GNU bug report logs - #76616
[PATCH 0/2] gnu: librewolf: Allow installation of unsigned extensions.

Package: guix-patches;

Reported by: Mike Jones <mike <at> mjones.io>

Date: Thu, 27 Feb 2025 18:53:02 UTC

Severity: normal

Tags: patch

Done: Ian Eure <ian <at> retrospec.tv>

Bug is archived. No further changes may be made.

From: Ian Eure <ian <at> retrospec.tv>
To: Mike Jones <mike <at> mjones.io>
Cc: André Batista <nandre <at> riseup.net>, Mark H Weaver <mhw <at> netris.org>, Jonathan Brielmaier <jonathan.brielmaier <at> web.de>, 76616 <at> debbugs.gnu.org, Clément Lassieur <clement <at> lassieur.org>
Subject: [bug#76616] [PATCH 0/2] gnu: librewolf: Allow installation of unsigned extensions.
Date: Thu, 27 Feb 2025 21:09:50 -0800

Hi Mike,

Mike Jones <mike <at> mjones.io> writes:

> The librewolf package does not allow extensions to be installed unless
> they are signed by Mozilla's key. Even though there is an about:config
> option "xpinstall.signatures.required", setting this to false still
> doesn't allow it. It turns out that one needs to compile librewolf with
> the option MOZ_REQUIRE_SIGNING= to permit this.
>
> I hope you'll agree that forbidding users from running software on their
> own machines is not in the spirit of free software. While there may be
> security advantages to enforcing signing (if you trust Mozilla), it can
> still be enabled with the aforementioned about:config option, even when
> compiled using this new option.

I definitely agree that unsigned extensions should be allowed.  Do 
you have an example of one I could use for testing?


> For what it's worth, upstream librewolf sets this option in their
> default mozconfig:
>
> https://codeberg.org/librewolf/source/src/commit/9478c8a016460d883ee050f90a4c4410d210bb91/assets/mozconfig.new#L24

Thanks for pointing this out and sending a patch.  I think it’d be 
best if we used their config with just the Guix-specific changes 
added, like --prefix.  This has some important stuff, and it’d be 
better to let upstream handle that than risk missing something 
because the Guix config has drifted out of sync.

Would you be willing to contribute a patch which does that?  If 
not, that’s no problem, I’m working on the patches for 135.0.1 
already, and could do that at the same time.

Either way, thank you very much for the report, it’s certainly an 
oversight that needs to be corrected.

Thanks,

 -- Ian
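
The drift concern raised in the message above can be checked mechanically. The following is an added example, not part of the original e-mail and not Guix or LibreWolf code: it compares a packaged mozconfig against upstream's and reports settings that are missing, changed or extra, while allowing distro-specific options such as --prefix. The function names, the `local_names` parameter and both sample files are constructed for illustration, and the parser assumes one simple directive per line even though a real mozconfig is a shell script.

```python
# Constructed sample mozconfigs; not the real upstream or Guix files.
UPSTREAM = """\
# upstream defaults
ac_add_options --enable-application=browser
ac_add_options --disable-updater
export MOZ_REQUIRE_SIGNING=
"""
DOWNSTREAM = """\
ac_add_options --enable-application=browser
ac_add_options --prefix=/constructed/install/prefix
ac_add_options --disable-updater
ac_add_options --disable-tests
"""


def parse_mozconfig(text):
    """Map (directive, name) -> value for each non-comment line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, rest = line.partition(" ")
        # "export MOZ_REQUIRE_SIGNING=" yields name with an empty value.
        name, _, value = rest.strip().partition("=")
        settings[(kind, name)] = value
    return settings


def drift(upstream, downstream, local_names=("--prefix",)):
    """Report how the downstream config diverges from upstream.

    local_names lists option names the distro is expected to add itself
    (hypothetical allowlist), so they are not reported as extras.
    """
    up, down = parse_mozconfig(upstream), parse_mozconfig(downstream)
    return {
        "missing": sorted(k for k in up if k not in down),
        "changed": sorted(k for k in up if k in down and up[k] != down[k]),
        "extra": sorted(k for k in down
                        if k not in up and k[1] not in local_names),
    }


if __name__ == "__main__":
    for kind, keys in drift(UPSTREAM, DOWNSTREAM).items():
        for directive, name in keys:
            print(f"{kind}: {directive} {name}")
```
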




This bug report was last modified 39 days ago.
