From: Jakub Kądziołka
To: bug-guix@gnu.org
Cc: mhw@netris.org
Date: Tue, 31 Dec 2019 15:24:01 +0100
Subject: IceCat: some codecs don't work without workaround

Hello,

I had some problems with video codecs in IceCat 68.3.0-guix0-preview1.
For example, consider this page: http://demo.nimius.net/video_test/. By
default, the videos under the headings H.264 / AAC and MPEG4 don't work
("No video with supported format and MIME type found.").

The following steps make the first of these videos work:
1. Open about:config
2. Click "I accept the risk!"
3. Set security.sandbox.content.read_path_whitelist to /gnu/store/
   (the trailing / is important).

The instructions were originally sketched out in this help-guix
message:
https://lists.gnu.org/archive/html/help-guix/2019-12/msg00150.html

I believe it would be beneficial to make this a default.

On IRC, bandali suggested that it would be better to only whitelist the
necessary store subdirectories. I don't know how to gather such a list,
but it seems like a good idea.

I don't know how about:config entries modified by the user behave when
IceCat is updated, but in some of the behaviors I can imagine, the
config entry stops updating, in which case it would be better to add the
paths to some internal whitelist (I reckon such a whitelist already
exists and contains something like /usr/lib).

Regards,
Jakub Kądziołka

CC: mhw as suggested by nckx

From: Jakub Kądziołka
To: control@debbugs.gnu.org
Date: Wed, 15 Jan 2020 14:18:09 +0100
Subject: Merge bugs about IceCat sandboxing

merge 38831 39127
tags 38831 + patch

From: Mark H Weaver
To: Jakub Kądziołka
Cc: 38831-done@debbugs.gnu.org, 38045-done@debbugs.gnu.org
Date: Thu, 16 Jan 2020 01:24:50 -0500
Subject: Re: IceCat: some codecs don't work without workaround

Hi Jakub,

Jakub Kądziołka wrote:
> I had some problems with video codecs in IceCat 68.3.0-guix0-preview1.
> For example, consider this page: http://demo.nimius.net/video_test/. By
> default, the videos under the headings H.264 / AAC and MPEG4 don't work
> ("No video with supported format and MIME type found.").
>
> The following steps make the first of these videos work:
> 1. Open about:config
> 2. Click "I accept the risk!"
> 3. Set security.sandbox.content.read_path_whitelist to /gnu/store/
>    (the trailing / is important).
>
> The instructions were originally sketched out in this help-guix
> message:
> https://lists.gnu.org/archive/html/help-guix/2019-12/msg00150.html
>
> I believe it would be beneficial to make this a default.
>
> On IRC, bandali suggested that it would be better to only whitelist the
> necessary store subdirectories. I don't know how to gather such a list,
> but it seems like a good idea.

Thank you for bringing this to my attention. I agree with Amin Bandali
that a more precise whitelist is preferable. Moreover, I was not
comfortable whitelisting all of /gnu/store.

I'm glad to report that it appears to be sufficient to whitelist the
RUNPATH of libavcodec.so, plus the /share/mime/ directory from
shared-mime-info. I've implemented this in commit
429c8284d232c3f9fbe3dc87a3da323f3a864c03 and pushed it to 'master'.

> I don't know how about:config entries modified by the user behave when
> IceCat is updated, but in some of the behaviors I can imagine, the
> config entry stops updating,

As currently implemented, we now arrange to set the *default* value of
'security.sandbox.content.read_path_whitelist' to an appropriate
whitelist.

Users who have customized 'security.sandbox.content.read_path_whitelist'
to work around this issue should now erase that customization, by
right-clicking on its entry in , and clicking on "Reset".
It might also be necessary to restart IceCat after doing so.

> in which case it would be better to add the paths to some internal
> whitelist (I reckon such a whitelist already exists and contains
> something like /usr/lib).

I agree that it would be preferable, but I wasn't sufficiently motivated
to implement it. Feel free to propose a patch. I'm not sure it would
make much of a difference in practice though, because the net result for
anyone who has customized it to /gnu/store/ will be the same: until they
reset their customization, their effective whitelist will be all of
/gnu/store/*.

What do you think?

Anyway, thanks to everyone who contributed to this fix! I'm closing
both the older bug (38045) and the more recent duplicate (38831), but
feel free to reopen if appropriate.

      Mark

From: Julien Lepiller
To: bug-guix@gnu.org, Mark H Weaver, Jakub Kądziołka
Date: Thu, 16 Jan 2020 07:29:01 -0500
Subject: Re: bug#38831: IceCat: some codecs don't work without workaround

On 16 January 2020 01:24:50 GMT-05:00, Mark H Weaver wrote:
>Hi Jakub,
>
>Jakub Kądziołka wrote:
>> I had some problems with video codecs in IceCat 68.3.0-guix0-preview1.
>> For example, consider this page: http://demo.nimius.net/video_test/. By
>> default, the videos under the headings H.264 / AAC and MPEG4 don't work
>> ("No video with supported format and MIME type found.").
>>
>> The following steps make the first of these videos work:
>> 1. Open about:config
>> 2. Click "I accept the risk!"
>> 3. Set security.sandbox.content.read_path_whitelist to /gnu/store/
>>    (the trailing / is important).
>>
>> The instructions were originally sketched out in this help-guix
>> message:
>> https://lists.gnu.org/archive/html/help-guix/2019-12/msg00150.html
>>
>> I believe it would be beneficial to make this a default.
>>
>> On IRC, bandali suggested that it would be better to only whitelist the
>> necessary store subdirectories. I don't know how to gather such a list,
>> but it seems like a good idea.
>
>Thank you for bringing this to my attention. I agree with Amin Bandali
>that a more precise whitelist is preferable. Moreover, I was not
>comfortable whitelisting all of /gnu/store.
>
>I'm glad to report that it appears to be sufficient to whitelist the
>RUNPATH of libavcodec.so, plus the /share/mime/ directory from
>shared-mime-info. I've implemented this in commit
>429c8284d232c3f9fbe3dc87a3da323f3a864c03 and pushed it to 'master'.
>
>> I don't know how about:config entries modified by the user behave when
>> IceCat is updated, but in some of the behaviors I can imagine, the
>> config entry stops updating,
>
>As currently implemented, we now arrange to set the *default* value of
>'security.sandbox.content.read_path_whitelist' to an appropriate
>whitelist.
>
>Users who have customized 'security.sandbox.content.read_path_whitelist'
>to work around this issue should now erase that customization, by
>right-clicking on its entry in , and clicking on "Reset".
>It might also be necessary to restart IceCat after doing so.
>
>> in which case it would be better to add the paths to some internal
>> whitelist (I reckon such a whitelist already exists and contains
>> something like /usr/lib).
>
>I agree that it would be preferable, but I wasn't sufficiently motivated
>to implement it. Feel free to propose a patch. I'm not sure it would
>make much of a difference in practice though, because the net result for
>anyone who has customized it to /gnu/store/ will be the same: until they
>reset their customization, their effective whitelist will be all of
>/gnu/store/*.
>
>What do you think?
>
>Anyway, thanks to everyone who contributed to this fix! I'm closing
>both the older bug (38045) and the more recent duplicate (38831), but
>feel free to reopen if appropriate.
>
>      Mark

Hi,

Thanks for the fix! We'll need something similar for webgl (mesa and
dependencies at least), unless your patch already fixes it? I haven't
checked.

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Date: Fri, 14 Feb 2020 12:24:06 +0000
Subject: Internal Control

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
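
The narrower whitelist discussed in the thread (the RUNPATH of libavcodec.so plus the /share/mime/ directory, with leftover /gnu/store/ overrides to be reset) sketched as an added example; it is not code from the thread or from the Guix commit. It assumes the pref is a comma-separated list in which a trailing slash marks a directory, and that user overrides are stored as user_pref lines in the profile's prefs.js; the function names and store paths are constructed for illustration.

```python
import re

STORE = "/gnu/store/"  # store root named in the thread
PREF = "security.sandbox.content.read_path_whitelist"

# Assumption: user overrides live in the profile's prefs.js, one
# user_pref("name", "value"); statement per line.
_USER_PREF = re.compile(r'^\s*user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);', re.M)

# Constructed sample data; the store hashes are placeholders.
SAMPLE_RUNPATH = ("/gnu/store/aaaa-ffmpeg/lib:/gnu/store/bbbb-glibc/lib:"
                  "/gnu/store/aaaa-ffmpeg/lib")
SAMPLE_MIME_DIR = "/gnu/store/cccc-shared-mime-info/share/mime/"
SAMPLE_PREFS = (
    'user_pref("browser.startup.page", 3);\n'
    'user_pref("security.sandbox.content.read_path_whitelist", "/gnu/store/");\n'
)


def whitelist_from_runpath(runpath, mime_dir):
    """Build a pref value from RUNPATH directories plus the MIME directory."""
    entries = []
    for directory in runpath.split(":") + [mime_dir]:
        directory = directory.strip()
        if not directory:
            continue
        directory = directory.rstrip("/") + "/"  # trailing / marks a directory
        if directory not in entries:             # drop duplicate RUNPATH entries
            entries.append(directory)
    return ",".join(entries)


def audit_prefs(prefs_text):
    """Return (entry, finding) pairs for each user override of the whitelist."""
    findings = []
    for name, value in _USER_PREF.findall(prefs_text):
        if name != PREF:
            continue
        for entry in filter(None, (e.strip() for e in value.split(","))):
            if not entry.endswith("/"):
                findings.append((entry, "no trailing slash"))
            elif STORE.startswith(entry):
                findings.append((entry, "covers the whole store"))
            else:
                findings.append((entry, "override shadows the packaged default"))
    return findings


if __name__ == "__main__":
    print(whitelist_from_runpath(SAMPLE_RUNPATH, SAMPLE_MIME_DIR))
    for entry, finding in audit_prefs(SAMPLE_PREFS):
        print(f"{entry}: {finding}")
```

An entry counts as covering the whole store when it is /gnu/store/ itself or any ancestor directory such as /gnu/ or /.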