CVSROOT: /cvs
Module name: ports
Changes by: lan...@cvs.openbsd.org 2018/05/11 14:00:57

Modified files:
    www/mozilla-firefox: Makefile distinfo
    www/mozilla-firefox/files: all-openbsd.js
    www/mozilla-firefox/patches: patch-security_manager_pki_resources_content_exceptionDialog_js patch-storage_mozStorageConnection_cpp
    www/mozilla-firefox/pkg: PLIST
    www/firefox-i18n: Makefile.inc distinfo

Added files:
    www/mozilla-firefox/patches: patch-dom_ipc_ContentChild_cpp patch-gfx_thebes_gfxFcPlatformFontList_cpp patch-gfx_thebes_gfxFcPlatformFontList_h patch-mozglue_misc_TimeStamp_posix_cpp patch-toolkit_xre_nsAppRunner_cpp patch-widget_nsShmImage_cpp patch-xpcom_base_nsDebugImpl_cpp patch-xpcom_base_nsMemoryReporterManager_cpp

Log message:
Update to firefox 60.

See https://www.mozilla.org/en-US/firefox/60.0/releasenotes/
Fixes https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/

- Add initial/wip pledge() support, with distinct subsets for main & content processes. The promises are runtime-configurable for now via about:config knobs to ease debugging/testing. They're printed on stderr when applied by the sandboxing codepaths (cf patch-toolkit_xre_nsAppRunner_cpp and patch-dom_ipc_ContentChild_cpp).

- Add a bunch of patches (patch-widget_nsShmImage_cpp, patch-xpcom_base_nsDebugImpl_cpp, patch-mozglue_misc_TimeStamp_posix_cpp and patch-xpcom_base_nsMemoryReporterManager_cpp) to neuter non-critical codepaths that call pledge-forbidden syscalls.

- All this pledge() stuff being currently discussed upstream in https://bugzilla.mozilla.org/show_bug.cgi?id=1457092 and done at p2k18. Been running with it since then, and I'm fairly confident the pledge subsets I come up with are now enough for most usages. If you encounter crashes due to pledge, look into your kernel log, and try to figure out what missing pledge is needed or what firefox codepath hits it. So far I know 'getpw' might be needed when uploading files but I haven't hit it, and 'proc' might be needed by the content process when there's no dbus daemon running, but they're not needed in the 'common case', and too broad.

- While here, tweak defaults to disable the pocket extension, and try to disable the activity-stream/sponsored content that is being shown by default on the new tab page in new profiles. Stop the madness, plz.
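
The kernel-log triage suggested in the log message, as an added example that is not part of the commit or the port: a shell function that tallies pledge violations per program, promise and syscall. It assumes the kernel logs them as `program[pid]: pledge "promise", syscall N`; the function names and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the commit. Summarise pledge violations found in
# kernel-log text on stdin. Assumed line format (not stated in the commit):
#   [syslog prefix] program[pid]: pledge "promise", syscall N
# Output: "count program promise syscall", most frequent first; "-" marks an
# empty promise string.
pledge_summary() {
    awk '
    {
        i = index($0, "]: pledge \"")            # marker after "program[pid"
        if (i == 0) next                         # not a pledge violation line
        rest = substr($0, i + 11)                # promise", syscall N
        q = index(rest, "\"")
        if (q == 0) next
        promise = substr(rest, 1, q - 1)
        tail = substr(rest, q + 1)               # , syscall N
        if (index(tail, ", syscall ") != 1) next
        nr = substr(tail, 11)
        if (nr !~ /^[0-9]+$/) next               # reject truncated lines
        # program name: last whitespace-separated token before the marker
        n = split(substr($0, 1, i - 1), parts, /[ \t]+/)
        b = index(parts[n], "[")
        if (b < 2) next
        prog = substr(parts[n], 1, b - 1)
        if (promise == "") promise = "-"
        count[prog " " promise " " nr]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample input (PIDs, host name and syscall numbers are made up).
sample_log() {
    cat <<'EOF'
firefox[41207]: pledge "getpw", syscall 33
May 11 14:02:11 host /bsd: firefox[52110]: pledge "getpw", syscall 33
firefox[58813]: pledge "proc", syscall 2
firefox[60021]: pledge "", syscall 54
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
EOF
}

sample_log | pledge_summary
```

On a live system the input would be the kernel message buffer or the syslog file rather than `sample_log`; a promise that shows up repeatedly is the candidate to report before widening the pledge set.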