On Sun, Mar 15 2026, Stuart Henderson wrote:

> On 2026/03/14 21:13, Renato Aguiar wrote:
>> I agree that, in general, pledge/unveil shouldn't be configurable, but,
>> in this particular case, ungoogled-chromium is loading an external
>> library (openwv) that isn't distributed with the main application. It is
>> impossible for it to know for sure what permissions are needed. This is
>> similar to the shell situation, where it cannot set pledge/unveil for
>> processes it spawns.
>>
>> Even if we assume that ungoogled-chromium will only ever support a
>> single implementation, it can still break if openwv changes in a way
>> that requires different pledge/unveil configuration.
>
> This is the same with many programs that use pledge/unveil, loads of
> them use external libraries, they just have to take account of what
> those libraries need.
>
> If you've got some other cdm library that works then it might be
> reasonable to extend the compiled-in pledge to support it; that doesn't
> require moving it to a file.
>

That makes sense. Also, I missed that the cdm library would have to know what pledges ungoogled-chromium needs, so it wouldn't solve the problem anyway.

>> Maybe openwv should just call pledge/unveil instead.
>
> If openwv were used in a different program, having pledge/unveil in
> openwv might stop that other program from doing what it needs.
> (For example if it were used in qtwebengine, which is used by a much
> wider range of programs than a browser).
>
> Typically you need to pledge in the program which knows what else it's
> going to do, not in the library.

Right, I totally forgot that openwv is not just an ungoogled-chromium plugin and it could also be used with other browsers.
