My system (hardened amd64) runs firefox without having to pax-mark the binary or any other component of www-client/firefox. Even the gnash plugin works (though I did not try other plugins). I achieved that favourable behaviour by preventing the compilation of both methodjit and tracejit. Therefore I propose a modification to the ebuild which makes that behaviour available to all hardened users. A patch for firefox-11.0.ebuild is included. I have tested the same modification successfully for the latest versions of www-client/icecat and www-client/seamonkey.

Reproducible: Always
Created attachment 305723: Patch introducing USE-flag jit
Created attachment 305753: Patch introducing USE-flag jit

Sorry, I personally used an ebuild with the pax lines completely deleted and made a logical error when devising a more general ebuild. What was meant was of course to enable pax-marking only when jit is present.
Plugin container would need to be pax-marked no matter what; plugins like adobe-flash would fail if it was not pax-marked.
Is in mozilla overlay for a week of testing; it is enabled by default, and the user will have to disable it in order to prevent the paxmark.
-r1 of tb/.fx-12 are in the tree now :)