From: Mark H Weaver
Date: Tue, 06 Apr 2021 18:46:14 -0400
Subject: bug#47628: Epiphany fails to launch after webkitgtk-2.32.0 update

FYI, since updating to webkitgtk-2.32.0 (commit
3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
window appears, although GNOME Shell shows an empty outline in overview
mode, as if there's a window but it has never been painted.

When running 'epiphany' from the command line, I see the following
warning from 'bwrap', which indicates that it's looking in /usr/bin:

--8<---------------cut here---------------start------------->8---
mhw@jojen ~$ epiphany

** (epiphany:1016): WARNING **: 18:36:48.495: Registering special URI scheme ftp is no longer allowed
bwrap: Can't find source path /usr/bin: No such file or directory
--8<---------------cut here---------------end--------------->8---

I wonder if this only works when Guix is run on top of a more
traditional OS that has /usr/bin.

Is anyone successfully able to use Epiphany on a pure Guix system
(without /usr/bin) with Webkitgtk-2.32.0? (The Webkitgtk version is
shown in the "About Web" window, which is accessible from the hamburger
menu.)

      Mark

From: Mark H Weaver
Date: Tue, 06 Apr 2021 19:04:06 -0400
Subject: bug#47628: webkitgtk-2.32.0 is broken on my system (was Re: bug#47628: Epiphany fails to launch after webkitgtk-2.32.0 update)

retitle 47628 webkitgtk-2.32.0 is broken on my system
thanks

Mark H Weaver writes:

> FYI, since updating to webkitgtk-2.32.0 (commit
> 3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
> window appears, although GNOME Shell shows an empty outline in overview
> mode, as if there's a window but it has never been painted.
>
> When running 'epiphany' from the command line, I see the following
> warning from 'bwrap', which indicates that it's looking in /usr/bin:

I see exactly the same behavior with 'eolie': the window never appears,
(except for an outline in GNOME Shell's overview mode), and I see the
same warning:

  "bwrap: Can't find source path /usr/bin: No such file or directory"

In both cases, if I try to close the phantom window from overview mode,
it informs me that the application is not responding, and I have to
force quit to make the phantom window go away.

      Mark

From: Guillaume Le Vaillant
Date: Wed, 07 Apr 2021 09:35:48 +0200
Subject: bug#47628: webkitgtk-2.32.0 is broken on my system

Mark H Weaver wrote:

> retitle 47628 webkitgtk-2.32.0 is broken on my system
> thanks
>
> Mark H Weaver writes:
>
>> FYI, since updating to webkitgtk-2.32.0 (commit
>> 3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
>> window appears, although GNOME Shell shows an empty outline in overview
>> mode, as if there's a window but it has never been painted.
>>
>> When running 'epiphany' from the command line, I see the following
>> warning from 'bwrap', which indicates that it's looking in /usr/bin:
>
> I see exactly the same behavior with 'eolie': the window never appears,
> (except for an outline in GNOME Shell's overview mode), and I see the
> same warning:
>
>   "bwrap: Can't find source path /usr/bin: No such file or directory"
>
> In both cases, if I try to close the phantom window from overview mode,
> it informs me that the application is not responding, and I have to
> force quit to make the phantom window go away.
>
>       Mark

On my Guix system, epiphany with webkitgtk-2.32.0 seems to work fine
(with Guix at commit 14392c77896561c5846c0f3a0588720792d61e95).
The window appears and I can browse websites, and it doesn't print any
error about 'bwrap'.
I'm using StumpWM and not Gnome Shell; I don't know if it has an impact
on epiphany's behavior.

From: Efraim Flashner
Date: Thu, 8 Apr 2021 11:22:49 +0300
Subject: bug#47628: webkitgtk-2.32.0 is broken on my system

On Wed, Apr 07, 2021 at 09:35:48AM +0200, Guillaume Le Vaillant wrote:
> Mark H Weaver wrote:
>
> > retitle 47628 webkitgtk-2.32.0 is broken on my system
> > thanks
> >
> > Mark H Weaver writes:
> >
> >> FYI, since updating to webkitgtk-2.32.0 (commit
> >> 3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
> >> window appears, although GNOME Shell shows an empty outline in overview
> >> mode, as if there's a window but it has never been painted.
> >>
> >> When running 'epiphany' from the command line, I see the following
> >> warning from 'bwrap', which indicates that it's looking in /usr/bin:
> >
> > I see exactly the same behavior with 'eolie': the window never appears,
> > (except for an outline in GNOME Shell's overview mode), and I see the
> > same warning:
> >
> >   "bwrap: Can't find source path /usr/bin: No such file or directory"
> >
> > In both cases, if I try to close the phantom window from overview mode,
> > it informs me that the application is not responding, and I have to
> > force quit to make the phantom window go away.
> >
> >       Mark
>
> On my Guix system, epiphany with webkitgtk-2.32.0 seems to work fine
> (with Guix at commit 14392c77896561c5846c0f3a0588720792d61e95).
> The window appears and I can browse websites, and it doesn't print any
> error about 'bwrap'.
> I'm using StumpWM and not Gnome Shell; I don't know if it has an impact
> on epiphany's behavior.

It "works" for me on bb4f47a7f614eea78a8c8a0d3e5fc55bf4e52646, using Guix
System with Enlightenment. I get errors about not committing changes to
dconf and I'm unable to change settings in preferences. Does your system
have /bin/sh or /usr/bin/env? That's the only thing I have in /usr/bin.

-- 
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

From: Mark H Weaver
Date: Thu, 08 Apr 2021 10:19:37 -0400
Subject: bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin/env

retitle 47628 webkitgtk-2.32.0 fails to launch without /usr/bin/env
thanks

Hi Efraim,

Efraim Flashner writes:

> It "works" for me on bb4f47a7f614eea78a8c8a0d3e5fc55bf4e52646, using Guix
> System with Enlightenment. I get errors about not committing changes to
> dconf and I'm unable to change settings in preferences. Does your system
> have /bin/sh or /usr/bin/env? That's the only thing I have in /usr/bin.

That's it! I have /bin/sh but not /usr/bin/env. Adding /usr/bin/env
fixes the problem for me.

It would be good to eliminate that dependency. If webkitgtk is using
/usr/bin/env from within its sandbox, that's worrisome. I want it using
software components determined at build time. I do *not* want it
searching in PATH for things.

To be continued...

      Mark

From: Mark H Weaver
To: control@debbugs.gnu.org
Date: Thu, 08 Apr 2021 10:20:07 -0400

retitle 47628 webkitgtk-2.32.0 fails to launch without /usr/bin/env
thanks

From: Mark H Weaver
Date: Thu, 08 Apr 2021 10:32:38 -0400
Subject: bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin

retitle 47628 webkitgtk-2.32.0 fails to launch without /usr/bin
thanks

Earlier, I wrote:

> That's it! I have /bin/sh but not /usr/bin/env. Adding /usr/bin/env
> fixes the problem for me.

Actually, it suffices for /usr/bin to exist as an empty directory.
/usr/bin/env is never actually used.

      Mark

From: Mark H Weaver
Date: Thu, 08 Apr 2021 11:07:31 -0400
Subject: bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin

I suspect that the relevant bit that needs to be changed is line 779 of
the following file in the webkitgtk-2.32.0 source code:

  Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp

Most likely, that line can simply be deleted. Here's the relevant
excerpt, with line 779 marked by "==>":

--8<---------------cut here---------------start------------->8---
GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const ProcessLauncher::LaunchOptions& launchOptions, char** argv, GError **error)
{
    ASSERT(launcher);

    // For now we are just considering the network process trusted as it
    // requires a lot of access but doesn't execute arbitrary code like
    // the WebProcess where our focus lies.
    if (launchOptions.processType == ProcessLauncher::ProcessType::Network)
        return adoptGRef(g_subprocess_launcher_spawnv(launcher, argv, error));

    const char* runDir = g_get_user_runtime_dir();
    Vector<CString> sandboxArgs = {
        "--die-with-parent",
        "--unshare-pid",
        "--unshare-uts",

        // We assume /etc has safe permissions.
        // At a later point we can start masking privacy-concerning files.
        "--ro-bind", "/etc", "/etc",
        "--dev", "/dev",
        "--proc", "/proc",
        "--tmpfs", "/tmp",
        "--unsetenv", "TMPDIR",
        "--dir", runDir,
        "--setenv", "XDG_RUNTIME_DIR", runDir,
        "--symlink", "../run", "/var/run",
        "--symlink", "../tmp", "/var/tmp",
        "--ro-bind", "/sys/block", "/sys/block",
        "--ro-bind", "/sys/bus", "/sys/bus",
        "--ro-bind", "/sys/class", "/sys/class",
        "--ro-bind", "/sys/dev", "/sys/dev",
        "--ro-bind", "/sys/devices", "/sys/devices",

        "--ro-bind-try", "/usr/share", "/usr/share",
        "--ro-bind-try", "/usr/local/share", "/usr/local/share",
        "--ro-bind-try", DATADIR, DATADIR,

        // Bind mount the store inside the WebKitGTK sandbox.
        "--ro-bind", "@storedir@", "@storedir@",

        // We only grant access to the libdirs webkit is built with and
        // guess system libdirs. This will always have some edge cases.
        "--ro-bind-try", "/lib", "/lib",
        "--ro-bind-try", "/usr/lib", "/usr/lib",
        "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
        "--ro-bind-try", LIBDIR, LIBDIR,
        "--ro-bind-try", "/lib64", "/lib64",
        "--ro-bind-try", "/usr/lib64", "/usr/lib64",
        "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",

        "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
    };

    if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
        sandboxArgs.appendVector(Vector<CString>({
==>         "--ro-bind", "/usr/bin", "/usr/bin",
            // This is a lot of access, but xdg-dbus-proxy is trusted so that's OK. It's sandboxed
            // only because we have to mount .flatpak-info in its mount namespace. The user rundir
            // is where we mount our proxy socket.
            "--bind", runDir, runDir,
        }));
    } else {
        // xdg-dbus-proxy needs access to host abstract sockets to connect to the a11y bus. Secure
        // host services must not use abstract sockets. Otherwise, only the network process should
        // have network access, and the network process is not sandboxed at all.
        sandboxArgs.appendVector(Vector<CString>({
            "--unshare-net"
        }));
    }
--8<---------------cut here---------------end--------------->8---

      Mark

From: Efraim Flashner
Date: Fri, 9 Apr 2021 13:09:03 +0300
Subject: bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin

On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
> I suspect that the relevant bit that needs to be changed is line 779 of
> the following file in the webkitgtk-2.32.0 source code:
>
>   Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
>
> Most likely, that line can simply be deleted. Here's the relevant
> excerpt, with line 779 marked by "==>":

Looking at the other lines above it, we could just change it from
ro-bind to ro-bind-try.

>
> --8<---------------cut here---------------start------------->8---
> GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const ProcessLauncher::LaunchOptions& launchOptions, char** argv, GError **error)
> {
>     ASSERT(launcher);
>
>     // For now we are just considering the network process trusted as it
>     // requires a lot of access but doesn't execute arbitrary code like
>     // the WebProcess where our focus lies.
>     if (launchOptions.processType == ProcessLauncher::ProcessType::Network)
>         return adoptGRef(g_subprocess_launcher_spawnv(launcher, argv, error));
>
>     const char* runDir = g_get_user_runtime_dir();
>     Vector<CString> sandboxArgs = {
>         "--die-with-parent",
>         "--unshare-pid",
>         "--unshare-uts",
>
>         // We assume /etc has safe permissions.
>         // At a later point we can start masking privacy-concerning files.
>         "--ro-bind", "/etc", "/etc",
>         "--dev", "/dev",
>         "--proc", "/proc",
>         "--tmpfs", "/tmp",
>         "--unsetenv", "TMPDIR",
>         "--dir", runDir,
>         "--setenv", "XDG_RUNTIME_DIR", runDir,
>         "--symlink", "../run", "/var/run",
>         "--symlink", "../tmp", "/var/tmp",
>         "--ro-bind", "/sys/block", "/sys/block",
>         "--ro-bind", "/sys/bus", "/sys/bus",
>         "--ro-bind", "/sys/class", "/sys/class",
>         "--ro-bind", "/sys/dev", "/sys/dev",
>         "--ro-bind", "/sys/devices", "/sys/devices",
>
>         "--ro-bind-try", "/usr/share", "/usr/share",
>         "--ro-bind-try", "/usr/local/share", "/usr/local/share",
>         "--ro-bind-try", DATADIR, DATADIR,
>
>         // Bind mount the store inside the WebKitGTK sandbox.
>         "--ro-bind", "@storedir@", "@storedir@",
>
>         // We only grant access to the libdirs webkit is built with and
>         // guess system libdirs. This will always have some edge cases.
>         "--ro-bind-try", "/lib", "/lib",
>         "--ro-bind-try", "/usr/lib", "/usr/lib",
>         "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
>         "--ro-bind-try", LIBDIR, LIBDIR,
>         "--ro-bind-try", "/lib64", "/lib64",
>         "--ro-bind-try", "/usr/lib64", "/usr/lib64",
>         "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
>
>         "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
>     };
>
>     if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
>         sandboxArgs.appendVector(Vector<CString>({
> ==>         "--ro-bind", "/usr/bin", "/usr/bin",
>             // This is a lot of access, but xdg-dbus-proxy is trusted so that's OK. It's sandboxed
>             // only because we have to mount .flatpak-info in its mount namespace. The user rundir
>             // is where we mount our proxy socket.
>             "--bind", runDir, runDir,
>         }));
>     } else {
>         // xdg-dbus-proxy needs access to host abstract sockets to connect to the a11y bus. Secure
>         // host services must not use abstract sockets. Otherwise, only the network process should
>         // have network access, and the network process is not sandboxed at all.
>         sandboxArgs.appendVector(Vector<CString>({
>             "--unshare-net"
>         }));
>     }
> --8<---------------cut here---------------end--------------->8---
>
>       Mark

-- 
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted


From: Mark H Weaver
Date: Tue, 13 Apr 2021 15:22:47 -0400

Hi Efraim,

Efraim Flashner writes:

> On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
>> I suspect that the relevant bit that needs to be changed is line 779 of
>> the following file in the webkitgtk-2.32.0 source code:
>>
>>   Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
>>
>> Most likely, that line can simply be deleted.  Here's the relevant
>> excerpt, with line 779 marked by "==>":
>
> Looking at the other lines above it, we could just change it from
> ro-bind to ro-bind-try.

I expect that would work, but why should we give the sandbox access to
/usr/bin at all?  I took a different approach: I removed access to *all*
of the FHS directories, since they should not be needed for a
Guix-compiled package.

Below, I've attached the patch that I'm currently using successfully on
my private branch of Guix.

What do you think?

    Thanks,
      Mark

[Attachment: 0001-DRAFT-gnu-webkitgtk-Trim-system-dirs-made-available-.patch]

From 4a10e1deb63d1b2227a0bcc60a17ddb9af7b8cc3 Mon Sep 17 00:00:00 2001
From: Mark H Weaver Date: Thu, 8 Apr 2021 11:27:55 -0400 Subject: [PATCH] DRAFT: gnu: webkitgtk: Trim system dirs made available to sandbox. * gnu/packages/patches/webkitgtk-share-store.patch: Adjust patch. --- .../patches/webkitgtk-share-store.patch | 46 ++++++++++++++----- 1 file changed, 34 insertions(+), 12 deletions(-) diff --git a/gnu/packages/patches/webkitgtk-share-store.patch b/gnu/packages/patches/webkitgtk-share-store.patch index 053d86fcf4..c02157076e 100644 --- a/gnu/packages/patches/webkitgtk-share-store.patch +++ b/gnu/packages/patches/webkitgtk-share-store.patch @@ -1,19 +1,41 @@ -Tell bubblewrap to share the store. Required for programs that use the +Tell bubblewrap to share the store, and _not_ to share traditional FHS +directories that are not used in Guix. Required for programs that use the sandboxing features such as Epiphany. -See . -Author: Jack Hill ---- +See and . +Authors: Jack Hill and Mark H Weaver . + diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp --- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp 
+++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp -@@ -737,6 +737,9 @@ GRefPtr bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces - "--ro-bind-try", "/usr/local/share", "/usr/local/share", +@@ -749,26 +749,18 @@ + "--ro-bind", "/sys/dev", "/sys/dev", + "--ro-bind", "/sys/devices", "/sys/devices", + +- "--ro-bind-try", "/usr/share", "/usr/share", +- "--ro-bind-try", "/usr/local/share", "/usr/local/share", "--ro-bind-try", DATADIR, DATADIR, -+ // Bind mount the store inside the WebKitGTK sandbox. -+ "--ro-bind", "@storedir@", "@storedir@", -+ - // We only grant access to the libdirs webkit is built with and - // guess system libdirs. This will always have some edge cases. - "--ro-bind-try", "/lib", "/lib", +- // We only grant access to the libdirs webkit is built with and +- // guess system libdirs. This will always have some edge cases. +- "--ro-bind-try", "/lib", "/lib", +- "--ro-bind-try", "/usr/lib", "/usr/lib", +- "--ro-bind-try", "/usr/local/lib", "/usr/local/lib", +- "--ro-bind-try", LIBDIR, LIBDIR, +- "--ro-bind-try", "/lib64", "/lib64", +- "--ro-bind-try", "/usr/lib64", "/usr/lib64", +- "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64", ++ // Bind mount the store inside the WebKitGTK sandbox. ++ "--ro-bind", "@storedir@", "@storedir@", + ++ // We only grant access to the libdirs webkit is built with. ++ "--ro-bind-try", LIBDIR, LIBDIR, + "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR, + }; + + if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) { + sandboxArgs.appendVector(Vector({ +- "--ro-bind", "/usr/bin", "/usr/bin", + // This is a lot of access, but xdg-dbus-proxy is trusted so that's OK. It's sandboxed + // only because we have to mount .flatpak-info in its mount namespace. The user rundir + // is where we mount our proxy socket. 
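Review bot: In the DBusProxy branch at the end of the rewritten hunk, the "--ro-bind", "/usr/bin", "/usr/bin" line is dropped with nothing put in its place, so the proxy executable is reachable inside the sandbox only through the "@storedir@" bind; the description at the top of the patch file should say that this is relied on, because the visible lines do not show how the proxy path is resolved. The changelog entry "Adjust patch." should also name what is removed (/usr/share, /usr/local/share, the /lib, /usr/lib, /usr/local/lib and lib64 guesses, and /usr/bin), and the file name webkitgtk-share-store.patch no longer describes the whole change now that it trims the FHS binds as well as sharing the store.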
-- 
2.31.1

From: Efraim Flashner
Subject: bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
Date: Wed, 14 Apr 2021 18:22:29 +0300

On Tue, Apr 13, 2021 at 03:22:47PM -0400, Mark H Weaver wrote:
> Hi Efraim,
>
> Efraim Flashner writes:
>
> > On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
> >> I suspect that the relevant bit that needs to be changed is line 779 of
> >> the following file in the webkitgtk-2.32.0 source code:
> >>
> >>   Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
> >>
> >> Most likely, that line can simply be deleted.  Here's the relevant
> >> excerpt, with line 779 marked by "==>":
> >
> > Looking at the other lines above it, we could just change it from
> > ro-bind to ro-bind-try.
>
> I expect that would work, but why should we give the sandbox access to
> /usr/bin at all?  I took a different approach: I removed access to *all*
> of the FHS directories, since they should not be needed for a
> Guix-compiled package.
>
> Below, I've attached the patch that I'm currently using successfully on
> my private branch of Guix.
>
> What do you think?
>

Since we should be linking to any libraries we need anyway and patching
any calls out to other binaries then I suppose this should work. I
suggested ro-bind-try to minimize the patch size.

-- 
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Mark H Weaver
Subject: bug#47628: closed (Re: bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin)
Date: Fri, 18 Mar 2022 02:48:02 +0000

Your bug report

#47628: webkitgtk-2.32.0 fails to launch without /usr/bin

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 47628@debbugs.gnu.org.

-- 
47628: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=47628
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Maxim Cournoyer
To: Mark H Weaver
Subject: Re: bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
Date: Thu, 17 Mar 2022 22:47:10 -0400

Hi Mark,

Mark H Weaver writes:

> Hi Efraim,
>
> Efraim Flashner writes:
>
>> On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
>>> I suspect that the relevant bit that needs to be changed is line 779 of
>>> the following file in the webkitgtk-2.32.0 source code:
>>>
>>>   Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
>>>
>>> Most likely, that line can simply be deleted.  Here's the relevant
>>> excerpt, with line 779 marked by "==>":
>>
>> Looking at the other lines above it, we could just change it from
>> ro-bind to ro-bind-try.
>
> I expect that would work, but why should we give the sandbox access to
> /usr/bin at all?  I took a different approach: I removed access to *all*
> of the FHS directories, since they should not be needed for a
> Guix-compiled package.
>
> Below, I've attached the patch that I'm currently using successfully on
> my private branch of Guix.
>
> What do you think?

Our webkitgtk package is patched in such a way (and more) since commit
b9a4705f80e89fff3b65288cbbe8df73a365aee3.

Thanks,

Maxim
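
The failure this thread turns on, as an added example that is not part of the thread and is not WebKitGTK or Guix code: a hard --ro-bind whose source is absent makes bwrap exit, while --ro-bind-try skips the missing source, and the script below checks an argument list for that before launch. The function names, the ROOT prefix argument, and the sample paths /gnu/store (standing in for @storedir@) and /run/user/1000 (standing in for runDir) are assumptions of the example, and only a subset of the binds from the excerpt is listed.

```sh
#!/bin/sh
# Added example (not WebKitGTK or Guix code): preflight a bwrap argument list.

# bwrap_preflight ROOT ARG...
#   ROOT is prepended to every bind source; pass "" to test the real
#   filesystem. It is an assumption of this example, used for scratch trees.
# Prints OK/SKIP/FAIL per bind source. Returns 1 if a hard bind source is
# missing and 2 if an option is outside the set handled here.
bwrap_preflight() {
    pf_root=$1; shift
    pf_status=0
    while [ "$#" -gt 0 ]; do
        # Number of argv slots each option occupies, itself included.
        case $1 in
            --bind|--ro-bind|--dev-bind) pf_n=3 ;;
            --bind-try|--ro-bind-try|--dev-bind-try) pf_n=3 ;;
            --symlink|--setenv) pf_n=3 ;;
            --dev|--proc|--tmpfs|--dir|--unsetenv) pf_n=2 ;;
            --die-with-parent|--unshare-pid|--unshare-uts|--unshare-net) pf_n=1 ;;
            *) echo "UNKNOWN $1"; return 2 ;;
        esac
        if [ "$#" -lt "$pf_n" ]; then echo "TRUNCATED $1"; return 2; fi
        case $1 in
            --bind|--ro-bind|--dev-bind)
                # Hard bind: bwrap exits with "Can't find source path".
                if [ -e "$pf_root$2" ]; then echo "OK $1 $2"
                else echo "FAIL $1 $2"; pf_status=1; fi ;;
            --bind-try|--ro-bind-try|--dev-bind-try)
                # -try variant: a missing source is ignored.
                if [ -e "$pf_root$2" ]; then echo "OK $1 $2"
                else echo "SKIP $1 $2"; fi ;;
        esac
        shift "$pf_n"
    done
    return "$pf_status"
}

# Constructed scratch root resembling a Guix System: a store, no /usr tree.
make_guix_like_root() {
    gl_root=$(mktemp -d) || return 1
    mkdir -p "$gl_root/etc" "$gl_root/gnu/store" "$gl_root/run/user/1000"
    echo "$gl_root"
}

# proxy_args_check ROOT VARIANT
# A subset of the DBusProxy arguments in the three variants from the thread.
# /gnu/store stands in for @storedir@ and /run/user/1000 for runDir; both
# are constructed values.
proxy_args_check() {
    pa_root=$1
    case $2 in
        upstream) set -- --ro-bind /usr/bin /usr/bin ;;      # webkitgtk-2.32.0
        try)      set -- --ro-bind-try /usr/bin /usr/bin ;;  # minimal change
        trimmed)  set -- ;;                                  # line removed
        *) return 2 ;;
    esac
    bwrap_preflight "$pa_root" \
        --die-with-parent --unshare-pid --unshare-uts \
        --ro-bind /etc /etc --tmpfs /tmp --unsetenv TMPDIR \
        --ro-bind /gnu/store /gnu/store \
        "$@" --bind /run/user/1000 /run/user/1000
}

demo() {
    d_root=$(make_guix_like_root) || return 1
    for d_v in upstream try trimmed; do
        echo "== $d_v"
        proxy_args_check "$d_root" "$d_v" || echo "bwrap would refuse to start"
    done
    rm -rf "$d_root"
}
demo
```

With ROOT set to "" the same function checks a real argument list against the running system, which on a system without /usr/bin reproduces the condition behind the "Can't find source path /usr/bin" message in the original report.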