Feature Freeze Exception: Seeding the official Firefox snap in Ubuntu Desktop

@kenvandine I am working with the Belgian government; we have been supporting Ubuntu as a platform for our national identity card.

I would like to point to https://forum.snapcraft.io/t/confined-browser-snaps-cant-use-system-libraries-pkcs11-and-native-host-messaging-what-do-we-do/11828 and reiterate my questions then:

Will the snap version support:

  • connecting to system libraries to enable PKCS11-based security devices
  • native messaging with a native host application that handles smartcard functions

Krgds

2 Likes

I do maintain a snap the Firefox snap might be able to easily utilize for smart card reading:

I know some Belgian customers use it on Ubuntu Core based IoT Health Kiosks with the Belgian ID. There is also an example snap that shows how to utilize it, Firefox would just need to copy the plugs definition and the libpcsclite blocks into its snapcraft.yaml from

https://github.com/ogra1/gscriptor-snap/blob/master/snap/snapcraft.yaml

(you'd have to install the pcscd-daemon snap alongside on your machines and manually connect the interfaces, but it should give you the desired functionality)

3 Likes

When Chromium was packaged as a snap I didn't care because it is not the default browser,
but now it is Firefox, the default browser I use most.

The snap has an issue with Arabic support; we discussed it a year ago without a fix.
The snap package doesn't use the host fontconfig, and it renders an ugly font for Arabic that makes it hard to read on HiDPI screens.

From Ubuntu 19.10 onwards, Ubuntu uses Noto Sans Arabic to render Arabic characters and it is great, but snaps still use DejaVu.

I found a solution (thanks to @oSoMoN and @ogra): https://github.com/ubuntu/snapcraft-desktop-helpers/pull/213 but it is not merged.

3 Likes

Firefox does not use these desktop launchers but instead uses the gnome-3-38 extension.

Have you tried if it is probably already fixed there? (you can install/remove the Firefox snap alongside the deb, it won't affect the deb install (just run it with snap run firefox while the deb version is not running)). If it is not, you should make sure it gets fixed in the extension.

I did a test of the Firefox snap on Kubuntu Impish and was positively surprised that the theming integration worked, at least under X11.

What currently does not work is the Plasma Integration extension, which seems to be tracked under #1741074 (@paulw2u already pointed to this bug). This worries me a bit, since this is a feature I really like and e.g. using the Firefox flatpak is currently no alternative since it seems to suffer from the same problem.

And then there is https://github.com/ubuntu/snapcraft-desktop-helpers/issues/205 which made me cautious about using snaps.

Btw. is the same thing also planned for Thunderbird?

Kind regards, Jan

I tried it before I posted.
I tried it again now and the issue is here:
https://www.youtube.com/watch?v=F_7aSXJy2_g

When chatting about this with @oSoMoN, he pointed me at this document:

https://chromium.googlesource.com/chromium/src.git/+/HEAD/docs/linux/sandboxing.md

Reading over that, it sounds like at this point the setuid helper is a fallback for cases where using unprivileged namespaces to set up the sandbox fails. It's also possible to build without the helper, in which case Chromium will fail to start if the unprivileged namespace option fails.

So it'd definitely be worth checking whether the Chrome based browsers actually ever use their setuid helper. If they do, it probably means we are blocking something that would let them use the less privileged alternative.

There are only seven snap names with automated review policy overrides allowing them to ship a binary that looks like the Chrome sandbox helper:

https://git.launchpad.net/review-tools/tree/reviewtools/overrides.py#n152

Outside of Canonical managed snaps, it looks to just be Opera and Skype. So it isn't out of the question that the CAP_SYS_ADMIN bits could be removed at some point. That might be preferable to having Firefox and Chrome specific policy variants in browser-support.

2 Likes
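
As an added example (not code from the thread, Chromium or snapd), a host-side check for the question raised in the post above: whether unprivileged user namespaces are permitted and whether a setuid sandbox helper is shipped under a given directory. It reads only host sysctls, so a snap's confinement policy can still deny namespace creation when it reports `userns-ok`; the function names and status strings are made up for this example.

```sh
#!/bin/sh
# Added example, not from the thread: host-side triage for whether a
# Chromium-based browser would have to fall back to its setuid helper.
# The status strings printed by sandbox_report are labels made up here.

# userns_available [proc_sys_root]
# Succeeds if the host sysctls permit unprivileged user namespaces.
userns_available() {
    root="${1:-/proc/sys}"
    max="$root/user/max_user_namespaces"
    clone="$root/kernel/unprivileged_userns_clone"
    # No upstream knob readable: treat user namespaces as unavailable.
    [ -r "$max" ] || return 1
    # Upstream knob: a limit of 0 disables user namespaces.
    [ "$(cat "$max")" -ne 0 ] || return 1
    # Debian/Ubuntu knob (absent on other kernels): 0 restricts them to root.
    if [ -r "$clone" ] && [ "$(cat "$clone")" -eq 0 ]; then
        return 1
    fi
    return 0
}

# setuid_helpers <dir>
# Lists files named like the Chromium sandbox helper that carry the setuid bit.
setuid_helpers() {
    find "$1" -type f \( -name chrome-sandbox -o -name chrome_sandbox \) \
        -perm -4000 2>/dev/null || true
}

# sandbox_report <proc_sys_root> <install_dir>
sandbox_report() {
    helpers=$(setuid_helpers "$2")
    if userns_available "$1"; then
        if [ -n "$helpers" ]; then echo "userns-ok helper-is-fallback-only"
        else echo "userns-ok no-helper"; fi
    elif [ -n "$helpers" ]; then
        echo "userns-blocked helper-required"
    else
        echo "userns-blocked no-helper"
    fi
}

# Default run: real sysctls, snap mount directory (or the directory given as $1).
sandbox_report /proc/sys "${1:-/snap}"
```
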

I hope that in the new Firefox you will fix that horrible big line spacing in the bookmarks!
I already see a Firefox snap 92.0.3 in the repository. Will the new one be the same?

it might still change (i.e. build against a core22 base and use newer desktop launchers) before 22.04 but you should definitely be able to test and use it today already from the stable channel to report any rough edges you find …

1 Like

It looks no worse
[code]corrado@corrado-n3-ii-0919:~$ time snap run firefox

real 0m8,013s
user 0m6,477s
sys 0m1,932s
corrado@corrado-n3-ii-0919:~$ time firefox

real 0m5,132s
user 0m6,504s
sys 0m1,263s
corrado@corrado-n3-ii-0919:~$[/code]

1 Like

@ogra
I did set refresh-app-awareness=true with snap manager extension. I checked just now the value and that's “true”.
Well, gnome 3.38 snap updated while Firefox was running aaaaaand FF crashed.

So does this snap option avoid updates of dependencies of running snaps too?

3 Likes

i don't think it does … and this sounds like one of these bugs we want to see fixed before release ! please report it :slight_smile:

Don't know if my manual gnome 3.38 update (through GNOME Software, this time…) is concerned?

3 Likes

i got an automatic update of the 3-38 extension here with a bunch of electron apps open that use it and i don't see crashes or any other ill effects with these apps …

looks like firefox could be more fragile to this …

i am pretty sure it does not make any difference whether you update manually or if it is automatic, the process is the same on a technical level, only the trigger for it differs …

Trying to run google earth: https://earth.google.com/web/ i have the messages:
Unfortunately your computer does not support WebGL graphics acceleration; Google Earth cannot be loaded

Hmm. While your browser seems to support WebGL, it is disabled or unavailable. If possible, please ensure that you are running the latest drivers for your video card.

On the same installation of Ubuntu Impish with Firefox .deb google earth works fine

corrado@corrado-n3-ii-0919:~$ inxi -SCGx

System:
Host: corrado-n3-ii-0919 Kernel: 5.13.0-16-generic x86_64 bits: 64
compiler: gcc v: 11.2.0 Desktop: GNOME 40.2
Distro: Ubuntu 21.10 (Impish Indri)
CPU:
Info: Quad Core model: Intel Core i5-1035G1 bits: 64 type: MT MCP
arch: Ice Lake rev: 5 cache: L2: 6 MiB
flags: avx avx2 lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
bogomips: 19046
Speed: 945 MHz min/max: 400/1000 MHz Core speeds (MHz): 1: 945 2: 762
3: 731 4: 716 5: 970 6: 750 7: 709 8: 968
Graphics:
Device-1: Intel Iris Plus Graphics G1 vendor: Dell driver: i915 v: kernel
bus-ID: 00:02.0
Device-2: Realtek Integrated_Webcam_HD type: USB driver: uvcvideo
bus-ID: 1-6:3
Display: wayland server: X.Org 1.21.1.2 compositor: gnome-shell driver:
loaded: i915 note: n/a (using device driver) resolution: 1920x1080~60Hz
OpenGL: renderer: Mesa Intel UHD Graphics (ICL GT1) v: 4.6 Mesa 21.2.1
direct render: Yes
corrado@corrado-n3-ii-0919:~$

3 Likes

Somewhat happy to see I'm not alone, running very different hardware. What are the keys we have to change to make GE to work?

System:    Host: p14s Kernel: 5.13.0-16-generic x86_64 bits: 64 compiler: gcc v: 11.2.0 Desktop: GNOME 40.2 
           Distro: Ubuntu 21.10 (Impish Indri) 
CPU:       Info: 8-Core model: AMD Ryzen 7 PRO 5850U with Radeon Graphics bits: 64 type: MT MCP arch: Zen 3 rev: 0 cache: 
           L2: 4 MiB 
           flags: avx avx2 lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm bogomips: 60685 
           Speed: 1583 MHz min/max: 1600/1900 MHz boost: enabled Core speeds (MHz): 1: 1583 2: 3110 3: 1380 4: 1387 5: 1397 
           6: 1397 7: 2176 8: 1523 9: 1451 10: 1396 11: 1397 12: 1396 13: 1397 14: 1397 15: 2705 16: 1397 
Graphics:  Device-1: Advanced Micro Devices [AMD/ATI] Cezanne vendor: Lenovo driver: amdgpu v: kernel bus-ID: 04:00.0 
           Device-2: Chicony Integrated Camera type: USB driver: uvcvideo bus-ID: 1-2:2 
           Display: wayland server: X.Org 1.21.1.2 compositor: gnome-shell driver: loaded: amdgpu,ati 
           unloaded: fbdev,modesetting,vesa resolution: 1920x1080~60Hz 
           OpenGL: renderer: AMD RENOIR (DRM 3.41.0 5.13.0-16-generic LLVM 12.0.1) v: 4.6 Mesa 21.2.1 direct render: Yes
1 Like

That would be a great addition for the browser snaps!
I was guessing though, how could OpenSC fit in there? Would it have to be in the form of another snap?

I want to make this a bit more clear:

Every single Belgian needs this functionality in order to do basic stuff like:

  • File their taxes
  • Read communication from the government
  • Check their medical history
  • Register for a (covid) vaccine
  • Rent stuff from the government

etc.

It is vital that this issue is fixed before phasing out the Firefox deb package. With the Chromium apt package gone, there will be no alternative in the Ubuntu repositories to do these basic things in Belgium.

It's really nice that our government is supporting Ubuntu using open-source software using common standards and APIs. Breaking this vital functionality looks like a big middle-finger to them.

9 Likes

That's a known issue that is being actively investigated.

1 Like

Tried running the firefox snap on impish. It started a brand new profile and couldn't see the existing profile to import bookmarks/settings/etc. I can manually copy files over from ~/.mozilla to ~/snap/firefox/common/.mozilla but are these supposed to seamlessly transition?

Additionally, screen sharing through pipewire (tested on google meet) appears not to do anything.

1 Like