Ian Eure writes: Ok, thanks for the summary Ian. Looking forward for the patch to be applied. Thanks, Roman. > Hi Roman, André, > > Roman Scherer writes: > >> André Batista writes: >> >> Hi André, >> >> thanks for taking a look. So this is fixing a security issue? Which >> one >> exactly? Is it this one? >> > > This isn’t a security issue, the concern was created in a change which > also had security updates. The current nature of the browser > ecosystem means nearly every Firefox update contains security fixes, > so presence of them isn’t a very useful signal. > >> >>> Hi Roman, >>> >>> seg 02 dez 2024 às 13:20:20 (1733156420), roman@burningswell.com >>> enviou: >>>> * gnu/packages/librewolf.scm (librewolf): Add %u to Exec option to >>>> open URLs. >>>> >>>> Change-Id: I8cf5d3886eaf7805209cf12eae0cc875bef6d5dd >>>> --- >>>> gnu/packages/librewolf.scm | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/gnu/packages/librewolf.scm >>>> b/gnu/packages/librewolf.scm >>>> index 5d432cfad8..42d212e9f9 100644 >>>> --- a/gnu/packages/librewolf.scm >>>> +++ b/gnu/packages/librewolf.scm >>>> @@ -605,7 +605,7 @@ (define-public librewolf >>>> (substitute* desktop-file >>>> (("^Exec=@MOZ_APP_NAME@") >>>> (string-append "Exec=" >>>> - #$output >>>> "/bin/librewolf")) >>>> + #$output >>>> "/bin/librewolf %u")) >>>> (("@MOZ_APP_DISPLAYNAME@") >>>> >>> >>> This was its previous state and was removed on commit >>> 280aa6b57d7b741a7d8b076e1afa3dff23569332. See also #74070. >>> >>> Copying Ian, who was the author of that change and has been >>> maintaining >>> Librewolf. >>> > > The context behind this change is that Firefox used to ship a > taskcluster/docker/firefox-snap/firefox.desktop file which had an Exec > line like this: > > Exec=@MOZ_APP_NAME@ %u > > The Guix package would use that file, replacing the token with the > path to the binary. The presence of %u in the package definition is > because the substitute* regexp is sloppy and replaces the whole line > instead of @MOZ_APP_NAME@ only. For reasons unknown to me, Firefox > stopped shipping this file and deleted it from their repo. I looked > around the repo and found > toolkit/mozapps/installer/linux/rpm/mozilla.desktop, for the rpm > package. Its Exec line is: > > Exec=@MOZ_APP_NAME@ > > So I updated the package to use that, and the regexp to match. > > The patch in #74648 looks fine to me, and I think it should be pushed. > > Thanks, > > — Ian