Julien,

Thanks! For anything with ‘security’ *and* ‘sandbox’ in the name we should definitely involve IceCat upstream.

Julien Lepiller writes:
> (substitute* "browser/app/profile/icecat.js"
>   (("\"security.sandbox.content.read_path_whitelist\", \"\"")
>    (string-append
>     "\"security.sandbox.content.read_path_whitelist\", \""
>     (%store-directory) "/\"")))

When I asked bandali on IRC a few weeks(?) ago about this exact patch, they didn't sound convinced. But we were both quite unsure :-)

Have things changed? Have you talked to Mark?

> Since icecat has access to /lib and /usr/lib, I think we can also give
> it read access (not write) to /gnu/store.

That sounds reasonable, if you're certain that it's read-only.

> Wdyt?

LGTM from the Guix side.

Kind regards,

T G-R
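
Review bot: the match pattern in the quoted `substitute*` clause is the exact literal `"security.sandbox.content.read_path_whitelist", ""` (empty value, single space after the comma), and `substitute*` does not signal an error when nothing matches, so any change to that line in `browser/app/profile/icecat.js` would silently leave the store out of the whitelist while the build still succeeds. Consider checking after the substitution that the file now contains the `(%store-directory)` value and failing the phase otherwise. A short comment next to the clause stating that this pref only extends read access would also record the point raised in this thread.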