Bug 496908 - www-client/qupzilla-1.6.0 version bump
Summary: www-client/qupzilla-1.6.0 version bump
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal enhancement
Assignee: Qt Bug Alias
URL: http://blog.qupzilla.com/2014/01/qupz...
Whiteboard:
Keywords:
Duplicates: 497204
Depends on:
Blocks:
 
Reported: 2014-01-03 17:37 UTC by Nikoli
Modified: 2014-02-17 14:30 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
An ebuild for 1.6.0 (qupzilla-1.6.0.ebuild,2.15 KB, text/plain)
2014-01-08 11:10 UTC, Hongjiu Zhang
A better ebuild for 1.6.0 (qupzilla-1.6.0.ebuild,2.11 KB, text/plain)
2014-01-08 12:26 UTC, Hongjiu Zhang

Description Nikoli 2014-01-03 17:37:11 UTC
QupZilla 1.6.0 was released 2014-01-01.
Comment 1 Davide Pesavento (RETIRED) gentoo-dev 2014-01-06 15:19:44 UTC
*** Bug 497204 has been marked as a duplicate of this bug. ***
Comment 2 Hongjiu Zhang 2014-01-08 11:10:59 UTC
Created attachment 367374 [details]
An ebuild for 1.6.0

This ebuild added kwallet and gnome-keyring support. Also it will pax-mark the executable file.
Comment 3 Hongjiu Zhang 2014-01-08 12:26:31 UTC
Created attachment 367384 [details]
A better ebuild for 1.6.0

Removed unexpected dependency of qtsingleapplication.

This ebuild also installs qupzilla-plugins, which is so small that I see no need to write a separate ebuild.
Comment 4 Ben de Groot (RETIRED) gentoo-dev 2014-01-20 17:25:35 UTC
+  20 Jan 2014; Ben de Groot <yngwin@gentoo.org> +qupzilla-1.6.0.ebuild:
+  Version bump, including some improvements from bug #496908
Comment 5 Nikoli 2014-01-28 05:30:13 UTC
Zhang, why did you add 'pax-mark m "${ED}"/usr/bin/qupzilla'? What are your video drivers?
Comment 6 Hongjiu Zhang 2014-01-29 01:50:34 UTC
(In reply to Nikoli from comment #5)
> Zhang, why did you add 'pax-mark m "${ED}"/usr/bin/qupzilla'? What are your
> video drivers?

Intel. This is necessary if you are going to use Flash in the hardened system. PaX here will kill qupzilla if it is not set that way.

If you are asking why we would compromise system security for Flash, this is just the convention that Chromium and Firefox's ebuilds all follow.
Comment 7 Nikoli 2014-01-29 06:35:24 UTC
I do not have flash or any other netscape plugins in my systems, so I would like to avoid pax marking qupzilla.
Comment 8 Hongjiu Zhang 2014-01-30 05:58:39 UTC
(In reply to Nikoli from comment #7)
> I do not have flash or any other netscape plugins in my systems, so I would
> like to avoid pax marking qupzilla.

Well, I think a /etc/portage/bashrc hook can help you.

#### Post pkg_postinst phase ##########################################

post_pkg_postinst() {

        ## Disable pax-mark for qupzilla
        if [ "${CATEGORY}/${PN}" = "www-apps/qupzilla" ]; then
                paxctl-ng -z /usr/bin/qupzilla
        fi
}

Or you can write it in post_src_install() which operates the image before the files are actually installed.

Similarly, you can do this for any packages that pax-marked undesired binary files, if you know what you are doing.
Comment 9 Hongjiu Zhang 2014-01-30 06:02:59 UTC
Oops, should be www-client/qupzilla.
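
The post_src_install variant mentioned in comment 8, with the category corrected as in comment 9, as an added example that is not part of the original thread. It generalizes the hook to a small per-package table; the names PAX_UNMARK, PAXCTL and unmark_pax_in_image are hypothetical, and the only paxctl-ng call used is the `-z` one from comment 8.

```bash
# /etc/portage/bashrc fragment (added example, not from the thread).
# Assumed/hypothetical names: PAX_UNMARK, PAXCTL, unmark_pax_in_image.
# One entry per line: category/name:absolute-path-inside-the-image
# (paths containing whitespace are not supported by this simple table).
PAX_UNMARK="
www-client/qupzilla:/usr/bin/qupzilla
"
# Overridable so the hook can be dry-run with a stub instead of paxctl-ng.
PAXCTL="${PAXCTL:-paxctl-ng}"

# $1 = CATEGORY/PN, $2 = image root (ED). Prints how many files were reset.
unmark_pax_in_image() {
    local pkg="$1" image="${2%/}" entry target handled=0
    for entry in ${PAX_UNMARK}; do
        [ "${entry%%:*}" = "${pkg}" ] || continue
        target="${image}${entry#*:}"
        # Touch only a regular file that is really in the image; a symlink
        # could point outside it, and a missing file means the table is stale.
        if [ -f "${target}" ] && [ ! -L "${target}" ]; then
            # Same call as in comment 8, applied before the file is merged.
            "${PAXCTL}" -z "${target}" >&2 || return 1
            handled=$((handled + 1))
        else
            echo "pax-unmark: ${target} not a regular file in image, skipped" >&2
        fi
    done
    echo "${handled}"
}

# Portage runs this after the ebuild's src_install, while ED is still the image.
post_src_install() {
    unmark_pax_in_image "${CATEGORY}/${PN}" "${ED}" >/dev/null
}
```

Working on the image rather than on the live /usr/bin/qupzilla means the binary is never installed with the relaxed marking, and a skipped entry shows up in the build log when an upstream change moves the file.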
Comment 10 fssirc 2014-02-17 13:21:47 UTC
> If you are asking why we would compromise system security for Flash, this is just the convention that Chromium and Firefox's ebuilds all follow.

Is there a link where this convention is written, because I cannot find it. As far as I know, the MPROTECT PaX flag was enabled in Firefox up to the 24.1.1 version. The reason why it was disabled was because Firefox didn't start and MPROTECT was disabled due to ion jit. See these links:

http://forums.gentoo.org/viewtopic-t-974658-start-0.html
http://hardenedgentoo.blogspot.ru/2012/06/default-mprotect-restriction-for.html

It was not disabled because of flash.
Comment 11 Hongjiu Zhang 2014-02-17 14:08:55 UTC
(In reply to fssirc from comment #10)
> > If you are asking why we would compromise system security for Flash, this is just the convention that Chromium and Firefox's ebuilds all follow.
> 
> Is there a link where this convention is written, because I cannot find it.
> As far as I know, the MPROTECT PaX flag was enabled in Firefox up to the
> 24.1.1 version. The reason why it was disabled was because Firefox didn't
> start and MPROTECT was disabled due to ion jit. See these links:
> 
> http://forums.gentoo.org/viewtopic-t-974658-start-0.html
> http://hardenedgentoo.blogspot.ru/2012/06/default-mprotect-restriction-for.html
> 
> It was not disabled because of flash.

http://git.overlays.gentoo.org/gitweb/?p=proj/mozilla.git;a=commitdiff;h=90fdaec48345fc4dc6065fdf4537b5b3f6606b03

I am not sure whether there are any further old discussions. From what I see, they were taking that into account.

I think what you showed is not the same issue. Marking Qupzilla for Flash is because Qupzilla doesn't isolate its plugin module. Firefox has its plugin-container isolated (I think back to the days of 2.x it was not). I am not sure of the very beginning state of plugin-container marking.

(I wish I didn't report something wrong. I remember I also reported similar issues for Konqueror's nsplugins. If I were destroying the security of you guys, I am doomed...)
Comment 12 Nikoli 2014-02-17 14:22:37 UTC
Not all people use flash, most people who use hardened care about security and avoid flash. Even if you have flash installed, you may not want to use it in all browsers. I think pax marking qupzilla by default does not make sense, pkg_postinst message is enough, something like this:

pkg_postinst() {
        if has_version www-plugins/adobe-flash; then
                ewarn "For using adobe flash plugin you most likely need to run \"paxctl-ng -m /usr/bin/qupzilla\""
        fi
}
Comment 13 fssirc 2014-02-17 14:30:50 UTC
I think it would be a good solution. Personally, I have never used flash since I started using Hardened Gentoo.