Moonchild wrote:
The build configuration looks perfectly fine for official branding.

Thanks for the confirmation. I've been keeping up with updating our Pale Moon build as much as possible; however, while debugging another project I was reminded that Nixpkgs enforces a lot of hardening compiler switches by default. Our C/C++ compiler is a wrapper that automatically adds a variety of hardening-related flags. Here's our manual page about this hardening policy: https://nixos.org/nixpkgs/manual/#sec-h ... in-nixpkgs
In cleartext, this adds the following compiler flags to any compilation (from what I can tell so far):
Code:
-Wformat -Wformat-security -Werror=format-security -fstack-protector-strong --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2 -fPIC -Wstrict-overflow -z relro -z bindnow -fPIE -pie
Additionally, I've been looking into packaging the official build tarballs for Nixpkgs, like we've done with Firefox. I'm very concerned about following the licensing restrictions, so I wanted to check whether the following situation and solutions would seem problematic to you before I push anything upstream (I have a patched build that seemingly runs about as well as our source builds right now):
Unpacking Pale Moon straight from the package supplied from the website will, under absolutely no circumstances, run on our main distribution NixOS without any changes to the binary itself. Since our filesystem does not follow the common Linux FHS, all the binaries' linker references will at the very least need to be patched via patchelf.
Code:
patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" $out/lib/palemoon-bin-${version}/"$exe"
Due to the package being flagged as unfree, these modifications would not be performed and further distributed by us directly; the users' package manager will, if requested, download the official tarballs and run these modifications according to our "recipe". As for the updater, our Firefox wrapper writes a preference JSON file and links it into the Firefox package tree:
Code:
policies = {
DisableAppUpdate = true;
};
policiesJson = writeText "no-update-firefox-policy.json" (builtins.toJSON { inherit policies; });
[…]
# See: https://github.com/mozilla/policy-templates/blob/master/README.md
mkdir -p "$out/lib/firefox-bin-${version}/distribution";
ln -s ${policiesJson} "$out/lib/firefox-bin-${version}/distribution/policies.json";
Thanks for reading through all that, hope you can help me with my questions. Cheers.
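As an added example (not part of the post above, and not Nixpkgs or Pale Moon code): a stdlib-only ELF64 inspector that checks whether the linker-visible parts of the hardening policy quoted above (`-fPIE -pie`, `-z relro`, `-z bindnow`) and the `patchelf --set-interpreter` rewrite actually landed in a binary, so a packager can assert the result instead of trusting the wrapper flags. The `build_sample_elf` helper and the `/nix/store/<hash>-...` path are constructed test input; only little-endian ELF64 is handled, and the dynamic table is read at its file offset.

```python
import struct

# ELF constants needed to recognise the artefacts of the hardening flags
ET_DYN, PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 3, 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"  # little-endian ELF64 layouts

def elf_hardening(data: bytes) -> dict:
    """Report pie / relro / bind_now / interpreter for an ELF64 image (bytes)."""
    hdr = struct.unpack_from(EHDR, data, 0)
    ident, e_type, phoff, phentsize, phnum = hdr[0], hdr[1], hdr[5], hdr[9], hdr[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    out = {"pie": e_type == ET_DYN, "relro": False, "bind_now": False, "interpreter": None}
    for i in range(phnum):
        p_type, _, off, _, _, filesz, _, _ = struct.unpack_from(PHDR, data, phoff + i * phentsize)
        if p_type == PT_GNU_RELRO:  # left by -z relro
            out["relro"] = True
        elif p_type == PT_INTERP:  # the string patchelf --set-interpreter rewrites
            out["interpreter"] = data[off:off + filesz].rstrip(b"\0").decode()
        elif p_type == PT_DYNAMIC:  # -z bindnow can appear as any of three tags
            for j in range(filesz // 16):
                tag, val = struct.unpack_from(DYN, data, off + j * 16)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (
                        tag == DT_FLAGS_1 and val & DF_1_NOW):
                    out["bind_now"] = True
    return out

def build_sample_elf(interp, pie=True, relro=True, bind_now=True) -> bytes:
    """Constructed test image: ELF64 header, three program headers, interp string, dynamic table."""
    interp_b, interp_off = interp.encode() + b"\0", 64 + 3 * 56
    dyn_off = interp_off + len(interp_b)
    dyn = struct.pack(DYN, DT_FLAGS_1, DF_1_NOW if bind_now else 0) + struct.pack(DYN, DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)  # 64-bit, little-endian, version 1
    ehdr = struct.pack(EHDR, ident, ET_DYN if pie else 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 3, 0, 0, 0)
    def ph(p_type, off, size):
        return struct.pack(PHDR, p_type, 4, off, off, off, size, size, 1)
    phdrs = ph(PT_INTERP, interp_off, len(interp_b)) + ph(PT_DYNAMIC, dyn_off, len(dyn))
    phdrs += ph(PT_GNU_RELRO if relro else 1, dyn_off, len(dyn))  # 1 = plain PT_LOAD
    return ehdr + phdrs + interp_b + dyn

if __name__ == "__main__":
    # Placeholder store path; real use: elf_hardening(open(path, "rb").read())
    print(elf_hardening(build_sample_elf("/nix/store/<hash>-glibc/lib/ld-linux-x86-64.so.2")))
```

`-fstack-protector-strong` and `_FORTIFY_SOURCE` leave their trace as imported symbols (`__stack_chk_fail`, the `*_chk` family) rather than in the headers, so they are outside what this check covers.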