_APP_PROFILE="mozilla/firefox" export MOZ_APP_REMOTINGNAME=firefox-esr export MOZBUILD_STATE_PATH="$srcdir"/mozbuild # disable desktop notifications export MOZ_NOSPAM=1 # Find our triplet JSON export RUST_TARGET="$CTARGET" # Build with Clang, takes less RAM export CC="clang" export CXX="clang++" # set rpath so linker finds the libs export LDFLAGS="$LDFLAGS -Wl,-rpath,$_mozappdir" # let firefox do this itself. unset CARGO_PROFILE_RELEASE_OPT_LEVEL unset CARGO_PROFILE_RELEASE_LTO export CFLAGS="${CFLAGS/-fstack-clash-protection/} -g0 -O2" export CXXFLAGS="${CXXFLAGS/-fstack-clash-protection/} -g0 -O2 -Wno-deprecated-builtins -Wno-deprecated-declarations" prepare() { default_prepare cp "$srcdir"/stab.h toolkit/crashreporter/google-breakpad/src/ _clear_vendor_checksums audio_thread_priority base64 -d "$srcdir"/mozilla-location.keys > "$builddir"/mozilla-api-key # webrtc does not build on these case "$CARCH" in ppc64le) local webrtc_config="ac_add_options --disable-webrtc" ;; esac case "$CARCH" in armv7) # broken here local rust_simd="ac_add_options --disable-rust-simd" ;; *) local rust_simd="ac_add_options --enable-rust-simd" ;; esac case "$CARCH" in aarch64|arm*|x86*) # disable-elf-hack: exists only on aarch64, arm*, x86, x86_64 local arch_config="ac_add_options --disable-elf-hack" ;; esac # sandbox only supported here case "$CARCH" in x86*|armv7|aarch64) local sandbox="ac_add_options --enable-sandbox" ;; *) local sandbox="ac_add_options --disable-sandbox" ;; esac cat > base-mozconfig <<-EOF # disable unwanted things ac_add_options --disable-bootstrap ac_add_options --disable-cargo-incremental ac_add_options --disable-crashreporter ac_add_options --disable-debug ac_add_options --disable-debug-symbols ac_add_options --disable-install-strip ac_add_options --disable-jemalloc ac_add_options --disable-strip ac_add_options --disable-tests ac_add_options --disable-updater # features ac_add_options --enable-alsa ac_add_options --enable-dbus ac_add_options --enable-default-toolkit=cairo-gtk3-wayland ac_add_options --enable-ffmpeg ac_add_options --enable-hardening ac_add_options --enable-linker=lld ac_add_options --enable-necko-wifi ac_add_options --enable-official-branding ac_add_options --enable-optimize="$CFLAGS" ac_add_options --enable-pulseaudio ac_add_options --enable-release ac_add_options --enable-update-channel=release # system libs ac_add_options --enable-system-pixman ac_add_options --with-system-ffi ac_add_options --with-system-icu ac_add_options --with-system-jpeg ac_add_options --with-system-libevent ac_add_options --with-system-libvpx ac_add_options --with-system-nspr ac_add_options --with-system-nss ac_add_options --with-system-png ac_add_options --with-system-webp ac_add_options --with-system-zlib # misc ac_add_options --allow-addon-sideload ac_add_options --prefix=/usr ac_add_options --with-app-name=firefox-esr ac_add_options --with-distribution-id=org.alpinelinux ac_add_options --with-libclang-path=/usr/lib ac_add_options --with-unsigned-addon-scopes=app,system ac_add_options --with-wasi-sysroot=/usr/share/wasi-sysroot ac_add_options --host=$CHOST ac_add_options --target=$CTARGET # objdir mk_add_options MOZ_OBJDIR="$builddir/obj" mk_add_options RUSTFLAGS="$RUSTFLAGS" # keys # these are for alpine linux use only ac_add_options --with-mozilla-api-keyfile="$builddir/mozilla-api-key" $arch_config $rust_simd $sandbox $webrtc_config EOF } build() { cat > .mozconfig base-mozconfig export MOZ_BUILD_DATE=$(date ${SOURCE_DATE_EPOCH:+ -d@${SOURCE_DATE_EPOCH}} "+%Y%m%d%H%M%S") # for lto ulimit -n 4096 # can't be set here and fail unset RUSTFLAGS local thinlto_jobs=${JOBS:-1} case "$CARCH" in # on this platforms, lld seems to not utilise >1 threads for thinlto for some reason. # at the same time, having more than 8 also crashes lld for firefox buildsystems (why?). aarch64) if [ $thinlto_jobs -gt 8 ]; then thinlto_jobs=8 fi ;; esac export LDFLAGS="$LDFLAGS -Wl,--thinlto-jobs=$thinlto_jobs" case "$CARCH" in # lto for 64-bit systems only aarch64|x86_64|ppc64le) cat > .mozconfig base-mozconfig <<-EOF ac_add_options --enable-lto=cross EOF esac ./mach build } package() { DESTDIR="$pkgdir" ./mach install local _png for _png in ./browser/branding/official/default*.png; do local i=${_png%.png} i=${i##*/default} install -Dm644 "$_png" \ "$pkgdir"/usr/share/icons/hicolor/"$i"x"$i"/apps/firefox-esr.png done install -Dm644 browser/branding/official/content/about-logo.png \ "$pkgdir"/usr/share/icons/hicolor/192x192/apps/firefox-esr.png install -Dm644 browser/branding/official/content/about-logo@2x.png \ "$pkgdir"/usr/share/icons/hicolor/384x384/apps/firefox-esr.png install -Dm644 browser/branding/official/content/about-logo.svg \ "$pkgdir"/usr/share/icons/hicolor/scalable/apps/firefox-esr.svg install -Dm644 "$srcdir"/firefox.desktop \ "$pkgdir"/usr/share/applications/firefox-esr.desktop # install our vendor prefs install -Dm644 "$srcdir"/vendor-prefs.js \ "$pkgdir"/$_mozappdir/browser/defaults/preferences/vendor.js # Generate appdata file mkdir -p "$pkgdir"/usr/share/metainfo/ export VERSION="$pkgver" export DATE="$_releasedate" envsubst < "$builddir"/taskcluster/docker/firefox-flatpak/org.mozilla.firefox.appdata.xml.in > "$pkgdir"/usr/share/metainfo/org.mozilla.firefox-esr.appdata.xml # Replace duplicate binary with wrapper # https://bugzilla.mozilla.org/show_bug.cgi?id=658850 install -Dm755 /dev/stdin "$pkgdir"/usr/bin/firefox-esr <<- EOF #!/bin/sh exec $_mozappdir/firefox-esr "\$@" EOF rm "$pkgdir"/$_mozappdir/firefox-esr-bin ln -sfv /usr/bin/firefox-esr "$pkgdir"/$_mozappdir/firefox-esr-bin } sha512sums=" b2abb706fef2f1aa9451e7ac7c2affa0cc92cf2b0c6629f106a94c62017476380c7b6f406861fa468f60ea898d8402f534ad74844eb3932741fbd981cec66592 firefox-115.1.0esr.source.tar.xz 3e0501ae7a650346c667dfdc0ae0ca286084f22e89ab2ac671cc0d7315673dc5b6dcb9f9882f6f39d26e9a31e57f7a0fd53d6b805e520224e22b8976850e2eb8 audio-lfs64.patch 454ea3263cabce099accbdc47aaf83be26a19f8b5a4568c01a7ef0384601cf8315efd86cd917f9c8bf419c2c845db89a905f3ff9a8eb0c8e41042e93aa96a85c disable-moz-stackwalk.patch f7b3b45ba04d05d17439d009bf0c9f27881e126f424e2257552338a0c1e3771ee1289c044babcb0920f62af62873a268c0cf524e1d35711e6dc8b808ca5e9f26 esr-metainfo.patch 2f4f15974d52de4bb273b62a332d13620945d284bbc6fe6bd0a1f58ff7388443bc1d3bf9c82cc31a8527aad92b0cd3a1bc41d0af5e1800e0dcbd7033e58ffd71 fix-fortify-system-wrappers.patch cd68b89e29e5f6379fbd5679db27b9a5ef70ea65e51c0d0a8137e1f1fd210e35a8cfb047798e9549bc7275606d7ec5c8d8af1335d29da4699db7acd8bc7ff556 fix-rust-target.patch 305c874fdea3096e9c4c6aa6520ac64bb1c347c4b59db8360096646593fe684c3b5377874d91cecd33d56d1410b4714fbdea2b514923723ecbeff79d51265d9b fix-webrtc-glibcisms.patch 5fa9382c692e4bd6a2634308f24a6526fd12a60a2563d2090056d43a60505df3ec9881bbf54562e69394467529b3b0dc45955afca46ed329af03cea074fff070 lfs64.patch c0437a6753f3f350968fa12d250efdfe1bea77baf0e4c06b072b5cc9e78c774dbf4506bc536337030d349fb3ba4460097b75b0c7c5b8fb2d39d8b0a392948936 no-ccache-stats.patch 2d8dff86212d6d2a904cbb5a5a1d6c17b89adc929fc6a3f4c6cb669f5e83ecddff5a799225319ba445a187b04d111251af75dd3ce8a039164bc14d2a432a2a04 ppc-musttail.patch 6f60e83599041db1b707c21784197ea9816b2c936b89a274bfc24554a600981e6f28448fe41fab0942bd31acd49b1c00beb2eb0961149f2ffa6a4154be123ea7 ppc-webrtc.patch ff3618223bba2d7b877a16451256e67d973c5f4e24027cb5a7da4c0a6f6a028a1eb51d3cbcddae71bca584a4c13cb485950b86022ea26d4e25ae3fdf3ce5d910 python-deps.patch 1c6918dd6655d3a1251bfd4af2e1c561cbb00d540a883b4c1ebf7f5de530d754d9ac07b4b5f56cdab6c511d25c8910ec94043f5733e97501a67abffe1bafaeb1 rust-lto-thin.patch 2518f2fc75b5db30058e0735f47d60fdf1e7adfaeee4b33fb2afb1bd9a616ce943fd88f4404d0802d4083703f4acf1d5ad42377218d025bc768807fbaf7e1609 sandbox-fork.patch b7d0a6126bdf6c0569f80aabf5b37ed2c7a35712eb8a0404a2d85381552f5555d4f97d213ea26cec6a45dc2785f22439376ed5f8e78b4fd664ef0223307b333e sandbox-largefile.patch 94433c5ffdbe579c456d95c5f053f61fcbab2f652fa90bc69dcc27d9a1507a8e5c677adeadae9a7a75cc9a55184c1040737f4dfd10b279c088ef016561e6f135 sandbox-sched_setscheduler.patch 0b3f1e4b9fdc868e4738b5c81fd6c6128ce8885b260affcb9a65ff9d164d7232626ce1291aaea70132b3e3124f5e13fef4d39326b8e7173e362a823722a85127 stab.h d354f48a29bfc16719f3b230b1395063239d4420f9e47522de4662392d9697b15f931ca3bf6055d100fa33d61a9a1a13477687d5eac99e50ae7dbef9882a5808 firefox.desktop 382510375b1a2fa79be0ab79e3391a021ae2c022429ffbaa7e7a69166f99bb56d01e59a1b10688592a29238f21c9d6977672bd77f9fae439b66bdfe0c55ddb15 mozilla-location.keys fc45bc3ffb9404e5338ea26a9f04807b40f6f516324972cddd48bedb91b8bd7c6b8d4e03a0209020f5e67b703bc4ff89389985791b9bd544a0fc3951e2dc338e vendor-prefs.js "