abslibre/libre/iceweasel/PKGBUILD

# Maintainer (arch:firefox): Jan Alexander Steffens (heftig) <heftig@archlinux.org>
# Contributor: Ionut Biru <ibiru@archlinux.org>
# Contributor: Jakub Schmidtke <sjakub@gmail.com>
# Contributor: Henry Jensen <hjensen@connochaetos.org>
# Maintainer (archarm:firefox): Kevin Mihelich <kevin@archlinuxarm.org>
# Maintainer (arch32:firefox): Andreas Baumann <mail@andreasbaumann.cc>
# Contributor: Erich Eckner <git@eckner.net>
# Contributor: Andreas Grapentin <andreas@grapentin.org>
# Contributor: Luke Shumaker <lukeshu@parabola.nu>
# Contributor: André Silva <emulatorman@hyperbola.info>
# Contributor: Márcio Silva <coadde@hyperbola.info>
# Contributor: fauno <fauno@kiwwwi.com.ar>
# Contributor: vando <facundo@esdebian.org>
# Contributor: Figue <ffigue at gmail>
# Contributor: evr <evanroman at gmail>
# Contributor: Muhammad 'MJ' Jassim <UnbreakableMJ@gmail.com>
# Contributor: vando <facundo@esdebian.org>
# Contributor: taro-k <taro-k@movasense_com>
# Contributor: Michał Masłowski <mtjm@mtjm.eu>
# Contributor: Luke R. <g4jc@openmailbox.org>
# Contributor: Isaac David <isacdaavid@isacdaavid.info>
# Contributor: bill-auger <bill-auger@programmer.net>
# Contributor: grizzlyuser <grizzlyuser@protonmail.com>


# parabola changes and rationale
# libre:
#  - Modify the addons pages to use GNU IceCat plugins sources, rather
#    than addons.mozilla.org, which hosts non-free addons
#  - Disable EME, which is implemented via the non-free libWideVine CDM
#  - Disable Normandy that let Mozilla push messages with recommendations
#    of nonfree software
#  - Make Remote Settings work completely offline using local data
#  - Use system python libs. The arch package uses 'pip' to download
#    dependencies from the internet at build-time, despite that those needed
#    dependencies are already packaged in the arch repos. So strictly-speaking,
#    the package is not built from source, as some sources will be missing
#    from the published source package, and will not be required as makedepends.
#
# technical:
#  - build 32-bit arches with GCC instead of clang
#  - disable rust-SIMD, LTO, PGO, and skip profiling build for armv7h and i686
#  - allow skipping profiling build for x86_64 (_SHOULD_SKIP_PGO).
#    this is to avoid OOM problems, and occasional deadlocks in some versions,
#    which expect active netwokring or internet access at build time.
#  - prefer as many system libs as possible, over their vendored couterparts
#  - Rebrand to Iceweasel, per the mozilla trademark policy, due to the FSDG changes
#  - set user profile directory to ~/.mozilla/iceweasel
#
# privacy:
#  - Remove Google API keys and usage
#  - Disable Mozilla telemetry and crash reporting
#    (good manners because of all of the other patching we're doing)
#  - do not compile/upload remote debug symbols


# NOTE: This PKGBUILD is kept in-sync, as closely as possible,
#       with arch{,arm,32} (firefox), and parabola {iceweasel,icecat},
#       for the sake of documentation and cleaner diffs.
#       That also helps to identify which changes were made by Parabola vs upstream.
#       Therefore, this PKGBUILD may declare blacklisted dependencies, non-free sources,
#       or include code for anti-features; but those will be filtered-out subsequently.
#       Any code which implements an anti-feature should be commented-out;
#       and include an 'anti-feature' comment, for clarity.
#       Any blacklisted dependencies and non-free sources should be filtered,
#       and include a 'non-free' comment, for clarity.
#       Without those over-rides, the resulting program may not be FSDG-fit.
#       Do not circumvent those over-rides, if compiling for the Parabola repos.


pkgname=iceweasel
epoch=1
pkgver=110.0.1
pkgrel=1
pkgrel+=.parabola1
_brandingver=102.0-1
pkgdesc="Standalone web browser derived from Mozilla Firefox"
url=https://wiki.parabola.nu/Iceweasel
arch=(x86_64)
arch+=(
  armv7h
  i686)
license=(
  GPL
  LGPL
  MPL
)
depends=(
  dbus-glib
  ffmpeg
  gtk3
  libpulse
  libxt
  mime-types
  nss
  ttf-font
)
makedepends=(
  cbindgen
  clang
  diffutils
  dump_syms
  imake
  inetutils
  jack
  lld
  llvm
  mesa
  nasm
  nodejs
  python
  rust
  unzip
  wasi-compiler-rt
  wasi-libc
  wasi-libc++
  wasi-libc++abi
  xorg-server-xvfb
  yasm
  zip
)
makedepends+=(
  git
  imagemagick
  jq
  libxslt
  python-jsonschema
  python-setuptools
  python-typing-extensions
  python-zstandard
  quilt
)
optdepends=(
  'hunspell-en_US: Spell checking, American English'
  'libnotify: Notification integration'
  'networkmanager: Location detection via available WiFi networks'
  'pulseaudio: Audio support'
  'speech-dispatcher: Text-to-Speech'
  'xdg-desktop-portal: Screensharing with Wayland'
)
# install=${pkgname}.install # TODO: redmine #2164
# provides=('firefox')       # TODO: redmine #2164 - currently conflicts with 'your-freedom'
replaces=('firefox')
options=(
  !debug
  !emptydirs
  !lto
  !makeflags
  !strip
)
source=(
  https://archive.mozilla.org/pub/firefox/releases/$pkgver/source/firefox-$pkgver.source.tar.xz{,.asc}
  $pkgname.desktop
  identity-icons-brand.svg
  0001-libwebrtc-screen-cast-sync.patch
)
source=(${source[*]/identity-icons-brand.svg/}) # branding over-ride
source+=(
  https://repo.parabola.nu/other/iceweasel/${pkgname}_${_brandingver}.branding.tar.xz{,.sig}
  9001-FSDG-sync-remote-settings-with-local-dump.patch
  9002-FSDG-preference-defaults.patch
  9003-FSDG-urihandlers.patch
  9004-FSDG-misc.patch
  process-json-files.py
  vendor.js.in
)
source_armv7h=(build-arm-libopus.patch)
source_i686=(
  avoid-libxul-OOM-python-check.patch
  rust-static-disable-network-test-on-static-libraries.patch
  firefox-107.0-fdlibm.patch
  fix-i686-build-moz-1792159.patch
)
validpgpkeys=(
  '14F26682D0916CDD81E37B6D61B7B526D98F0353'  # Mozilla Software Releases <release@mozilla.com>
)
validpgpkeys+=(
  'BFA8008A8265677063B11BF47171986E4B745536' # Andreas Grapentin
  '3954A7AB837D0EA9CFA9798925DB7D9B5A8D4B40' # bill-auger
)
sha256sums=('f19bb74d684b992625abca68f5776198974cd2785eb5d02d51ba007fc998491f'
            'SKIP'
            '9cdc2602661717712092d28bb494e5b48e518cb930898aca85eaf21f91f7ef58'
            '43c83101b7ad7dba6f5fffeb89b70a661a547d506a031ea2beada42ccf04eec7')
sha256sums+=('d29c194ed7b3b4fa0f511866723118938c2be40077b4e9aadf8b3e6bfff91049'
             'SKIP'
             '58f6cdb31df0da4c8bf599d033ceb8f97c3e19b21c72b5b4cb70f13e1dfa5139'  # 9001-FSDG-sync-remote-settings-with-local-dump.patch
             '1e4d28bd87688334b20cce9213490111e004ea6bcf1654f550da8ebe6bdbf3ef'  # 9002-FSDG-preference-defaults.patch
             '13b701372b6fb35b96a1d58853db64643feb9be061ebc461b41ceca5de8eea62'  # 9003-FSDG-urihandlers.patch
             'b664e65ad916effcd4807f8dc11b2d74e28733118c4a189dd19da6663a99577b'  # 9004-FSDG-misc.patch
             '591b07d4a23bf978329420b7d7f53e16824dfbbf30ef0ffe8efd73a6cd836624'  # process-json-files.py
             '8e113fd2730be3fd11b2a24918dd62e8741513cf4dce9819d8eae358c5411adc') # vendor.js.in
sha256sums_armv7h=('2d4d91f7e35d0860225084e37ec320ca6cae669f6c9c8fe7735cdbd542e3a7c9')
sha256sums_i686=('2f0c81a38c4578f68f5456b618fe84a78974072821488173eb55e0e72287e353'
                 '10c5276eab2e87f400a6ec15d7ffbef3b0407ee888dea36f1128927ca55b9041'
                 '1c2015e9f59c2c3bc898e04c6c6d33523f835638fd314d24944a8063cbce79d8'
                 '2fb39374fd3d80eea9e346032a2a4b2bc2e357dee7380855b24bcf19b1335d06')
b2sums=('ff196016e0271f7828163b8f767f3321b5ee08ef6bd0b03b134e17a1e5b62666f10ae80a14569438f6ac1c995a7a8422265eaabbc505b6a86e95a66b5db07209'
        'SKIP'
        'f86353bbba05d8994db34c6abb66094aa61d2c37c8599930dbe9d215413f0f718a1ce55a8f2d07a65074c3947e28fc80d44c925bd9be239a870f82d2a1803635'
        '2bf65874c8c1f41c9273b68d74f4fe5c81dca5acbad0b9a5f917df1d46e1b2a1fb25d42a419eb885e76f4d193483cdeb6294e14ed4b2e241c34b84565b6ffd72')
b2sums+=('c2a2ead1b44c563583abb5cd3579e8f2724ea79e12aba1b315f201a09547d611b4a3c98de12f063b25826fd1520562d411ab917780bab4d78a1240fe56096b1b'
         'SKIP'
         '553f96ab709cfc60324829b7225f89081b0aae06fd6d52699e83ee8483dc23ff227caec68949cf62caaffad09a26e817287508000dae5df60d3062de2e6a8bce'  # 9001-FSDG-sync-remote-settings-with-local-dump.patch
         'bdb08d681f6f17ae9f8e0bb37e23087a0401d4be26c91ead3eda4654362ad37c3b1cddf69596e2b2278f77e0fd45714b7dbb7a97aca35aae5417e916079d24bf'  # 9002-FSDG-preference-defaults.patch
         '9e4ccfb8850d9f9a5222f5186b35f2ae7986b6c6d435de024b109a6fa01e65a1362664cfb6ea81621387cf33364cc8d3d466fae1bee24ab5fc7e23c4cb17bf2c'  # 9003-FSDG-urihandlers.patch
         '3c2041eac7230a2268cd2590bbccf2d3cf66f9164b6032c039e1d2656c0331301d39fb25623d27ee9cf701867f79f9e7fec6dbf68ff46f4fc5abb4ebeb3784cc'  # 9004-FSDG-misc.patch
         'f53c0bdd1b1e09f3e4e4e376f6ada654fc6f5a02a248c87daad1f644fc8cf9bdb1009802f352b59d76b17c6d6a81745da1e7c59a5e2421fd2b8475bb9ba34798'  # process-json-files.py
         '5302b6abcfec3155c578e0664e6a0ac921234c5912d74c4a9b0feb3a051ed4ef5f11b93ee37739a3a92fc6693683374f92ac9c3f560780f879c4249d0718157a') # vendor.js.in
b2sums_armv7h=('6e5980e56343a23bce4fcda58f6abc8f2debca0c278c87b09e53abb17ff15849c26e8df3bbff2388985f8fe5a4e9be9982c602ef7159546f0ae335fca1000a41')
b2sums_i686=('97035e44cd1deae7bb2422c81eec7294feb51f43f460b4d7ddba083e1d8a48d265a36ca43cf1d9dee49b01ee6df0c76e0f6916cc73cb7ad9caa1c235a59da0e4'
             '009789d3bb93ba418929019135804fc3de7de161e5be8efba7fc75646fbde395720be5b7a7d3f5d1671f459fdd2944dd14aca306bbf1c975436d4f7765d62d15'
             'e4851eaa9030d9b8811f505f8f1569a41f8dc7cf586269108ebe370ac91896f69d36fc6d2e1937f427656fe4fca63031ca5e11d39a3667205a4b0a6f935cd548'
             'd20ce3eff595f85df86eaa0dfb665fc356f8987117a771f76adc4ac12046a7e82b0af182fa99f87ea1362a5026c9d0216c7b714649fef0c7294c61c8e8f4d790')


# Google API keys (see http://www.chromium.org/developers/how-tos/api-keys)  # anti-feature
# Note: These are for Arch Linux use ONLY. For your own distribution, please # anti-feature
# get your own set of keys. Feel free to contact foutrelis@archlinux.org for # anti-feature
# more information.                                                          # anti-feature
# _google_api_key=AIzaSyDwr302FpOSkGRpLlUpPThNTDPbXcIn_FM                    # anti-feature

# Mozilla API keys (see https://location.services.mozilla.com/api)           # anti-feature
# Note: These are for Arch Linux use ONLY. For your own distribution, please # anti-feature
# get your own set of keys. Feel free to contact heftig@archlinux.org for    # anti-feature
# more information.                                                          # anti-feature
# _mozilla_api_key=e05d56db0a694edc8b5aaebda3f2db6a                          # anti-feature


## compiler and optimization tweaks ##

# disable PGO for 32-bit arches (always), x86_64 optionally
# normally enabled ('0') for x86_64 - try '1' if the build hangs indefinitely
readonly _SHOULD_SKIP_PGO=$(case "${CARCH}" in armv7h|i686) echo 1 ;; *) echo 0 ;; esac)

# use GCC vs LLVM for 32-bit arches
# normally not needed ('0') for x86_64
# for 32-bit arches, try one or the other, to resolve compiler/linker issues
readonly _SHOULD_USE_GCC==$(case "${CARCH}" in armv7h) echo 1 ;;
                                               i686  ) echo 1 ;;
                                               x86_64) echo 0 ;; esac)


## dependency tweaks ##

makedepends+=( python-pydantic=1.9.2   ) # dustbin - configure error: pydantic 1.10.4 has requirement typing-extensions>=4.2.0, but you have typing-extensions 3.10.0.0
makedepends+=( python-zstandard=0.19.0 ) # dustbin - configure error: zstandard<=0.19.0,>=0.11.1: Installed with unexpected version "0.20.0"

case "${CARCH}" in
armv7h)
  makedepends=( ${makedepends[*]/wasi-*/} ) # armv7h has no wasi compiler

  depends+=( icu=72.1 ) # --with-system-icu
  ;;
i686)
  makedepends+=( llvm14 ) # rustup: error while loading shared libraries: libLLVM-14.so:

  makedepends=( ${makedepends[*]/wasi-*/}                     ) # wasm-ld: error: cannot open /usr/lib/clang/15.0.7/lib/wasi/libclang_rt.builtins-wasm32.a: No such file or directory
  makedepends+=( 'wasi-libc++>=15'      'wasi-libc++<16'      ) # in [community-testing]
  makedepends+=( 'wasi-libc++abi>=15'   'wasi-libc++abi<16'   ) # in [community-testing]
  makedepends+=( 'wasi-compiler-rt>=15' 'wasi-compiler-rt<16' ) # in [community-testing]
  ;;
esac


## helpers ##

_check_build_config() {
  pushd "${srcdir}"/firefox-${pkgver} > /dev/null

  echo "Checking build configuration..."

  # Each of the [ARCH-SPECIFIC CONFIG] branches in prepare(), should have prepared a
  # $srcdir/mozconfig file with any arch-specific changes to the Arch x86_64 PKGBUILD.
  # Finally, that file should have been copied to $srcdir/firefox-$pkgver/.mozconfig
  grep '^ac_add_options --with-distribution-id=nu.parabola' .mozconfig &> /dev/null || \
  ! echo "cannot continue without a .mozconfig file"                                || return 1

  if ! [[ "${CARCH}" =~ ^(aarch64|armv7h)$ ]] # ARM has no --disable-eme option
  then grep '^ac_add_options --disable-eme' .mozconfig &> /dev/null   || \
       ! echo ".mozconfig file was not properly treated per the FSDG" || return 1
  fi

  # Configure produces mozinfo.json that reflects current configuration.
  # See build/docs/mozinfo.rst
  ./mach configure

  # In this test, jq collects values of the following keys of mozinfo.json into array,
  # and checks if any of them are not equal to false, in which case it returns "true".
  # E.g. if the value of any key is true or null (in case the key is missing from mozinfo.json),
  # that means the build configuration has to be reworked.
  local obj_directory=$(./mach environment | sed -En '/object directory:/{n;s/^\s+//;p;}')
  local antifeature_keys=(.crashreporter .datareporting .healthreport .normandy .telemetry .updater)
  local antifeatures=()
  echo "obj_directory is: ${obj_directory}"
  for key in ${antifeature_keys[@]}
  do  if   jq -e "${key} != false" "${obj_directory}"/mozinfo.json &> /dev/null
      then antifeatures+=(${key})
      fi
  done
  if   (( ${#antifeatures[@]} ))
  then echo "Some anti-features are not disabled in build configuration files, aborting:"
       for key in ${antifeatures[@]} ; do echo " - ${key} is enabled" ; done ;
       return 1
  fi

  popd > /dev/null
}

_check_patching() {
  pushd "${srcdir}"/firefox-${pkgver} > /dev/null

  echo "verifying libre patching"

  # URI protocol handlers
  local uri_handlers=uriloader/exthandler/HandlerList.sys.mjs
  local webmails='google|yahoo'
  grep   'name:'          $uri_handlers | grep    '"KiwiIRC",' &> /dev/null && \
  ! grep 'name:'          $uri_handlers | grep -v '"KiwiIRC",' &> /dev/null && \
  ! grep -E "($webmails)" $uri_handlers                        &> /dev/null || \
  ! echo "9003-FSDG-misc.patch needs reworking"                             || \
  return 1

  # services.addons.mozilla.org API endpoint
  local amo_api_endpoint='services.addons.mozilla.org'
  ! grep -qr $amo_api_endpoint &> /dev/null                                                                    || \
  ! echo '9002-FSDG-preference-defaults.patch needs reworking: AMO API endpoint hostname found in source tree' || \
  return 1

  # Remote Settings
  local settings_server='firefox.settings.services.mozilla.com'
  ! grep -qr $settings_server &> /dev/null                                      || \
  ! echo '9001-FSDG-sync-remote-settings-with-local-dump.patch needs reworking' || \
  return 1

  popd > /dev/null
}


## business ##

prepare() {
  mkdir mozbuild
  cd firefox-$pkgver

  ## technical patching ##

  # https://bugs.archlinux.org/task/76231
  # https://bugzilla.mozilla.org/show_bug.cgi?id=1790496
  # https://src.fedoraproject.org/rpms/firefox/blob/rawhide/f/libwebrtc-screen-cast-sync.patch
  patch -Np1 -i ../0001-libwebrtc-screen-cast-sync.patch

  # arch-specific technical patching
  case ${CARCH} in
  aarch64|armv7h)
    # Error: immediate expression requires a # prefix -- `pld [r0,1792]'
    #        mozilla #1787405 and #1791267
    sed -i "s|# 'LIBYUV_DISABLE_NEON',|'LIBYUV_DISABLE_NEON',|" media/libyuv/libyuv/libyuv.gyp
    ! grep "# 'LIBYUV_DISABLE_NEON'," media/libyuv/libyuv/libyuv.gyp || ! echo "error patching media/libyuv/libyuv/libyuv.gyp" || exit 1

    patch -p1 -i ../build-arm-libopus.patch
    ;;
  i686)
    # readelf: Error: Unable to seek to 0x801db328 for section headers
    echo "applying avoid-libxul-OOM-python-check.patch"
    patch -p1 -i ../avoid-libxul-OOM-python-check.patch

    # test failure in rust code (complaining about network functions) when PGO is used,
    # see https://bugzilla.mozilla.org/show_bug.cgi?id=1565757
    echo "applying rust-static-disable-network-test-on-static-libraries.patch"
    patch -p1 -i ../rust-static-disable-network-test-on-static-libraries.patch

    # FIXME: this patch is probably temporary - it comes from mozilla
    #          https://bugzilla.mozilla.org/show_bug.cgi?id=1729459
    #        /build/iceweasel/src/firefox-96.0.1/modules/fdlibm/src/math_private.h:34:21:
    #          error: conflicting declaration ‘typedef __double_t double_t’
    #        /usr/include/math.h:156:21: note: previous declaration as ‘typedef long double double_t’
    echo "applying firefox-107.0-fdlibm.patch"
    patch -p1 -i "$srcdir/firefox-107.0-fdlibm.patch"

    # js/src/jit/shared/AtomicOperations-shared-jit.cpp:88:9: error: ‘AtomicCopyByteUnsynchronized’ was not declared in this scope; did you mean ‘AtomicMemcpyUpUnsynchronized’?
    echo "applying fix-i686-build-moz-1792159.patch"
    patch -p1 -i "$srcdir/fix-i686-build-moz-1792159.patch"
    ;;
  x86_64)
    ;;
  esac


  ## general configuration ##

  # echo -n "$_google_api_key" >google-api-key   # anti-feature
  # echo -n "$_mozilla_api_key" >mozilla-api-key # anti-feature

  cat >../mozconfig <<END
ac_add_options --enable-application=browser
mk_add_options MOZ_OBJDIR=${PWD@Q}/obj

ac_add_options --prefix=/usr
ac_add_options --enable-release
ac_add_options --enable-hardening
ac_add_options --enable-optimize
ac_add_options --enable-rust-simd
ac_add_options --enable-linker=lld
ac_add_options --disable-elf-hack
ac_add_options --disable-bootstrap
ac_add_options --with-wasi-sysroot=/usr/share/wasi-sysroot

# Branding
ac_add_options --disable-official-branding                 # branding over-ride
ac_add_options --enable-update-channel=release
ac_add_options --with-distribution-id=nu.parabola          # branding over-ride
ac_add_options --with-branding=browser/branding/${pkgname} # branding over-ride
ac_add_options --with-app-name=${pkgname}                  # branding over-ride
ac_add_options --with-app-basename=${pkgname}              # branding over-ride
ac_add_options --with-unsigned-addon-scopes=app,system
ac_add_options --allow-addon-sideload
# export MOZILLA_OFFICIAL=1                                # branding over-ride
export MOZ_APP_REMOTINGNAME=${pkgname//-/}
export MOZ_TELEMETRY_REPORTING=
export MOZ_REQUIRE_SIGNING=

# Keys
# ac_add_options --with-google-location-service-api-keyfile=${PWD@Q}/google-api-key # anti-feature
# ac_add_options --with-google-safebrowsing-api-keyfile=${PWD@Q}/google-api-key     # anti-feature
# ac_add_options --with-mozilla-api-keyfile=${PWD@Q}/mozilla-api-key                # anti-feature

# System libraries
ac_add_options --with-system-nspr
ac_add_options --with-system-nss

# Features
ac_add_options --enable-alsa
ac_add_options --enable-jack
ac_add_options --disable-crashreporter # anti-feature
ac_add_options --disable-updater
ac_add_options --disable-tests
ac_add_options --disable-eme           # anti-feature
END


  ## [ARCH-SPECIFIC CONFIG] ##

  case ${CARCH} in
  aarch64|armv7h)
    # experimental/version-specific hacks #

    (( ! _SHOULD_USE_GCC )) ||
    cat >> ../mozconfig <<EOF
export CC=gcc
export CXX=g++
export AR=gcc-ar
export NM=gcc-nm
export RANLIB=gcc-ranlib
EOF

    # ld.lld: error: undefined hidden symbol: std::type_info::operator==(std::type_info const&) const
    echo 'ac_add_options --with-system-icu' >> ../mozconfig


    # archarm configuration #

    if [[ $CARCH == "armv7h" ]]; then
      echo "ac_add_options --disable-elf-hack" >> .mozconfig
      # https://bugzilla.redhat.com/show_bug.cgi?id=1641623
      echo "ac_add_options --disable-av1" >> .mozconfig
      # reduce jobs due to RAM constraints
      MAKEFLAGS="-j4"
      # disable hard-coded LTO
      sed -i '/cargo_rustc_flags += -Clto/d' config/makefiles/rust.mk
      sed -i '/RUSTFLAGS += -Cembed-bitcode=yes/d' config/makefiles/rust.mk
      # increase codegen-units due to RAM constraints
      sed -i 's/codegen-units=1/codegen-units=16/' config/makefiles/rust.mk
      # webrtc on ARMv7 implies android, so disable it
      echo "ac_add_options --disable-webrtc" >> .mozconfig
    elif [[ $CARCH == "aarch64" ]]; then
      echo 'ac_add_options --enable-rust-simd' >> .mozconfig
    fi
    echo 'ac_add_options --enable-optimize="-g0 -O2"' >> .mozconfig
    echo "mk_add_options MOZ_MAKE_FLAGS=\"${MAKEFLAGS}\"" >> .mozconfig

    # archarm `export` commands are under the '[ARCH-SPECIFIC BUILD ENV]' section

    # archarm patching is under the 'technical patching' section

    # archarm has these differences in ## general configuration ## above
    # NOTE: '--disable-eme' is currently an invalid option for armv7h.
    #       It must be deleted in order to compile.
    #       If ever it becomes valid, it should not be deleted below.
    sed -i '
      /--enable-hardening/d
      /--enable-optimize/d
      /--enable-rust-simd/d
      s| --with-wasi-sysroot=.*| --without-wasm-sandboxed-libraries|
      /--disable-eme/d
    ' ../mozconfig

    # At this point in the recipe (this `case` block), the arch, arch32, and parabola
    # PKGBUILDs have prepared a temporary ${srcdir}/mozconfig; but the archarm PKGBUILD
    # writes directly to the final firefox-$pkgver/.mozconfig.
    # We allowed .mozconfig to be written above, only to minimize the diff against archarm.
    # For consistency across arches, we append those changes to ${srcdir}/mozconfig now.
    # ${srcdir}/mozconfig will clobber firefox-$pkgver/.mozconfig later, during build().
    cat .mozconfig >> ../mozconfig
    ;;
  i686)
    # experimental/version-specific hacks #

    (( ! _SHOULD_USE_GCC )) ||
    cat >>../mozconfig <<END
export CC=gcc
export CXX=g++
export AR=gcc-ar
export NM=gcc-nm
export RANLIB=gcc-ranlib
END


    # arch32 configuration #

    # arch32 `export` commands are under the '[ARCH-SPECIFIC BUILD ENV]' section

    # NOTE: these diffs and the compiler flags above, were moved to mozconfig-i686.patch
    #       they are more handy to tweak in-line though
    # disable LTO as it has little benefit and uses too many resources
    # don't compile with clang, use gcc toolchain (clang has issues on IA32)
    # disable SIMD (SSE2 for i686)
    # set correct compiler and toochain tools
    cat >>../mozconfig <<END
#ac_add_options --disable-linker=lld
#ac_add_options --enable-linker=bfd
ac_add_options --disable-lto
ac_add_options --disable-rust-simd
ac_add_options --disable-debug
ac_add_options --disable-debug-symbols
END

    # FIXME GCC: /usr/lib/gcc/i686-pc-linux-gnu/12.1.0/include/xmmintrin.h:208:1: error: inlining failed in call to ‘always_inline’ ‘__m128 _mm_sqrt_ps(__m128)’: target specific option mismatch
    # FIXME LLVM: /build/iceweasel/src/firefox-106.0.1/third_party/libwebrtc/modules/audio_processing/aec3/adaptive_fir_filter.cc:110:27: error: always_inline function '_mm_loadu_ps' requires target feature 'sse', but would be inlined into function 'ComputeFrequencyResponse_Sse2' that is compiled without support for 'sse'
    echo "ac_add_options --disable-webrtc" >> ../mozconfig

    sed -i '/cargo_rustc_flags += -Clto/d' config/makefiles/rust.mk # FIXME: is this needed?

    # arch32 patching is under the 'technical patching' section
    ;;
  x86_64)
    ;;
  *) echo "no [ARCH-SPECIFIC CONFIG] for arch: ${CARCH}" ; return 1 ;
    ;;
  esac


  ## branding ##

  echo "applying parabola branding"
  local brandingsrcdir="${srcdir}"/${pkgname}-${_brandingver/-*}
  local brandingdestdir="${srcdir}"/firefox-${pkgver}/browser/branding/${pkgname}
  local tippytopdir="${srcdir}"/firefox-${pkgver}/browser/components/newtab/data/content/tippytop
  local blank_svg='<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"></svg>'
  rm -rf -- ${brandingdestdir}
  cp -aT -- ${brandingsrcdir}/branding ${brandingdestdir}

  pushd "${brandingdestdir}" > /dev/null

  # generate icons, logos, banners
  for size in 16 22 24 32 48 64 128 256
  do  rsvg-convert -w ${size} -h ${size}  iceweasel_icon.svg -o default${size}.png
  done
  cp                                      iceweasel_logo.svg        content/aboutlogins.svg
  cp                                      iceweasel_logo.svg        content/about-logo.svg
#  cp                                      iceweasel_logo.svg        content/about-logo.svg # RuntimeError: File "about-logo.svg" not found in browser/branding/iceweasel/content
  rsvg-convert -w 192 --keep-aspect-ratio iceweasel_logo.svg     -o content/about-logo.png
  rsvg-convert -w 384 --keep-aspect-ratio iceweasel_logo.svg     -o content/about-logo@2x.png
  cp                                      content/about-logo.png    content/about-logo-private.png
  cp                                      content/about-logo@2x.png content/about-logo-private@2x.png
  echo ${blank_svg}                                           > content/blank.svg

  popd > /dev/null

  # custom new tab page
  # FIXME: the newtab page (aka "Start Page") has changed significantly
  #        the new upstream start page ('activity-streams') is an add-on now
  #        it must be forked and customized externally, then copied into the browser tree
  #        see: the branding-dev-build/ dir on the '68.0' branch of the branding git repo
  #        some of the branding components above and commented out below may no longer be used
  #        the following section aims to restore something similar
  #          to the previous parabola-branded "start page"
  #        once it is working well, all of these comments should be removed
  #          and any unused branding components may be deleted from the branding package
  # Put "Start Page" branding images in the source code
  # install -m644 -t browser/base/content/abouthome -- \
  #   "${brandingsrcdir}/branding"/{drm-free,gnu_headshadow,parabola-banner}.png
  # install -m644 -t browser/extensions/onboarding/content/img -- \
  #   "${brandingsrcdir}/branding/watermark.svg"

  # process default Top Sites and their icons
  find ${tippytopdir} -type f      \
       -not -name 'wikipedia-org*' \
       -not -name 'top_sites.json' \
       -exec rm -v {} \;
  for image in "${brandingsrcdir}"/tippytop/*.svg; do
    local outname=$(basename -s .svg "${image}")
    local size=$(identify -format '%wx%h' ${tippytopdir}/images/wikipedia-org@2x.png)
    local background=$( [[ "${outname}" == 'gnu' ]] && echo 'white' || echo 'none' )
    magick -density 300 ${image}                           \
           -gravity center -resize ${size} -extent ${size} \
           "${tippytopdir}/images/${outname}@2x.png"

    size=256x256
    magick -density 300 -background ${background} ${image} \
           -gravity center -resize ${size} -extent ${size} \
           -define icon:auto-resize=64,48,32,16            \
           "${tippytopdir}/favicons/${outname}.ico"
  done

  # apply branding patches
  export QUILT_PATCHES="${brandingsrcdir}"/patches
  export QUILT_REFRESH_ARGS='-p ab --no-timestamps --no-index'
  export QUILT_DIFF_ARGS='--no-timestamps'
  export QUILT_PC="${srcdir}"/.pc
  quilt push -av

  # misc branding
  sed -i "s|({ \$bits }-bit)|($CARCH)|" browser/locales/en-US/browser/aboutDialog.ftl


  ## searchengines ##

  pushd browser/components/search/extensions > /dev/null

  # Patch search-engines configs
  sed -i 's|https://duckduckgo.com/|https://html.duckduckgo.com/html/|' ddg/manifest.json

  # Removing URL parameters that let DuckDuckGo know the place in UI
  # the search was ran from (like address bar, context menu, etc.)
  local jq_cmd='del(.chrome_settings_overrides.search_provider.params)'
  jq "${jq_cmd}"           ddg/manifest.json > manifest.json.tmp
  ! diff manifest.json.tmp ddg/manifest.json > /dev/null
  mv manifest.json.tmp     ddg/manifest.json

  # Delete unused search engine configs
  find -mindepth 1 -maxdepth 1 \
       -not -name ddg          \
       -not -name wikipedia    \
       -exec rm -frv {} \;

  popd > /dev/null


  ## libre patching ##

  # Upstream tarball can contain some ignored cruft,
  # including binaries (for example, python3).
  echo 'Removing files specified in .gitignore...'
  git init && git clean -dfX                                                \
    --exclude='!ipc/chromium/src/third_party/libevent/evconfig-private.h'   \
    --exclude='!toolkit/crashreporter/google-breakpad/src/third_party/lss/' \
    --exclude='!third_party/python/**/*.egg-info/'
  rm -rf .git

  # Remove test-related networking dumps, because they contain code from
  # some Amazon webpage with no clear licensing, thus nonfree.
  # Also they interfere with checking of Remote Settings patching done later,
  # because communication with RS server has been captured in them too.
  rm python/mozperftest/mozperftest/system/example.zip
  rm testing/mozbase/mozproxy/tests/files/mitm5-linux-firefox-amazon.zip

  # Disable/neutralize Remote Settings (as best we can)
  echo "applying 9001-FSDG-sync-remote-settings-with-local-dump.patch"
  git apply ../9001-FSDG-sync-remote-settings-with-local-dump.patch

  # Disable various components at the source level
  sed -i 's/;1/;0/' toolkit/components/telemetry/components.conf
  sed -Ei 's/((MOZ_SERVICES_HEALTHREPORT|MOZ_NORMANDY).+)True/\1False/' browser/moz.configure
  #sed -i 's/;1/;0/' browser/experiments/Experiments.manifest
  #sed -i '/pocket/d'          browser/extensions/moz.build
  #sed -i '/activity-stream/d' browser/extensions/moz.build

  python ../process-json-files.py "${srcdir}"/firefox-${pkgver} "${brandingsrcdir}"

  # disable various phone-home/goelocation anti-featires
  echo "applying 9002-FSDG-preference-defaults.patch"
  patch -Np1 --no-backup-if-mismatch -i "${srcdir}"/9002-FSDG-preference-defaults.patch

  # over-ride/install default URI protocol handlers
  echo "applying 9003-FSDG-urihandlers.patch"
  patch -Np1 --no-backup-if-mismatch -i "${srcdir}"/9003-FSDG-urihandlers.patch

  # Remove remaining non-free bits
  echo "applying 9004-FSDG-misc.patch"
  patch -Np1 --no-backup-if-mismatch -i "${srcdir}"/9004-FSDG-misc.patch

  echo "removing remaining non-free bits"
  rm -v toolkit/crashreporter/tools/upload_symbols.py
  rm -frv third_party/rust/winapi-{i686,x86_64}-pc-windows-gnu/**/*.a

  ## patching sanity checks ##
  _check_patching
}

build() {
  cd firefox-$pkgver

  ## build env ##

  export MOZ_NOSPAM=1
  export MOZBUILD_STATE_PATH="$srcdir/mozbuild"
  # export MOZ_ENABLE_FULL_SYMBOLS=1                    # anti-feature
  export MACH_BUILD_PYTHON_NATIVE_PACKAGE_SOURCE=system # parabola policy

  # LTO needs more open files
  ulimit -n 4096


  ## [ARCH-SPECIFIC BUILD ENV] ##

  case ${CARCH} in
  aarch64|armv7h)
    export MOZ_DEBUG_FLAGS=" "
    export CFLAGS+=" -g0"
    export CXXFLAGS+=" -g0"
    export LDFLAGS+=" -Wl,--no-keep-memory"
    export RUSTFLAGS="-Cdebuginfo=0"
    ;;
  i686)
    # -fno-plt with cross-LTO -> LLVM ERROR: Function Import: link error
    CFLAGS="${CFLAGS/-fno-plt/}"
    CXXFLAGS="${CXXFLAGS/-fno-plt/}"

    # try hard to tell ld and rust not to use too much memory (no lto, no debug info, etc.)
    export RUSTFLAGS+=" -Cdebuginfo=0 -Clto=off"
    export LDFLAGS+=" -Wl,--no-keep-memory " # -Wl,--reduce-memory-overheads -Wl,--max-cache-size=16384000 "
    export MOZ_SOURCE_CHANGESET="DEVEDITION_${pkgver//./_}_RELEASE"

#     export MOZ_MAKE_FLAGS=-j2

    # libvpx has some hard-coded compiler flags for MMX, SSE, SSE2, use the correct one
    # per CARCH (75.0 uses an intrisic _mm_empty now, which required the corresponding
    # architecture flag to be preset - before it was merely embedding some assembly
    # code with EMMS
    export CFLAGS+=" -mmmx"
    export CXXFLAGS+=" -mmmx"
    ;;
  x86_64)
    ;;
  *) echo "no [ARCH-SPECIFIC BUILD ENV] for arch: ${CARCH}" ; return 1 ;
    ;;
  esac
  export CFLAGS
  export CXXFLAGS


  ## [ARCH-SPECIFIC BUILD CONFIG] ##

  case ${CARCH} in
  aarch64|armv7h)
    ;;
  i686)
    # avoid excessive debug symbols in rust leading to out-of-memory situations
    sed -i "s/debug_info = '\''2'\''/debug_info = '\''0'\''/" build/moz.configure/toolchain.configure
    ;;
  x86_64)
    ;;
  *) echo "no [ARCH-SPECIFIC BUILD CONFIG] for arch: ${CARCH}" ; return 1 ;
    ;;
  esac


  ## PGO build ##

  if (( _SHOULD_SKIP_PGO ))
  then
    # skipping "3-tier PGO" "instrumented browser"; so the final .mozconfig is ready now
    cp ../mozconfig .mozconfig
  else
    # Do 3-tier PGO
    echo "Building instrumented browser..."
    cat >.mozconfig ../mozconfig - <<END
ac_add_options --enable-profile-generate=cross
END
    _check_build_config
    ./mach build

    echo "Profiling instrumented browser..."
    ./mach package
    LLVM_PROFDATA=llvm-profdata \
      JARLOG_FILE="$PWD/jarlog" \
      xvfb-run -s "-screen 0 1920x1080x24 -nolisten local" \
      ./mach python build/pgo/profileserver.py

    stat -c "Profile data found (%s bytes)" merged.profdata
    test -s merged.profdata

    stat -c "Jar log found (%s bytes)" jarlog
    test -s jarlog

    echo "Removing instrumented browser..."
    ./mach clobber

    echo "Building optimized browser..."
    cat >.mozconfig ../mozconfig - <<END
ac_add_options --enable-lto=cross
ac_add_options --enable-profile-use=cross
ac_add_options --with-pgo-profile-path=${PWD@Q}/merged.profdata
ac_add_options --with-pgo-jarlog=${PWD@Q}/jarlog
END
  fi # _SHOULD_SKIP_PGO


  ## sanity checks ##

  _check_build_config


  ## main build ##

  (( ! _SHOULD_SKIP_PGO )) || echo "Building optimized browser..."
  ./mach build

  # echo "Building symbol archive..." # anti-feature
  # ./mach buildsymbols               # anti-feature
}

package() {
  export MOZBUILD_STATE_PATH="$srcdir/mozbuild"         # needed for `libremakepkg -R`
  export MACH_BUILD_PYTHON_NATIVE_PACKAGE_SOURCE=system # needed for `libremakepkg -R`

  cd firefox-$pkgver
  DESTDIR="$pkgdir" ./mach install

  local vendorjs="$pkgdir/usr/lib/$pkgname/browser/defaults/preferences/vendor.js"
  install -Dvm644 /dev/stdin "$vendorjs" <<END
// Use LANG environment variable to choose locale
pref("intl.locale.requested", "");

// Use system-provided dictionaries
pref("spellchecker.dictionary_path", "/usr/share/hunspell");

// Disable default browser checking.
pref("browser.shell.checkDefaultBrowser", false);

// Don't disable extensions in the application directory
pref("extensions.autoDisableScopes", 11);
END

  # Parabola additions to vendor.js
  cat "${srcdir}"/vendor.js.in >> "${vendorjs}"

  local distini="$pkgdir/usr/lib/$pkgname/distribution/distribution.ini"
  install -Dvm644 /dev/stdin "$distini" <<END
[Global]
id=parabola
version=(${_brandingver} branding)
about=${pkgname^} for Parabola GNU/Linux-libre
about.en-US=${pkgname^} for Parabola GNU/Linux-libre
about.eo=${pkgname^} por Parabola GNU/Linux-libre
about.es-ES=${pkgname^} para Parabola GNU/Linux-libre
about.gl=${pkgname^} para Parabola GNU/Linux-libre
about.pt-BR=${pkgname^} para Parabola GNU/Linux-libre

[Preferences]
app.distributor=parabola
app.distributor.channel=$pkgname
app.partner.parabola=parabola
END

  # NOTE: browser/branding/$theme is $brandingdestdir in prepare()
  local i theme=$pkgname
  for i in 16 22 24 32 48 64 128 256; do
    install -Dvm644 browser/branding/$theme/default$i.png \
      "$pkgdir/usr/share/icons/hicolor/${i}x${i}/apps/$pkgname.png"
  done
  install -Dvm644 browser/branding/$theme/content/about-logo.png \
    "$pkgdir/usr/share/icons/hicolor/192x192/apps/$pkgname.png"
  install -Dvm644 browser/branding/$theme/content/about-logo@2x.png \
    "$pkgdir/usr/share/icons/hicolor/384x384/apps/$pkgname.png"
  install -Dvm644 browser/branding/$theme/content/about-logo.svg \
    "$pkgdir/usr/share/icons/hicolor/scalable/apps/$pkgname.svg"
  install -Dvm644 browser/branding/$theme/content/blank.svg \
    "$pkgdir/usr/share/icons/hicolor/symbolic/apps/$pkgname-symbolic.svg"

  install -Dvm644 ../$pkgname.desktop \
    "$pkgdir/usr/share/applications/$pkgname.desktop"

  # Install a wrapper to avoid confusion about binary path
  install -Dvm755 /dev/stdin "$pkgdir/usr/bin/$pkgname" <<END
#!/bin/sh
exec /usr/lib/$pkgname/$pkgname "\$@"
END


  ## [ARCH-SPECIFIC INSTALL] ##

  case ${CARCH} in
  aarch64|armv7h)
    ;;
  i686)
    # libxul.so cannot find it's libraries
    install -dm 755 "${pkgdir}/etc/ld.so.conf.d"
    echo "/usr/lib/${pkgname}" > "${pkgdir}"/etc/ld.so.conf.d/${pkgname}.conf
    ;;
  x86_64)
    ;;
  *) echo "no [ARCH-SPECIFIC INSTALL] for arch: ${CARCH}" ; return 1 ;
    ;;
  esac

  # Replace duplicate binary with wrapper
  # https://bugzilla.mozilla.org/show_bug.cgi?id=658850
  ln -srfv "$pkgdir/usr/bin/$pkgname" "$pkgdir/usr/lib/$pkgname/$pkgname-bin"

  # Use system certificates
  local nssckbi="$pkgdir/usr/lib/$pkgname/libnssckbi.so"
  if [[ -e $nssckbi ]]; then
    ln -srfv "$pkgdir/usr/lib/libnssckbi.so" "$nssckbi"
  fi

  # export SOCORRO_SYMBOL_UPLOAD_TOKEN_FILE="$startdir/.crash-stats-api.token" # anti-feature
  # if [[ -f $SOCORRO_SYMBOL_UPLOAD_TOKEN_FILE ]]; then                        # anti-feature
  #   make -C obj uploadsymbols                                                # anti-feature
  # else                                                                       # anti-feature
  #   cp -fvt "$startdir" obj/dist/*crashreporter-symbols-full.tar.zst         # anti-feature
  # fi
}