Small introduction: I am currently using Secureblue, a Distro Ecosystem consuming ublue (and thus Fedora) and adding tons of security features to it.
It's basically everything that exists on regular Desktop Linux (not QubesOS, real Linux) but in one place, immutable, based on a great Distro.
Secureblue uses GrapheneOS’ hardened_malloc. Everything works very well, apart from Firefox.
As far as I understood it, Firefox uses its own memory allocator, jemalloc, which seems to cause problems in this combination.
- The RPM is poorly removed, because upstream still includes it instead of letting users overlay, and you cannot reinstall it again due to an rpm-ostree issue.
- The Binary doesn’t launch and gives strange errors that smell like memory issues.
- The Flatpak works but is slow and I would prefer not to use it for security reasons (per-tab-process-isolation) and missing portals.
- The same then goes for Torbrowser.
- Thunderbird Flatpak works fine and doesn’t need process isolation.
I did some digging and compiled Firefox myself, in a F39 Distrobox:
```
# dependencies
sudo dnf install -y rust cargo gcc python3 m4 git
cd ~
mkdir Firefox-Build && cd Firefox-Build
# clone with Git
curl https://hg.mozilla.org/mozilla-central/raw-file/default/python/mozboot/bin/bootstrap.py -O
python3 ./bootstrap.py --vcs=git
cd mozilla-unified
cat > mozconfig <<EOF
# run this to include this config
# export MOZCONFIG=./mozconfig
# include the common mozconfig (not existing?)
# . ./mozconfig-common
# set it to build Firefox
mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/obj-firefox
mk_add_options MOZ_PARALLEL_BUILD=6
# put all arguments here
ac_add_options --enable-optimize --disable-jemalloc --enable-project=browser
# --enable-default-toolkit=cairo-gtk3-wayland-only # this may compile with Wayland only
# thunderbird
# mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/obj-thunderbird
# ac_add_options --enable-project=comm/mail
EOF
# build Firefox
export MOZCONFIG=./mozconfig
./mach build
```
So, this builds the slimmed down Firefox (if there are more flags that are useful, I would be happy about ideas!).
It uses Nightly, so I guess somewhere in the bootstrap you could define to use Standard release and ESR.
I tested the build and it runs great, did the Thorium WebGL renders and the Web Basemark without any issues, and I confirmed that this Firefox uses /usr/lib64/libhardened_malloc.so!
Now to the idea:
- compile Firefox and Firefox ESR (maybe Nightly for fun) on COPR
- use the binary to create a Torbrowser RPM
- use the binary to create a Thunderbird Flatpak for Flathub
I am very new to this, but I think this should be possible and I would really like to do this the efficient way. Of course I could also just compile Torbrowser and Thunderbird separately and flatpak-ify the Thunderbird RPM, but that seems inelegant and would suck resources.
Another idea would be to ask Librewolf to package this version, using their nice build pipelines and addressing their community.
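
One way to repeat the allocator check mentioned in the post for every process of the browser, including content processes, as an added example that is not part of the original post. It assumes all browser processes run an executable named `firefox`; the function names and the sample tree are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check every process of a browser
# build for an executable mapping of libhardened_malloc.

# maps_has_lib FILE LIB: true if FILE (/proc/PID/maps format) has an
# executable mapping whose file name starts with LIB.
maps_has_lib() {
    awk -v lib="$2" '
        NF >= 6 && $2 ~ /x/ {            # addr perms offset dev inode path
            n = split($6, part, "/")
            if (index(part[n], lib) == 1) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# check_procs EXE_NAME [PROC_ROOT]: one line per process whose executable is
# named EXE_NAME (assumption); returns 1 if any lacks the allocator mapping.
check_procs() {
    name=$1 root=${2:-/proc} rc=0
    for dir in "$root"/[0-9]*; do
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        exe=${exe% (deleted)}
        [ "${exe##*/}" = "$name" ] || continue
        if maps_has_lib "$dir/maps" libhardened_malloc 2>/dev/null; then
            echo "${dir##*/} hardened_malloc"
        else
            echo "${dir##*/} MISSING"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample tree standing in for /proc (PIDs and paths are made up).
make_sample_proc() {
    mkdir -p "$1/100" "$1/101" "$1/200"
    ln -s /opt/firefox/firefox "$1/100/exe"
    ln -s /opt/firefox/firefox "$1/101/exe"
    ln -s /usr/bin/bash "$1/200/exe"
    libc='7f10a0000000-7f10a01c0000 r-xp 00000000 fd:00 1201 /usr/lib64/libc.so.6'
    hm='7f10b0000000-7f10b0010000 r-xp 00000000 fd:00 1302 /usr/lib64/libhardened_malloc.so'
    printf '%s\n%s\n' "$hm" "$libc" > "$1/100/maps"
    printf '%s\n' "$libc" > "$1/101/maps"
    printf '%s\n' "$libc" > "$1/200/maps"
}

# Run as a script with an executable name, e.g. "firefox", to check live processes.
if [ -n "${1:-}" ]; then check_procs "$1"; fi
```

A `MISSING` line for a child process means that process was started without the hardened allocator even if the parent has it.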