From: Julien Lepiller
To: 38831@debbugs.gnu.org, mhw@netris.org, kuba@kadziolka.net
Subject: bug#38831: IceCat: some codecs don't work without workaround
Date: Thu, 16 Jan 2020 07:29:01 -0500

On 16 January 2020 01:24:50 GMT-05:00, Mark H Weaver wrote:
>Hi Jakub,
>
>Jakub Kądziołka wrote:
>> I had some problems with video codecs in IceCat 68.3.0-guix0-preview1.
>> For example, consider this page: http://demo.nimius.net/video_test/. By
>> default, the videos under the headings H.264 / AAC and MPEG4 don't work
>> ("No video with supported format and MIME type found.").
>>
>> The following steps make the first of these videos work:
>> 1. Open about:config
>> 2. Click "I accept the risk!"
>> 3. Set security.sandbox.content.read_path_whitelist to /gnu/store/
>> (the trailing / is important).
>>
>> The instructions were originally sketched out in this help-guix
>> message:
>> https://lists.gnu.org/archive/html/help-guix/2019-12/msg00150.html
>>
>> I believe it would be beneficial to make this a default.
>>
>> On IRC, bandali suggested that it would be better to only whitelist the
>> necessary store subdirectories. I don't know how to gather such a list,
>> but it seems like a good idea.
>
>Thank you for bringing this to my attention. I agree with Amin Bandali
>that a more precise whitelist is preferable. Moreover, I was not
>comfortable whitelisting all of /gnu/store.
>
>I'm glad to report that it appears to be sufficient to whitelist the
>RUNPATH of libavcodec.so, plus the /share/mime/ directory from
>shared-mime-info. I've implemented this in commit
>429c8284d232c3f9fbe3dc87a3da323f3a864c03 and pushed it to 'master'.
>
>> I don't know how about:config entries modified by the user behave when
>> IceCat is updated, but in some of the behaviors I can imagine, the
>> config entry stops updating,
>
>As currently implemented, we now arrange to set the *default* value of
>'security.sandbox.content.read_path_whitelist' to an appropriate
>whitelist.
>
>Users who have customized
>'security.sandbox.content.read_path_whitelist'
>to work around this issue should now erase that customization, by
>right-clicking on its entry in , and clicking on "Reset".
>It might also be necessary to restart IceCat after doing so.
>
>> in which case it would be better to add the paths to some internal
>> whitelist (I reckon such a whitelist already exists and contains
>> something like /usr/lib).
>
>I agree that it would be preferable, but I wasn't sufficiently motivated
>to implement it. Feel free to propose a patch. I'm not sure it would
>make much of a difference in practice though, because the net result for
>anyone who has customized it to /gnu/store/ will be the same: until they
>reset their customization, their effective whitelist will be all of
>/gnu/store/*.
>
>What do you think?
>
>Anyway, thanks to everyone who contributed to this fix! I'm closing
>both the older bug (38045) and the more recent duplicate (38831), but
>feel free to reopen if appropriate.
>
>     Mark

Hi,

Thanks for the fix! We'll need something similar for webgl (mesa and dependencies at least), unless your patch already fixes it? I haven't checked.
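
The narrowing discussed in this thread, sketched as an added example (not code from the message or from the Guix commit): it derives a whitelist from a library's RUNPATH plus the shared-mime-info directory, and flags a leftover user override that still exposes all of /gnu/store/. The store hashes, versions, sample `readelf -d` output and prefs.js line are constructed, and the comma-separated pref format is an assumption.

```python
import re

PREF = "security.sandbox.content.read_path_whitelist"

# Constructed sample of `readelf -d libavcodec.so` output; hashes/versions are made up.
READELF_SAMPLE = """\
 0x0000000000000001 (NEEDED)             Shared library: [libavutil.so.56]
 0x000000000000001d (RUNPATH)            Library runpath: [/gnu/store/aaaa-ffmpeg-4.2/lib:/gnu/store/bbbb-libvpx-1.8/lib:/gnu/store/cccc-glibc-2.29/lib]
"""
# Constructed shared-mime-info directory (hypothetical store item).
MIME_DIR = "/gnu/store/dddd-shared-mime-info-1.10/share/mime"
# Constructed prefs.js line carrying the old whole-store workaround.
PREFS_SAMPLE = 'user_pref("%s", "/gnu/store/");\n' % PREF

def runpath_dirs(readelf_output):
    """Return the directories in the RUNPATH (or RPATH) dynamic entry."""
    m = re.search(r"\((?:RUNPATH|RPATH)\)\s+Library r(?:un)?path: \[([^\]]*)\]",
                  readelf_output)
    return [d for d in m.group(1).split(":") if d] if m else []

def build_whitelist(dirs):
    """Build the pref value; every entry gets the trailing '/' the thread
    calls important. Comma separation is an assumption of this example."""
    entries = []
    for d in dirs:
        d = d.rstrip("/") + "/"
        if d not in entries:
            entries.append(d)
    return ",".join(entries)

def user_override(prefs_text):
    """Return the user-set value of the pref found in prefs.js text, or None."""
    m = re.search(r'user_pref\("%s",\s*"([^"]*)"\);' % re.escape(PREF), prefs_text)
    return m.group(1) if m else None

def too_broad(value, store="/gnu/store"):
    """True if any entry exposes the whole store instead of single store items."""
    return any(e.strip().rstrip("/") == store for e in value.split(","))

if __name__ == "__main__":
    narrow = build_whitelist(runpath_dirs(READELF_SAMPLE) + [MIME_DIR])
    print("narrow default:", narrow)
    stale = user_override(PREFS_SAMPLE)
    if stale is not None and too_broad(stale):
        print("user override still whitelists the whole store; reset it:", stale)
```
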