diff options
-rw-r--r-- | .SRCINFO | 10 | ||||
-rw-r--r-- | 0003-Bug-1820416-Use-correct-FFVPX-headers-from-ffmpeg-6..patch | 24 | ||||
-rw-r--r-- | 0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch | 165 | ||||
-rw-r--r-- | 0005-enable-vaapi.patch (renamed from 0003-enable-vaapi.patch) | 0 | ||||
-rw-r--r-- | PKGBUILD | 20 |
5 files changed, 214 insertions, 5 deletions
@@ -1,7 +1,7 @@ pkgbase = firefox-vaapi pkgdesc = Standalone web browser from mozilla.org (with VA-API patches) pkgver = 110.0.1 - pkgrel = 2 + pkgrel = 4 url = https://www.mozilla.org/firefox/ arch = x86_64 license = GPL @@ -55,19 +55,25 @@ pkgbase = firefox-vaapi source = firefox.desktop source = identity-icons-brand.svg source = 0001-libwebrtc-screen-cast-sync.patch - source = 0003-enable-vaapi.patch + source = 0003-Bug-1820416-Use-correct-FFVPX-headers-from-ffmpeg-6..patch + source = 0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch + source = 0005-enable-vaapi.patch validpgpkeys = 14F26682D0916CDD81E37B6D61B7B526D98F0353 sha256sums = f19bb74d684b992625abca68f5776198974cd2785eb5d02d51ba007fc998491f sha256sums = SKIP sha256sums = 298eae9de76ec53182f38d5c549d0379569916eebf62149f9d7f4a7edef36abf sha256sums = a9b8b4a0a1f4a7b4af77d5fc70c2686d624038909263c795ecc81e0aec7711e9 sha256sums = 43c83101b7ad7dba6f5fffeb89b70a661a547d506a031ea2beada42ccf04eec7 + sha256sums = be9ba079a931d5e881ce38430d418cc834e8c6b157af6c79ea267998caece806 + sha256sums = e4193f0a31a11ec6f5e16ac8d25c866867742d2c6917f34a87d73fa35eb55c55 sha256sums = f2b19e14d8add13930e2ce89fa5e1b252ac979c8177a78a6fa3eb4ae2ad56633 b2sums = ff196016e0271f7828163b8f767f3321b5ee08ef6bd0b03b134e17a1e5b62666f10ae80a14569438f6ac1c995a7a8422265eaabbc505b6a86e95a66b5db07209 b2sums = SKIP b2sums = e18f2c22e394ca3b6758bc130245b254947e4d15921be3da443d6d7c3c4b0d22ead1b39fbc10a4f896edd19e2a1dffbd1cbb34dc4beb0621a6ddb70ccc53b3a7 b2sums = 63a8dd9d8910f9efb353bed452d8b4b2a2da435857ccee083fc0c557f8c4c1339ca593b463db320f70387a1b63f1a79e709e9d12c69520993e26d85a3d742e34 b2sums = 2bf65874c8c1f41c9273b68d74f4fe5c81dca5acbad0b9a5f917df1d46e1b2a1fb25d42a419eb885e76f4d193483cdeb6294e14ed4b2e241c34b84565b6ffd72 + b2sums = be47c370c1b765921a6ffbb0eeaceaabc26483629b2ebd73c38f36b3ac418d1746fa021b5d444264641ff7c0c13e688a752758bd75c84e0297aceeaec0062ff2 + b2sums = 219ad84cbd9fe6284e61ded5813c1ca36158067e796ae6532cacfe9aeeb7c716c0382d991df5026c3f880dd39c271c6478bc4f56d4cecb14baa05921cf4dd567 b2sums = 35a18c4fefac69bdbcabb5c0005a2cc3afb640a09ab92a9025c3d627a5be8857da7d182f203be55d1e64a07dd1d88d56247d8131bd45c7fa6e18526b30624a71 pkgname = firefox-vaapi diff --git a/0003-Bug-1820416-Use-correct-FFVPX-headers-from-ffmpeg-6..patch b/0003-Bug-1820416-Use-correct-FFVPX-headers-from-ffmpeg-6..patch new file mode 100644 index 000000000000..b0381041d9ae --- /dev/null +++ b/0003-Bug-1820416-Use-correct-FFVPX-headers-from-ffmpeg-6..patch @@ -0,0 +1,24 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: stransky <stransky@redhat.com> +Date: Thu, 9 Mar 2023 13:16:19 +0000 +Subject: [PATCH] Bug 1820416 Use correct FFVPX headers from ffmpeg 6.0 + r=padenot + +Differential Revision: https://phabricator.services.mozilla.com/D172116 +--- + dom/media/platforms/ffmpeg/ffvpx/moz.build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/dom/media/platforms/ffmpeg/ffvpx/moz.build b/dom/media/platforms/ffmpeg/ffvpx/moz.build +index 188b866fc9de..cda0960787a5 100644 +--- a/dom/media/platforms/ffmpeg/ffvpx/moz.build ++++ b/dom/media/platforms/ffmpeg/ffvpx/moz.build +@@ -20,7 +20,7 @@ SOURCES += [ + ] + LOCAL_INCLUDES += [ + "..", +- "../ffmpeg59/include", ++ "../ffmpeg60/include", + "/media/mozva", + ] + diff --git a/0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch b/0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch new file mode 100644 index 000000000000..eb75f7f90e0c --- /dev/null +++ b/0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch @@ -0,0 +1,165 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Dennis Jackson <djackson@mozilla.com> +Date: Thu, 9 Mar 2023 22:05:17 +0000 +Subject: [PATCH] Bug 1821359: Disable TLS Key Pinning for Twitter Domains. + r=keeler, a=dmeehan + +This patch removes Twitter domains from the list of sites we statically pin in Firefox +and regenerates the associated headers. Note that the Twitter domains are still +imported from Chrome's list of pins, but now have the test flag set, making them inert. + +Differential Revision: https://phabricator.services.mozilla.com/D172161 +--- + security/manager/ssl/StaticHPKPins.h | 18 ++++++++-------- + security/manager/tools/PreloadedHPKPins.json | 22 ++------------------ + 2 files changed, 11 insertions(+), 29 deletions(-) + +diff --git a/security/manager/ssl/StaticHPKPins.h b/security/manager/ssl/StaticHPKPins.h +index 3adda637832a..e558393a3218 100644 +--- a/security/manager/ssl/StaticHPKPins.h ++++ b/security/manager/ssl/StaticHPKPins.h +@@ -602,26 +602,26 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = { + { "admin.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "android.com", true, false, false, -1, &kPinset_google_root_pems }, + { "api.accounts.firefox.com", true, false, true, 5, &kPinset_mozilla_services }, +- { "api.twitter.com", true, false, false, -1, &kPinset_twitterCDN }, ++ { "api.twitter.com", true, true, false, -1, &kPinset_twitterCDN }, + { "apis.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "appengine.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "apps.facebook.com", true, false, false, -1, &kPinset_facebook }, + { "appspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "at.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, + { "au.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, + { "aus4.mozilla.org", true, true, true, 3, &kPinset_mozilla_services }, + { "aus5.mozilla.org", true, true, true, 7, &kPinset_mozilla_services }, + { "az.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, + { "be.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, + { "bi.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, + { "blog.torproject.org", true, false, false, -1, &kPinset_tor }, + { "blogger.com", true, false, false, -1, &kPinset_google_root_pems }, + { "blogspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "br.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, + { "bugs.chromium.org", true, false, false, -1, &kPinset_google_root_pems }, + { "build.chromium.org", true, false, false, -1, &kPinset_google_root_pems }, + { "business.facebook.com", true, false, false, -1, &kPinset_facebook }, +- { "business.twitter.com", true, false, false, -1, &kPinset_twitterCom }, ++ { "business.twitter.com", true, true, false, -1, &kPinset_twitterCom }, + { "ca.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, + { "calendar.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "cd.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, +@@ -661,7 +661,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = { + { "ct.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, + { "datastudio.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "de.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, +- { "dev.twitter.com", true, false, false, -1, &kPinset_twitterCom }, ++ { "dev.twitter.com", true, true, false, -1, &kPinset_twitterCom }, + { "developer.android.com", true, false, false, -1, &kPinset_google_root_pems }, + { "developers.facebook.com", true, false, false, -1, &kPinset_facebook }, + { "dist.torproject.org", true, false, false, -1, &kPinset_tor }, +@@ -973,34 +973,34 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = { + { "mbasic.facebook.com", true, false, false, -1, &kPinset_facebook }, + { "meet.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "messenger.com", true, false, false, -1, &kPinset_facebook }, +- { "mobile.twitter.com", true, false, false, -1, &kPinset_twitterCom }, ++ { "mobile.twitter.com", true, true, false, -1, &kPinset_twitterCom }, + { "mt.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, + { "mtouch.facebook.com", true, false, false, -1, &kPinset_facebook }, + { "mu.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, + { "mw.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, + { "mx.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, + { "myaccount.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "myactivity.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "ni.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, + { "nl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, + { "no.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, + { "np.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, + { "nz.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, +- { "oauth.twitter.com", true, false, false, -1, &kPinset_twitterCom }, ++ { "oauth.twitter.com", true, true, false, -1, &kPinset_twitterCom }, + { "oauthaccountmanager.googleapis.com", true, false, false, -1, &kPinset_google_root_pems }, + { "pa.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, + { "passwords.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "passwordsleakcheck-pa.googleapis.com", true, false, false, -1, &kPinset_google_root_pems }, + { "payments.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "pe.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, + { "ph.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, + { "pinning-test.badssl.com", true, false, false, -1, &kPinset_test }, + { "pinningtest.appspot.com", true, false, false, -1, &kPinset_test }, + { "pixel.facebook.com", true, false, false, -1, &kPinset_facebook }, + { "pixel.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "pk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, + { "pl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, +- { "platform.twitter.com", true, false, false, -1, &kPinset_twitterCDN }, ++ { "platform.twitter.com", true, true, false, -1, &kPinset_twitterCDN }, + { "play.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "plus.google.com", true, false, false, -1, &kPinset_google_root_pems }, + { "plus.sandbox.google.com", true, false, false, -1, &kPinset_google_root_pems }, +@@ -1043,8 +1043,8 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = { + { "tunnel.googlezip.net", true, false, false, -1, &kPinset_google_root_pems }, + { "tv.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, + { "tw.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, +- { "twimg.com", true, false, false, -1, &kPinset_twitterCDN }, +- { "twitter.com", true, false, false, -1, &kPinset_twitterCDN }, ++ { "twimg.com", true, true, false, -1, &kPinset_twitterCDN }, ++ { "twitter.com", false, true, false, -1, &kPinset_twitterCom }, + { "ua.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, + { "ua5v.com", true, false, false, -1, &kPinset_google_root_pems }, + { "uk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, +@@ -1079,7 +1079,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = { + { "www.googlemail.com", false, false, false, -1, &kPinset_google_root_pems }, + { "www.messenger.com", true, false, false, -1, &kPinset_facebook }, + { "www.torproject.org", true, false, false, -1, &kPinset_tor }, +- { "www.twitter.com", true, false, false, -1, &kPinset_twitterCom }, ++ { "www.twitter.com", true, true, false, -1, &kPinset_twitterCom }, + { "xa.search.yahoo.com", false, true, false, -1, &kPinset_yahoo }, + { "xbrlsuccess.appspot.com", true, false, false, -1, &kPinset_google_root_pems }, + { "xn--7xa.google.com", true, false, false, -1, &kPinset_google_root_pems }, +diff --git a/security/manager/tools/PreloadedHPKPins.json b/security/manager/tools/PreloadedHPKPins.json +index 243625852686..c7c20ea6f680 100644 +--- a/security/manager/tools/PreloadedHPKPins.json ++++ b/security/manager/tools/PreloadedHPKPins.json +@@ -44,29 +44,16 @@ + // Dropbox + "dropbox.com", + "www.dropbox.com", +- // Twitter +- "api.twitter.com", +- "business.twitter.com", +- "dev.twitter.com", +- "mobile.twitter.com", +- "oauth.twitter.com", +- "platform.twitter.com", +- "twimg.com", +- "www.twitter.com", + // Tor + "torproject.org", + "blog.torproject.org", + "check.torproject.org", + "dist.torproject.org", + "www.torproject.org", + // SpiderOak + "spideroak.com" + ], +- "exclude_domains" : [ +- // Chrome's entry for twitter.com doesn't include subdomains, so replace +- // it with our own entry below which also uses an expanded pinset. +- "twitter.com" +- ] ++ "exclude_domains" : [] + }, + "pinsets": [ + { +@@ -193,12 +180,7 @@ + "include_subdomains": false, "pins": "mozilla_test", + "test_mode": false }, + { "name": "test-mode.pinning.example.com", "include_subdomains": true, +- "pins": "mozilla_test", "test_mode": true }, +- // Expand twitter's pinset to include all of *.twitter.com and use +- // twitterCDN. More specific rules take precedence because we search for +- // exact domain name first. +- { "name": "twitter.com", "include_subdomains": true, +- "pins": "twitterCDN", "test_mode": false } ++ "pins": "mozilla_test", "test_mode": true } + ], + // When pinning to non-root certs, like intermediates, + // place the PEM of the pinned certificate in this array diff --git a/0003-enable-vaapi.patch b/0005-enable-vaapi.patch index ddf30d15c0e1..ddf30d15c0e1 100644 --- a/0003-enable-vaapi.patch +++ b/0005-enable-vaapi.patch @@ -6,7 +6,7 @@ pkgname=firefox-vaapi _pkgname=firefox pkgver=110.0.1 -pkgrel=2 +pkgrel=4 pkgdesc="Standalone web browser from mozilla.org (with VA-API patches)" url="https://www.mozilla.org/firefox/" arch=(x86_64) @@ -71,7 +71,9 @@ source=( $_pkgname.desktop identity-icons-brand.svg 0001-libwebrtc-screen-cast-sync.patch - 0003-enable-vaapi.patch + 0003-Bug-1820416-Use-correct-FFVPX-headers-from-ffmpeg-6..patch + 0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch + 0005-enable-vaapi.patch ) validpgpkeys=( '14F26682D0916CDD81E37B6D61B7B526D98F0353' # Mozilla Software Releases <release@mozilla.com> @@ -81,12 +83,16 @@ sha256sums=('f19bb74d684b992625abca68f5776198974cd2785eb5d02d51ba007fc998491f' '298eae9de76ec53182f38d5c549d0379569916eebf62149f9d7f4a7edef36abf' 'a9b8b4a0a1f4a7b4af77d5fc70c2686d624038909263c795ecc81e0aec7711e9' '43c83101b7ad7dba6f5fffeb89b70a661a547d506a031ea2beada42ccf04eec7' + 'be9ba079a931d5e881ce38430d418cc834e8c6b157af6c79ea267998caece806' + 'e4193f0a31a11ec6f5e16ac8d25c866867742d2c6917f34a87d73fa35eb55c55' 'f2b19e14d8add13930e2ce89fa5e1b252ac979c8177a78a6fa3eb4ae2ad56633') b2sums=('ff196016e0271f7828163b8f767f3321b5ee08ef6bd0b03b134e17a1e5b62666f10ae80a14569438f6ac1c995a7a8422265eaabbc505b6a86e95a66b5db07209' 'SKIP' 'e18f2c22e394ca3b6758bc130245b254947e4d15921be3da443d6d7c3c4b0d22ead1b39fbc10a4f896edd19e2a1dffbd1cbb34dc4beb0621a6ddb70ccc53b3a7' '63a8dd9d8910f9efb353bed452d8b4b2a2da435857ccee083fc0c557f8c4c1339ca593b463db320f70387a1b63f1a79e709e9d12c69520993e26d85a3d742e34' '2bf65874c8c1f41c9273b68d74f4fe5c81dca5acbad0b9a5f917df1d46e1b2a1fb25d42a419eb885e76f4d193483cdeb6294e14ed4b2e241c34b84565b6ffd72' + 'be47c370c1b765921a6ffbb0eeaceaabc26483629b2ebd73c38f36b3ac418d1746fa021b5d444264641ff7c0c13e688a752758bd75c84e0297aceeaec0062ff2' + '219ad84cbd9fe6284e61ded5813c1ca36158067e796ae6532cacfe9aeeb7c716c0382d991df5026c3f880dd39c271c6478bc4f56d4cecb14baa05921cf4dd567' '35a18c4fefac69bdbcabb5c0005a2cc3afb640a09ab92a9025c3d627a5be8857da7d182f203be55d1e64a07dd1d88d56247d8131bd45c7fa6e18526b30624a71') # Google API keys (see http://www.chromium.org/developers/how-tos/api-keys) @@ -115,10 +121,18 @@ prepare() { # https://bugzilla.mozilla.org/show_bug.cgi?id=1819374 patch -Np1 -i 0002-Bug-1819374-Squashed-ffmpeg-6.0-update.patch + # https://bugs.archlinux.org/task/77796 + # https://bugzilla.mozilla.org/show_bug.cgi?id=1820416 + patch -Np1 -i ../0003-Bug-1820416-Use-correct-FFVPX-headers-from-ffmpeg-6..patch + + # https://bugs.archlinux.org/task/77805 + # https://bugzilla.mozilla.org/show_bug.cgi?id=1821359 + patch -Np1 -i ../0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch + # https://bugzilla.mozilla.org/show_bug.cgi?id=1809068 # https://bbs.archlinux.org/viewtopic.php?id=281398 # https://src.fedoraproject.org/rpms/firefox/blob/rawhide/f/firefox-enable-vaapi.patch - patch -Np1 -i ../0003-enable-vaapi.patch + patch -Np1 -i ../0005-enable-vaapi.patch echo -n "$_google_api_key" >google-api-key echo -n "$_mozilla_api_key" >mozilla-api-key |