From 729087821785cfc4923a14a7aed633850119b723 Mon Sep 17 00:00:00 2001 From: sommerfeld Date: Wed, 13 May 2026 13:43:24 +0100 Subject: feat(browser): migrate librewolf to flatpak for host-isolation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Move LibreWolf from native librewolf-bin to Flathub io.gitlab.librewolf-community. Bubblewrap isolates the browser from $HOME (\\.ssh, password-store, gnupg, ssh-agent socket) at the cost of namespace chroot + IPC/network namespace isolation between content processes (mozilla bug 1756236, P3, considered defense-in-depth). seccomp-bpf — the dominant sandbox layer — is preserved. - meta/flatpak.txt: + io.gitlab.librewolf-community - meta/browser.txt: - librewolf-bin - run_onchange_after_deploy-firefox.sh.tmpl: profile path moves to ~/.var/app/io.gitlab.librewolf-community/.librewolf - dot_config/mimeapps.list: librewolf.desktop -> flatpak app id - dot_local/bin/executable_linkhandler: flatpak run wrapper - README.md: blurb + new profile path arkenfox-user.js + chezmoi user-overrides.js deploy keep working unchanged because the flatpak profile is still on the host fs. --- run_onchange_after_deploy-firefox.sh.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'run_onchange_after_deploy-firefox.sh.tmpl') diff --git a/run_onchange_after_deploy-firefox.sh.tmpl b/run_onchange_after_deploy-firefox.sh.tmpl index f5a5083..a917026 100755 --- a/run_onchange_after_deploy-firefox.sh.tmpl +++ b/run_onchange_after_deploy-firefox.sh.tmpl @@ -4,7 +4,7 @@ # firefox/ content hash: {{ output "sh" "-c" (printf "cd %q && find firefox -type f -exec sha256sum {} + | LC_ALL=C sort" .chezmoi.sourceDir) | sha256sum }} set -eu -PROFILES_DIR="$HOME/.librewolf" +PROFILES_DIR="$HOME/.var/app/io.gitlab.librewolf-community/.librewolf" [ -d "$PROFILES_DIR" ] || exit 0 PROFILE=$(find "$PROFILES_DIR" -maxdepth 1 -mindepth 1 -type d -name '*.default-default' | head -1) -- cgit v1.3.1