bug#38831: IceCat: some codecs don't work without workaround

[Julien Lepiller <julien@lepiller.eu>]

Le 16 janvier 2020 01:24:50 GMT-05:00, Mark H Weaver <mhw@netris.org> a écrit :
>Hi Jakub,
>
>Jakub Kądziołka <kuba@kadziolka.net> wrote:
>> I had some problems with video codecs in IceCat
>68.3.0-guix0-preview1.
>> For example, consider this page: http://demo.nimius.net/video_test/.
>By
>> default, the videos under the headings H.264 / AAC and MPEG4 don't
>work
>> ("No video with supported format and MIME type found.").
>> 
>> The following steps make the first of these videos work:
>> 1. Open about:config
>> 2. Click "I accept the risk!"
>> 3. Set security.sandbox.content.read_path_whitelist to /gnu/store/
>>    (the trailing / is important).
>> 
>> The instructions were originally sketched out in this help-guix
>> message:
>> https://lists.gnu.org/archive/html/help-guix/2019-12/msg00150.html
>> 
>> I believe it would be beneficial to make this a default.
>> 
>> On IRC, bandali suggested that it would be better to only whitelist
>the
>> necessary store subdirectories. I don't know how to gather such a
>list,
>> but it it seems like a good idea.
>
>Thank you for bringing this to my attention.  I agree with Amin Bandali
>that a more precise whitelist is preferable.  Moreover, I was not
>comfortable whitelisting all of /gnu/store.
>
>I'm glad to report that it appears to be sufficient to whitelist the
>RUNPATH of libavcodec.so, plus the /share/mime/ directory from
>shared-mime-info.  I've implemented this in commit
>429c8284d232c3f9fbe3dc87a3da323f3a864c03 and pushed it to 'master'.
>
>> I don't know how about:config entries modified by the user behave
>when
>> IceCat is updated, but in some of the behaviors I can imagine, the
>> config entry stops updating,
>
>As currently implemented, we now arrange to set the *default* value of
>'security.sandbox.content.read_path_whitelist' to an appropriate
>whitelist.
>
>Users who have customized
>'security.sandbox.content.read_path_whitelist'
>to work around this issue should now erase that customization, by
>right-clicking on its entry in <about:config>, and clicking on "Reset".
>It might also be necessary to restart IceCat after doing so.
>
>> in which case it would be better to add the paths to some internal
>> whitelist (I reckon such a whitelist already exists and contains
>> something like /usr/lib).
>
>I agree that it would be preferable, but I wasn't sufficiently
>motivated
>to implement it.  Feel free to propose a patch.  I'm not sure it would
>make much of a difference in practice though, because the net result
>for
>anyone who has customized it to /gnu/store/ will be the same: until
>they
>reset their customization, their effective whitelist will be all of
>/gnu/store/*.
>
>What do you think?
>
>Anyway, thanks to everyone who contributed to this fix!  I'm closing
>both the older bug (38045) and the more recent duplicate (38831), but
>feel free to reopen if appropriate.
>
>       Mark

Hi,

Thanks for the fix! We'll need something similar for webgl (mesa and dependencies at least), unless your patch already fixes it? I haven't checked.