patches question

Message ID 20160623132347.GA9193@shadowwalker
State Superseded

Commit Message

non such June 23, 2016, 1:23 p.m. UTC
  Firefox wip, untested, not even run, just filling in fixes
which very likely have broken syntax looks like the later
inserted file. In this file there is a 140+ lines phase
which aims at doing what the following inserted patch
does. It is still growing (2 files left to patch).
As 'maybe' icecat can make use of the harfbuzz graphite
phase in this case it makes more sense to drop it
into gnu/packages/patches/ .. right?





...and this is the firefox.scm wip (which I said above
is broken and has broken syntax and also contradicting
statements in the comments as things need to be removed
and edited)

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu packages firefox)
  #:use-module ((srfi srfi-1) #:hide (zip))
  #:use-module (gnu packages)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module (gnu packages databases)
  #:use-module (gnu packages glib)
  #:use-module (gnu packages gstreamer)
  #:use-module (gnu packages gtk)
  #:use-module (gnu packages gnome)
  #:use-module (gnu packages libcanberra)
  #:use-module (gnu packages cups)
  #:use-module (gnu packages mit-krb5)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages perl)
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages compression)
  #:use-module (gnu packages fontutils)
  #:use-module (gnu packages libevent)
  #:use-module (gnu packages libreoffice)  ;for hunspell
  #:use-module (gnu packages image)
  #:use-module (gnu packages libffi)
  #:use-module (gnu packages pulseaudio)
  #:use-module (gnu packages python)
  #:use-module (gnu packages xorg)
  #:use-module (gnu packages gl)
  #:use-module (gnu packages assembly)
  #:use-module (gnu packages icu4c)
  #:use-module (gnu packages video)
  #:use-module (gnu packages xdisorg)
  #:use-module (gnu packages zip)
  #:use-module (gnu packages gnuzilla))

;; Work-in-progress package definition for Firefox 45.2.0esr on top of
;; gnu-build-system: fetch the upstream source tarball, delete bundled
;; libraries, and configure against the packaged inputs.
;; NOTE(review): as posted the form cannot be evaluated -- the 'configure
;; phase is followed directly by the synopsis field, so modify-phases,
;; arguments, package and define-public are never closed.  Treat everything
;; below as a sketch.
(define-public firefox
  (package
    (name "firefox")
    (version "45.2.0esr")
    (source
     (origin
       ;; The tarball is fetched over HTTPS and checked against the sha256
       ;; below; the hash, not the transport, is what pins the source
       ;; content, and it has to be recomputed on every version bump.
       (method url-fetch)
       (uri (string-append "https://archive.mozilla.org/pub/"
                           name "/releases/" version "/source/"
                           name "-" version ".source.tar.xz"))
       (sha256
        (base32
         "0jw0firs0rsg1a6msxbw6kar49rlscbnwmasvhcwjca20ds9fwhs"))
       ;; NOTE(review): the two firefox_* patch files are not shown here; they
       ;; would have to exist under gnu/packages/patches.  If
       ;; firefox_system_harfbuzz_graphite_bug847568.patch makes the same
       ;; edits as the 'use-system-harfbuzz-graphite phase below, only one of
       ;; the two should stay -- TODO confirm.
       (patches (search-patches
                 "icecat-avoid-bundled-includes.patch"
                 "firefox_system_harfbuzz_graphite_bug847568.patch"
                 "firefox_allow-utf8-fallback.patch"))
       (modules '((guix build utils)))
       ;; we might encounter things here which have been
       ;; solved in the patchsets by gentoo.
       ;; Delete the bundled copies of these libraries from the unpacked
       ;; source so the build cannot silently fall back to them.  The
       ;; replacements come from the inputs and the --with-system-* /
       ;; --enable-system-* configure flags further down, which means fixes
       ;; for nss, nspr, libvpx, sqlite etc. arrive through those packages
       ;; rather than through this tarball.
       (snippet
        '(begin
           (for-each delete-file-recursively
                     '("intl/icu" "nsprpub"
                       "modules/freetype2" "modules/zlib"
                       "modules/libbz2"
                       "ipc/chromium/src/third_party/libevent"
                       "media/libvpx" "security/nss" "gfx/cairo"
                       "js/src/ctypes/libffi" "db/sqlite3"))
                       ;; todo? libogg libtheora
                       ;; libvorbis libopus speex
                       ;; not packaged atm: libtremor
                       ;; not packaged atm: soundtouch))
           #t))))
    ;; according to gentoo those are the deps:
    ;; rdep: >=nss-3.21.1 >=nspr-4.12
    ;; dep: opengl
    ;; how to build:
    ;; 1. do stuff, patches etc
    ;; 2. autoreconf, cd js/src autoreconf
    ;; update configure of jemalloc(? wat):
    ;;; cd memory/jemalloc/src  autoreconf
    ;; preconfigure it:
    ;; configure (build) it:
    ;; CC= CXX= LD=
    ;; also: MOZ_MAKE_FLAGS="stuff" SHELL="/bin/bash"
    ;; make -f client.mk realbuild
    ;; install it:
    ;; as branding we'll use official it seems:
    ;; part of make already:
    ;; sizes="16 22 24 32 256" icon_path="browser/branding/official" icon="firefox" name="Mozilla Firefox"
    ;; for size in ${sizes}; do
    ;;  insinto "/share/icons/hicolor/${size}x${size}/apps"
    ;;  newins "${icon_path}/default${size}.png" "${icon}.png"
    ;; done
    ;; different name for 128x128
    ;; insinto /share/icons/hicolor/128x128/apps
    ;; newins "${icon_path}/mozicon128.png" "${icon}.png"
    ;; legacy DEs:
    ;; newicon "${icon_path}/content/icon48.png" "${icon}.png"
    ;; newmenu "${FILESDIR}/icon/${PN}.desktop" "${PN}.desktop"
    ;; sed -i -e "s:@NAME@:${name}:" -e "s:@ICON@:${icon}:" \
    ;; "${ED}/usr/share/applications/${PN}.desktop" || die
    ;; update the gnome icon cache.
    ;; done.
    ;; I package this version for a future inherit of torbrowser.
    ;; some of the patches might only be specific to this version
    (build-system gnu-build-system)
    ;; NOTE(review): the Gentoo note above asks for nss >= 3.21.1 and
    ;; nspr >= 4.12; nothing in this definition checks the versions of the
    ;; nss/nspr inputs.  No harfbuzz or graphite2 input is listed although
    ;; the 'use-system-harfbuzz-graphite phase prepares the build for them,
    ;; and "gtk+" is bound to gtk+-2 while the configure flags below select
    ;; cairo-gtk3.
    (inputs
     `(("alsa-lib" ,alsa-lib)
       ("bzip2" ,bzip2)
       ("cairo" ,cairo)
       ("cups" ,cups)
       ("dbus-glib" ,dbus-glib)
       ("gdk-pixbuf" ,gdk-pixbuf)
       ("glib" ,glib)
       ("gstreamer" ,gstreamer)
       ("gst-plugins-base" ,gst-plugins-base)
       ("gtk+" ,gtk+-2)
       ("pango" ,pango)
       ("freetype" ,freetype)
       ("hunspell" ,hunspell)
       ("libcanberra" ,libcanberra)
       ("libgnome" ,libgnome)
       ("libxft" ,libxft)
       ("libevent" ,libevent)
       ("libxinerama" ,libxinerama)
       ("libxscrnsaver" ,libxscrnsaver)
       ("libxcomposite" ,libxcomposite)
       ("libxt" ,libxt)
       ("libffi" ,libffi)
       ("libvpx" ,libvpx)
       ("icu4c" ,icu4c)
       ("pixman" ,pixman)
       ("pulseaudio" ,pulseaudio)
       ("mesa" ,mesa)
       ("mit-krb5" ,mit-krb5)
       ("nspr" ,nspr)
       ("nss" ,nss)
       ("sqlite" ,sqlite)
       ("startup-notification" ,startup-notification)
       ("unzip" ,unzip)
       ("yasm" ,yasm)
       ("zip" ,zip)
       ("zlib" ,zlib)))
    (native-inputs
     `(("perl" ,perl)
       ("python" ,python-2) ; Python 3 not supported
       ("python2-pysqlite" ,python2-pysqlite)
       ("pkg-config" ,pkg-config)))
    ;; firefox 45esr depends on either qt5 or gtk3 (or gtk2?)
    (arguments
     `(#:out-of-source? #t ; built outside of source dir
       ;;#:tests? #f ;assumption: no check target.
       ;;#:validate-runpath? #f
       ;; The flag list is a quoted literal, so nothing inside it is
       ;; evaluated: the "/location" values below are passed to configure
       ;; verbatim.
       #:configure-flags
       '(;; debug build: 8GiB, normal: 4GiB
         "--disable-debug" "--disable-debug-symbols"

         ;; use system libs:
         ;; NOTE(review): "/location" is a placeholder.  The nspr and nss
         ;; prefixes have to be the directories of the corresponding inputs,
         ;; otherwise configure may look for the TLS/crypto libraries in a
         ;; path that does not exist -- TODO fill in from the inputs.
         "--with-system-zlib" "--with-system-bz2"
         "--with-system-libevent" "--with-system-libvpx"
         "--with-system-icu"
         "--with-system-nspr" "--with-nspr-prefix=/location"
         "--with-system-nss" "--with-nss-prefix=/location"
         "--enable-system-pixman" "--enable-system-cairo"
         "--enable-system-ffi" "--enable-system-hunspell"
         "--enable-system-sqlite"
         ;; --enable-system-cairo ;; --with-system-jpeg
         ;; --with-system-harfbuff ;; --with-system-graphite2 (?)
         ;; NOTE(review): the options that the 'use-system-harfbuzz-graphite
         ;; phase adds to configure.in are spelled --with-system-harfbuzz and
         ;; --with-system-graphite2; neither is passed here, so the bundled
         ;; harfbuzz and graphite2 would still be built.

         ;; other
         "--enable-pango" "--enable-svg" ; wasn't there a bug w png?

         ;; branding
         ;; If you want the resulting program to call itself "Firefox" instead
         ;; of "Shiretoko" or whatever, enable this option.  However, those
         ;; binaries may not be distributed without permission from the
         ;; Mozilla Foundation, see https://www.mozilla.org/foundation/trademarks/.
         "--with-branding=browser/branding/aurora"
         ;; necko-wifi is optional, disable it (wth is this even):
         "--disable-necko-wifi"

         ;; for now, disable google api ... however this works:
         ;; todo.

         ;; media
         "--enable-ogg" "--enable-wave"
         "--enable-gstreamer=1.0" "--enable-pulseaudio"

         ;; general
         ;; NOTE(review): "--libdir=/location" is the same placeholder as
         ;; above, and "--enable-system-ffi" is already given in the
         ;; system-libs group.
         "--libdir=/location" "--enable-gio"
         "--disable-crashreporter" "--enable-system-ffi"
         "--enable-default-toolkit=cairo-gtk3"
         ;; unclear:
         ;; "--disable-skia" "--disable-gconf"
         ;; can the guix let firefox play in sandboxes? is it necessary?
         ;; NOTE(review): presumably this controls the browser's own
         ;; sandboxing of content processes, i.e. a hardening feature that is
         ;; independent of the build environment -- confirm what it does on
         ;; this version before changing or dropping it.
         "--enable-content-sandbox" ; wtf that
         "--disable-content-sandbox-reporter"
         ;;"--disable-installer" "--enable-release" ; ? wth
         ;;"--enable-official-branding" ; (c)!
         ;;"--enable-strip" "--enable-optimize" ;? wat.
         ;; With the in-application updater disabled, browser security fixes
         ;; reach users only when this package is updated.
         "--disable-updater" "--with-intl-api")
       #:modules ((ice-9 ftw)
                  (ice-9 rdelim)
                  (ice-9 match)
                  ,@%gnu-build-system-modules)
       #:phases
       (modify-phases %standard-phases
         ;; Walk the unpacked tree and raise every modification time that is
         ;; earlier than 1980-01-02 UTC to exactly that instant; newer files
         ;; are left alone.  Presumably needed because archives created
         ;; during the build cannot store earlier dates -- TODO confirm.
         (add-after 'unpack 'ensure-no-mtimes-pre-1980
           (lambda _
             (let ((early-1980 315619200)) ; 1980-01-02 utc
               (ftw "." (lambda (file stat flag)
                          (unless (<= early-1980 (stat:mtime stat))
                            (utime file early-1980 early-1980))
                          #t))
               #t)))
         ;; Drop the "h264parse" entry (the whole line) from the list in
         ;; GStreamerFormatHelper.cpp.
         (add-after 'unpack 'remove-h264parse-from-blacklist
           (lambda _
             (substitute* "dom/media/gstreamer/GStreamerFormatHelper.cpp"
               (("^  \"h264parse\",\n") ""))
             #t))
         ;; Replace the "# This needs to be last" marker in
         ;; toolkit/library/moz.build with an OS_LIBS addition naming the
         ;; libraries listed in the string.  The marker text itself is not
         ;; written back.
         (add-after 'unpack 'arrange-to-link-libxul-with-libraries-it-might-dlopen
           (lambda _
             (substitute* "toolkit/library/moz.build"
               (("^# This needs to be last")
                "OS_LIBS += [
'GL', 'gnome-2', 'canberra', 'Xss', 'cups', 'gssapi_krb5',
'gstreamer-1.0', 'gstapp-1.0', 'gstvideo-1.0', ]\n\n"))
             #t))
         ;; Hand-written edits, one substitute* per file, intended to let the
         ;; build use system harfbuzz and graphite2.
         ;; NOTE(review): substitute* applies each regexp to one line of the
         ;; file at a time, so the patterns below that span several lines
         ;; cannot match.  A pattern that matches nothing is not an error and
         ;; the phase returns #t regardless, so a failed edit goes unnoticed.
         ;; Most replacement strings also contain both "\n" and real line
         ;; breaks, which doubles the newlines written to the file.
         (add-after 'unpack 'use-system-harfbuzz-graphite
           (lambda _
             ;; NOTE(review): "$", "(" and ")" are regexp metacharacters and
             ;; are not escaped in this pattern, so it presumably does not
             ;; match the literal Makefile text -- confirm.
             (substitute* "config/Makefile.in"
               (("^-DMOZ_NATIVE_ICU=$(MOZ_NATIVE_ICU) \\")
                "-DMOZ_NATIVE_ICU=$(MOZ_NATIVE_ICU) \\\n
-DMOZ_NATIVE_GRAPHITE2=$(MOZ_NATIVE_GRAPHITE2) \\\n
-DMOZ_NATIVE_HARFBUZZ=$(MOZ_NATIVE_HARFBUZZ) \\\n"))
             ;; The continuation lines of this replacement are indented
             ;; inside the string literal, so that indentation ends up in
             ;; config/system-headers as well.
             (substitute* "config/system-headers"
               (("^unwind.h")
                "unwind.h\n
                #if MOZ_NATIVE_GRAPHITE2==1\n
                graphite2/Font.h\n
                graphite2/Segment.h\n
                #endif\n
                #if MOZ_NATIVE_HARFBUZZ==1\n
                harfbuzz/hb-ot.h\n
                harfbuzz/hb.h\n
                #endif"))
             ;; NOTE(review): the replacement text starts with a literal "^"
             ;; copied from the pattern; it would be written into moz.build.
             (substitute* "dom/base/moz.build"
               (("^if CONFIG['MOZ_X11']:\n
CXXFLAGS += CONFIG['TK_CFLAGS']")
                "^if CONFIG['MOZ_X11']:\n
CXXFLAGS += CONFIG['TK_CFLAGS']\n
if CONFIG['MOZ_NATIVE_HARFBUZZ']:\n
CXXFLAGS += CONFIG['MOZ_HARFBUZZ_CFLAGS']\n\n"))
             ;; NOTE(review): the strings below use the escapes "\;" and
             ;; "\,", which the Scheme reader may reject -- confirm.
             (substitute* "gfx/graphite2/moz-gr-update.sh"
               (("^# Script used to update the Graphite2 library in the mozilla source tree")
                "# Script used to update the Graphite2 library in the mozilla source tree
# and bump version for --with-system-graphite2")
               (("#find gfx/graphite2/ -name \"*.h\" -exec perl -p -i -e \"s/<cstdio>/<stdio.h>/;s/Windows.h/windows.h/;\" {} \;")
                "#find gfx/graphite2/ -name \"*.h\" -exec perl -p -i -e \"s/<cstdio>/<stdio.h>/;s/Windows.h/windows.h/;\" {} \;\n\n
# chase version for --with-system-graphite2
perl -p -i -e \"s/[0-9]+\,[0-9]+\,[0-9]+/$RELEASE/ and tr/./,/ \
if /GR2_VERSION_REQUIRE/\" configure.in\n\n")
               (("hg stat gfx/graphite2")
                "hg stat configure.in gfx/graphite2"))
             ;; Intent, as far as the strings show: build the bundled
             ;; graphite2/src and harfbuzz/src directories only when the
             ;; MOZ_NATIVE_* switches are unset, and remove both from the
             ;; unconditional DIRS list.
             (substitute* "gfx/moz.build"
               (("^if CONFIG['MOZ_TREE_CAIRO']:\n
DIRS += ['cairo']")
                "if CONFIG['MOZ_TREE_CAIRO']:\n
DIRS += ['cairo']\n
if not CONFIG['MOZ_NATIVE_GRAPHITE2']:\n
    DIRS += ['graphite2/src' ]\n\n
if not CONFIG['MOZ_NATIVE_HARFBUZZ']:\n
    DIRS += ['harfbuzz/src']\n\n")
               (("DIRS += [\n
'2d',\n
'ycbcr',\n
'angle',\n
'src',\n
'qcms',\n
'gl',\n
'layers',\n
'graphite2/src',\n
'harfbuzz/src',\n
'ots/src',\n
'thebes',\n
'ipc',\n
'vr',\n
]\n")
                "DIRS += [\n
'2d',\n
'ycbcr',\n
'angle',\n
'src',\n
'qcms',\n
'gl',\n
'layers',\n
'ots/src',\n
'thebes',\n
'ipc',\n
'vr',\n
]\n"))
             (substitute* "intl/unicharutil/util/moz.build"
               (("if CONFIG['ENABLE_INTL_API']:\n
CXXFLAGS += CONFIG['MOZ_ICU_CFLAGS']\n
LOCAL_INCLUDES += CONFIG['MOZ_ICU_INCLUDES']\n
USE_LIBS += ['icu']\n\n")
                "if CONFIG['ENABLE_INTL_API']:\n
CXXFLAGS += CONFIG['MOZ_ICU_CFLAGS']\n
LOCAL_INCLUDES += CONFIG['MOZ_ICU_INCLUDES']\n
USE_LIBS += ['icu']\n\n
if CONFIG['MOZ_NATIVE_HARFBUZZ']:\n
CXXFLAGS += CONFIG['MOZ_HARFBUZZ_CFLAGS']\n\n"))
             ;; NOTE(review): the replacement contains "330", "331" and "332"
             ;; in front of three lines; they look like line numbers pasted
             ;; along with the text and would corrupt netwerk/dns/moz.build.
             (substitute* "netwerk/dns/moz.build"
               (("# need to include etld_data.inc
LOCAL_INCLUDES += [\n
'/netwerk/base',\n
]\n\n")
                "# need to include etld_data.inc
330LOCAL_INCLUDES += [\n
331'/netwerk/base',\n
332]\n\n
if CONFIG['MOZ_NATIVE_HARFBUZZ']:\n
CXXFLAGS += CONFIG['MOZ_HARFBUZZ_CFLAGS']\n\n"))
             ;; Intended to add two configure options after the fontconfig
             ;; block: --with-system-harfbuzz (pkg-config check for
             ;; harfbuzz >= 1.1.3) and --with-system-graphite2 (pkg-config
             ;; check plus a compile-time test for version 1.3.8 or later).
             ;; NOTE(review): the replacement uses the escapes "\;" and "\)",
             ;; which the Scheme reader may reject -- confirm.
             (substitute* "configure.in"
               (("else\n
FT2_CFLAGS=\"$FT2_CFLAGS $_FONTCONFIG_CFLAGS\"\n
FT2_LIBS=\"$FT2_LIBS $_FONTCONFIG_LIBS\"\n
fi\n
])\n
fi\n\n
dnl ========================================================\n")
                "else\n
FT2_CFLAGS=\"$FT2_CFLAGS $_FONTCONFIG_CFLAGS\"\n
FT2_LIBS=\"$FT2_LIBS $_FONTCONFIG_LIBS\"\n
fi\n
])\n
fi\n\n
dnl ========================================================\n
dnl Check for harfbuzz\n
dnl ========================================================\n\n
MOZ_ARG_WITH_BOOL(system-harfbuzz,\n
[  --with-system-harfbuzz  Use system harfbuzz (located with pkgconfig)],\n
MOZ_NATIVE_HARFBUZZ=1,\n
MOZ_NATIVE_HARFBUZZ=)\n\n
if test -n \"$MOZ_NATIVE_HARFBUZZ\"\; then\n
PKG_CHECK_MODULES(MOZ_HARFBUZZ, harfbuzz >= 1.1.3)\n
fi\n\n
AC_SUBST(MOZ_NATIVE_HARFBUZZ)\n\n
dnl ========================================================\n
dnl Check for graphite2\n
dnl ========================================================\n\n
MOZ_ARG_WITH_BOOL(system-graphite2,\n
[  --with-system-graphite2 Use system graphite2 (located with pkgconfig)],\n
MOZ_NATIVE_GRAPHITE2=1,\n
MOZ_NATIVE_GRAPHITE2=)\n\n
if test -n \"$MOZ_NATIVE_GRAPHITE2\"\; then\n
PKG_CHECK_MODULES(MOZ_GRAPHITE2, graphite2)\n\n
dnl graphite2.pc has bogus version, check manually\n
AC_TRY_COMPILE([ #include <graphite2/Font.h>\n
#define GR2_VERSION_REQUIRE(major,minor,bugfix)  \\\n
( GR2_VERSION_MAJOR * 10000 + GR2_VERSION_MINOR \\\n
* 100 + GR2_VERSION_BUGFIX >= \\\n
(major) * 10000 + \(minor\) * 100 + \(bugfix\) \) \n
], [\n
#if !GR2_VERSION_REQUIRE(1,3,8\)\n
#error \"Insufficient graphite2 version.\"\n
#endif\n
], [],\n
[AC_MSG_ERROR([--with-system-graphite2 requested but no working libgraphite2 found]\)])\n
fi\n\n
AC_SUBST(MOZ_NATIVE_GRAPHITE2\)\n\n
dnl ========================================================\n"))
             #t))
         ;; Replacement for the standard configure phase: create a sibling
         ;; "../build" directory, change into it, and run the source tree's
         ;; configure script through bash with --prefix, --with-l10n-base and
         ;; the #:configure-flags above.  SHELL and CONFIG_SHELL are set to
         ;; the bash found on PATH.  The phase succeeds only when configure
         ;; exits with status 0.
         (replace 'configure
           (lambda* (#:key outputs configure-flags #:allow-other-keys)
             (let* ((out (assoc-ref outputs "out"))
                    (bash (which "bash"))
                    (abs-srcdir (getcwd))
                    (srcdir (string-append "../" (basename abs-srcdir)))
                    (flags `(,(string-append "--prefix=" out)
                             ,(string-append "--with-l10n-base="
                                             abs-srcdir "/l10n")
                             ,@configure-flags)))
               (setenv "SHELL" bash)
               (setenv "CONFIG_SHELL" bash)
               ;; or objdir...?:
               (mkdir "../build")
               (chdir "../build")
               (format #t "build directory: ~s~%" (getcwd))
               (format #t "configure flags: ~s~%" flags)
               (zero? (apply system* bash
                             (string-append srcdir "/configure")
                             flags)))))
         ;; we are entirely missing a .desktop afaic.
         ;;(add-before 'configure 'install-desktop-entry)
    ;; NOTE(review): modify-phases, the arguments list and the arguments
    ;; field are still open at this point, so the fields below are read as
    ;; part of the phases form.  The synopsis and description are
    ;; placeholders and need real text.
    (synopsis "I shit unicorns")
    (description "I kissed a brick and I licked it.")
    (home-page "https://www.mozilla.com/firefox")
    (license license:mpl2.0)
    ;; for graphite we want to do:
    ;; echo "sticky_pref(\"gfx.font_rendering.graphite.enabled\",true);" >> "${prefs_file}" || die
    ;; we also want gmp blobs to be disabled..
    ;; NOTE(review): neither of the two items above is implemented anywhere
    ;; in this definition; no configure flag or phase touches the graphite
    ;; preference or the gmp components.

--
♥Ⓐ ng0
For non-prism friendly talk find me on
psyced.org / loupsycedyglgamf.onion
  

Comments

Andreas Enge June 23, 2016, 8:27 p.m. UTC | #1
On Thu, Jun 23, 2016 at 01:23:47PM +0000, ng0 wrote:
> Firefox wip, untested, not even run, just filling in fixes
> which very likely have broken syntax looks like the later
> inserted file. In this file there is a 140+ lines phase
> which aims at doing what the following inserted patch
> does. It is still growing (2 files left to patch).
> As 'maybe' icecat can make use of the harfbuzz graphite
> phase in this case it makes more sense to drop it
> into gnu/packages/patches/ .. right?

I must admit I have difficulties understanding what you are trying to do
(after I finally managed to parse the first sentence above, in which it
is rather unclear who or what is the subject of the different verbs).
It is clear that the complicated Scheme "substitute*" forms in your package
definition are inferior to a real patch; if all they do is reimplement
finely chiselled patches, they do not make sense.

The example I had in mind for uses of "substitute*" was when a string could
be replaced by another one everywhere in files, for instance "/bin/sh" by
"sh" or these kinds of things; then "substitute*" will still work, even
if a few lines are swapped in the file or the string occurs once more or
less in a later version. A patch would fail in that situation.

It looks like you are trying to use the system harfbuzz instead of a bundled
copy? Or the system graphite? If that is the case, maybe it would be optimal
to propose a patch upstream? The icecat package definition contains a few
comments pointing to bug reports at bugzilla.mozilla.org.

Andreas
  
Ludovic Courtès June 24, 2016, 12:09 p.m. UTC | #2
Hello!

ng0 <ng0@we.make.ritual.n0.is> skribis:

> diff --git a/config/Makefile.in b/config/Makefile.in
> --- a/config/Makefile.in
> +++ b/config/Makefile.in

I view this patch as upstream work that Guix should not carry.  To put
it differently, it’s not Guix’s mission to maintain a fork of Firefox
(or any other package).

> (define-public firefox
>   (package
>     (name "firefox")
>     (version "45.2.0esr")

What is the goal here?

Guix proper can provide IceCat (which modifies Firefox to comply with
trademark rules, to comply with the GNU FSDG¹, and to enhance privacy),
maybe Tor Browser (assuming it complies with the FSDG as well), but not
stock Firefox (unless the trademark issue and FSDG violations are
resolved.)

Besides, I think it should be possible to (inherit icecat) rather than
duplicate all the recipe.

Hope this clarifies things!

Thanks,
Ludo’.

¹ https://www.gnu.org/distros/free-system-distribution-guidelines.html
  
non such June 24, 2016, 1:43 p.m. UTC | #3
On 2016-06-24(02:09:39PM+0200), Ludovic Courtès wrote:
> Hello!
>
> ng0 <ng0@we.make.ritual.n0.is> skribis:
>
> > diff --git a/config/Makefile.in b/config/Makefile.in
> > --- a/config/Makefile.in
> > +++ b/config/Makefile.in
>
> I view this patch as upstream work that Guix should not carry.  To put
> it differently, it’s not Guix’s missing to maintain a fork of Firefox
> (or any other package).

I cleared up some code since I posted this. We do not have to include the
patch for the libraries (if this is what this was referring to).

> > (define-public firefox
> >   (package
> >     (name "firefox")
> >     (version "45.2.0esr")
>
> What is the goal here?
>
> Guix proper can provide IceCat (which modifies Firefox to comply with
> trademark rules, to comply with the GNU FSDG¹, and to enhance privacy),
> maybe Tor Browser (assuming it complies with the FSDG as well), but not
> stock Firefox (unless the trademark issue and FSDG violations are
> resolved.)

Writing a base for torbrowser, as icecat is too old for torbrowser
(different version of firefox) and I'd like to replicate torbrowser
in a way which is compatible to us.
If this requires to construct the browser based on what icecat does
but with guix package phase patching, I see no problem with this
other than potential legal issues which need to be clarified by other
people.

> Besides, I think it should be possible to (inherit icecat) rather than
> duplicate all the recipe.

True, but between 38.8 and 45.2.0 things change, patches can not be reused,
and the reason I gave above.

> Hope this clarifies things!
>
> Thanks,
> Ludo’.
>
> ¹ https://www.gnu.org/distros/free-system-distribution-guidelines.html
>

I am more willing to maintain another fork of firefox than to
wait for icecat to be recent enough to be usable as a base for
a torbrowser package.

Additionally I was about to get in contact with torproject and
ask about possible trademark/confusion issues on their side,
the unsent email:

Hello,

I'm currently in the process of packaging a modified firefox
for GNU Guix[1], for safety labeled "icepanda" for now.
My intention with this is to provide a base package for a
torbrowser which will be compatible for us as a GNU project.

The resulting torbrowser will be different from what
torproject ships in binaries:
- we need to remove certain addons of base firefox,
- replace as much included libraries with our system
  packaged libraries as possible,
- replace the mozilla store which recommends non-free
  software
   - there are two solutions here, the long term one
     I prefer is to import browser addons into our
     reproducible store
- rebrand the firefox to prevent trademark issues.

Once torbrowser can inherit this firefox brand and
is functional this way, we will inform users that
this is an unofficial build and that usage might be
dangerous depending on their threat level etc
(comparable to the pkg_postinstall() in [0]), a note
which has yet to be written.
The base (firefox) is obviously altered, but I can not
tell at this moment how much of torbrowser, if anything
at all, needs to be adjusted. My guess is that torbrowser
specific changes can technically be included without
problems, the practical part leads me to my question.

Potential usage issues I am interested in include if/how
much the default fingerprint of the webbrowser differs
from the binary you ship.

The question I now have is, are we allowed to use the name
torbrowser for the binary substitute we will distribute,
or is this a potential trademark / confusion issue (as
written in your FAQ) and we should pick a different name
like "onionpanda" (going with the current work in progress
name "icepanda")?

[0]: https://data.gpo.zugaina.org/torbrowser/www-client/torbrowser/torbrowser-45.2.0_p602.ebuild
[1]: https://www.gnu.org/s/guix

--
♥Ⓐ ng0
For non-prism friendly talk find me on
psyced.org / loupsycedyglgamf.onion
  
Ludovic Courtès June 24, 2016, 3:48 p.m. UTC | #4
ng0 <ng0@we.make.ritual.n0.is> skribis:

> On 2016-06-24(02:09:39PM+0200), Ludovic Courtès wrote:

[...]

>> > (define-public firefox
>> >   (package
>> >     (name "firefox")
>> >     (version "45.2.0esr")
>>
>> What is the goal here?
>>
>> Guix proper can provide IceCat (which modifies Firefox to comply with
>> trademark rules, to comply with the GNU FSDG¹, and to enhance privacy),
>> maybe Tor Browser (assuming it complies with the FSDG as well), but not
>> stock Firefox (unless the trademark issue and FSDG violations are
>> resolved.)
>
> Writing a base for torbrowser

Great!  Then I think you don’t need to worry about Firefox at all.
Maybe TB uses Firefox’s source and then patches it, but that doesn’t
mean we need a Firefox package.

>> Besides, I think it should be possible to (inherit icecat) rather than
>> duplicate all the recipe.
>
> True, but between 38.8 and 45.2.0 things change, patches can not be reused,
> and the reason I gave above.

Then use the Firefox 45 source as a starting point.

> I am more willing to maintain another fork of firefox than to
> wait for icecat to be recent enough to be usable as a base for
> a torbrowser package.

I think there’s a misunderstanding: if Guix provides Tor Browser, then
it should provide precisely Tor Browser, not Firecat or Icefox with 20
patches.  :-)

> Additionally I was about to get in contact with torproject and
> ask about possible trademark/confusion issues on their side,
> the unsent email:

I think we do not need to bother them.  AFAIK, we can use the name “Tor
Browser” just fine, so there’s no reason to invent another name or
anything.

The only issue that needs to be addressed (but again, we don’t need to
bother the Tor folks with that) is whether Tor Browser is FSDG-compliant
(concretely, whether it recommends non-free software, for instance.)

HTH!

Ludo’.
  
non such June 24, 2016, 5:49 p.m. UTC | #5
On 2016-06-24(05:48:49PM+0200), Ludovic Courtès wrote:
> ng0 <ng0@we.make.ritual.n0.is> skribis:
>
> > On 2016-06-24(02:09:39PM+0200), Ludovic Courtès wrote:
>
> [...]
>
> >> > (define-public firefox
> >> >   (package
> >> >     (name "firefox")
> >> >     (version "45.2.0esr")
> >>
> >> What is the goal here?
> >>
> >> Guix proper can provide IceCat (which modifies Firefox to comply with
> >> trademark rules, to comply with the GNU FSDG¹, and to enhance privacy),
> >> maybe Tor Browser (assuming it complies with the FSDG as well), but not
> >> stock Firefox (unless the trademark issue and FSDG violations are
> >> resolved.)
> >
> > Writing a base for torbrowser
>
> Great!  Then I think you don’t need to worry about Firefox at all.
> Maybe TB uses Firefox’s source and then patches it, but that doesn’t
> mean we need a Firefox package.
>
> >> Besides, I think it should be possible to (inherit icecat) rather than
> >> duplicate all the recipe.
> >
> > True, but between 38.8 and 45.2.0 things change, patches can not be reused,
> > and the reason I gave above.
>
> Then use the Firefox 45 source as a starting point.

Do we have something comparable? I thought it was better to start off
with a native 45.2.0esr, leave out this part of the gitian build of
torbrowser and try to just inherit/patch it that way.

Maybe my approach is still a bit gentoo'ish. In our Gentoo overlay we
replicated the gitian build, but I was only maintaining it and ocassionaly
doing a version bump and testing, I did not come up with the procedure.

What it does is the following:

A shallow checkout of https://git.torproject.org/tor-browser.git
which is usually pinned to a tag specified in the gitian build
repository of torproject for tor-browser,
pull in gentoo specific patchsets for the firefox version,
pull in an architecture specific torbrowser from either
https://archive.torproject.org/tor-package-archive/${PN}/${TOR_PV} or
https://dist.torproject.org/${PN}/${TOR_PV} (arch is x86 or amd64),
prepare the source:
1. apply firefox patches
2. revert "change the default firefox profile directory to be tbb-relative" (patch)
3. allow the lightspark and freshplayerplugins for whatever reasons (exempt them from a blocklist)
4. fix some nss problems
5. set the plugins directory to the global one of gentoo
6. fix sandbox violations
etc etc (very similar to firefox at this point and before it)
configure:
rename install executables and directories
disable the update + set the tor-browser version
install (build):
some orientation around the tor-browser-bunde.git repository
some firefox again
set a profile
install files.


After writing this out of the context of the ebuild syntax,
I can see why it could be build without a firefox package.
However we still would need to apply what icecat does,
at least part of it, where necessary.
Yesterday I wrote phases for most of what the icecat build
bash script does.

> > I am more willing to maintain another fork of firefox than to
> > wait for icecat to be recent enough to be usable as a base for
> > a torbrowser package.
>
> I think there’s a misunderstanding: if Guix provides Tor Browser, then
> it should provide precisely Tor Browser, not Firecat or Icefox with 20
> patches.  :-)

" However we still would need to apply what icecat does, or "
" at least part of it. "
" Yesterday I wrote phases for most of what the icecat build "
" bash script does. "
Does this not apply here, that we need to patch torbrowser?
You can still use the mozilla store for example.

> > Additionally I was about to get in contact with torproject and
> > ask about possible trademark/confusion issues on their side,
> > the unsent email:
>
> I think we do not need to bother them.  AFAIK, we can use the name “Tor
> Browser” just fine, so there’s no reason to invent another name or
> anything.
>
> The only issue that needs to be addressed (but again, we don’t need to
> bother the Tor folks with that) is whether Tor Browser is FSDG-compliant
> (concretely, whether it recommends non-free software, for instance.)

That's why I was about to ask them. Some parts needs to be changed,
out of the same motivation why icecat exists.
Their FAQ says that they "don't want to be trademark bullies", so
a good conversation is better than a sudden surprise on both ends.

No one can be an expert in everything, and international law is
something I don't claim to be an expert in, so I seek conversation.

~~~~~~
Aside, I wonder if crypto export laws would be applicable to
binaries of crypto software we package, given that some nations
still have regulations on them. And on top of that, what happens
when guix moves to secure, truly distributed, peer-to-peer
package distribution.
Not that I really care or believe that anyone is legally
responsible then, but I'm curious about the 'what if'.
~~~~~~

A bit related offtopic now, what I inteded to write in the
email to torproject and what I discussed this year with a
contact:
It would be nice to have a modified firefox
– or anything firefox based or being an application of top
of something which uses the mozilla app+extensions store –
which uses extensions, addons, apps, coming from the guix
store, imported by compatible licenses.
And I think this would be then a case where we, in the eyes
of the developers of affected software, have altered the
application, in my view just an extension of security but
for them it could mean an irritation.

Completely source based gentoo derivates can do something
in this direction already because they only provide you
with the source, not binaries.
We also provide binaries.
Would this be a modification gone too far already? I see
it as an extension to the software.

> HTH!
>
> Ludo’.
>

For the license part:

I have not double checked myself, but our ebuild says that
the codebase of torproject is under BSD license (which
probably is inaccurate and unspecific) and icons are under
the CCPL-Attribution-3.0

# BSD license applies to torproject-related code like the patches
# icons are under CCPL-Attribution-3.0
LICENSE="BSD CC-BY-3.0 MPL-2.0 GPL-2 LGPL-2.1"
--
♥Ⓐ ng0
For non-prism friendly talk find me on
psyced.org / loupsycedyglgamf.onion
  
Ludovic Courtès June 26, 2016, 10:05 a.m. UTC | #6
Hi!

ng0 <ng0@we.make.ritual.n0.is> skribis:

> What it does is the following:
>
> A shallow checkout of https://git.torproject.org/tor-browser.git
> which is usually pinned to a tag specified in the gitian build
> repository of torproject for tor-browser,
> pull in gentoo specific patchsets for the firefox version,
> pull in an architecture specific torbrowser from either
> https://archive.torproject.org/tor-package-archive/${PN}/${TOR_PV} or
> https://dist.torproject.org/${PN}/${TOR_PV} (arch is x86 or amd64),
> prepare the source:
> 1. apply firefox patches
> 2. revert "change the default firefox profile directory to be tbb-relative" (patch)
> 3. allow the lightspark and freshplayerplugins for whatever reasons (except them from a blocklist)
> 4. fix some nss problems
> 5. set the plugins directory to the global one of gentoo
> 6. fix sandbox violations
> etc etc (very similar to firefox at this point and before it)
> configure:
> rename install executables and directories
> disable the update + set the tor-browser version
> install (build):
> some orientation around the tor-browser-bunde.git repository
> some firefox again
> set a profile
> install files.

I suppose TB contains a script that does all that, right?  Would it work
to simply run it?  If it invokes wget/curl, then this needs to be
replaced, but the rest should be fine.

It’s unfortunate that there’s no ready-to-build TB tarball, that would
simplify things for us.

Thanks,
Ludo’.
  
non such June 29, 2016, 12:48 p.m. UTC | #7
Ludovic Courtès writes:

> Hi!
>
> ng0 <ng0@we.make.ritual.n0.is> skribis:
>
>> What it does is the following:
>>
>> A shallow checkout of https://git.torproject.org/tor-browser.git
>> which is usually pinned to a tag specified in the gitian build
>> repository of torproject for tor-browser,
>> pull in gentoo specific patchsets for the firefox version,
>> pull in an architecture specific torbrowser from either
>> https://archive.torproject.org/tor-package-archive/${PN}/${TOR_PV} or
>> https://dist.torproject.org/${PN}/${TOR_PV} (arch is x86 or amd64),
>> prepare the source:
>> 1. apply firefox patches
>> 2. revert "change the default firefox profile directory to be tbb-relative" (patch)
>> 3. allow the lightspark and freshplayerplugins for whatever reasons (except them from a blocklist)
>> 4. fix some nss problems
>> 5. set the plugins directory to the global one of gentoo
>> 6. fix sandbox violations
>> etc etc (very similar to firefox at this point and before it)
>> configure:
>> rename install executables and directories
>> disable the update + set the tor-browser version
>> install (build):
>> some orientation around the tor-browser-bunde.git repository
>> some firefox again
>> set a profile
>> install files.
>
> I suppose TB contains a script that does all that, right?  Would it work
> to simply run it?  If it invokes wget/curl, then this needs to be
> replaced, but the rest should be fine.

It's not that easy I'm afraid.
Currently they use a gitian build, as described in this README[0],
which the person maintaining the torbrowser ebuild for Gentoo out
of portage replicates and follows in parts.
It can't be followed completely, as `builders/tor-browser-bundle'
requires a checkout of gitian of the torproject.org

So we have to look at what they do and recreate this build
procedure, there's no individual Makefile, the releases are
created in VMs.

Dependencies are kept up to date here[1].

This[2] is the script connecting/using gitian for gnu-linux releases.

The Makefile just runs the corresponding scripts.

18 Months ago they also started a trac ticket on NixOS as an idea[3]

> It’s unfortunate that there’s no ready-to-build TB tarball, that would
> simplify things for us.

Yes.. But I think icecat suffers from the same problem, only that
icecat tarballs/binaries are built using a bash script applying
all that's needed to the firefox sources again.

> Thanks,
> Ludo’.
>

[0]: https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/README.build
[1]: https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/versions
[2]: https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/mkbundle-linux.sh
[3]: https://trac.torproject.org/projects/tor/ticket/12520
--
♥Ⓐ  ng0
For non-prism friendly talk find me on
psyced.org / loupsycedyglgamf.onion
  
Ludovic Courtès June 30, 2016, 10:29 a.m. UTC | #8
ng0@we.make.ritual.n0.is skribis:

> Ludovic Courtès writes:

[...]

>> I suppose TB contains a script that does all that, right?  Would it work
>> to simply run it?  If it invokes wget/curl, then this needs to be
>> replaced, but the rest should be fine.
>
> It's not that easy I'm afraid.
> Currently they use a gitian build, as described in this README[0],
> which the person maintaining the torbrowser ebuild for Gentoo out
> of portage replicates and follows in parts.
> It can't be followed completely, as `builders/tor-browser-bundle'
> requires a checkout of gitian of the torproject.org
>
> So we have to look at what they do and recreate this build
> procedure, there's no individual Makefile, the releases are
> created in VMs.
>
> Dependencies are kept up to date here[1].
>
> This[2] is the script connecting/using gitian for gnu-linux releases.
>
> The Makefile just runs the corresponding scripts.

Gitian is about building binaries.  There must be some script somewhere
to apply the relevant patches to the source first, before one builds it,
no?

>> It’s unfortunate that there’s no ready-to-build TB tarball, that would
>> simplify things for us.
>
> Yes.. But I think icecat suffers from the same problem, only that
> icecat tarballs/binaries are built using a bash script applying
> all that's needed to the firefox sources again.

IceCat publishes source tarballs that, AIUI, are produced essentially by
running a script that patches Firefox’s code base (same approach for
Linux-libre.)

Thanks,
Ludo’.
  
non such June 30, 2016, 4:09 p.m. UTC | #9
Ludovic Courtès writes:

> ng0@we.make.ritual.n0.is skribis:
>
>> Ludovic Courtès writes:
>
> [...]
>
>>> I suppose TB contains a script that does all that, right?  Would it work
>>> to simply run it?  If it invokes wget/curl, then this needs to be
>>> replaced, but the rest should be fine.
>>
>> It's not that easy I'm afraid.
>> Currently they use a gitian build, as described in this README[0],
>> which the person maintaining the torbrowser ebuild for Gentoo out
>> of portage replicates and follows in parts.
>> It can't be followed completely, as `builders/tor-browser-bundle'
>> requires a checkout of gitian of the torproject.org
>>
>> So we have to look at what they do and recreate this build
>> procedure, there's no individual Makefile, the releases are
>> created in VMs.
>>
>> Dependencies are kept up to date here[1].
>>
>> This[2] is the script connecting/using gitian for gnu-linux releases.
>>
>> The Makefile just runs the corresponding scripts.
>
> Gitian is about building binaries.  There must be some script somewhere
> to apply the relevant patches to the source first, before one builds it,
> no?
>
>>> It’s unfortunate that there’s no ready-to-build TB tarball, that would
>>> simplify things for us.
>>
>> Yes.. But I think icecat suffers from the same problem, only that
>> icecat tarballs/binaries are built using a bash script applying
>> all that's needed to the firefox sources again.
>
> IceCat publishes source tarballs that, AIUI, are produced essentially by
> running a script that patches Firefox’s code base (same approach for
> Linux-libre.)
>
> Thanks,
> Ludo’.

Due to recent events, and because I am focusing on something much
bigger (an email introducing this will follow soon), torbrowser is
not so high on my priority list.
In fact tor circuits have been so unreliable lately (at least it
became very annoying to deal with the number of skipped circuits)
that I am thinking of moving the things I use hidden services
for to gnunet-vpn as soon as I find time to work around this on
the server.

However I will still find the relevant dirs and files so someone
I told about this might start working on it and proxy their work
through me to us (that's due to another reason I'd like to
address later).. If not, anyone else is welcome to spot this
email and start working.

Licenses used:
https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/Bundle-Data/Docs/Licenses

I think these are also relevant:
https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/patches?id=d79acaf07209445b641061b09257a0ed0dd58340

Now I wonder if it'd be enough to just inherit icecat, replace
the source, apply some additional patches and it justworks™

I hope it's that easy.

--
♥Ⓐ  ng0
For non-prism friendly talk find me on
psyced.org / loupsycedyglgamf.onion
  
non such June 30, 2016, 6 p.m. UTC | #10
Ludovic Courtès writes:

> ng0@we.make.ritual.n0.is skribis:
>
>> Ludovic Courtès writes:
>
> [...]
>
>>> I suppose TB contains a script that does all that, right?  Would it
>>> work
>>> to simply run it?  If it invokes wget/curl, then this needs to be
>>> replaced, but the rest should be fine.
>>
>> It's not that easy I'm afraid.
>> Currently they use a gitian build, as described in this README[0],
>> which the person maintaining the torbrowser ebuild for Gentoo out
>> of portage replicates and follows in parts.
>> It can't be followed completely, as `builders/tor-browser-bundle'
>> requires a checkout of gitian of the torproject.org
>>
>> So we have to look at what they do and recreate this build
>> procedure, there's no individual Makefile, the releases are
>> created in VMs.
>>
>> Dependencies are kept up to date here[1].
>>
>> This[2] is the script connecting/using gitian for gnu-linux
>> releases.
>>
>> The Makefile just runs the corresponding scripts.
>
> Gitian is about building binaries.  There must be some script
> somewhere
> to apply the relevant patches to the source first, before one builds
> it,
> no?
>
>>> It’s unfortunate that there’s no ready-to-build TB tarball, that
>>> would
>>> simplify things for us.
>>
>> Yes.. But I think icecat suffers from the same problem, only that
>> icecat tarballs/binaries are built using a bash script applying
>> all that's needed to the firefox sources again.
>
> IceCat publishes source tarballs that, AIUI, are produced essentially
> by
> running a script that patches Firefox’s code base (same approach for
> Linux-libre.)
>
> Thanks,
> Ludo’.

Whoever is interested in continuing this, the below approach is
not the fine art and must be cut down in length, but it works.
You only have to look at what's in torbrowser sources and adapt
accordingly.

Good luck and success.


;; apparently for whatever reason torproject does not provide
;; individual language files, they are one lang included in
;; named sources as $name-$OS-$version_$lang.tar.xz
;; Work-in-progress Tor Browser package, written by copying the IceCat
;; recipe: it inherits from `icecat' and then overrides the source, inputs,
;; build arguments and metadata.  Several IceCat-specific parts remain below
;; and are marked NOTE(review).
(define-public torbrowser
  (package
    (inherit icecat)
    (name "torbrowser")
    (version "6.0.2")
    (source
     (origin
       (method url-fetch)
       ;; With the name and version above this should expand to
       ;; https://dist.torproject.org/torbrowser/6.0.2/tor-browser-linux64-6.0.2_en-US.tar.xz
       ;; NOTE(review): a "-linux64-..._en-US" tarball looks like upstream's
       ;; prebuilt bundle rather than a source tree -- confirm.  The phases
       ;; below patch files such as dom/media/gstreamer/... and
       ;; debian/icecat.desktop.in, which must exist in the unpacked tree.
       (uri (string-append "https://dist.torproject.org/"
                           name "/" version "/tor-browser"
                           "-linux64-" version "_en-US.tar.xz"))
       ;; The download is pinned to this content hash.
       ;; NOTE(review): nothing here records whether the tarball's upstream
       ;; signature was checked before the hash was computed -- verify it
       ;; whenever the version is bumped.
       (sha256
        (base32
         "08zik2id1rkcl5cw4yscdgb8rdahx342j1fps576465sziy5z06x"))))
       ;; NOTE(review): the snippet below is commented out (and sits after
       ;; the closing paren of `source'), so none of the bundled copies it
       ;; lists (libevent, libvpx, nss, cairo, libffi, sqlite3) are removed.
       ;; As its own comment says, bundled copies may carry unpatched
       ;; security flaws; re-enable it once the source layout is confirmed.
       ;; (modules '((guix build utils)))
       ;; (snippet
       ;;  '(begin
       ;;     ;; Remove bundled libraries that we don't use, since they may
       ;;     ;; contain unpatched security flaws, they waste disk space and
       ;;     ;; network bandwidth, and may cause confusion.
       ;;     (for-each delete-file-recursively
       ;;               '(;; FIXME: Removing the bundled icu breaks configure.
       ;;                 ;;   * The bundled icu headers are used in some places.
       ;;                 ;;   * The version number is taken from the bundled copy.
       ;;                 ;;"intl/icu"
       ;;                 ;;
       ;;                 ;; FIXME: A script from the bundled nspr is used.
       ;;                 ;;"nsprpub"
       ;;                 ;;
       ;;                 ;; TODO: Use system media libraries.  Waiting for:
       ;;                 ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=517422>
       ;;                 ;;   * libogg
       ;;                 ;;   * libtheora
       ;;                 ;;   * libvorbis
       ;;                 ;;   * libtremor (not yet in guix)
       ;;                 ;;   * libopus
       ;;                 ;;   * speex
       ;;                 ;;   * soundtouch (not yet in guix)
       ;;                 ;;
       ;;                 ;; TODO: Use system harfbuzz.  Waiting for:
       ;;                 ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=847568>
       ;;                 ;;
       ;;                 ;; TODO: Use system graphite2.
       ;;                 ;;
       ;;                 ;;;"modules/freetype2"
       ;;                 ;;;"modules/zlib"
       ;;                 ;;;"modules/libbz2"
       ;;                 "ipc/chromium/src/third_party/libevent"
       ;;                 "media/libvpx"
       ;;                 "security/nss"
       ;;                 "gfx/cairo"
       ;;                 "js/src/ctypes/libffi"
       ;;                 "db/sqlite3"))
       ;;     #t))))
    (build-system gnu-build-system)
    ;; Libraries made available to the build.
    ;; NOTE(review): system copies of nss, nspr, sqlite, libvpx, libevent,
    ;; libffi, icu4c, etc. are declared here, but the matching
    ;; --with-system-*/--enable-system-* configure flags are commented out
    ;; below, so presumably the bundled copies are what gets built -- confirm.
    (inputs
     `(("alsa-lib" ,alsa-lib)
       ("bzip2" ,bzip2)
       ("cairo" ,cairo)
       ("cups" ,cups)
       ("dbus-glib" ,dbus-glib)
       ("gdk-pixbuf" ,gdk-pixbuf)
       ("glib" ,glib)
       ("gstreamer" ,gstreamer)
       ("gst-plugins-base" ,gst-plugins-base)
       ("gtk+" ,gtk+-2)
       ("pango" ,pango)
       ("freetype" ,freetype)
       ("hunspell" ,hunspell)
       ("libcanberra" ,libcanberra)
       ("libgnome" ,libgnome)
       ("libxft" ,libxft)
       ("libevent" ,libevent)
       ("libxinerama" ,libxinerama)
       ("libxscrnsaver" ,libxscrnsaver)
       ("libxcomposite" ,libxcomposite)
       ("libxt" ,libxt)
       ("libffi" ,libffi)
       ("libvpx" ,libvpx)
       ("icu4c" ,icu4c)
       ("pixman" ,pixman)
       ("pulseaudio" ,pulseaudio)
       ("mesa" ,mesa)
       ("mit-krb5" ,mit-krb5)
       ("nspr" ,nspr)
       ("nss" ,nss)
       ("sqlite" ,sqlite)
       ("startup-notification" ,startup-notification)
       ("unzip" ,unzip)
       ("yasm" ,yasm)
       ("zip" ,zip)
       ("zlib" ,zlib)))
    ;; Tools needed only while building.
    (native-inputs
     `(("perl" ,perl)
       ("python" ,python-2) ; Python 3 not supported
       ("python2-pysqlite" ,python2-pysqlite)
       ("pkg-config" ,pkg-config)))
    (arguments
     `(#:tests? #f          ; no check target
       #:out-of-source? #t  ; must be built outside of the source directory


       ;; XXX: There are RUNPATH issues such as
       ;; $prefix/lib/icecat-31.6.0/plugin-container NEEDing libmozalloc.so,
       ;; which is not in its RUNPATH, but they appear to be harmless in
       ;; practice somehow.  See <http://hydra.gnu.org/build/378133>.
       ;; NOTE(review): this justification names icecat-31.6.0, so it was
       ;; carried over from the IceCat recipe; re-check whether RUNPATH
       ;; validation still has to be skipped for this package.
       #:validate-runpath? #f

       #:configure-flags '("--enable-default-toolkit=cairo-gtk2"
                           "--enable-pango"
                           "--enable-gio"
                           "--enable-svg"
                           "--enable-canvas"
                           "--enable-mathml"
                           "--enable-startup-notification"
                           "--enable-pulseaudio"
                           "--enable-gstreamer=1.0"

                           "--disable-gnomevfs"
                           "--disable-gconf"
                           "--disable-gnomeui"

                           ;; Building with debugging symbols takes ~5GiB, so
                           ;; disable it.
                           "--disable-debug"
                           "--disable-debug-symbols"

                           ;; Avoid bundled libraries.
                           ;; NOTE(review): every flag in this group is
                           ;; commented out, so the heading does not describe
                           ;; what the build currently does.
                           ;; "--with-system-zlib"
                           ;; "--with-system-bz2"
                           ;; "--with-system-libevent"
                           ;; "--with-system-libvpx"
                           ;; "--with-system-icu"
                           ;; "--with-system-nspr"
                           ;; "--with-system-nss"
                           ;; "--enable-system-pixman"
                           ;; "--enable-system-cairo"
                           ;; "--enable-system-ffi"
                           ;; "--enable-system-hunspell"
                           ;; "--enable-system-sqlite"

                           ;; Fails with "--with-system-png won't work because
                           ;; the system's libpng doesn't have APNG support".
                           ;; According to
                           ;; http://sourceforge.net/projects/libpng-apng/ ,
                           ;; "the Animated Portable Network Graphics (APNG)
                           ;; is an unofficial extension of the Portable
                           ;; Network Graphics (PNG) format";
                           ;; we probably do not wish to support it.
                           ;; "--with-system-png"

                           ;; Fails with "libjpeg-turbo JCS_EXTENSIONS
                           ;; required".
                           ;; According to
                           ;; http://sourceforge.net/projects/libjpeg-turbo/ ,
                           ;; "libjpeg-turbo is a derivative of libjpeg that
                           ;; uses MMX, SSE, SSE2, and NEON SIMD instructions
                           ;; to accelerate baseline JPEG compression/
                           ;; decompression", so we had better not use it
                           ;; "--with-system-jpeg"
                           )

       ;; Extra Guile modules used by the phases below: `ftw' for the tree
       ;; walk, `read-line' from rdelim and `match' for the desktop-file
       ;; filter.
       #:modules ((ice-9 ftw)
                  (ice-9 rdelim)
                  (ice-9 match)
                  ,@%gnu-build-system-modules)
       #:phases
       (modify-phases %standard-phases
         ;; Walk the unpacked tree and bump any modification time earlier
         ;; than 1980-01-02 up to that date.
         (add-after
             'unpack 'ensure-no-mtimes-pre-1980
           (lambda _
             ;; Without this, the 'source/test/addons/packed.xpi' and
             ;; 'source/test/addons/simple-prefs.xpi' targets fail while trying
             ;; to create zip archives.
             (let ((early-1980 315619200)) ; 1980-01-02 UTC
               (ftw "." (lambda (file stat flag)
                          (unless (<= early-1980 (stat:mtime stat))
                            (utime file early-1980 early-1980))
                          #t))
               #t)))
         ;; Delete the "h264parse" line from GStreamerFormatHelper.cpp.
         ;; NOTE(review): this drops an entry from a blacklist tied to the
         ;; security advisory linked below; the stated reason only holds for
         ;; gstreamer >= 1.0, so confirm the `gstreamer' input is such a
         ;; version and that this file exists in the Tor Browser tree.
         (add-after
             'unpack 'remove-h264parse-from-blacklist
           (lambda _
             ;; Remove h264parse from gstreamer format helper blacklist.  It
             ;; was put there to work around a bug in a pre-1.0 version of
             ;; gstreamer.  See:
             ;; https://www.mozilla.org/en-US/security/advisories/mfsa2015-47/
             (substitute* "dom/media/gstreamer/GStreamerFormatHelper.cpp"
               (("^  \"h264parse\",\n") ""))
             #t))
         ;;      (add-after
         ;;       'unpack 'arrange-to-link-libxul-with-libraries-it-might-dlopen
         ;;       (lambda _
         ;;         ;; libxul.so dynamically opens libraries, so here we explicitly
         ;;         ;; link them into libxul.so instead.
         ;;         ;;
         ;;         ;; TODO: It might be preferable to patch in absolute file names in
         ;;         ;; calls to dlopen or PR_LoadLibrary, but that didn't seem to
         ;;         ;; work.  More investigation is needed.
         ;;         (substitute* "toolkit/library/moz.build"
         ;;           (("^# This needs to be last")
         ;;            "OS_LIBS += [
         ;; 'GL', 'gnome-2', 'canberra', 'Xss', 'cups', 'gssapi_krb5',
         ;; 'gstreamer-1.0', 'gstapp-1.0', 'gstvideo-1.0' ]\n\n"))
         ;;         #t))
         ;; Custom configure phase: exports SHELL and CONFIG_SHELL, creates
         ;; and enters ../build, then runs the source tree's configure script
         ;; under bash with --prefix, --with-l10n-base and the flags above.
         ;; The phase succeeds only if configure exits with status 0.
         (replace
             'configure
           ;; configure does not work followed by both "SHELL=..." and
           ;; "CONFIG_SHELL=..."; set environment variables instead
           (lambda* (#:key outputs configure-flags #:allow-other-keys)
             (let* ((out (assoc-ref outputs "out"))
                    (bash (which "bash"))
                    (abs-srcdir (getcwd))
                    (srcdir (string-append "../" (basename abs-srcdir)))
                    (flags `(,(string-append "--prefix=" out)
                             ,(string-append "--with-l10n-base="
                                             abs-srcdir "/l10n")
                             ,@configure-flags)))
               (setenv "SHELL" bash)
               (setenv "CONFIG_SHELL" bash)
               (mkdir "../build")
               (chdir "../build")
               (format #t "build directory: ~s~%" (getcwd))
               (format #t "configure flags: ~s~%" flags)
               (zero? (apply system* bash
                             (string-append srcdir "/configure")
                             flags)))))
         ;; NOTE(review): this phase is still the IceCat desktop entry.  It
         ;; reads debian/icecat.desktop.in, labels the launcher "GNU IceCat"
         ;; and points Exec at OUT/bin/icecat.  A Tor Browser package needs
         ;; its own file name, display name and executable here; also confirm
         ;; that the unpacked source ships debian/icecat.desktop.in at all.
         (add-before 'configure 'install-desktop-entry
           (lambda* (#:key outputs #:allow-other-keys)
             ;; Install the '.desktop' file.
             ;; Copy INPUT to OUTPUT line by line.  Lines starting with
             ;; %%ifdef, %%else or %%endif only switch the state and are never
             ;; written; other lines are written in the 'top and 'else states
             ;; and dropped in the 'ifdef state.
             (define (swallow-%%-directives input output)
               ;; Interpret '%%ifdef' directives found in the '.desktop' file.
               (let loop ((state 'top))
                 (match (read-line input 'concat)
                   ((? eof-object?)
                    #t)
                   ((? string? line)
                    (cond ((string-prefix? "%%ifdef" line)
                           (loop 'ifdef))
                          ((string-prefix? "%%else" line)
                           (loop 'else))
                          ((string-prefix? "%%endif" line)
                           (loop 'top))
                          (else
                           (case state
                             ((top else)
                              (display line output)
                              (loop state))
                             (else
                              (loop state)))))))))

             (let* ((out (assoc-ref outputs "out"))
                    (applications (string-append out "/share/applications")))
               ;; Generate the .desktop file from its template.
               (call-with-input-file "debian/icecat.desktop.in"
                 (lambda (input)
                   (call-with-output-file "debian/icecat.desktop"
                     (lambda (output)
                       (swallow-%%-directives input output)))))

               ;; Fill in the remaining @...@ placeholders.
               (substitute* "debian/icecat.desktop"
                 (("@MOZ_DISPLAY_NAME@")
                  "GNU IceCat")
                 (("^Exec=@MOZ_APP_NAME@")
                  (string-append "Exec=" out "/bin/icecat"))
                 (("@MOZ_APP_NAME@")
                  "icecat"))
               (install-file "debian/icecat.desktop" applications)
               #t))))))
    (home-page "https://torproject.org")
    (synopsis "The Tor Browser")
    ;; NOTE(review): placeholder description; replace before submission.
    (description
     "Bla.")))


--
♥Ⓐ  ng0
For non-prism friendly talk find me on
psyced.org / loupsycedyglgamf.onion
  
non such Aug. 5, 2016, 1:35 p.m. UTC | #11
Ludovic Courtès <ludo@gnu.org> writes:

> ng0@we.make.ritual.n0.is skribis:
>
>> Ludovic Courtès writes:
>
> [...]
>
>>> I suppose TB contains a script that does all that, right?  Would it work
>>> to simply run it?  If it invokes wget/curl, then this needs to be
>>> replaced, but the rest should be fine.
>>
>> It's not that easy I'm afraid.
>> Currently they use a gitian build, as described in this README[0],
>> which the person maintaining the torbrowser ebuild for Gentoo out
>> of portage replicates and follows in parts.
>> It can't be followed completely, as `builders/tor-browser-bundle'
>> requires a checkout of gitian of the torproject.org
>>
>> So we have to look at what they do and recreate this build
>> procedure, there's no individual Makefile, the releases are
>> created in VMs.
>>
>> Dependencies are kept up to date here[1].
>>
>> This[2] is the script connecting/using gitian for gnu-linux releases.
>>
>> The Makefile just runs the corresponding scripts.
>
> Gitian is about building binaries.  There must be some script somewhere
> to apply the relevant patches to the source first, before one builds it,
> no?
>
>>> It’s unfortunate that there’s no ready-to-build TB tarball, that would
>>> simplify things for us.
>>
>> Yes.. But I think icecat suffers from the same problem, only that
>> icecat tarballs/binaries are built using a bash script applying
>> all that's needed to the firefox sources again.
>
> IceCat publishes source tarballs that, AIUI, are produced essentially by
> running a script that patches Firefox’s code base (same approach for
> Linux-libre.)
>
> Thanks,
> Ludo’.

There are the .mar files, which I suppose are the built source of
torbrowser, but I can't tell for sure since I can't find an upstream for
mar-tools. I guess it is Mozilla, but where is it available?

https://dist.torproject.org/torbrowser/6.0.3/
  
Alex Vong Aug. 6, 2016, 4:05 a.m. UTC | #12
ng0 <ng0@we.make.ritual.n0.is> writes:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> ng0@we.make.ritual.n0.is skribis:
>>
>>> Ludovic Courtès writes:
>>
>> [...]
>>
>>>> I suppose TB contains a script that does all that, right?  Would it work
>>>> to simply run it?  If it invokes wget/curl, then this needs to be
>>>> replaced, but the rest should be fine.
>>>
>>> It's not that easy I'm afraid.
>>> Currently they use a gitian build, as described in this README[0],
>>> which the person maintaining the torbrowser ebuild for Gentoo out
>>> of portage replicates and follows in parts.
>>> It can't be followed completely, as `builders/tor-browser-bundle'
>>> requires a checkout of gitian of the torproject.org
>>>
>>> So we have to look at what they do and recreate this build
>>> procedure, there's no individual Makefile, the releases are
>>> created in VMs.
>>>
>>> Dependencies are kept up to date here[1].
>>>
>>> This[2] is the script connecting/using gitian for gnu-linux releases.
>>>
>>> The Makefile just runs the corresponding scripts.
>>
>> Gitian is about building binaries.  There must be some script somewhere
>> to apply the relevant patches to the source first, before one builds it,
>> no?
>>
>>>> It’s unfortunate that there’s no ready-to-build TB tarball, that would
>>>> simplify things for us.
>>>
>>> Yes.. But I think icecat suffers from the same problem, only that
>>> icecat tarballs/binaries are built using a bash script applying
>>> all that's needed to the firefox sources again.
>>
>> IceCat publishes source tarballs that, AIUI, are produced essentially by
>> running a script that patches Firefox’s code base (same approach for
>> Linux-libre.)
>>
>> Thanks,
>> Ludo’.
>
> There are the .mar files, which I suppose are the built source of
> torbrowser, but I can't tell for sure since i can't find an upstream for
> mar-tools. I guess it is Mozilla, but where is it available?
>
> https://dist.torproject.org/torbrowser/6.0.3/

Hi, I am a tor browser and torsocks user (since a few months ago). Last
time I tried building tor browser from source (and failed), gitian will
have to download some non-free xcode stuff to build for the os x
platform. Is it possible to only build for gnu/linux without building
for windows and os x? Will the resulting binary still be byte-for-byte
identical with the tor project official build?

Also, it seems tor browser needs virtualenv and virtualbox to
build. Last time I checked virtualbox, it was on the contrib area of
debian since it requires a non-free[1] compiler to build the bios[2].
I hope we can find way around these issues since tor browser is IMHO an
essential tool nowadays. Finally, I agree that icecat could switch to
tor browser as its upstream.


[1]: https://en.wikipedia.org/wiki/Sybase_Open_Watcom_Public_License
[2]: https://wiki.debian.org/VirtualBox
  
non such Aug. 6, 2016, 11:14 a.m. UTC | #13
Hi,

in the following reply I assume that you did not read all of the
original thread[0]. If I am wrong, correct me.

Alex Vong <alexvong1995@gmail.com> writes:

> ng0 <ng0@we.make.ritual.n0.is> writes:
>
>> Ludovic Courtès <ludo@gnu.org> writes:
>>
>>> ng0@we.make.ritual.n0.is skribis:
>>>
>>>> Ludovic Courtès writes:
>>>
>>> [...]
>>>
>>>>> I suppose TB contains a script that does all that, right?  Would it work
>>>>> to simply run it?  If it invokes wget/curl, then this needs to be
>>>>> replaced, but the rest should be fine.
>>>>
>>>> It's not that easy I'm afraid.
>>>> Currently they use a gitian build, as described in this README[0],
>>>> which the person maintaining the torbrowser ebuild for Gentoo out
>>>> of portage replicates and follows in parts.
>>>> It can't be followed completely, as `builders/tor-browser-bundle'
>>>> requires a checkout of gitian of the torproject.org
>>>>
>>>> So we have to look at what they do and recreate this build
>>>> procedure, there's no individual Makefile, the releases are
>>>> created in VMs.
>>>>
>>>> Dependencies are kept up to date here[1].
>>>>
>>>> This[2] is the script connecting/using gitian for gnu-linux releases.
>>>>
>>>> The Makefile just runs the corresponding scripts.
>>>
>>> Gitian is about building binaries.  There must be some script somewhere
>>> to apply the relevant patches to the source first, before one builds it,
>>> no?
>>>
>>>>> It’s unfortunate that there’s no ready-to-build TB tarball, that would
>>>>> simplify things for us.
>>>>
>>>> Yes.. But I think icecat suffers from the same problem, only that
>>>> icecat tarballs/binaries are built using a bash script applying
>>>> all that's needed to the firefox sources again.
>>>
>>> IceCat publishes source tarballs that, AIUI, are produced essentially by
>>> running a script that patches Firefox’s code base (same approach for
>>> Linux-libre.)
>>>
>>> Thanks,
>>> Ludo’.
>>
>> There are the .mar files, which I suppose are the built source of
>> torbrowser, but I can't tell for sure since i can't find an upstream for
>> mar-tools. I guess it is Mozilla, but where is it available?
>>
>> https://dist.torproject.org/torbrowser/6.0.3/
>
> Hi, I am a tor browser and torsocks user (since a few months ago). Last
> time I tried building tor browser from source (and failed), gitian will
> have to download some non-free xcode stuff to build for the os x
> platform. Is it possible to only build for gnu/linux without building
> for windows and os x? Will the resulting binary still be byte-to-byte
> identical with the tor project official build?

Was this a build with a guix package? Can you share the code if it is?

> Also, it seems tor browser needs virtualenv and virtualbox to
> build. Last time I checked virtualbox, it was on the contrib area of
> debian since it requires a non-free[1] compiler to build the bios[2].
> I hope we can find way around these issues since tor browser is IMHO an
> essential tool nowadays.

You might want to re-read the full thread this message is part of. I
already wrote that with the builds I use for torbrowser in Gentoo, that
at least virtualbox is not needed and Ludovic said that the gitian build
is not what we should be looking into. It is mostly poncho's work on
Gentoo, but the overlay I contribute to mirrors their work. There we
don't use gitian but a combination of torbrowser source + firefox source
and distro specific patches.


We could also address tor with this when we succeed, as they have an
interest in NixOS or they are looking into it, specifically hydra for
builds: https://trac.torproject.org/projects/tor/ticket/12520

> Finally, I agree that icecat could switch to tor browser as its upstream.

Maybe you want to help me out with writing the email / post to
torproject:
https://lists.gnu.org/archive/html/guix-devel/2016-08/msg00326.html

On second thought, maybe this message should be addressed to both
torproject and icecat developer(s). What do you think? I have no fixed
plan in mind for this.

[0]: https://lists.gnu.org/archive/cgi-bin/namazu.cgi?query=torbrowser&submit=Search&idxname=guix-devel
>
> [1]: https://en.wikipedia.org/wiki/Sybase_Open_Watcom_Public_License
> [2]: https://wiki.debian.org/VirtualBox
  
Alex Vong Aug. 8, 2016, 8:03 a.m. UTC | #14
Hello,

ng0 <ng0@we.make.ritual.n0.is> writes:

> Hi,
>
> in the following reply I assume that you did not read all of the
> original thread[0]. If I am wrong, correct me.
>
You are right, I didn't read the whole thread.

> Alex Vong <alexvong1995@gmail.com> writes:
>
>> ng0 <ng0@we.make.ritual.n0.is> writes:
>>
>>> Ludovic Courtès <ludo@gnu.org> writes:
>>>
>>>> ng0@we.make.ritual.n0.is skribis:
>>>>
>>>>> Ludovic Courtès writes:
>>>>
>>>> [...]
>>>>
>>>>>> I suppose TB contains a script that does all that, right?  Would it work
>>>>>> to simply run it?  If it invokes wget/curl, then this needs to be
>>>>>> replaced, but the rest should be fine.
>>>>>
>>>>> It's not that easy I'm afraid.
>>>>> Currently they use a gitian build, as described in this README[0],
>>>>> which the person maintaining the torbrowser ebuild for Gentoo out
>>>>> of portage replicates and follows in parts.
>>>>> It can't be followed completely, as `builders/tor-browser-bundle'
>>>>> requires a checkout of gitian of the torproject.org
>>>>>
>>>>> So we have to look at what they do and recreate this build
>>>>> procedure, there's no individual Makefile, the releases are
>>>>> created in VMs.
>>>>>
>>>>> Dependencies are kept up to date here[1].
>>>>>
>>>>> This[2] is the script connecting/using gitian for gnu-linux releases.
>>>>>
>>>>> The Makefile just runs the corresponding scripts.
>>>>
>>>> Gitian is about building binaries.  There must be some script somewhere
>>>> to apply the relevant patches to the source first, before one builds it,
>>>> no?
>>>>
>>>>>> It’s unfortunate that there’s no ready-to-build TB tarball, that would
>>>>>> simplify things for us.
>>>>>
>>>>> Yes.. But I think icecat suffers from the same problem, only that
>>>>> icecat tarballs/binaries are built using a bash script applying
>>>>> all that's needed to the firefox sources again.
>>>>
>>>> IceCat publishes source tarballs that, AIUI, are produced essentially by
>>>> running a script that patches Firefox’s code base (same approach for
>>>> Linux-libre.)
>>>>
>>>> Thanks,
>>>> Ludo’.
>>>
>>> There are the .mar files, which I suppose are the built source of
>>> torbrowser, but I can't tell for sure since i can't find an upstream for
>>> mar-tools. I guess it is Mozilla, but where is it available?
>>>
>>> https://dist.torproject.org/torbrowser/6.0.3/
>>
>> Hi, I am a tor browser and torsocks user (since a few months ago). Last
>> time I tried building tor browser from source (and failed), gitian will
>> have to download some non-free xcode stuff to build for the os x
>> platform. Is it possible to only build for gnu/linux without building
>> for windows and os x? Will the resulting binary still be byte-to-byte
>> identical with the tor project official build?
>
> Was this a build with a guix package? Can you share the code if it is?
>
I was trying to reproduce the official build. I didn't write any guix
recipe.

>> Also, it seems tor browser needs virtualenv and virtualbox to
>> build. Last time I checked virtualbox, it was on the contrib area of
>> debian since it requires a non-free[1] compiler to build the bios[2].
>> I hope we can find way around these issues since tor browser is IMHO an
>> essential tool nowadays.
>
> You might want to re-read the full thread this message is part of. I
> already wrote that with the builds I use for torbrowser in Gentoo, that
> at least virtualbox is not needed and Ludovic said that the gitian build
> is not what we should be looking into. It is mostly poncho's work on
> Gentoo, but the overlay I contribute to mirrors their work. There we
> don't use gitian but a combination of torbrowser source + firefox source
> and distro specific patches.
>
I see. So poncho and you have already done the hard work :)
>
> We could also address tor with this when we succeed, as they have an
> interest in NixOS or they are looking into it, specifically hydra for
> builds: https://trac.torproject.org/projects/tor/ticket/12520
>
>> Finally, I agree that icecat could switch to tor browser as its upstream.
>
> Maybe you want to help me out with writing the email / post to
> torproject:
> https://lists.gnu.org/archive/html/guix-devel/2016-08/msg00326.html
>
> On second note, maybe this is message should be addressed to both
> torproject and icecat developer(s). What do you think? I have no fixed
> plan in mind for this.
>
Hmm, maybe I will give my (rough) idea here. In my opinion, icecat has 2
important features, librejs (gpl3+) and the lack of non-free addons
suggestion.

For librejs, TBB already has noscript; although they serve different
purposes (librejs intends to block non-free js only), I doubt the devs would
want to include 2 js blocker addons. But I think html5 everywhere would be
a good addon for TBB since most html5 players require js. Currently,
enabling noscript breaks most video-playing sites.

For the lack of non-free addons suggestion, TBB recommends not to
install addon, but the addon page is still there, which suggest non-free
addons. I don't really know what should we do here. Perhaps we could
turn off the suggestion by default and warned user about the existence
of non-free addons? We could also provide a replacement page (like
icecat).

For other addons, I think https everywhere is already in TBB and
spyblock looks like haven't been update for long time, so they don't
need to be add to TBB.

Finally, do you know what is the current state of the firefox trademark
issue? Some say it is fixed. (Debian switched back to firefox next
release)

What is your idea?

> [0]:
> https://lists.gnu.org/archive/cgi-bin/namazu.cgi?query=torbrowser&submit=Search&idxname=guix-devel
>>
>> [1]: https://en.wikipedia.org/wiki/Sybase_Open_Watcom_Public_License
>> [2]: https://wiki.debian.org/VirtualBox

Cheers,
Alex
  
Mark H Weaver Aug. 10, 2016, 8:01 p.m. UTC | #15
Alex Vong <alexvong1995@gmail.com> writes:

> ng0 <ng0@we.make.ritual.n0.is> writes:
>
>> Alex Vong <alexvong1995@gmail.com> writes:
>>
>>> Finally, I agree that icecat could switch to tor browser as its upstream.
>>
>> Maybe you want to help me out with writing the email / post to
>> torproject:
>> https://lists.gnu.org/archive/html/guix-devel/2016-08/msg00326.html
>>
>> On second note, maybe this is message should be addressed to both
>> torproject and icecat developer(s). What do you think? I have no fixed
>> plan in mind for this.
>>
> Hmm, maybe I will give my (rough) idea here. In my opinion, icecat has 2
> important features, librejs (gpl3+) and the lack of non-free addons
> suggestion.

We would also need to remove Firefox support for DRM (e.g. EME), avoid
steering users to non-free media codecs, and maybe some other things to
meet the requirements of the GNU FSDG.

I suspect that these changes are substantial enough that we'll need to
change the branding, and avoid using the Firefox trademark, but I'm not
sure.

> For librejs, TBB already have noscripts, although they serve different
> purposes (librejs intends to block non-free js only), I doubt devs would
> want to include 2 js blocker addons. But I think html5 everyhere will be
> a good addon for TBB since most html5 player requires js. Currently,
> enabling noscript breaks most video-playing sites.
>
> For the lack of non-free addons suggestion, TBB recommends not to
> install addon, but the addon page is still there, which suggest non-free
> addons. I don't really know what should we do here.

The IceCat project maintains a page of free addons.  I guess we should
use that.

I agree that the best outcome would be for IceCat to switch to Tor
Browser as its upstream, or at least to borrow heavily from their patch
set.

     Thanks,
       Mark
  
non such Aug. 11, 2016, 8:51 a.m. UTC | #16
Hi,

Mark H Weaver <mhw@netris.org> writes:

> Alex Vong <alexvong1995@gmail.com> writes:
>
>> ng0 <ng0@we.make.ritual.n0.is> writes:
>>
>>> Alex Vong <alexvong1995@gmail.com> writes:
>>>
>>>> Finally, I agree that icecat could switch to tor browser as its upstream.
>>>
>>> Maybe you want to help me out with writing the email / post to
>>> torproject:
>>> https://lists.gnu.org/archive/html/guix-devel/2016-08/msg00326.html
>>>
>>> On second note, maybe this is message should be addressed to both
>>> torproject and icecat developer(s). What do you think? I have no fixed
>>> plan in mind for this.
>>>
>> Hmm, maybe I will give my (rough) idea here. In my opinion, icecat has 2
>> important features, librejs (gpl3+) and the lack of non-free addons
>> suggestion.
>
> We would also need to remove Firefox support for DRM (e.g. EME), avoid
> steering users to non-free media codecs, and maybe some other things to
> meet the requirements of the GNU FSDG.
>
> I suspect that these changes are substantial enough that we'll need to
> change the branding, and avoid using the Firefox trademark, but I'm not
> sure.

I think there's a need to change the branding. Gentoo ships a firefox
with a huge patchset applied and uses a branding with some changes
(Aurora). I'd like to get the icecat developer involved in the
discussion at some point, to get additional input and find out where
help is needed.
I think the same idea that applies to many projects applies to Icecat: when
you get involved, bugfixing is faster. Icecat has the problem of being based
on an insecure firefox version - let's help to move it somewhere safe.

>> For librejs, TBB already have noscripts, although they serve different
>> purposes (librejs intends to block non-free js only), I doubt devs would
>> want to include 2 js blocker addons. But I think html5 everyhere will be
>> a good addon for TBB since most html5 player requires js. Currently,
>> enabling noscript breaks most video-playing sites.
>>
>> For the lack of non-free addons suggestion, TBB recommends not to
>> install addon, but the addon page is still there, which suggest non-free
>> addons. I don't really know what should we do here.
>
> The IceCat project maintains a page of free addons.  I guess we should
> use that.

With our gentoo overlay, we started to include addons to be installed
from outside the mozilla addon store, as the gentoo firefox is
configured to have a system controlled addon location.
Now starting with FF 48, addons will only be able to be installed from
the official FF store, but I think this setting can be turned off
hopefully.
We (ybti overlay) discussed a similar approach for Guix, to configure
firefox based browsers (and others) to additionally use addons from
Guix, to allow more control of what's included etc.

> I agree that the best outcome would be for IceCat to switch to Tor
> Browser as its upstream,

Agreed, but...

> or at least to borrow heavily from their patch
> set.
>

...maybe that is not completely necessary, the bugtracker link of firefox
which I was passed recently shows that firefox and torbrowser want to
upstream the patchset of torbrowser.

>      Thanks,
>        Mark
  

Patch

diff --git a/config/Makefile.in b/config/Makefile.in
--- a/config/Makefile.in
+++ b/config/Makefile.in
@@ -44,16 +44,18 @@  export:: $(export-preqs)
 		-DMOZ_NATIVE_HUNSPELL=$(MOZ_NATIVE_HUNSPELL) \
 		-DMOZ_NATIVE_BZ2=$(MOZ_NATIVE_BZ2) \
 		-DMOZ_NATIVE_ZLIB=$(MOZ_NATIVE_ZLIB) \
 		-DMOZ_NATIVE_PNG=$(MOZ_NATIVE_PNG) \
 		-DMOZ_NATIVE_JPEG=$(MOZ_NATIVE_JPEG) \
 		-DMOZ_NATIVE_LIBEVENT=$(MOZ_NATIVE_LIBEVENT) \
 		-DMOZ_NATIVE_LIBVPX=$(MOZ_NATIVE_LIBVPX) \
 		-DMOZ_NATIVE_ICU=$(MOZ_NATIVE_ICU) \
+		-DMOZ_NATIVE_GRAPHITE2=$(MOZ_NATIVE_GRAPHITE2) \
+		-DMOZ_NATIVE_HARFBUZZ=$(MOZ_NATIVE_HARFBUZZ) \
 		$(srcdir)/system-headers | $(PERL) $(topsrcdir)/nsprpub/config/make-system-wrappers.pl system_wrappers
 	$(INSTALL) system_wrappers $(DIST)

 GARBAGE_DIRS += system_wrappers
 endif

 ifdef WRAP_STL_INCLUDES
 ifdef GNU_CXX
diff --git a/config/system-headers b/config/system-headers
--- a/config/system-headers
+++ b/config/system-headers
@@ -1340,8 +1340,16 @@  unicode/udatpg.h
 unicode/uenum.h
 unicode/unorm.h
 unicode/unum.h
 unicode/ustring.h
 unicode/utypes.h
 #endif
 libutil.h
 unwind.h
+#if MOZ_NATIVE_GRAPHITE2==1
+graphite2/Font.h
+graphite2/Segment.h
+#endif
+#if MOZ_NATIVE_HARFBUZZ==1
+harfbuzz/hb-ot.h
+harfbuzz/hb.h
+#endif
diff --git a/dom/base/moz.build b/dom/base/moz.build
--- a/dom/base/moz.build
+++ b/dom/base/moz.build
@@ -477,16 +477,19 @@  for var in ('MOZ_B2G_RIL', 'MOZ_B2G_FM')
         DEFINES[var] = True

 if CONFIG['MOZ_BUILD_APP'] in ['browser', 'mobile/android', 'xulrunner']:
     DEFINES['HAVE_SIDEBAR'] = True

 if CONFIG['MOZ_X11']:
     CXXFLAGS += CONFIG['TK_CFLAGS']

+if CONFIG['MOZ_NATIVE_HARFBUZZ']:
+    CXXFLAGS += CONFIG['MOZ_HARFBUZZ_CFLAGS']
+
 GENERATED_FILES += [
     'PropertyUseCounterMap.inc',
     'UseCounterList.h',
 ]

 countermap = GENERATED_FILES['PropertyUseCounterMap.inc']
 countermap.script = 'gen-usecounters.py:property_map'
 countermap.inputs = ['UseCounters.conf']
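Review bot: Nothing in this hunk says why dom/base needs the harfbuzz include flags, and the same three-line block is repeated in intl/unicharutil/util, netwerk/dns, gfx/thebes and both gfx/skia files. A comment naming the header that pulls harfbuzz in would make each copy self-explanatory, e.g. `# <header> includes hb.h; system harfbuzz needs its pkg-config include path`, with the real header filled in per directory. The block extends only `CXXFLAGS`; if any C source in these directories reaches the same header, `CFLAGS` needs the same addition, as the context lines of the netwerk/dns hunk already do for `MOZ_ICU_CFLAGS`.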
diff --git a/gfx/graphite2/moz-gr-update.sh b/gfx/graphite2/moz-gr-update.sh
--- a/gfx/graphite2/moz-gr-update.sh
+++ b/gfx/graphite2/moz-gr-update.sh
@@ -1,11 +1,12 @@ 
 #!/bin/bash

 # Script used to update the Graphite2 library in the mozilla source tree
+# and bump version for --with-system-graphite2

 # This script lives in gfx/graphite2, along with the library source,
 # but must be run from the top level of the mozilla-central tree.

 # Run as
 #
 #    ./gfx/graphite2/moz-gr-update.sh RELEASE
 #
@@ -32,22 +33,26 @@  echo "This directory contains the Graphi
 echo "$TARBALL" >> gfx/graphite2/README.mozilla
 echo ""
 echo "See" $0 "for update procedure." >> gfx/graphite2/README.mozilla

 # fix up includes because of bug 721839 (cstdio) and bug 803066 (Windows.h)
 #find gfx/graphite2/ -name "*.cpp" -exec perl -p -i -e "s/<cstdio>/<stdio.h>/;s/Windows.h/windows.h/;" {} \;
 #find gfx/graphite2/ -name "*.h" -exec perl -p -i -e "s/<cstdio>/<stdio.h>/;s/Windows.h/windows.h/;" {} \;

+# chase version for --with-system-graphite2
+perl -p -i -e "s/[0-9]+\,[0-9]+\,[0-9]+/$RELEASE/ and tr/./,/ \
+  if /GR2_VERSION_REQUIRE/" configure.in
+
 # summarize what's been touched
 echo Updated to $RELEASE.
 echo Here is what changed in the gfx/graphite2 directory:
 echo

-hg stat gfx/graphite2
+hg stat configure.in gfx/graphite2

 echo
 echo If gfx/graphite2/src/files.mk has changed, please make corresponding
 echo changes to gfx/graphite2/src/moz.build
 echo

 echo
 echo Now use hg commands to create a patch for the mozilla tree.
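Review bot: `$RELEASE` is expanded by the shell inside the double-quoted perl program on the added `perl -p -i -e` line, so whatever was passed on the command line becomes part of the code that rewrites configure.in. A value containing `/` or other perl syntax would change or break the substitution, so the script should reject anything that is not a dotted version before this line, e.g. `case "$RELEASE" in *[!0-9.]*) echo "bad release: $RELEASE" >&2; exit 1;; esac`. The assignment of RELEASE is outside the hunk, so an earlier check may already exist. The comment above the command could also state that this raises the `--with-system-graphite2` minimum to the bundled release on every update.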
diff --git a/gfx/moz.build b/gfx/moz.build
--- a/gfx/moz.build
+++ b/gfx/moz.build
@@ -2,26 +2,30 @@ 
 # vim: set filetype=python:
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.

 if CONFIG['MOZ_TREE_CAIRO']:
     DIRS += ['cairo']

+if not CONFIG['MOZ_NATIVE_GRAPHITE2']:
+    DIRS += ['graphite2/src' ]
+
+if not CONFIG['MOZ_NATIVE_HARFBUZZ']:
+    DIRS += ['harfbuzz/src']
+
 DIRS += [
     '2d',
     'ycbcr',
     'angle',
     'src',
     'qcms',
     'gl',
     'layers',
-    'graphite2/src',
-    'harfbuzz/src',
     'ots/src',
     'thebes',
     'ipc',
     'vr',
 ]

 if CONFIG['MOZ_ENABLE_SKIA']:
     DIRS += ['skia']
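Review bot: The added `DIRS += ['graphite2/src' ]` has a stray space before the closing bracket, unlike the harfbuzz line next to it. Both conditional blocks also sit before the main `DIRS += [...]` list, so the two directories move from the middle of the list to the front. Placing the two `if not CONFIG[...]` blocks after the list would keep the original ordering. A one-line comment such as `# bundled copies are built only when the system library was not requested` would document the intent.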
diff --git a/intl/unicharutil/util/moz.build b/intl/unicharutil/util/moz.build
--- a/intl/unicharutil/util/moz.build
+++ b/intl/unicharutil/util/moz.build
@@ -39,9 +39,12 @@  if CONFIG['_MSC_VER']:
     CFLAGS += ['-Zl']
     CXXFLAGS += ['-Zl']

 if CONFIG['ENABLE_INTL_API']:
     CXXFLAGS += CONFIG['MOZ_ICU_CFLAGS']
     LOCAL_INCLUDES += CONFIG['MOZ_ICU_INCLUDES']
     USE_LIBS += ['icu']

+if CONFIG['MOZ_NATIVE_HARFBUZZ']:
+    CXXFLAGS += CONFIG['MOZ_HARFBUZZ_CFLAGS']
+
 DIST_INSTALL = True
diff --git a/netwerk/dns/moz.build b/netwerk/dns/moz.build
--- a/netwerk/dns/moz.build
+++ b/netwerk/dns/moz.build
@@ -61,16 +61,19 @@  etld_data = GENERATED_FILES['etld_data.i
 etld_data.script = 'prepare_tlds.py'
 etld_data.inputs = ['effective_tld_names.dat']

 # need to include etld_data.inc
 LOCAL_INCLUDES += [
     '/netwerk/base',
 ]

+if CONFIG['MOZ_NATIVE_HARFBUZZ']:
+    CXXFLAGS += CONFIG['MOZ_HARFBUZZ_CFLAGS']
+
 if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'gonk' and CONFIG['ANDROID_VERSION'] > '19':
     LOCAL_INCLUDES += ['%' + '%s/bionic/libc/dns/include' % CONFIG['ANDROID_SOURCE']]

 if CONFIG['ENABLE_INTL_API']:
     DEFINES['IDNA2008'] = True
     CXXFLAGS += CONFIG['MOZ_ICU_CFLAGS']
     CFLAGS += CONFIG['MOZ_ICU_CFLAGS']
     LOCAL_INCLUDES += CONFIG['MOZ_ICU_INCLUDES']
diff --git a/configure.in b/configure.in
--- a/configure.in
+++ b/configure.in
@@ -6425,16 +6425,59 @@  if test "$USE_FC_FREETYPE"; then
         else
             FT2_CFLAGS="$FT2_CFLAGS $_FONTCONFIG_CFLAGS"
             FT2_LIBS="$FT2_LIBS $_FONTCONFIG_LIBS"
         fi
     ])
 fi

 dnl ========================================================
+dnl Check for harfbuzz
+dnl ========================================================
+
+MOZ_ARG_WITH_BOOL(system-harfbuzz,
+[  --with-system-harfbuzz  Use system harfbuzz (located with pkgconfig)],
+MOZ_NATIVE_HARFBUZZ=1,
+MOZ_NATIVE_HARFBUZZ=)
+
+if test -n "$MOZ_NATIVE_HARFBUZZ"; then
+    PKG_CHECK_MODULES(MOZ_HARFBUZZ, harfbuzz >= 1.1.3)
+fi
+
+AC_SUBST(MOZ_NATIVE_HARFBUZZ)
+
+dnl ========================================================
+dnl Check for graphite2
+dnl ========================================================
+
+MOZ_ARG_WITH_BOOL(system-graphite2,
+[  --with-system-graphite2 Use system graphite2 (located with pkgconfig)],
+MOZ_NATIVE_GRAPHITE2=1,
+MOZ_NATIVE_GRAPHITE2=)
+
+if test -n "$MOZ_NATIVE_GRAPHITE2"; then
+    PKG_CHECK_MODULES(MOZ_GRAPHITE2, graphite2)
+
+    dnl graphite2.pc has bogus version, check manually
+    AC_TRY_COMPILE([ #include <graphite2/Font.h>
+                     #define GR2_VERSION_REQUIRE(major,minor,bugfix)  \
+                             ( GR2_VERSION_MAJOR * 10000 + GR2_VERSION_MINOR \
+                               * 100 + GR2_VERSION_BUGFIX >= \
+                               (major) * 10000 + (minor) * 100 + (bugfix) )
+                   ], [
+                     #if !GR2_VERSION_REQUIRE(1,3,8)
+                     #error "Insufficient graphite2 version."
+                     #endif
+                   ], [],
+                   [AC_MSG_ERROR([--with-system-graphite2 requested but no working libgraphite2 found])])
+fi
+
+AC_SUBST(MOZ_NATIVE_GRAPHITE2)
+
+dnl ========================================================
 dnl Check for pixman and cairo
 dnl ========================================================

 MOZ_TREE_CAIRO=1
 MOZ_ARG_ENABLE_BOOL(system-cairo,
 [  --enable-system-cairo   Use system cairo (located with pkgconfig)],
 MOZ_TREE_CAIRO=,
 MOZ_TREE_CAIRO=1 )
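Review bot: The `AC_TRY_COMPILE` version check for graphite2 runs without `$MOZ_GRAPHITE2_CFLAGS`, so it compiles against whatever `graphite2/Font.h` the default include path provides rather than the copy `PKG_CHECK_MODULES` just located. With the library installed under a non-default prefix, the test either fails outright or validates the version of a different installation than the one that gets linked. Setting `_SAVE_CFLAGS=$CFLAGS` and `CFLAGS="$CFLAGS $MOZ_GRAPHITE2_CFLAGS"` before the test and `CFLAGS=$_SAVE_CFLAGS` after it keeps the check and the build on the same headers. Both libraries parse fonts supplied by untrusted pages, and the floors here (`harfbuzz >= 1.1.3`, `GR2_VERSION_REQUIRE(1,3,8)`) are what keeps an older system copy out of the build, so the check needs to be reliable.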
diff --git a/toolkit/library/moz.build b/toolkit/library/moz.build
--- a/toolkit/library/moz.build
+++ b/toolkit/library/moz.build
@@ -230,16 +230,22 @@  if CONFIG['MOZ_NATIVE_LIBVPX']:
     OS_LIBS += CONFIG['MOZ_LIBVPX_LIBS']

 if not CONFIG['MOZ_TREE_PIXMAN']:
     OS_LIBS += CONFIG['MOZ_PIXMAN_LIBS']

 if CONFIG['MOZ_ALSA']:
     OS_LIBS += CONFIG['MOZ_ALSA_LIBS']

+if CONFIG['MOZ_NATIVE_GRAPHITE2']:
+    OS_LIBS += CONFIG['MOZ_GRAPHITE2_LIBS']
+
+if CONFIG['MOZ_NATIVE_HARFBUZZ']:
+    OS_LIBS += CONFIG['MOZ_HARFBUZZ_LIBS']
+
 if CONFIG['HAVE_CLOCK_MONOTONIC']:
     OS_LIBS += CONFIG['REALTIME_LIBS']

 if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'android':
     OS_LIBS += [
         'GLESv2',
     ]


--- a/gfx/thebes/moz.build	2016-04-22 16:55:14.249871300 -0400
+++ b/gfx/thebes/moz.build	2016-04-22 16:56:34.149595582 -0400
@@ -306,7 +306,14 @@ 

 LOCAL_INCLUDES += CONFIG['SKIA_INCLUDES']

-DEFINES['GRAPHITE2_STATIC'] = True
+if CONFIG['MOZ_NATIVE_HARFBUZZ']:
+    CXXFLAGS += CONFIG['MOZ_HARFBUZZ_CFLAGS']
+
+if CONFIG['MOZ_NATIVE_GRAPHITE2']:
+    CXXFLAGS += CONFIG['MOZ_GRAPHITE2_CFLAGS']
+else:
+    DEFINES['GRAPHITE2_STATIC'] = True
+

 if CONFIG['CLANG_CXX']:
     # Suppress warnings from Skia header files.
--- a/gfx/skia/generate_mozbuild.py	2016-03-15 18:37:29.000000000 -0400
+++ b/gfx/skia/generate_mozbuild.py	2016-04-22 20:29:06.972228378 -0400
@@ -155,6 +155,9 @@ 
     if CONFIG['CPU_ARCH'] == 'arm':
         SOURCES['skia/src/opts/SkBlitRow_opts_arm.cpp'].flags += ['-fomit-frame-pointer']

+if CONFIG['MOZ_NATIVE_HARFBUZZ']:
+    CXXFLAGS += CONFIG['MOZ_HARFBUZZ_CFLAGS']
+
 if CONFIG['MOZ_WIDGET_TOOLKIT'] in ('gtk2', 'gtk3', 'android', 'gonk', 'qt'):
     CXXFLAGS += CONFIG['MOZ_CAIRO_CFLAGS']
     CXXFLAGS += CONFIG['CAIRO_FT_CFLAGS']
--- a/gfx/skia/moz.build	2016-03-15 18:37:29.000000000 -0400
+++ b/gfx/skia/moz.build	2016-04-22 20:28:18.202338752 -0400
@@ -684,6 +684,9 @@ 
     if CONFIG['CPU_ARCH'] == 'arm':
         SOURCES['skia/src/opts/SkBlitRow_opts_arm.cpp'].flags += ['-fomit-frame-pointer']

+if CONFIG['MOZ_NATIVE_HARFBUZZ']:
+    CXXFLAGS += CONFIG['MOZ_HARFBUZZ_CFLAGS']
+
 if CONFIG['MOZ_WIDGET_TOOLKIT'] in ('gtk2', 'gtk3', 'android', 'gonk', 'qt'):
     CXXFLAGS += CONFIG['MOZ_CAIRO_CFLAGS']
     CXXFLAGS += CONFIG['CAIRO_FT_CFLAGS']