source: xsoft/graphweb/firefox.xml@ 883e376

Last change on this file since 883e376 was 883e376, checked in by Ken Moffat <ken@…>, 9 months ago

Firefox security updates:

JS78 using firefox-78.13.0esr
and introducing firefox-78.13.0esr as Firefox Legacy.

The first two have been tested and measured on glibc-2.34 systems.
The latter has been measured on a slightly older system where 91.0
fails to build.

If anyone likes ff78 so much that they want to use it on a
glibc-2.34 system, feel free to create the necessary patches
but note that I expect to remove Firefox Legacy in November,
it is only a transitional item.

  • Property mode set to 100644
File size: 24.4 KB
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY firefox-download-http "&mozilla-http;/firefox/releases/&firefox-version;esr/source/firefox-&firefox-version;esr.source.tar.xz">
  <!ENTITY firefox-download-ftp " ">
  <!ENTITY firefox-md5sum "18045807c2f3969b41867f08fb645210">
  <!ENTITY firefox-size "365 MB">
  <!-- NB with stylo, much of the build uses rust, and therefore cargo files.
       But the extra cached cargo files, if any, seem to be minimal -->
  <!ENTITY firefox-buildsize "6.7 GB (196 MB installed) without tests">
  <!-- editors: with ff63 and rust-1.29, ./mach build -j4 is probably the
       most practical way to get a timing on a machine with more cores, if taking
       cores offline is not practical. If in doubt, round up -->
  <!ENTITY firefox-time "28 SBU (on a typical 4-core machine) without tests">
]>

<sect1 id="firefox" xreflabel="Firefox-&firefox-version;">
  <?dbhtml filename="firefox.html" ?>

  <sect1info>
    <date>$Date$</date>
  </sect1info>

  <title>Firefox-&firefox-version;</title>

  <indexterm zone="firefox">
    <primary sortas="a-Firefox">Firefox</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Firefox</title>

    <para>
      <application>Firefox</application> is a stand-alone browser based on the
      <application>Mozilla</application> codebase.
    </para>

    &lfs101_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&firefox-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&firefox-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &firefox-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &firefox-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &firefox-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &firefox-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Required patch:
          <ulink url="&patch-root;/firefox-&firefox-version;esr-glibc234-1.patch"/>
        </para>
      </listitem>
    </itemizedlist>

    <note>

      <!-- temporary note -->
      <para>
        With the 91 ESR series, firefox no longer works with ftp: links. Also,
        on a few machines which have been adequately updated for the necessary
        dependencies, 91.0 fails to build with a message that a python check on
        libgkrust.a identified 1 networking function (getsockname) in the rust
        static library. The reason for this is not understood, but systems with
        binutils-2.37, gcc-11.2.0 and glibc-2.34 appear to be unaffected.
      </para>
      <!-- end of temporary note -->

      <para>
        The directory name is firefox-&firefox-version;
      </para>

      <para>
        Extracting the tarball
        will reset the permissions of the current directory to 0755 if you
        have permission to do that. If you do this in a directory where
        the sticky bit is set, such
        as <filename class="directory">/tmp</filename>, it will end with error
        messages:
      </para>

<literallayout>tar: .: Cannot utime: Operation not permitted
tar: .: Cannot change mode to rwxr-xr-t: Operation not permitted
tar: Exiting with failure status due to previous errors
</literallayout>

      <para>
        This does finish with non-zero status, but it does
        <emphasis>NOT</emphasis> mean there is a real problem.
        Do not untar as the <systemitem class="username">root</systemitem> user
        in a directory where the sticky bit is set - that will unset it.
      </para>

      <para>
        As with other large packages which use C++ (or rust), the SBU times
        to build this vary more widely than you might expect. The build times
        will increase significantly if your machine has to swap.
      </para>

      <!-- commented, by 78.0 it seems to work reliably
      <para>
        The mach build system (Python scripts) can be somewhat unreliable: if
        the build fails and reports an Error, it can still return a status of
        success, causing a scripted build to try to install (which does not rerun
        the build), fail during the preparations for installing, but still exit
        with a status of success. Also, on occasion it may limit itself to only
        running one set of jobs - that will make the build take about 3 times as
        long as running with four sets of jobs.
      </para>-->

      <para>
        Although upstream prefer to use <application>PulseAudio</application>,
        for the moment <application>Alsa</application> can still be used. Both
        may need runtime configuration to get sound working.
      </para>
    </note>

    <bridgehead renderas="sect3">Firefox Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="autoconf213"/>,
      <xref linkend="cbindgen"/>,
      <xref linkend="dbus-glib"/>,
      both <xref linkend="gtk3"/> and
      <xref linkend="gtk2"/>,
      <xref linkend="libnotify"/>,
      <xref linkend="llvm"/> (clang, used for bindgen even if using gcc),
      <xref linkend="nodejs"/>,
      <xref linkend="nss"/>,
      <xref linkend="pulseaudio"/>
      (or
      <xref linkend="alsa-lib"/> if you edit the mozconfig;
      now deprecated by mozilla), in either case please read the
      Configuration Information,
      <!-- rustc is required by cbindgen so not needed here
      <xref linkend="rust"/>,-->
      <xref linkend="python3"/> (rebuilt after installing <xref linkend="sqlite"/>),
      <xref linkend="startup-notification"/>,
      <xref linkend="unzip"/>,
      <xref linkend="yasm"/>, and
      <xref linkend="zip"/>
    </para>

    <bridgehead renderas="sect4">Recommended</bridgehead>
    <para role="recommended">
      <xref linkend="icu"/>,
      <xref linkend="libevent"/>,
      <xref linkend="libwebp"/>,
      <xref linkend="nasm"/>
    </para>

    <note>
      <para>
        If you don't install recommended dependencies, then internal copies of
        those packages will be used. They might be tested to work, but they can
        be out of date or contain security holes.
      </para>
    </note>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="curl"/>,
      <xref linkend="doxygen"/>,
      <xref role="runtime" linkend="ffmpeg"/> (runtime, to play mov, mp3 or mp4 files),
      <!-- <phrase revision="sysv"><ulink url="">liboauth</ulink></phrase> -->
      <xref linkend="liboauth"/>,
      <xref linkend="openjdk"/>,
      <xref linkend="valgrind"/>,
      <xref linkend="wget"/>,
      <xref linkend="wireless_tools"/>,
      <ulink url="">libproxy</ulink>
    </para>

    <para condition="html" role="usernotes">
      User Notes: <ulink url="&blfs-wiki;/firefox"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of Firefox</title>

    <para>
      The configuration of <application>Firefox</application> is accomplished
      by creating a <filename>mozconfig</filename> file containing the desired
      configuration options. A default <filename>mozconfig</filename> is
      created below. To see the entire list of available configuration options
      (and an abbreviated description of some of them), issue <command>./mach
      configure &amp;&amp; ./configure --help | less</command>. You may also
      wish to review the entire file and uncomment any other desired options.
      Create the file by issuing the following command:
    </para>

<screen><userinput>cat &gt; mozconfig &lt;&lt; "EOF"
<literal># If you have a multicore machine, all cores will be used by default.

# If you have installed (or will install) wireless-tools, and you wish
# to use geolocation web services, comment out this line
ac_add_options --disable-necko-wifi

# API Keys for geolocation APIs - necko-wifi (above) is required for MLS
# Uncomment the following line if you wish to use Mozilla Location Service
#ac_add_options --with-mozilla-api-keyfile=$PWD/mozilla-key

# Uncomment the following line if you wish to use Google's geolocation API
# (needed for use with saved maps with Google Maps)
#ac_add_options --with-google-location-service-api-keyfile=$PWD/google-key

# startup-notification is required since firefox-78

# Uncomment the following option if you have not installed PulseAudio
#ac_add_options --disable-pulseaudio
# or uncomment this if you installed alsa-lib instead of PulseAudio
#ac_add_options --enable-alsa

# Comment out following options if you have not installed
# recommended dependencies:
ac_add_options --with-system-libevent
ac_add_options --with-system-webp
ac_add_options --with-system-nspr
ac_add_options --with-system-nss
ac_add_options --with-system-icu

# Do not specify the gold linker which is not the default. It will take
# longer and use more disk space when debug symbols are disabled.

# libdav1d (av1 decoder) requires nasm. Uncomment this if nasm
# has not been installed.
#ac_add_options --disable-av1

# You cannot distribute the binary if you do this
ac_add_options --enable-official-branding

# Stripping is now enabled by default.
# Uncomment these lines if you need to run a debugger:
#ac_add_options --disable-strip
#ac_add_options --disable-install-strip

# Disabling debug symbols makes the build much smaller and a little
# faster. Comment this if you need to run a debugger. Note: This is
# required for compilation on i686.
ac_add_options --disable-debug-symbols

# The elf-hack is reported to cause failed installs (after successful builds)
# on some machines. It is supposed to improve startup time and it shrinks
# by a few MB - comment this if you know your machine is not affected.
ac_add_options --disable-elf-hack

# The BLFS editors recommend not changing anything below this line:
ac_add_options --prefix=/usr
ac_add_options --enable-application=browser
ac_add_options --disable-crashreporter
ac_add_options --disable-updater
# enabling the tests will use a lot more space and significantly
# increase the build time, for no obvious benefit.
ac_add_options --disable-tests

# The default level of optimization again produces a working build with gcc.
ac_add_options --enable-optimize

ac_add_options --enable-system-ffi
ac_add_options --enable-system-pixman

ac_add_options --with-system-jpeg
ac_add_options --with-system-png
ac_add_options --with-system-zlib

# The following option unsets Telemetry Reporting. With the Addons Fiasco,
# Mozilla was found to be collecting users' data, including saved passwords and
# web form data, without users' consent. Mozilla was also found shipping updates
# to systems without the user's knowledge or permission.
# As a result of this, use the following command to permanently disable
# telemetry reporting in Firefox.

mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/firefox-build-dir</literal>
EOF</userinput></screen>

    <para>
      Compile <application>Firefox</application> by issuing the following
      commands:
    </para>

    <para>
      Apply a patch which allows compilation on systems running glibc-2.34:
    </para>

<screen><userinput>patch -Np1 -i ../firefox-&firefox-version;esr-glibc234-1.patch</userinput></screen>

    <para>
      If the geolocation APIs are needed:
    </para>

    <note>
      <para>
        <!-- Taken from Arch Linux - an immensely helpful link - Thanks -->
        The Google and Mozilla API Keys below are specific to LFS. If using
        these instructions for another distro, or if you intend to distribute
        binary copies of the software using these instructions, please obtain
        your own keys following the instructions located at
        <ulink url=""/> and
        <ulink url=""/> respectively.
        <!-- BLFS Devs, register an account at Google with your
             email address, and I'll make you an administrator
             for the 'Google APIs for LFS' project (where the API and OAuth keys
             were created for use in the book).-->
      </para>
    </note>

<screen><userinput>echo "AIzaSyDxKL42zsPjbke5O8_rPVpVrLrJ8aeE9rQ" > google-key
echo "613364a7-9418-4c86-bcee-57e32fd70c23" > mozilla-key</userinput></screen>

    <note>

      <xi:include xmlns:xi=""
        href="../../xincludes/mozshm.xml"/>

      <xi:include xmlns:xi=""
        href="../../xincludes/mozmach.xml"/>

    </note>
    <!--
    <para>
      If you are building on i686, apply a fix to prevent Internal Compiler
      Errors in GCC-7+:
    </para>

<screen><userinput remap="pre">case $(uname -m) in
    i?86) sed -i "562 s/mips64/i386/" gfx/skia/skia/third_party/skcms/src/Transform_inl.h ;;
esac</userinput></screen>
    -->
    <!--<para>
      Apply a patch to allow this to be compiled with <xref linkend="rust"/>:
    </para>

<screen><userinput remap="pre">patch -p1 -i ../firefox-&firefox-version;esr-rustc1470-1.patch</userinput></screen>-->

    <para>
      Now invoke the Python script to compile the package.
    </para>

<screen><userinput>export CC=gcc CXX=g++ &amp;&amp;
export MOZBUILD_STATE_PATH=${PWD}/mozbuild &amp;&amp;
./mach create-mach-environment &amp;&amp;
./mach configure &amp;&amp;
./mach build</userinput></screen>

    <para>
      The <filename>mozconfig</filename> above disables the tests because
      they use a lot more time and disk space for no obvious benefit. If
      you have nevertheless enabled them, you can run the tests by executing
      <command>./mach gtest</command>. This will require a network connection,
      and to be run from within an Xorg session - there is a popup dialog
      when it fails to connect to ALSA (that does not create a failed test).
      One or two tests will fail. To see the details of the failure(s) you
      will need to log the output from that command so that you can review it.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>./mach install</userinput></screen>

    <para>
      Unset the environment variables that were exported for the build:
    </para>

<screen><userinput>unset CC CXX MOZBUILD_STATE_PATH</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

<!--<xi:include xmlns:xi=""
      href="../../xincludes/SIOCGSTAMP.xml"/>-->

    <para>
      <command>export CC=gcc CXX=g++ ...</command>: Upstream now prefer
      <application>clang</application> so that they can use one compiler
      everywhere. On the X86 architectures <application>clang</application>
      now appears to support most of the same security-hardening options as
      <application>GCC</application>.
      <!-- supported in llvm-11
      but the newer
      <literal>-fstack-clash-protection</literal> is still not supported.-->
      With the current versions and the default flags,
      <application>GCC</application> creates a marginally bigger build but
      takes typically 2 SBU less time on a 4-core machine using the mozconfig
      above.
    </para>

    <para>
      <command>export MOZBUILD_STATE_PATH=${PWD}/mozbuild</command>: The build
      is now supposed to tell you that it intends to create <filename
      class="directory">~/.mozbuild</filename>, and offer you an option to
      press &lt;ENTER&gt; to accept this, or Ctrl-C to cancel and restart the
      build after specifying the directory. In practice, the message may not
      appear until after &lt;ENTER&gt; is keyed, i.e. the build stalls.
    </para>

    <para>
      That directory is used for a (probably random) telemetry identifier.
      Creating this in the build directory, and deleting that after the
      installation, prevents it being used. If you wish to participate in
      telemetry, export MOZBUILD_STATE_PATH to point to its default directory
      and remove the entry from the <filename>mozconfig</filename>.
    </para>

    <para>
      <command>./mach create-mach-environment</command>: This uses the system
      python to create a virtual environment for <command>mach</command>.
    </para>

    <para>
      <command>./mach configure</command>: This validates the supplied
      dependencies and the <filename>mozconfig</filename>.
    </para>

    <para>
      <command>./mach build</command>: <application>Firefox</application>
      now uses this <application>python</application> script to run the
      build and install.
    </para>

    <para>
      <option>./mach build --verbose</option>: Use this alternative if you
      need details of which files are being compiled, together with any C or
      C++ flags being used. But do not add '--verbose' to the install command;
      it is not accepted there.
    </para>

    <para>
      <option>./mach build -jN</option>: The build should, by default, use
      all the online CPU cores. If using all the cores causes the build to swap
      because you have insufficient memory, using fewer cores can be faster.
    </para>

    <para>
      <command>mkdir -pv /usr/lib/mozilla/plugins</command>: This ensures
      that <filename class="directory">/usr/lib/mozilla/plugins/</filename>
      exists.
    </para>

    <para>
      <command>ln -sv ... /usr/lib/firefox/browser</command>:
      This command creates a symbolic link to <filename
      class="directory">/usr/lib/mozilla/plugins</filename>. It's not really
      needed, as <application>Firefox</application> checks <filename
      class="directory">/usr/lib/mozilla/plugins</filename> by default, but the
      symbolic link is made to keep all the plugins installed in one folder.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring Firefox</title>

    <para>
      If you use a desktop environment like <application>Gnome</application> or
      <application>KDE</application> you may like to create a
      <filename>firefox.desktop</filename> file so that
      <application>Firefox</application> appears in the panel's menus. <!--If you
      didn't enable startup-notification in your mozconfig change the
      StartupNotify line to false.--> As the
      <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>mkdir -pv /usr/share/applications &amp;&amp;
mkdir -pv /usr/share/pixmaps &amp;&amp;

cat &gt; /usr/share/applications/firefox.desktop &lt;&lt; "EOF" &amp;&amp;
<literal>[Desktop Entry]
Name=Firefox Web Browser
Comment=Browse the World Wide Web
GenericName=Web Browser
Exec=firefox %u
EOF</literal>

ln -sfv /usr/lib/firefox/browser/chrome/icons/default/default128.png \
        /usr/share/pixmaps/firefox.png</userinput></screen>

    <sect3><title>Configuration Information</title>

      <para>
        The application settings for firefox are accessible by keying
        <command>about:config</command> in the address bar.
      </para>

      <para>
        Occasionally, getting working sound in
        <application>firefox</application> can be a problem. Although upstream
        prefers pulseaudio,
        on balance using <application>Alsa</application> may be easier.
      </para>

      <para>
        If you enabled <application>Alsa</application> for sound, you may need
        to alter one variable to get working sound. If you run
        <command>firefox</command> from a terminal and try to play something with
        sound you might encounter error messages like:
      </para>

      <para>
        <literal>Sandbox: seccomp sandbox violation: pid 3941, tid 4030,
        syscall 16, args 48 2147767296 139909894784796 0 0 0.</literal>
      </para>

      <para>
        That was on x86_64; on i686 the syscall number is 54. To allow this
        syscall, in <command>about:config</command> change
        <command>security.sandbox.content.syscall_whitelist</command> to 16
        (or 54 if using i686).
      </para>

      <para>
        If you use <command>pulseaudio</command> in a Desktop Environment, it
        might already be started by that DE. But if it is not, although
        firefox-57 managed to start it, firefox-58 did not. If you run
        <command>firefox</command> from a terminal and this problem is present,
        trying to play sound will
        encounter error messages warning <literal>Can't get cubeb
        context!</literal>
      </para>

      <para>
        The fix for this is to close firefox, start pulseaudio to check it
        does start (if not, read the information on Configuring in <xref
        linkend="pulseaudio"/>) and restart firefox to check it is working.
        If it now works, add the following to your <filename>~/.xinitrc</filename>:
<phrase revision="sysv">
<literal>pulseaudio --verbose --log-target=syslog&amp;</literal></phrase>
<phrase revision="systemd">
<literal>pulseaudio --verbose --log-target=journald&amp;</literal></phrase>
        (unfortunately, on some systems this does not work).
      </para>

      <para>
        You may wish to use multiple profiles within firefox. To do that, invoke
        firefox as <command>firefox --ProfileManager</command>. You can also
        check which profile is currently in use from
        <command>about:profiles</command>.
      </para>

      <para>
        Although WebRender (using the GPU for compositing) is not used by
        default, it now appears to work well on supported hardware (ATI, Nvidia
        and Intel GPUs with Mesa-18 or later). For an explanation, please see
        <ulink
        url=""></ulink>.
        The only downside seems to be that on a machine with limited RAM it might
        use more RAM.
      </para>

      <para>
        To check if WebRender is being used, look in about:support. In the Graphics
        section Compositing will either show 'Basic' (i.e. not in use) or
        'WebRender'. To enable it, go to about:config and change gfx.webrender.all
        to True. You will need to restart firefox.
      </para>

      <para>
        It may be useful to mention the processes from firefox which can appear in
        <command>top</command> - as well as firefox itself, there may be multiple
        Web Content processes, and now an RDD Process (Remote Data Decoder) which
        appears when playing web videos encoded with av1 (libdav1d). If WebRender
        has been enabled, a GPU Process will also appear when firefox has to
        repaint (e.g. scrolling, opening a new tab, or playing a video).
      </para>

    </sect3>
  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directory</segtitle>

      <seglistitem>
        <seg>
          firefox
        </seg>
        <seg>
          Numerous libraries, browser components, plugins, extensions, and
          helper modules installed in /usr/lib/firefox
        </seg>
        <seg>
          /usr/lib/firefox and /usr/lib/mozilla
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="firefox-prog">
        <term><command>firefox</command></term>
        <listitem>
          <para>
            is a <application>GTK+-3</application> internet browser that uses
            the Mozilla Gecko rendering engine
          </para>
          <indexterm zone="firefox firefox-prog">
            <primary sortas="b-firefox">firefox</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>
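
The note in the file above says that skipping the recommended dependencies makes the build fall back to internal copies that "can be out of date or contain security holes". The following check is an added example, not part of firefox.xml or of BLFS: it reads a mozconfig and reports which of the page's system-library switches are not in effect, and whether the page's two baseline switches are still present. The function names, the `BASELINE_OPTIONS` grouping and the sample input are assumptions made for illustration.

```python
import re

# Switches copied from the mozconfig in the file above. Treating an absent
# switch as "the bundled copy is built" is an assumption based on the page's note.
SYSTEM_LIB_OPTIONS = [
    "--with-system-libevent", "--with-system-webp", "--with-system-nspr",
    "--with-system-nss", "--with-system-icu", "--enable-system-ffi",
    "--enable-system-pixman", "--with-system-jpeg", "--with-system-png",
    "--with-system-zlib",
]
# Two switches the page's mozconfig sets below its "do not change" line.
BASELINE_OPTIONS = ["--disable-crashreporter", "--disable-updater"]
NEGATIONS = {"--with-": "--without-", "--enable-": "--disable-"}

# Constructed sample, not a real build configuration.
SAMPLE_MOZCONFIG = """\
ac_add_options --with-system-libevent
#ac_add_options --with-system-webp
ac_add_options --with-system-nspr
ac_add_options --with-system-nss
ac_add_options --with-system-icu
ac_add_options --without-system-icu   # a later line overrides the earlier one
ac_add_options --enable-system-ffi
ac_add_options --enable-system-pixman
ac_add_options --with-system-jpeg
ac_add_options --with-system-png
ac_add_options --disable-updater
"""


def active_options(text):
    """Return the arguments of every uncommented ac_add_options line, in order."""
    opts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        m = re.match(r"ac_add_options\s+(.+)$", line)
        if m:
            opts.extend(m.group(1).split())
    return opts


def option_state(text):
    """Map each switch, in its positive form, to True/False; later lines win."""
    state = {}
    for opt in active_options(text):
        name = opt.split("=", 1)[0]
        for pos, neg in NEGATIONS.items():
            if name.startswith(neg):
                state[pos + name[len(neg):]] = False
            elif name.startswith(pos):
                state[name] = True
    return state


def audit(text):
    """Report bundled libraries and baseline switches that are not in effect."""
    state = option_state(text)
    bundled = [o for o in SYSTEM_LIB_OPTIONS if state.get(o) is not True]
    missing = [o for o in BASELINE_OPTIONS
               if state.get(o.replace("--disable-", "--enable-", 1)) is not False]
    return {"bundled": bundled, "baseline_missing": missing}


if __name__ == "__main__":
    print(audit(SAMPLE_MOZCONFIG))
```
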
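
The Configuration Information section quotes a seccomp sandbox violation and tells the reader to put syscall 16 (54 on i686) into `security.sandbox.content.syscall_whitelist`. The following decoder is an added example, not part of firefox.xml or of Firefox: it parses that message and splits the second argument into the fields of a Linux ioctl request, so the reader can see which call triggered the violation before allowing the syscall number as a whole. The function names are assumptions, and the sample is the page's message joined onto one line.

```python
import re

# Both numbers named on the page are ioctl(2): 16 on x86_64, 54 on i686.
IOCTL_SYSCALL = {"x86_64": 16, "i686": 54}

# The message quoted in the file above, joined onto a single line.
SAMPLE = ("Sandbox: seccomp sandbox violation: pid 3941, tid 4030, "
          "syscall 16, args 48 2147767296 139909894784796 0 0 0.")

_LINE = re.compile(
    r"seccomp sandbox violation: pid (\d+), tid (\d+), "
    r"syscall (\d+), args((?: \d+){6})")

_DIRECTIONS = {0: "none", 1: "write", 2: "read", 3: "read/write"}


def parse_violation(line):
    """Extract pid, tid, syscall number and the six arguments, or None."""
    m = _LINE.search(line)
    if m is None:
        return None
    pid, tid, nr = (int(g) for g in m.group(1, 2, 3))
    return {"pid": pid, "tid": tid, "syscall": nr,
            "args": [int(a) for a in m.group(4).split()]}


def decode_ioctl_request(request):
    """Split an ioctl request using the x86 layout: dir(2) size(14) type(8) nr(8)."""
    request &= 0xFFFFFFFF
    type_byte = (request >> 8) & 0xFF
    return {
        "dir": _DIRECTIONS[(request >> 30) & 0x3],
        "size": (request >> 16) & 0x3FFF,
        "type": chr(type_byte) if 0x20 <= type_byte < 0x7F else hex(type_byte),
        "nr": request & 0xFF,
    }


def explain(line, arch="x86_64"):
    """Describe a violation; decode the request only when the syscall is ioctl."""
    v = parse_violation(line)
    if v is None:
        return None
    if v["syscall"] != IOCTL_SYSCALL[arch]:
        return {"syscall": v["syscall"], "fd": None, "request": None}
    fd, request = v["args"][0], v["args"][1]
    out = {"syscall": "ioctl", "fd": fd, "request": hex(request)}
    out.update(decode_ioctl_request(request))
    return out


if __name__ == "__main__":
    # For the page's message the request is 0x80045400: a 4-byte read, type 'T',
    # number 0. ALSA's timer interface defines SNDRV_TIMER_IOCTL_PVERSION as
    # _IOR('T', 0x00, int), which encodes to this value.
    print(explain(SAMPLE))
```

The preference on the page takes syscall numbers, so the entry it adds is coarser than the single request decoded here.
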