Subject: [bug#39127] [PATCH] fixing icecat's multimedia
Date: Tue, 14 Jan 2020 02:29:20 +0100
From: Tobias Geerinckx-Rice via Guix-patches
To: 39127@debbugs.gnu.org, Julien Lepiller
Message-ID: <87eew2hllb.fsf@nckx>
In-reply-to: <20200114015819.713f4e4f@tachikoma.lepiller.eu>

Julien,

Thanks! For anything with ‘security’ *and* ‘sandbox’ in the name
we should definitely involve IceCat upstream.

Julien Lepiller wrote:
> (substitute* "browser/app/profile/icecat.js"
>   (("\"security.sandbox.content.read_path_whitelist\", \"\"")
>    (string-append
>     "\"security.sandbox.content.read_path_whitelist\", \""
>     (%store-directory) "/\"")))

When I asked bandali on IRC a few weeks(?) ago about this exact
patch, they didn't sound convinced. But we were both quite unsure
:-) Have things changed? Have you talked to Mark?

> Since icecat has access to /lib and /usr/lib, I think we can
> also give
> it read access (not write) to /gnu/store.

That sounds reasonable, if you're certain that it's read-only.

> Wdyt?

LGTM from the Guix side.

Kind regards,

T G-R
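
Review bot: the match pattern in the first clause of the substitute* form, "\"security.sandbox.content.read_path_whitelist\", \"\"", only applies while browser/app/profile/icecat.js carries that pref with an empty value and exactly that spacing. If upstream changes the default, substitute* leaves the file untouched without raising an error, the build still succeeds, and the whitelist stays empty. Consider checking after the substitution that the store path is present in icecat.js and failing the phase otherwise. Separately, the replacement string grants the content process read access to all of (%store-directory) rather than to specific store items; a comment beside the form stating that scope, and that the pref covers reads only, would record the reasoning discussed in this thread.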