config: actualizar nombre del desarrollador

Prueba de emacs 30.1 en Aramo

Co-authored-by: Ark74 <ark@switnet.org>
Reviewed-on: #1

.gitlab/issue_templates/Default.md

@@ -0,0 +1,52 @@
+## Bug Report Template
+
+> **If you have a question or are not sure about what you are about to post, please use the forums instead.**
+> **Also, check for possible duplicate reports here or in the forum before submitting this issue.**
+
+---
+
+### 1. Affected Package revision / version
+
+<!-- Example: v1.3.2, v1.2.3trisquel1, etc -->
+
+---
+
+### 2. Steps to Reproduce
+
+<!-- List the minimal steps to reproduce the issue -->
+
+1. ...
+2. ...
+3. ...
+
+---
+
+### 3. Current Behavior
+
+<!-- Describe what is happening -->
+
+---
+
+### 4. Expected Behavior *(optional)*
+
+<!-- Describe what you expected to happen instead -->
+
+---
+
+### 5. Workaround *(optional)*
+
+<!-- Is there a known workaround? -->
+
+---
+
+### 6. Suggestions, Investigation and Possible Causes *(optional)*
+
+<!-- Share any insights, code references, or debugging steps you've taken -->
+
+---
+
+### 7. Other Tests *(optional)*
+
+<!-- Any other environments or tests tried? -->
+
+---

helpers/DATA/anarchism/patch_changes/000-replace_adobe_promotion_on_earlier_release.patch

@@ -0,0 +1,32 @@
+diff --git a/html/pdf.html b/html/pdf.html
+index 2e4143fa..9f58faa9 100644
+--- a/html/pdf.html
++++ b/html/pdf.html
+@@ -7,7 +7,7 @@
+   <body>
+   <div class="content clear-block">
+     <h1>"An Anarchist FAQ" in pdf format</h1>
+-<p>To view and print out the file you will need to have  Adobe Document Reader on your computer. This is free  software that now comes on many computers and with  many CD's. If you do not already have it you can  <a href="http://www.adobe.com/products/acrobat/readstep.html"> download it from the Adobe site.</a>  [or  <a href="http://www.adobe.com/products/acrobat/alternate.html"> click here for a faster text only page</a>]</p>
++<p>To view or print this file, you will need a PDF reader installed on your computer. Many PDF readers are free software and are available on most systems. If you don't already have one, you can browse a list of options at <a href="https://pdfreaders.org">pdfreaders.org</a>, or install a PDF reader from your operating system's software repository.</p>
+ <h2><u>An Anarchist FAQ<br>
+ </u></h2>
+ <ul>
+diff --git a/markdown/pdf.md b/markdown/pdf.md
+index 0375b395..5994bd6f 100644
+--- a/markdown/pdf.md
++++ b/markdown/pdf.md
+@@ -1,9 +1,10 @@
+ # "An Anarchist FAQ" in pdf format
+ 
+-To view and print out the file you will need to have Adobe Document Reader on
+-your computer. This is free software that now comes on many computers and with
+-many CD's. If you do not already have it you can [ download it from the Adobe
+-for a faster text only
++To view or print this file, you will need a PDF reader installed on your
++computer. Many PDF readers are free software and are available on most
++systems. If you don't already have one, you can browse a list of options at
++pdfreaders.org, or install a PDF reader from your operating system's software
++repository
+ 
+ ## _An Anarchist FAQ  
+ _

helpers/DATA/apparmor-profiles-extra/70aed868a4ed76d74eecf3b210ce7bf3098ffab4.patch

@@ -0,0 +1,38 @@
+From 70aed868a4ed76d74eecf3b210ce7bf3098ffab4 Mon Sep 17 00:00:00 2001
+From: Jacob K <jacobk@disroot.org>
+Date: Wed, 12 Feb 2025 12:19:24 -0600
+Subject: [PATCH] Add some lines from Atril's profile to fix the screen reader
+
+---
+ profiles/usr.bin.pidgin | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/profiles/usr.bin.pidgin b/profiles/usr.bin.pidgin
+index 5e18702..085301c 100644
+--- a/profiles/usr.bin.pidgin
++++ b/profiles/usr.bin.pidgin
+@@ -8,6 +8,7 @@
+   #include <abstractions/bash>
+   #include <abstractions/dbus-session>
+   #include <abstractions/dbus-strict>
++  #include <abstractions/dbus-accessibility>
+   #include <abstractions/dconf>
+   #include <abstractions/enchant>
+   #include <abstractions/gnome>
+@@ -82,6 +83,13 @@
+   owner @{PROC}/@{pid}/auxv r,
+   owner @{PROC}/@{pid}/fd/ r,
+ 
++  # These lines were copied from Atril's profile to make the screen reader functional
++  owner /{,var/}run/user/*/at-spi2-*/   rw,
++  owner /{,var/}run/user/*/at-spi2-*/** rw,
++  # Allow access to the non-abstract D-Bus socket used by at-spi > 2.42.0
++  #   https://gitlab.gnome.org/GNOME/at-spi2-core/-/issues/43
++  owner /{,var/}run/user/*/at-spi/bus* rw,
++
+   # Site-specific additions and overrides. See local/README for details.
+   #include <local/usr.bin.pidgin>
+ }
+-- 
+2.25.1
+

helpers/DATA/apparmor/b5a7641dd3502fcfb897d3b96e197628b674ce3c.patch

@@ -17,7 +17,7 @@ index 01493260d..dd783992d 100644
  /etc/wildmidi/wildmidi.cfg r,
  
 +# pipewire
-+/usr/share/pipewire/client.conf r,
++/usr/share/pipewire/client{,-rt}.conf r,
 +
    # Include additions to the abstraction
    include if exists <abstractions/audio.d>

helpers/DATA/atril/apparmor-profile

@@ -0,0 +1,350 @@
+# vim:syntax=apparmor
+
+# evince is not written with application confinement in mind and is designed to
+# operate within a trusted desktop session where anything running within the
+# user's session is trusted. That said, evince will often process untrusted
+# input (PDFs, images, etc). Ideally evince would be written in such a way that
+# image processing is separate from the main process and that processing
+# happens in a restrictive sandbox, but unfortunately that is not currently the
+# case. Because evince will process untrusted input, this profile aims to
+# provide some hardening, but considering evince's design and other factors such
+# as X, gsettings, accessibility, translations, DBus session and system
+# services, etc, complete confinement is not possible.
+
+#include <tunables/global>
+
+/usr/bin/atril {
+  #include <abstractions/audio>
+  #include <abstractions/bash>
+  #include <abstractions/cups-client>
+  #include <abstractions/dbus-accessibility>
+  #include <abstractions/atril>
+  #include <abstractions/ibus>
+  #include <abstractions/nameservice>
+
+  #include <abstractions/ubuntu-browsers>
+  #include <abstractions/ubuntu-console-browsers>
+  #include <abstractions/ubuntu-email>
+  #include <abstractions/ubuntu-console-email>
+  #include <abstractions/ubuntu-media-players>
+
+  # allow atril to spawn browsers distributed as snaps (LP: #1794064)
+  #include <abstractions/snap_browsers>
+
+  # For now, let atril talk to any session services over dbus. We can
+  # blacklist any problematic ones (but note, evince uses libsecret :\)
+  #include <abstractions/dbus-session>
+
+  #include <abstractions/dbus-strict>
+  dbus (receive) bus=system,
+  # Allow getting information from various system services
+  dbus (send)
+      bus=system
+      member="Get*"
+      peer=(label=unconfined),
+  # Allow talking to avahi with whatever polkit allows
+  dbus (send)
+      bus=system
+      interface="org.freedesktop.Avahi{,.*}",
+  # Allow talking to colord with whatever polkit allows
+  dbus (send)
+      bus=system
+      interface="org.freedesktop.ColorManager{,.*}",
+
+  # Terminals for using console applications. These abstractions should ideally
+  # have 'ix' to restrict access to what only atril is allowed to do
+  #include <abstractions/ubuntu-gnome-terminal>
+
+  # By default, we won't support launching a terminal program in Xterm or
+  # KDE's konsole. It opens up too many unnecessary files for most users.
+  # People who need this functionality can uncomment the following:
+  ##include <abstractions/ubuntu-xterm>
+  ##include <abstractions/ubuntu-konsole>
+
+  /usr/bin/atril rmPx,
+  /usr/bin/atril-previewer Px,
+  /usr/bin/yelp Cx -> sanitized_helper,
+  /usr/bin/bug-buddy px,
+  # 'Show Containing Folder' (LP: #1022962)
+  /usr/bin/nautilus Cx -> sanitized_helper, # Gnome
+  /usr/bin/pcmanfm Cx -> sanitized_helper,  # LXDE
+  /usr/bin/krusader Cx -> sanitized_helper, # KDE
+  /usr/bin/thunar Cx -> sanitized_helper,   # XFCE
+
+  # Print Dialog
+  /usr/lib/@{multiarch}/libproxy/*/pxgsettings Cx -> sanitized_helper,
+
+  # For Xubuntu to launch the browser
+  #include <abstractions/exo-open>
+
+  # For text attachments
+  /usr/bin/gedit ixr,
+
+  # For Send to
+  /usr/bin/nautilus-sendto Cx -> sanitized_helper,
+
+  # GLib desktop launch helper (used under the hood by g_app_info_launch)
+  /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rmix,
+  /usr/bin/env ixr,
+
+  # allow directory listings (ie 'r' on directories) so browsing via the file
+  # dialog works
+  / r,
+  /**/ r,
+
+  # This is need for saving files in your home directory without an extension.
+  # Changing this to '@{HOME}/** r' makes it require an extension and more
+  # secure (but with 'rw', we still have abstractions/private-files-strict in
+  # effect).
+  owner @{HOME}/** rw,
+  owner /media/**  rw,
+  owner @{HOME}/.local/share/gvfs-metadata/** l,
+  owner /{,var/}run/user/*/gvfs-metadata/** l,
+
+  # Maybe add to an abstraction?
+  /etc/dconf/**                                       r,
+  owner @{HOME}/.cache/dconf/user                     rw,
+  owner @{HOME}/.config/dconf/user                    r,
+  owner @{HOME}/.config/enchant/*                     rk,
+  owner /{,var/}run/user/*/dconf/                     w,
+  owner /{,var/}run/user/*/dconf/user                 rw,
+  owner /{,var/}run/user/*/dconf-service/keyfile/     w,
+  owner /{,var/}run/user/*/dconf-service/keyfile/user rw,
+
+  owner /{,var/}run/user/*/at-spi2-*/   rw,
+  owner /{,var/}run/user/*/at-spi2-*/** rw,
+
+  # Allow access to the non-abstract D-Bus socket used by at-spi > 2.42.0
+  #   https://gitlab.gnome.org/GNOME/at-spi2-core/-/issues/43
+  owner /{,var/}run/user/*/at-spi/bus* rw,
+
+  # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
+  # read and write for all supported file formats
+  /**.[aA][iI]         rw,
+  /**.[bB][mM][pP]     rw,
+  /**.[dD][jJ][vV][uU] rw,
+  /**.[dD][vV][iI]     rw,
+  /**.[gG][iI][fF]     rw,
+  /**.[jJ][pP][gG]     rw,
+  /**.[jJ][pP][eE][gG] rw,
+  /**.[oO][dD][pP]     rw,
+  /**.[fFpP][dD][fF]   rw,
+  /**.[pP][nN][mM]     rw,
+  /**.[pP][nN][gG]     rw,
+  /**.[pP][sS]         rw,
+  /**.[eE][pP][sS]     rw,
+  /**.[tT][iI][fF]     rw,
+  /**.[tT][iI][fF][fF] rw,
+  /**.[xX][pP][mM]     rw,
+  /**.[gG][zZ]         rw,
+  /**.[bB][zZ]2        rw,
+  /**.[cC][bB][rRzZ7]  rw,
+  /**.[xX][zZ]         rw,
+
+  # atril creates a temporary stream file like '.goutputstream-XXXXXX' in the
+  # directory a file is saved. This allows that behavior.
+  owner /**/.goutputstream-* w,
+
+  # allow atril to spawn browsers distributed as snaps (LP: #1794064)
+  /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrCx -> snap_browsers,
+}
+
+/usr/bin/atril-previewer {
+  #include <abstractions/audio>
+  #include <abstractions/bash>
+  #include <abstractions/cups-client>
+  #include <abstractions/dbus-accessibility>
+  #include <abstractions/atril>
+  #include <abstractions/ibus>
+  #include <abstractions/nameservice>
+
+  #include <abstractions/ubuntu-browsers>
+  #include <abstractions/ubuntu-console-browsers>
+  #include <abstractions/ubuntu-email>
+  #include <abstractions/ubuntu-console-email>
+  #include <abstractions/ubuntu-media-players>
+
+  # For now, let atril talk to any session services over dbus. We can
+  # blacklist any problematic ones (but note, evince uses libsecret :\)
+  #include <abstractions/dbus-session>
+
+  #include <abstractions/dbus-strict>
+  dbus (receive) bus=system,
+  # Allow getting information from various system services
+  dbus (send)
+      bus=system
+      member="Get*"
+      peer=(label=unconfined),
+  # Allow talking to avahi with whatever polkit allows
+  dbus (send)
+      bus=system
+      interface="org.freedesktop.Avahi{,.*}",
+  # Allow talking to colord with whatever polkit allows
+  dbus (send)
+      bus=system
+      interface="org.freedesktop.ColorManager{,.*}",
+
+
+  # Terminals for using console applications. These abstractions should ideally
+  # have 'ix' to restrict access to what only atril is allowed to do
+  #include <abstractions/ubuntu-gnome-terminal>
+
+  # By default, we won't support launching a terminal program in Xterm or
+  # KDE's konsole. It opens up too many unnecessary files for most users.
+  # People who need this functionality can uncomment the following:
+  ##include <abstractions/ubuntu-xterm>
+
+  /usr/bin/atril-previewer mr,
+  /usr/bin/yelp Cx -> sanitized_helper,
+  /usr/bin/bug-buddy px,
+
+  # Lenient, but remember we still have abstractions/private-files-strict in
+  # effect). Write is needed for 'print to file' from the previewer.
+  @{HOME}/ r,
+  @{HOME}/** rw,
+
+  # Maybe add to an abstraction?
+  owner /{,var/}run/user/*/dconf/          w,
+  owner /{,var/}run/user/*/dconf/user      rw,
+}
+
+/usr/bin/atril-thumbnailer {
+  #include <abstractions/base>
+  #include <abstractions/private-files-strict>
+
+  #include <abstractions/fonts>
+  deny @{HOME}/.{,cache/}fontconfig/** wl,
+  deny @{HOME}/missfont.log wl,
+
+  #include <abstractions/dbus-session-strict>
+  dbus (receive) bus=session,
+  dbus (send)
+    bus=session
+    path="/org/gtk/vfs/mounttracker"
+    interface="org.gtk.vfs.MountTracker"
+    member="ListMountableInfo"
+    peer=(label=unconfined),
+
+  # updating gvfs-metadata for thumbnails is unneeded, so explicitly deny it
+  deny dbus (send)
+    bus=session
+    path="/org/gtk/vfs/metadata"
+    interface="org.gtk.vfs.Metadata"
+    member="GetTreeFromDevice"
+    peer=(label=unconfined),
+  deny @{HOME}/.local/share/gvfs-metadata/* r,
+
+  dbus (send)
+    bus=session
+    path="/org/gtk/vfs/Daemon"
+    interface="org.gtk.vfs.Daemon"
+    member="List*"
+    peer=(label=unconfined),
+
+  # The thumbnailer doesn't need access to everything in the nameservice
+  # abstraction. Allow reading of /etc/passwd and /etc/group, but suppress
+  # logging denial of nsswitch.conf.
+  /etc/passwd r,
+  /etc/group r,
+  deny /etc/nsswitch.conf r,
+
+  # TCP/UDP network access for NFS
+  network inet  stream,
+  network inet6 stream,
+  network inet  dgram,
+  network inet6 dgram,
+
+  /etc/papersize r,
+
+  /usr/bin/atril-thumbnailer mr,
+
+  /etc/texmf/ r,
+  /etc/texmf/** r,
+  /etc/xpdf/* r,
+
+  /usr/bin/gs-esp ixr,
+  # Silence these denials since 'no new privs' drops transitions to
+  # sanitized_helper, we don't want all those perms in the thumbnailer
+  # and the thumbnailer generates thumbnails without these just fine.
+  deny /usr/bin/mktexpk x,
+  deny /usr/bin/mktextfm x,
+  deny /usr/bin/dvipdfm x,
+  deny /usr/bin/dvipdfmx x,
+  deny /usr/bin/mkofm x,
+
+  # supported archivers
+  /{usr/,}bin/gzip ixr,
+  /{usr/,}bin/bzip2 ixr,
+  /usr/bin/unrar* ixr,
+  /usr/bin/unzip ixr,
+  /usr/bin/7zr ixr,
+  /usr/lib/p7zip/7zr ixr,
+  /usr/bin/7za ixr,
+  /usr/lib/p7zip/7za ixr,
+  /usr/bin/zipnote ixr,
+  /{usr/,}bin/tar ixr,
+  /usr/bin/xz ixr,
+
+  # miscellaneous access for the above
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mountinfo r,
+  /sys/devices/system/cpu/ r,
+
+  # allow read access to anything in /usr/share, for plugins and input methods
+  /usr/local/share/** r,
+  /usr/share/** r,
+  /usr/lib/ghostscript/** mr,
+  /var/lib/ghostscript/** r,
+  /var/lib/texmf/** r,
+
+  # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
+  # read for all supported file formats
+  /**.[bB][mM][pP]     r,
+  /**.[dD][jJ][vV][uU] r,
+  /**.[dD][vV][iI]     r,
+  /**.[gG][iI][fF]     r,
+  /**.[jJ][pP][gG]     r,
+  /**.[jJ][pP][eE][gG] r,
+  /**.[oO][dD][pP]     r,
+  /**.[fFpP][dD][fF]   r,
+  /**.[pP][nN][mM]     r,
+  /**.[pP][nN][gG]     r,
+  /**.[pP][sS]         r,
+  /**.[eE][pP][sS]     r,
+  /**.[eE][pP][sS][fFiI23] r,
+  /**.[tT][iI][fF]     r,
+  /**.[tT][iI][fF][fF] r,
+  /**.[xX][pP][mM]     r,
+  /**.[gG][zZ]         r,
+  /**.[bB][zZ]2        r,
+  /**.[cC][bB][rRzZ7]  r,
+  /**.[xX][zZ]         r,
+
+  owner @{HOME}/.texlive*/** r,
+  owner @{HOME}/.texmf*/** r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,
+
+  # With the network rules above, this allows data exfiltration for files
+  # not covered by private-files-strict.
+  @{HOME}/ r,
+  owner @{HOME}/[^.]** r,
+  owner /media/**  r,
+
+  owner /tmp/.gnome_desktop_thumbnail* w,
+  owner /tmp/gnome-desktop-* rw,
+  owner /tmp/atril-thumbnailer*/{,**} rw,
+  
+  # these happen post pivot_root
+  / r,
+  deny /missfont.log w,
+
+  # Add apparmor rule for mate's caja - LP#1798091
+  owner /tmp/.mate_desktop_thumbnail* w,
+  owner /tmp/mate-desktop-thumbnailer* w,
+
+  # Fix thumbnail issue #915024
+  owner @{HOME}/.cache/thumbnails/** rw,
+  owner /tmp/atril-thumbnailer* rw,
+
+}

helpers/DATA/atril/apparmor-profile.abstraction

@@ -0,0 +1,127 @@
+# vim:syntax=apparmor
+#
+# abstraction used by atril binaries
+#
+
+  #include <abstractions/gnome>
+  #include <abstractions/p11-kit>
+  #include <abstractions/ubuntu-helpers>
+
+  @{PROC}/[0-9]*/fd/ r,
+  @{PROC}/[0-9]*/mountinfo r,
+  owner @{PROC}/[0-9]*/auxv r,
+  owner @{PROC}/[0-9]*/status r,
+
+  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
+  # Possibly move to an abstraction if anything else needs it.
+  deny /run/udev/data/** r,
+
+  # move out to the gnome abstraction if anyone else needs these
+  /etc/udev/udev.conf r,
+  /sys/devices/**/block/**/uevent r,
+
+  # apport
+  /etc/default/apport r,
+
+  # XFCE
+  /etc/xfce4/defaults.list r,
+
+  # Lubuntu
+  /etc/xdg/lubuntu/applications/defaults.list r,
+
+  # atril specific
+  /etc/ r,
+  /etc/fstab r,
+  /etc/texmf/ r,
+  /etc/texmf/** r,
+  /etc/xpdf/* r,
+  owner @{HOME}/.config/atril/   rw,
+  owner @{HOME}/.config/atril/** rwkl,
+
+  /usr/bin/gs-esp ixr,
+  /usr/bin/mktexpk Cx -> sanitized_helper,
+  /usr/bin/mktextfm Cx -> sanitized_helper,
+  /usr/bin/dvipdfm Cx -> sanitized_helper,
+  /usr/bin/dvipdfmx Cx -> sanitized_helper,
+
+  # gio-launch-desktop was replaced by a very small shell script
+  /{usr/,}bin/{dash,bash} ixr,
+ 
+  # supported archivers
+  /{usr/,}bin/gzip ixr,
+  /{usr/,}bin/bzip2 ixr,
+  /usr/bin/unrar* ixr,
+  /usr/bin/unzip ixr,
+  /usr/bin/7zr ixr,
+  /usr/lib/p7zip/7zr ixr,
+  /usr/bin/7za ixr,
+  /usr/lib/p7zip/7za ixr,
+  /usr/bin/zipnote ixr,
+  /{usr/,}bin/tar ixr,
+  /usr/bin/xz ixr,
+
+  # allow read access to anything in /usr/share, for plugins and input methods
+  /usr/local/share/** r,
+  /usr/share/** r,
+  /usr/lib/ghostscript/** mr,
+  /var/lib/ghostscript/** r,
+  /var/lib/texmf/{,**} r,
+
+  # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
+  # read for all supported file formats
+  /**.[aA][iI]         r,
+  /**.[bB][mM][pP]     r,
+  /**.[dD][jJ][vV][uU] r,
+  /**.[dD][vV][iI]     r,
+  /**.[gG][iI][fF]     r,
+  /**.[jJ][pP][gG]     r,
+  /**.[jJ][pP][eE][gG] r,
+  /**.[oO][dD][pP]     r,
+  /**.[fFpP][dD][fF]   r,
+  /**.[pP][nN][mM]     r,
+  /**.[pP][nN][gG]     r,
+  /**.[pP][sS]         r,
+  /**.[eE][pP][sS]     r,
+  /**.[eE][pP][sS][fFiI23] r,
+  /**.[tT][iI][fF]     r,
+  /**.[tT][iI][fF][fF] r,
+  /**.[xX][pP][mM]     r,
+  /**.[gG][zZ]         r,
+  /**.[bB][zZ]2        r,
+  /**.[cC][bB][rRzZ7]  r,
+  /**.[xX][zZ]         r,
+
+  # Use abstractions/private-files instead of abstractions/private-files-strict
+  # and add the sensitive files manually to work around LP: #451422. The goal
+  # is to disallow access to the .mozilla folder in general, but to allow
+  # access to the Cache directory, which the browser may tell atril to open
+  # from directly.
+
+  #include <abstractions/private-files>
+  audit deny @{HOME}/.gnupg/{,**} mrwkl,
+  audit deny @{HOME}/.ssh/{,**} mrwkl,
+  audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
+  audit deny @{HOME}/.gnome2/ w,
+  audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
+  audit deny @{HOME}/.kde/{,share/,share/apps/} w,
+  audit deny @{HOME}/.kde/share/apps/kwallet/{,**} mrwkl,
+  audit deny @{HOME}/.pki/{,nssdb/} w,
+  audit deny @{HOME}/.pki/nssdb/{,**} wl,
+
+  audit deny @{HOME}/.mozilla/{,**/} w,
+  audit deny @{HOME}/.mozilla/*/*/* mrwkl,
+  audit deny @{HOME}/.mozilla/**/bookmarkbackups/{,**} mrwkl,
+  audit deny @{HOME}/.mozilla/**/chrome/{,**} mrwkl,
+  audit deny @{HOME}/.mozilla/**/extensions/{,**} mrwkl,
+  audit deny @{HOME}/.mozilla/**/gm_scripts/{,**} mrwkl,
+
+  audit deny @{HOME}/.config/ w,
+  audit deny @{HOME}/.config/chromium/{,**} mrwkl,
+  audit deny @{HOME}/.config/evolution/{,**} mrwkl,
+  audit deny @{HOME}/.evolution/{,**} mrwkl,
+  audit deny @{HOME}/.kde/{,share/,share/apps/} w,
+  audit deny @{HOME}/.kde/share/config/{,**} mrwkl,
+  audit deny @{HOME}/.kde/share/apps/kmail/{,**} mrwkl,
+  audit deny @{HOME}/.{,mozilla-}thunderbird/{,**/} w,
+  audit deny @{HOME}/.{,mozilla-}thunderbird/*/* mrwkl,
+  audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/{,**} mrwkl,

helpers/DATA/atril/atril.apport

@@ -0,0 +1,21 @@
+'''apport package hook for atril
+
+(c) 2024 Luis Guzmán
+Author:
+Luis Guzmán <ark@switnet.org>
+based on evince's hook
+
+'''
+
+from apport.hookutils import *
+from os import path
+import re
+
+def add_info(report):
+    attach_conffiles(report, 'atril')
+    attach_related_packages(report, ['apparmor', 'libapparmor1',
+        'libapparmor-perl', 'apparmor-utils', 'auditd', 'libaudit1'])
+
+    attach_mac_events(report, ['/usr/bin/atril',
+                               '/usr/bin/atril-previewer',
+                               '/usr/bin/atril-thumbnailer'])

helpers/DATA/atril/patches/add_install_profiles_rules.patch

@@ -0,0 +1,29 @@
+diff --git a/debian/rules b/debian/rules
+old mode 100755
+new mode 100644
+index 8a7ff87..655c574
+--- a/debian/rules
++++ b/debian/rules
+@@ -52,3 +52,9 @@ override_dh_auto_configure:
+ 
+ get-orig-source:
+ 	uscan --noconf --force-download --rename --download-current-version --destdir=..
++
++execute_after_dh_install:
++	install -m 0644 -D debian/apparmor-profile debian/atril/etc/apparmor.d/usr.bin.atril
++	install -m 0644 -D debian/apparmor-profile.abstraction debian/atril/etc/apparmor.d/abstractions/atril
++	install -m 0644 -D debian/atril.apport debian/atril/usr/share/apport/package-hooks/source_atril.py
++	dh_apparmor --profile-name=usr.bin.atril -patril
+
+diff --git a/debian/control b/debian/control
+index f5bda53..6d72cc9 100644
+--- a/debian/control
++++ b/debian/control
+@@ -9,6 +9,7 @@ Uploaders: Mike Gabriel <sunweaver@debian.org>,
+            Vangelis Mouhtsis <vangelis@gnugr.org>,
+            Martin Wimpress <code@flexion.org>,
+ Build-Depends: debhelper-compat (= 13),
++               dh-apparmor,
+                dpkg-dev (>= 1.16.1.1),
+                gobject-introspection,
+                intltool,

helpers/DATA/choose-mirror/rev_Makefile.patch

@@ -5,7 +5,7 @@ diff -ru choose-mirror-2.78ubuntu7+10.0trisquel3/Makefile choose-mirror-2.111/Ma
  STRIP=strip
  
  # Derivative distributions may want to change these.
--#MIRRORLISTURL=https://anonscm.debian.org/git/mirror/mirror-masterlist.git/plain/Mirrors.masterlist
+-#MIRRORLISTURL=https://gitlab.trisquel.org/trisquel/trisquel-packages/-/raw/master/extra/mirrors/Mirrors.masterlist
 -MASTERLIST=Mirrors.masterlist.trisquel
 +MIRRORLISTURL=https://salsa.debian.org/mirror-team/masterlist/raw/master/Mirrors.masterlist
 +MASTERLIST=Mirrors.masterlist

helpers/DATA/cron/license-info-fix.patch

@@ -0,0 +1,37 @@
+diff --git a/debian/copyright b/debian/copyright
+index 3c8824f..c6ec81a 100644
+--- a/debian/copyright
++++ b/debian/copyright
+@@ -38,7 +38,7 @@ License: GPL-2+
+ 
+ Files: debian/examples/crontab2english.pl
+ Copyright: 2001, Sean M. Burke
+-License: Artistic
++License: GPL-1+ or Artistic
+ 
+ License: Paul-Vixie's-license
+  Distribute freely, except: don't remove my name from the source or
+@@ -67,6 +67,23 @@ License: GPL-2+
+  On Debian systems, the complete text of the GNU General
+  Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
+ 
++License: GPL-1+
++ This package is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 1 of the License, or
++ (at your option) any later version.
++ .
++ This package is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ GNU General Public License for more details.
++ .
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>
++ .
++ On Debian systems, the complete text of the GNU General
++ Public License version 1 can be found in "/usr/share/common-licenses/GPL-1".
++
+ License: Artistic
+  This program is free software; you can redistribute it and/or modify it
+  under the terms of the "Artistic License" which comes with Debian.

helpers/DATA/debconf-kde/patch_changes/000-fix_TPH_212_LP_1851573.patch

@@ -0,0 +1,33 @@
+diff --git a/tools/main.cpp b/tools/main.cpp
+index 813aba5a..5f91e057 100644
+--- a/tools/main.cpp
++++ b/tools/main.cpp
+@@ -37,6 +37,8 @@
+ 
+ #include <DebconfGui.h>
+ 
++#include <pwd.h>
++
+ using namespace DebconfKde;
+ 
+ // Handle SIGQUIT. Clients (e.g. packagekit) may use QUIT which would otherwise
+@@ -73,6 +76,19 @@ static void setupQuitHandler() {
+ 
+ int main(int argc, char **argv)
+ {
++    /* TPH: #212 | LP: #1851573 — When the helper is started through pkexec/aptdaemon
++     * the environment may arrive without $HOME.  Without HOME, KConfig writes
++     * to "//.config/..." and shows a "not writable" dialog for every debconf
++     * question.  Substitute the passwd entry’s home directory.
++     */
++    const char *homeEnv = getenv("HOME");
++    if (!homeEnv || homeEnv[0] == '\0') {
++        struct passwd *pw = getpwuid(getuid());
++        if (pw && pw->pw_dir) {
++            setenv("HOME", pw->pw_dir, /* overwrite = */ 1);
++        }
++    }
++
+     QApplication app(argc, argv);
+     setupQuitHandler();
+ 

helpers/DATA/debootstrap/ecne

@@ -0,0 +1 @@
+trisquel

helpers/DATA/dino-im/cve/01_ef8fb0e94ce79d5fde2943e433ad0422eb7f70ec.patch

@@ -0,0 +1,37 @@
+From ef8fb0e94ce79d5fde2943e433ad0422eb7f70ec Mon Sep 17 00:00:00 2001
+From: Marvin W <git@larma.de>
+Date: Thu, 23 Mar 2023 10:13:30 -0600
+Subject: [PATCH] Check sender of bookmark:1 updates
+
+---
+ xmpp-vala/src/module/xep/0402_bookmarks2.vala | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/xmpp-vala/src/module/xep/0402_bookmarks2.vala b/xmpp-vala/src/module/xep/0402_bookmarks2.vala
+index 406f37f43..d1e53e6e3 100644
+--- a/xmpp-vala/src/module/xep/0402_bookmarks2.vala
++++ b/xmpp-vala/src/module/xep/0402_bookmarks2.vala
+@@ -68,6 +68,11 @@ public class Module : BookmarksProvider, XmppStreamModule {
+     }
+ 
+     private void on_pupsub_item(XmppStream stream, Jid jid, string id, StanzaNode? node) {
++        if (!jid.equals(stream.get_flag(Bind.Flag.IDENTITY).my_jid.bare_jid)) {
++            warning("Received alleged bookmarks:1 item from %s, ignoring", jid.to_string());
++            return;
++        }
++
+         Conference conference = parse_item_node(node, id);
+         Flag? flag = stream.get_flag(Flag.IDENTITY);
+         if (flag != null) {
+@@ -77,6 +82,11 @@ public class Module : BookmarksProvider, XmppStreamModule {
+     }
+ 
+     private void on_pupsub_retract(XmppStream stream, Jid jid, string id) {
++        if (!jid.equals(stream.get_flag(Bind.Flag.IDENTITY).my_jid.bare_jid)) {
++            warning("Received alleged bookmarks:1 retract from %s, ignoring", jid.to_string());
++            return;
++        }
++
+         try {
+             Jid jid_parsed = new Jid(id);
+             Flag? flag = stream.get_flag(Flag.IDENTITY);

helpers/DATA/distro-info-data/README.Debian.patch

@@ -1,5 +1,5 @@
---- debian/README.Debian	2019-10-17 15:10:30.000000000 -0500
-+++ debian/README.Debian_trisquel	2021-11-26 13:26:20.362971709 -0600
+--- a/debian/README.Debian	2019-10-17 15:10:30.000000000 -0500
++++ b/debian/README.Debian	2021-11-26 13:26:20.362971709 -0600
 @@ -2,7 +2,7 @@
  ===========
  

helpers/DATA/distro-info-data/add_trisquel_tools_py.patch

@@ -1,5 +1,5 @@
---- lib/tools.py	2021-10-15 08:01:00.000000000 -0500
-+++ lib/tools.py	2022-04-06 12:27:07.672427372 -0500
+--- a/lib/tools.py	2021-10-15 08:01:00.000000000 -0500
++++ a/lib/tools.py	2022-04-06 12:27:07.672427372 -0500
 @@ -37,7 +37,7 @@
  def main(validation_function):
      """Main function with command line parameter parsing."""

helpers/DATA/distro-info-data/add_trisquel_validate.patch

@@ -1,5 +1,5 @@
---- validate-csv-data	2021-10-15 08:01:00.000000000 -0500
-+++ validate-csv-data	2022-04-06 12:27:29.004706669 -0500
+--- a/validate-csv-data	2021-10-15 08:01:00.000000000 -0500
++++ b/validate-csv-data	2022-04-06 12:27:29.004706669 -0500
 @@ -27,6 +27,13 @@
  
  

helpers/DATA/distro-info-data/trisquel.csv

@@ -12,3 +12,4 @@ version,codename,series,created,release,eol,upstream
 9.0 LTS,Etiona,etiona,2017-10-19,2020-10-16,2023-05-31,bionic
 10.0 LTS,Nabia,nabia,2019-10-17,2021-12-16,2025-05-29,focal
 11.0 LTS,Aramo,aramo,2021-10-14,2023-03-19,2027-06-01,jammy
+12.0 LTS,Ecne,ecne,2023-10-12,2029-05-31,2029-05-31,noble

helpers/DATA/emacs/patch_changes/000-add_custom_libs_imagemagic_tree-sitter_json.patch

@@ -0,0 +1,41 @@
+diff --git a/debian/rules b/debian/rules
+index 2aaaef13..db5d184f 100755
+--- a/debian/rules
++++ b/debian/rules
+@@ -297,6 +297,9 @@ confflags_gtk := $(confflags)
+ confflags_gtk += --with-cairo
+ confflags_gtk += --with-x=yes
+ confflags_gtk += --with-x-toolkit=gtk3
++confflags_gtk += --with-imagemagick
++#confflags_gtk += --with-tree-sitter
++confflags_gtk += --with-json
+ # For those who prefer the old-style non-toolkit scrollbars, just
+ # change the assignment below to --without-toolkit-scroll-bars.  The
+ # resulting emacs-gtk package will have the old scrollbars.
+@@ -317,6 +320,9 @@ confflags_lucid += --with-x=yes
+ confflags_lucid += --with-x-toolkit=lucid
+ confflags_lucid += --with-toolkit-scroll-bars
+ confflags_lucid += --without-gsettings
++confflags_gtk += --with-imagemagick
++#confflags_gtk += --with-tree-sitter
++confflags_gtk += --with-json
+ 
+ define cfg_tree
+   cd $(1) && \
+diff --git a/debian/control b/debian/control
+index 005b695..169abfc 100644
+--- a/debian/control
++++ b/debian/control
+@@ -26,10 +26,12 @@ Build-Depends:
+  libgpm-dev [linux-any],
+  libgtk-3-dev,
+  libharfbuzz-dev,
++ libjansson-dev,
+  libjpeg-dev,
+  liblcms2-dev,
+  liblockfile-dev,
+  libm17n-dev,
++ libmagickwand-dev,
+  libncurses-dev,
+  liboss4-salsa-dev [hurd-i386 kfreebsd-i386 kfreebsd-amd64],
+  libotf-dev,

helpers/DATA/firefox/branding/content/aboutDialog.css

@@ -40,8 +40,9 @@
 }
 
 #rightBox {
-  margin-left: 30px;
-  margin-right: 30px;
+  background-size: auto 64px;
+  margin-inline: 30px;
+  padding-top: 64px;
 }
 
 #bottomBox {

helpers/DATA/firefox/default-strict.patch

@@ -1,7 +1,8 @@
-diff -ru firefox-110.0+build1/browser/components/BrowserGlue.sys.mjs firefox-110.0+build1/browser/components/BrowserGlue.sys.mjs_fix
---- firefox-110.0+build1/browser/components/BrowserGlue.sys.mjs	2023-02-07 01:52:32.000000000 -0600
-+++ firefox-110.0+build1/browser/components/BrowserGlue.sys.mjs_fix	2023-02-07 14:52:59.465762604 -0600
-@@ -1637,6 +1637,19 @@
+diff --git a/browser/components/BrowserGlue.sys.mjs b/browser/components/BrowserGlue.sys.mjs
+index 8fa6f7a..a34ab8b 100644
+--- a/browser/components/BrowserGlue.sys.mjs
++++ b/browser/components/BrowserGlue.sys.mjs
+@@ -1860,6 +1860,19 @@ BrowserGlue.prototype = {
        }
      });
  
@@ -18,6 +19,6 @@ diff -ru firefox-110.0+build1/browser/components/BrowserGlue.sys.mjs firefox-110
 +      Services.prefs.setStringPref("browser.contentblocking.category", "strict"); this._updateCBCategory;
 +    }
 +
-     // Offer to reset a user's profile if it hasn't been used for 60 days.
-     const OFFER_PROFILE_RESET_INTERVAL_MS = 60 * 24 * 60 * 60 * 1000;
-     let lastUse = Services.appinfo.replacedLockTime;
+     this._maybeOfferProfileReset();
+ 
+     this._checkForOldBuildUpdates();

helpers/DATA/firefox/patch_changes/001-Remove_Android_and_iOS_promotion.patch

@@ -1,13 +1,14 @@
 diff --git a/browser/components/preferences/sync.inc.xhtml b/browser/components/preferences/sync.inc.xhtml
-index 7d37d26..4ebbc06 100644
+index 492491a3..0c8c462a 100644
 --- a/browser/components/preferences/sync.inc.xhtml
 +++ b/browser/components/preferences/sync.inc.xhtml
-@@ -35,22 +35,6 @@
+@@ -35,24 +35,6 @@
          </hbox>
        </vbox>
      </hbox>
 -    <label class="fxaMobilePromo" data-l10n-id="sync-mobile-promo">
 -      <html:img
+-        role="none"
 -        src="chrome://browser/skin/logo-android.svg"
 -        data-l10n-name="android-icon"
 -        class="androidIcon"/>
@@ -15,6 +16,7 @@ index 7d37d26..4ebbc06 100644
 -        data-l10n-name="android-link"
 -        class="fxaMobilePromo-android text-link" target="_blank"/>
 -      <html:img
+-        role="none"
 -        src="chrome://browser/skin/logo-ios.svg"
 -        data-l10n-name="ios-icon"
 -        class="iOSIcon"/>
@@ -49,12 +51,12 @@ index 1b29e8d..6f7566c 100644
  sync-profile-picture =
      .tooltiptext = Change profile picture
 diff --git a/browser/components/protections/content/vpn-card.mjs b/browser/components/protections/content/vpn-card.mjs
-index 2417f1a641..698c48ccc3 100644
+index d9fe35c0..1b166048 100644
 --- a/browser/components/protections/content/vpn-card.mjs
 +++ b/browser/components/protections/content/vpn-card.mjs
-@@ -23,22 +23,6 @@ export default class VPNCard {
+@@ -24,22 +24,6 @@ export default class VPNCard {
      vpnLink.addEventListener("click", () => {
-       this.doc.sendTelemetryEvent("click", "vpn_card_link");
+       this.doc.sendTelemetryEvent("clickVpnCardLink");
      });
 -    let androidVPNAppLink = document.getElementById(
 -      "vpn-google-playstore-link"
@@ -63,14 +65,14 @@ index 2417f1a641..698c48ccc3 100644
 -      "browser.contentblocking.report.vpn-android.url"
 -    );
 -    androidVPNAppLink.addEventListener("click", () => {
--      document.sendTelemetryEvent("click", "vpn_app_link_android");
+-      document.sendTelemetryEvent("clickVpnAppLinkAndroid");
 -    });
 -    let iosVPNAppLink = document.getElementById("vpn-app-store-link");
 -    iosVPNAppLink.href = RPMGetStringPref(
 -      "browser.contentblocking.report.vpn-ios.url"
 -    );
 -    iosVPNAppLink.addEventListener("click", () => {
--      document.sendTelemetryEvent("click", "vpn_app_link_ios");
+-      document.sendTelemetryEvent("clickVpnAppLinkIos");
 -    });
  
      const vpnBanner = this.doc.querySelector(".vpn-banner");

helpers/DATA/firefox/patch_changes/003-disable_sponsored_topsites_and_keep_weather_widget_static.patch

@@ -0,0 +1,57 @@
+diff --git a/browser/app/profile/firefox.js b/browser/app/profile/firefox.js
+index 217ed280..d91cde94 100644
+--- a/browser/app/profile/firefox.js
++++ b/browser/app/profile/firefox.js
+@@ -1806,16 +1806,16 @@ pref("browser.topsites.component.enabled", false);
+ 
+ pref("browser.topsites.useRemoteSetting", true);
+ // Fetch sponsored Top Sites from Mozilla Tiles Service (Contile)
+-pref("browser.topsites.contile.enabled", true);
+-pref("browser.topsites.contile.endpoint", "https://contile.services.mozilla.com/v1/tiles");
++pref("browser.topsites.contile.enabled", false);
++pref("browser.topsites.contile.endpoint", "");
+ 
+ // The base URL for the Quick Suggest anonymizing proxy. To make a request to
+ // the proxy, include a campaign ID in the path.
+-pref("browser.partnerlink.attributionURL", "https://topsites.services.mozilla.com/cid/");
+-pref("browser.partnerlink.campaign.topsites", "amzn_2020_a1");
++pref("browser.partnerlink.attributionURL", "");
++pref("browser.partnerlink.campaign.topsites", "");
+ 
+ // Activates preloading of the new tab url.
+-pref("browser.newtab.preload", true);
++pref("browser.newtab.preload", false);
+ 
+ // Do not enable the preonboarding experience on Linux
+ #ifdef XP_LINUX
+@@ -1856,24 +1856,24 @@ pref("browser.newtabpage.activity-stream.mobileDownloadModal.variant-c", false);
+ pref("browser.newtabpage.activity-stream.discoverystream.refinedCardsLayout.enabled", true);
+ 
+ // Mozilla Ad Routing Service (MARS) unified ads service
+-pref("browser.newtabpage.activity-stream.unifiedAds.tiles.enabled", true);
+-pref("browser.newtabpage.activity-stream.unifiedAds.spocs.enabled", true);
+-pref("browser.newtabpage.activity-stream.unifiedAds.endpoint", "https://ads.mozilla.org/");
++pref("browser.newtabpage.activity-stream.unifiedAds.tiles.enabled", false);
++pref("browser.newtabpage.activity-stream.unifiedAds.spocs.enabled", false);
++pref("browser.newtabpage.activity-stream.unifiedAds.endpoint", "");
+ pref("browser.newtabpage.activity-stream.unifiedAds.adsFeed.enabled", false);
+ pref("browser.newtabpage.activity-stream.unifiedAds.ohttp.enabled", false);
+ 
+ // Weather widget for newtab
+-pref("browser.newtabpage.activity-stream.showWeather", true);
++pref("browser.newtabpage.activity-stream.showWeather", false);
+ pref("browser.newtabpage.activity-stream.weather.query", "");
+ pref("browser.newtabpage.activity-stream.weather.display", "simple");
+ 
+ pref("browser.newtabpage.activity-stream.images.smart", true);
+ 
+ // enable location search for newtab weather widget
+-pref("browser.newtabpage.activity-stream.weather.locationSearchEnabled", true);
++pref("browser.newtabpage.activity-stream.weather.locationSearchEnabled", false);
+ 
+ // List of regions that get weather by default.
+-pref("browser.newtabpage.activity-stream.discoverystream.region-weather-config", "US,CA");
++pref("browser.newtabpage.activity-stream.discoverystream.region-weather-config", "");
+ 
+ // List of locales that weather widget supports.
+ pref("browser.newtabpage.activity-stream.discoverystream.locale-weather-config", "en-US,en-GB,en-CA");

helpers/DATA/firefox/patch_changes/005-apply_custom_urls.patch

@@ -0,0 +1,77 @@
+# WIP - Help needed
+
+URL customizations requires to comprehend the scope to handle the documentation for this
+and other projects heavily customizing and rebranding Firefox like Abrowser does.
+
+This patch documents how to handle custom URLs to point to a desired page (initially).
+
+It replaces,
+
+* is="moz-support-link"
+* support-page="..."
+
+to customize the default URL, making sure there is an id for l10n field,
+
+* data-l10n-id="..."
+
+so the corresponding message is displayed as it seems to be linked on some cases
+with is="" and support-page="..."
+
+Cheers!
+
+diff --git a/browser/components/preferences/privacy.inc.xhtml b/browser/components/preferences/privacy.inc.xhtml
+index a9e8501a..02328371 100644
+--- a/browser/components/preferences/privacy.inc.xhtml
++++ b/browser/components/preferences/privacy.inc.xhtml
+@@ -21,13 +21,13 @@
+     <hbox align="start">
+       <image id="trackingProtectionShield"/>
+       <description class="description-with-side-element" flex="1">
+-        <html:span id="contentBlockingDescription" data-l10n-id="content-blocking-section-top-level-description"></html:span>
+-        <html:a is="moz-support-link"
+-                id="contentBlockingLearnMore"
+-                class="learnMore"
+-                data-l10n-id="content-blocking-learn-more"
+-                support-page="enhanced-tracking-protection"
+-        />
++          <html:span id="contentBlockingDescription" data-l10n-id="content-blocking-section-top-level-description"></html:span>
++          <html:a id="contentBlockingLearnMore"
++             class="learnMore"
++             data-l10n-id="content-blocking-learn-more"
++             href="https://trisquel.info/en/wiki/abrowser-help"
++             target="_blank"
++          />
+       </description>
+       <button id="trackingProtectionExceptions"
+               is="highlightable-button"
+#@@ -389,9 +386,10 @@
+#               class="tail-with-learn-more"
+#               preference="privacy.donottrackheader.enabled"
+#               data-l10n-id="do-not-track-description2" />
+#-      <html:a is="moz-support-link"
+#-          id="doNotTrackLearnMoreLink"
+#-          support-page="how-do-i-turn-do-not-track-feature" />
+#+      <html:a id="doNotTrackLearnMoreLink"
+#+          href="https://trisquel.info/en/wiki/abrowser-help"
+#+          data-l10n-id="do-not-track-learn-more"
+#+          target="_blank"/>
+#     </hbox>
+#   </vbox>
+# </groupbox>
+# dropped 144
+#diff --git a/browser/components/preferences/privacy.inc.xhtml b/browser/components/preferences/privacy.inc.xhtml
+#index 205c0e01..029b9925 100644
+#--- a/browser/components/preferences/privacy.inc.xhtml
+#+++ b/browser/components/preferences/privacy.inc.xhtml
+#@@ -372,10 +372,7 @@
+#           support-page="global-privacy-control" />
+#     </hbox>
+#     <hbox id="doNotTrackBox" flex="1" align="center" hidden="true">
+#-      <html:a is="moz-support-link"
+#-          id="doNotTrackRemoval"
+#-          support-page="how-do-i-turn-do-not-track-feature"
+#-          data-l10n-id="do-not-track-removal" />
+#+      <html:a class="learnMore" href="https://trisquel.info/en/wiki/abrowser-help" target="_blank"/>
+#     </hbox>
+#   </vbox>
+# </groupbox>

helpers/DATA/firefox/patch_changes/006-remova_mailto_handlers_correctly.patch

@@ -0,0 +1,204 @@
+diff --git a/uriloader/exthandler/HandlerList.sys.mjs b/uriloader/exthandler/HandlerList.sys.mjs
+index e95d627..beef04d 100644
+--- a/uriloader/exthandler/HandlerList.sys.mjs
++++ b/uriloader/exthandler/HandlerList.sys.mjs
+@@ -8,198 +8,7 @@ export const kHandlerList = {
+   default: {
+     schemes: {
+       mailto: {
+-        handlers: [
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-        ],
+-      },
+-    },
+-  },
+-  cs: {
+-    schemes: {
+-      mailto: {
+-        handlers: [
+-          {
+-            name: "Seznam",
+-            uriTemplate: "https://email.seznam.cz/newMessageScreen?mailto=%s",
+-          },
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-        ],
+-      },
+-    },
+-  },
+-  "es-CL": {
+-    schemes: {
+-      mailto: {
+-        handlers: [
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-          {
+-            name: "Outlook",
+-            uriTemplate:
+-              "https://outlook.live.com/default.aspx?rru=compose&to=%s",
+-          },
+-        ],
+-      },
+-    },
+-  },
+-  "ja-JP-mac": {
+-    schemes: {
+-      mailto: {
+-        handlers: [
+-          {
+-            name: "Yahoo!メール",
+-            uriTemplate: "https://mail.yahoo.co.jp/compose/?To=%s",
+-          },
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-        ],
+-      },
+-    },
+-  },
+-  ja: {
+-    schemes: {
+-      mailto: {
+-        handlers: [
+-          {
+-            name: "Yahoo!メール",
+-            uriTemplate: "https://mail.yahoo.co.jp/compose/?To=%s",
+-          },
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-        ],
+-      },
+-    },
+-  },
+-  kk: {
+-    schemes: {
+-      mailto: {
+-        handlers: [
+-          {
+-            name: "Яндекс.Почта",
+-            uriTemplate: "https://mail.yandex.ru/compose?mailto=%s",
+-          },
+-          {
+-            name: "Mail.Ru",
+-            uriTemplate: "https://e.mail.ru/cgi-bin/sentmsg?mailto=%s",
+-          },
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-        ],
+-      },
+-    },
+-  },
+-  ltg: {
+-    schemes: {
+-      mailto: {
+-        handlers: [
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-          {
+-            name: "inbox.lv mail",
+-            uriTemplate: "https://mail.inbox.lv/compose?to=%s",
+-          },
+-        ],
+-      },
+-    },
+-  },
+-  lv: {
+-    schemes: {
+-      mailto: {
+-        handlers: [
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-          {
+-            name: "inbox.lv mail",
+-            uriTemplate: "https://mail.inbox.lv/compose?to=%s",
+-          },
+-        ],
+-      },
+-    },
+-  },
+-  pl: {
+-    schemes: {
+-      mailto: {
+-        handlers: [
+-          {
+-            name: "Poczta Interia.pl",
+-            uriTemplate: "https://poczta.interia.pl/mh/?mailto=%s",
+-          },
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-        ],
+-      },
+-    },
+-  },
+-  ru: {
+-    schemes: {
+-      mailto: {
+-        handlers: [
+-          {
+-            name: "Яндекс.Почту",
+-            uriTemplate: "https://mail.yandex.ru/compose?mailto=%s",
+-          },
+-          {
+-            name: "Mail.Ru",
+-            uriTemplate: "https://e.mail.ru/cgi-bin/sentmsg?mailto=%s",
+-          },
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-        ],
+-      },
+-    },
+-  },
+-  uk: {
+-    schemes: {
+-      mailto: {
+-        handlers: [
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-          {
+-            name: "Outlook",
+-            uriTemplate:
+-              "https://outlook.live.com/default.aspx?rru=compose&to=%s",
+-          },
+-        ],
+-      },
+-    },
+-  },
+-  uz: {
+-    schemes: {
+-      mailto: {
+-        handlers: [
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-          {
+-            name: "Mail.Ru",
+-            uriTemplate: "https://e.mail.ru/cgi-bin/sentmsg?mailto=%s",
+-          },
+-        ],
++        handlers: [],
+       },
+     },
+   },

helpers/DATA/firefox/patch_changes/007-disable_remote_settings_antifeature.patch

@@ -0,0 +1,96 @@
+diff --git a/services/settings/RemoteSettingsClient.sys.mjs b/services/settings/RemoteSettingsClient.sys.mjs
+index 7e98e6d..7716e41 100644
+--- a/services/settings/RemoteSettingsClient.sys.mjs
++++ b/services/settings/RemoteSettingsClient.sys.mjs
+@@ -229,13 +229,8 @@ class AttachmentDownloader extends Downloader {
+    * @see Downloader.download
+    */
+   async download(record, options) {
+-    await lazy.UptakeTelemetry.report(
+-      TELEMETRY_COMPONENT,
+-      lazy.UptakeTelemetry.STATUS.DOWNLOAD_START,
+-      {
+-        source: this._client.identifier,
+-      }
+-    );
++    console.warn("Function 'download' disabled in Abrowser due privacy concerns.");
++    return null;
+     try {
+       // Explicitly await here to ensure we catch a network error.
+       return await super.download(record, options);
+diff --git a/services/settings/Utils.sys.mjs b/services/settings/Utils.sys.mjs
+index 12fef6c..c52b65e 100644
+--- a/services/settings/Utils.sys.mjs
++++ b/services/settings/Utils.sys.mjs
+@@ -409,6 +409,8 @@ export var Utils = {
+    * @param {Object} filters
+    */
+   async fetchLatestChanges(serverUrl, options = {}) {
++    console.warn("Function 'fetchLatestChanges' disabled in Abrowser due privacy concerns.");
++    return null;
+     const { expectedTimestamp, lastEtag = "", filters = {} } = options;
+ 
+     let url = serverUrl + Utils.CHANGES_PATH;
+diff --git a/toolkit/components/telemetry/app/TelemetryUtils.sys.mjs b/toolkit/components/telemetry/app/TelemetryUtils.sys.mjs
+index 803d52a1..1a3ef5ba 100644
+--- a/toolkit/components/telemetry/app/TelemetryUtils.sys.mjs
++++ b/toolkit/components/telemetry/app/TelemetryUtils.sys.mjs
+@@ -124,6 +124,11 @@ export var TelemetryUtils = {
+    * Takes a date and returns it truncated to a date with daily precision.
+    */
+   truncateToDays(date) {
++  console.warn("Function 'truncateToDays' called with:", date);
++  if (!date || !(date instanceof Date)) {
++    console.warn("Function 'truncateToDays' disabled in Abrowser due to privacy concerns. Received invalid or undefined date.");
++    return null; // Retorna null para evitar errores posteriores
++  }
+     return new Date(
+       date.getFullYear(),
+       date.getMonth(),
+@@ -172,6 +172,10 @@ export var TelemetryUtils = {
+    * @return {Object} The Date object representing the next midnight.
+    */
+   getNextMidnight(date) {
++  if (!date || !(date instanceof Date)) {
++    console.warn("Function 'getNextMidnight' disabled in Abrowser due to privacy concerns.");
++    return null;
++  }
+     let nextMidnight = new Date(this.truncateToDays(date));
+     nextMidnight.setDate(nextMidnight.getDate() + 1);
+     return nextMidnight;
+@@ -185,6 +189,10 @@ export var TelemetryUtils = {
+    *                  is not within the midnight tolerance.
+    */
+   getNearestMidnight(date, tolerance) {
++  if (!date || !(date instanceof Date)) {
++    console.warn("Function 'getNearestMidnight' disabled in Abrowser due to privacy concerns.");
++    return null;
++  }
+     let lastMidnight = this.truncateToDays(date);
+     if (this.areTimesClose(date.getTime(), lastMidnight.getTime(), tolerance)) {
+       return lastMidnight;
+diff --git a/toolkit/components/telemetry/app/TelemetryScheduler.sys.mjs b/toolkit/components/telemetry/app/TelemetryScheduler.sys.mjs
+index 539447a..43d846b 100644
+--- a/toolkit/components/telemetry/app/TelemetryScheduler.sys.mjs
++++ b/toolkit/components/telemetry/app/TelemetryScheduler.sys.mjs
+@@ -183,8 +183,20 @@ export var TelemetryScheduler = {
+   },
+
+   _sentPingToday(pingTime, nowDate) {
++    // Validar 'nowDate' antes de usarlo
++    if (!nowDate || !(nowDate instanceof Date)) {
++      console.warn("Invalid 'nowDate' passed to _sentPingToday. Function disabled in Abrowser due to privacy concerns.");
++      return false; // Devolvemos 'false' para evitar errores
++    }
++
+     // This is today's date and also the previous midnight (0:00).
+     const todayDate = TelemetryUtils.truncateToDays(nowDate);
++
++    if (!todayDate) {
++      console.warn("TelemetryUtils.truncateToDays returned null. Skipping _sentPingToday.");
++      return false;
++    }
++
+     // We consider a ping sent for today if it occured after or at 00:00 today.
+     return pingTime >= todayDate.getTime();
+   },

helpers/DATA/firefox/patch_changes/008-aboutRights_removal_fix.patch

@@ -0,0 +1,26 @@
+diff --git a/browser/base/content/aboutDialog.xhtml b/browser/base/content/aboutDialog.xhtml
+index c6498081..a8db34ad 100644
+--- a/browser/base/content/aboutDialog.xhtml
++++ b/browser/base/content/aboutDialog.xhtml
+@@ -138,7 +138,7 @@
+     <vbox id="bottomBox">
+       <hbox pack="center">
+         <label is="text-link" class="bottom-link" useoriginprincipal="true" href="about:license" data-l10n-id="bottomLinks-license"/>
+-        <label is="text-link" class="bottom-link" href="https://www.mozilla.org/about/legal/terms/firefox/" data-l10n-id="bottom-links-terms"/>
++        <label is="text-link" class="bottom-link" href="https://trisquel.info/legal" data-l10n-id="bottom-links-terms"/>
+         <label is="text-link" class="bottom-link" href="https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&#38;utm_medium=firefox-desktop&#38;utm_campaign=about-dialog" data-l10n-id="bottom-links-privacy"/>
+       </hbox>
+       <description id="trademark" data-l10n-id="trademarkInfo"></description>
+diff --git a/browser/components/about/AboutRedirector.cpp b/browser/components/about/AboutRedirector.cpp
+index d1fe0148..ce5d1f42 100644
+--- a/browser/components/about/AboutRedirector.cpp
++++ b/browser/components/about/AboutRedirector.cpp
+@@ -90,7 +90,7 @@ static const RedirEntry kRedirMap[] = {
+     {"profiling",
+      "chrome://devtools/content/performance-new/aboutprofiling/index.xhtml",
+      nsIAboutModule::ALLOW_SCRIPT | nsIAboutModule::IS_SECURE_CHROME_UI},
+-    {"rights", "https://www.mozilla.org/about/legal/terms/firefox/",
++    {"rights", "https://trisquel.info/legal",
+      nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT |
+          nsIAboutModule::URI_MUST_LOAD_IN_CHILD},
+     {"robots", "chrome://browser/content/aboutRobots.xhtml",

helpers/DATA/firefox/patch_changes/009-remove_ubunfox_suggest_webext-ublock-origin.patch

@@ -0,0 +1,24 @@
+diff --git a/debian/control.in b/debian/control.in
+index dd3c8daa..911d9667 100644
+--- a/debian/control.in
++++ b/debian/control.in
+@@ -52,8 +52,7 @@ Architecture: any
+ Depends: lsb-release,
+ 	${misc:Depends},
+ 	${shlibs:Depends}
+-Recommends: xul-ext-ubufox,
+-	${support:Recommends},
++Recommends: ${support:Recommends},
+ 	libcanberra0,
+ 	libdbusmenu-glib4,
+ 	libdbusmenu-gtk3-4
+@@ -61,7 +60,8 @@ Provides: www-browser,
+ 	iceweasel, firefox,
+ 	gnome-www-browser,
+ 	${app:Provides}
+-Suggests: fonts-lyx,
++Suggests: webext-ublock-origin,
++	fonts-lyx,
+ 	${support:Suggests}
+ Breaks: ${transitional:Breaks}
+ Replaces: ${transitional:Replaces}

helpers/DATA/firefox/patch_changes/010-remove_theme_recommendation_and_saas_forge.patch

@@ -0,0 +1,23 @@
+diff --git a/toolkit/mozapps/extensions/content/aboutaddons.html b/toolkit/mozapps/extensions/content/aboutaddons.html
+index 77702576..35cf6593 100644
+--- a/toolkit/mozapps/extensions/content/aboutaddons.html
++++ b/toolkit/mozapps/extensions/content/aboutaddons.html
+@@ -799,18 +799,6 @@
+       <footer is="recommended-footer" class="view-footer"></footer>
+     </template>
+ 
+-    <template name="recommended-themes-footer">
+-      <p data-l10n-id="recommended-theme-1" class="theme-recommendation">
+-        <a data-l10n-name="link" target="_blank"></a>
+-      </p>
+-      <div class="amo-link-container view-footer-item">
+-        <button
+-          class="primary"
+-          action="open-amo"
+-          data-l10n-id="find-more-themes"
+-        ></button>
+-      </div>
+-    </template>
+ 
+    <template name="recommended-themes-section">
+      <h2

helpers/DATA/firefox/patch_changes/012-fix_wrong_directory_on_home_dir_for_abrowser.patch

@@ -0,0 +1,14 @@
+diff --git a/toolkit/xre/nsXREDirProvider.cpp b/toolkit/xre/nsXREDirProvider.cpp
+index 9c94cb88..0c19fad9 100644
+--- a/toolkit/xre/nsXREDirProvider.cpp
++++ b/toolkit/xre/nsXREDirProvider.cpp
+@@ -1232,7 +1232,8 @@ nsresult nsXREDirProvider::AppendProfilePath(nsIFile* aFile, bool aLocal) {
+   if (gAppData->profile) {
+     profile = gAppData->profile;
+   } else {
+-    appName = gAppData->name;
++    // For Abrowser compatibility: force use of ~/.mozilla/abrowser
++    appName.AssignLiteral("abrowser");
+     vendor = gAppData->vendor;
+   }
+ 

helpers/DATA/firefox/patch_changes/013-remove_finish_setup_third_party_services.patch

@@ -0,0 +1,98 @@
+diff --git a/browser/components/aboutwelcome/modules/AboutWelcomeDefaults.sys.mjs b/browser/components/aboutwelcome/modules/AboutWelcomeDefaults.sys.mjs
+index ba47adb6..c4b29ec4 100644
+--- a/browser/components/aboutwelcome/modules/AboutWelcomeDefaults.sys.mjs
++++ b/browser/components/aboutwelcome/modules/AboutWelcomeDefaults.sys.mjs
+@@ -704,7 +704,7 @@ const MR_ABOUT_WELCOME_DEFAULT = {
+           action: {
+             type: "OPEN_URL",
+             data: {
+-              args: "https://addons.mozilla.org/en-US/firefox/collections/4757633/b4d5649fb087446aa05add5f0258c3/?page=1&collection_sort=-popularity",
++              args: "https://gnuzilla.gnu.org/",
+               where: "tabshifted",
+             },
+             navigate: true,
+@@ -750,49 +750,6 @@ const MR_ABOUT_WELCOME_DEFAULT = {
+       },
+       targeting: "isFxASignedIn",
+     },
+-    {
+-      id: "AW_ACCOUNT_LOGIN",
+-      content: {
+-        fullscreen: true,
+-        position: "split",
+-        split_narrow_bkg_position: "-228px",
+-        image_alt_text: {
+-          string_id: "mr2022-onboarding-gratitude-image-alt",
+-        },
+-        background:
+-          "url('chrome://activity-stream/content/data/content/assets/fox-doodle-waving-laptop.svg') center center / 80% no-repeat var(--mr-screen-background-color)",
+-        progress_bar: true,
+-        logo: {},
+-        title: {
+-          string_id: "onboarding-sign-up-title",
+-        },
+-        subtitle: {
+-          string_id: "onboarding-sign-up-description",
+-        },
+-        secondary_button: {
+-          label: {
+-            string_id: "mr2-onboarding-start-browsing-button-label",
+-          },
+-          style: "secondary",
+-          action: {
+-            navigate: true,
+-          },
+-        },
+-        primary_button: {
+-          label: {
+-            string_id: "onboarding-sign-up-button",
+-          },
+-          action: {
+-            data: {
+-              entrypoint: "newuser-onboarding-desktop",
+-            },
+-            type: "FXA_SIGNIN_FLOW",
+-            navigate: true,
+-          },
+-        },
+-      },
+-      targeting: "!isFxASignedIn",
+-    },
+   ],
+ };
+ 
+diff --git a/browser/components/asrouter/modules/FeatureCalloutMessages.sys.mjs b/browser/components/asrouter/modules/FeatureCalloutMessages.sys.mjs
+index 29d2ca46..41b65ac4 100644
+--- a/browser/components/asrouter/modules/FeatureCalloutMessages.sys.mjs
++++ b/browser/components/asrouter/modules/FeatureCalloutMessages.sys.mjs
+@@ -885,7 +885,7 @@ const MESSAGES = () => {
+                   dismiss: true,
+                   type: "OPEN_URL",
+                   data: {
+-                    args: "https://addons.mozilla.org/en-US/firefox/collections/4757633/36d285535db74c6986abbeeed3e214/?page=1&collection_sort=added",
++                    args: "https://gnuzilla.gnu.org/",
+                     where: "tabshifted",
+                   },
+                 },
+diff --git a/browser/components/asrouter/modules/OnboardingMessageProvider.sys.mjs b/browser/components/asrouter/modules/OnboardingMessageProvider.sys.mjs
+index abc6db68..0c86955f 100644
+--- a/browser/components/asrouter/modules/OnboardingMessageProvider.sys.mjs
++++ b/browser/components/asrouter/modules/OnboardingMessageProvider.sys.mjs
+@@ -1226,7 +1226,7 @@ const BASE_MESSAGES = () => [
+                         {
+                           type: "OPEN_URL",
+                           data: {
+-                            args: "https://addons.mozilla.org/en-US/firefox/collections/4757633/b4d5649fb087446aa05add5f0258c3/?page=1&collection_sort=-popularity",
++                            args: "https://gnuzilla.gnu.org/",
+                             where: "current",
+                           },
+                         },
+@@ -1430,7 +1430,7 @@ const BASE_MESSAGES = () => [
+                         {
+                           type: "OPEN_URL",
+                           data: {
+-                            args: "https://addons.mozilla.org/en-US/firefox/collections/4757633/b4d5649fb087446aa05add5f0258c3/?page=1&collection_sort=-popularity",
++                            args: "https://gnuzilla.gnu.org/",
+                             where: "current",
+                           },
+                         },

helpers/DATA/firefox/patch_changes/014-remove_support_firefox_mission_on_abrowser.patch

@@ -0,0 +1,137 @@
+diff --git a/browser/components/preferences/home.inc.xhtml b/browser/components/preferences/home.inc.xhtml
+index c0094fe0..08856c78 100644
+--- a/browser/components/preferences/home.inc.xhtml
++++ b/browser/components/preferences/home.inc.xhtml
+@@ -101,15 +101,6 @@
+   <vbox id="trending-searches" />
+   <vbox id="topsites" />
+   <vbox id="topstories" />
+-  <vbox id="support-firefox" />
+-
+-  <html:moz-box-item class="mission-message">
+-    <html:span data-l10n-id="home-prefs-mission-message" />
+-    <html:a is="moz-support-link"
+-            support-page="sponsor-privacy"
+-            data-l10n-id="home-prefs-mission-message-learn-more-link" />
+-  </html:moz-box-item>
+-
+   <vbox id="highlights" />
+ </groupbox>
+ </html:template>
+diff --git a/browser/extensions/newtab/lib/AboutPreferences.sys.mjs b/browser/extensions/newtab/lib/AboutPreferences.sys.mjs
+index 0d43919b..f2e0fbd0 100644
+--- a/browser/extensions/newtab/lib/AboutPreferences.sys.mjs
++++ b/browser/extensions/newtab/lib/AboutPreferences.sys.mjs
+@@ -88,33 +88,6 @@ const PREFS_FOR_SETTINGS = () => [
+     ),
+     eventSource: "TOP_STORIES",
+   },
+-  {
+-    id: "support-firefox",
+-    pref: {
+-      feed: "showSponsoredCheckboxes",
+-      titleString: "home-prefs-support-firefox-header",
+-      nestedPrefs: [
+-        {
+-          name: "showSponsoredTopSites",
+-          titleString: "home-prefs-shortcuts-by-option-sponsored",
+-          eventSource: "SPONSORED_TOP_SITES",
+-        },
+-        {
+-          name: "showSponsored",
+-          titleString: "home-prefs-recommended-by-option-sponsored-stories",
+-          eventSource: "POCKET_SPOCS",
+-          shouldHidePref: !Services.prefs.getBoolPref(
+-            "browser.newtabpage.activity-stream.feeds.system.topstories",
+-            true
+-          ),
+-          shouldDisablePref: !Services.prefs.getBoolPref(
+-            "browser.newtabpage.activity-stream.feeds.section.topstories",
+-            true
+-          ),
+-        },
+-      ],
+-    },
+-  },
+ ];
+ 
+ export class AboutPreferences {
+@@ -344,41 +317,9 @@ export class AboutPreferences {
+       }
+     });
+ 
+-    // Special cases to like the nested prefs with another pref,
+-    // so we can disable it real time.
+-    if (id === "support-firefox") {
+-      function setupSupportFirefoxSubCheck(triggerPref, subPref) {
+-        const subCheckFullName = `browser.newtabpage.activity-stream.${triggerPref}`;
+-        const subCheckPref = Preferences.get(subCheckFullName);
+-
+-        subCheckPref?.on("change", () => {
+-          const showSponsoredFullName = `browser.newtabpage.activity-stream.${subPref}`;
+-          const showSponsoredSubcheck = subChecks.find(
+-            subcheck =>
+-              subcheck.getAttribute("preference") === showSponsoredFullName
+-          );
+-          if (showSponsoredSubcheck) {
+-            showSponsoredSubcheck.disabled = !Services.prefs.getBoolPref(
+-              subCheckFullName,
+-              true
+-            );
+-          }
+-        });
+-      }
+-
+-      setupSupportFirefoxSubCheck("feeds.section.topstories", "showSponsored");
+-      setupSupportFirefoxSubCheck("feeds.topsites", "showSponsoredTopSites");
+-    }
+ 
+     pref.on("change", () => {
+       subChecks.forEach(subcheck => {
+-        // Update child preferences for the "Support Firefox" checkbox group
+-        // so that they're turned on and off at the same time.
+-        if (id === "support-firefox") {
+-          const subPref = Preferences.get(subcheck.getAttribute("preference"));
+-          subPref.value = pref.value;
+-        }
+-
+         // Disable any nested checkboxes if the parent pref is not enabled.
+         subcheck.disabled = !pref._value;
+       });
+diff --git a/browser/locales/en-US/browser/preferences/preferences.ftl b/browser/locales/en-US/browser/preferences/preferences.ftl
+index 269eca10..4c35b53f 100644
+--- a/browser/locales/en-US/browser/preferences/preferences.ftl
++++ b/browser/locales/en-US/browser/preferences/preferences.ftl
+@@ -749,11 +749,7 @@ home-prefs-trending-search-header =
+ home-prefs-trending-search-description = Popular and frequently searched topics
+ 
+ # "Support" here means to help sustain or contribute to something, especially through funding or sponsorship.
+-home-prefs-support-firefox-header =
+-    .label = Support { -brand-product-name }
+-
+-home-prefs-mission-message = Our sponsors support our mission to build a better web
+-home-prefs-mission-message-learn-more-link = Find out how
++## Removed by Abrowser customization process.
+ 
+ # Variables:
+ #   $num (number) - Number of rows displayed
+diff --git a/browser/themes/shared/preferences/preferences.css b/browser/themes/shared/preferences/preferences.css
+index 701d29be..769791d7 100644
+--- a/browser/themes/shared/preferences/preferences.css
++++ b/browser/themes/shared/preferences/preferences.css
+@@ -1478,15 +1478,6 @@ setting-group[groupid="home"] {
+   margin: 0;
+ }
+ 
+-/* Styles for the "sponsors support our mission" message and link on the Home tab */
+-.mission-message {
+-  margin-block-start: var(--space-large);
+-
+-  > a {
+-    font-size: var(--font-size-small);
+-  }
+-}
+-
+ #dohProviderSelect {
+   --select-max-width: 235px;
+ }

helpers/DATA/firefox/patch_changes/015-set_higher_priority_than_chromium_based_ones.patch

@@ -0,0 +1,17 @@
+diff --git a/debian/firefox.postinst.in b/debian/firefox.postinst.in
+index 4cb73f02..44e9261a 100644
+--- a/debian/firefox.postinst.in
++++ b/debian/firefox.postinst.in
+@@ -36,10 +36,10 @@ finish_rm_conffile() {
+ 
+ if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-remove" ] ; then
+     update-alternatives --install /usr/bin/gnome-www-browser \
+-        gnome-www-browser /usr/bin/$MOZ_APP_NAME 40
++        gnome-www-browser /usr/bin/$MOZ_APP_NAME 240
+ 
+     update-alternatives --install /usr/bin/x-www-browser \
+-        x-www-browser /usr/bin/$MOZ_APP_NAME 40
++        x-www-browser /usr/bin/$MOZ_APP_NAME 240
+ fi
+ 
+ if [ "$1" = "configure" ] ; then

helpers/DATA/firefox/process-json-files.py

@@ -1,6 +1,9 @@
 #! /usr/bin/python3
-
-#    Copyright (C) 2020, 2021  grizzlyuser <grizzlyuser@protonmail.com>
+#    Copyright (C) 2024  Luis Guzmán <ark@switnet.org>
+#    Copyright (C) 2020, 2021, 2022, 2023, 2024 grizzlyuser <grizzlyuser@protonmail.com>
+#    Based on: https://gitlab.trisquel.org/trisquel/wrapage-helpers/-/blob/81881d89b2bf7d502dd14fcccdb471fec6f6b206/helpers/DATA/firefox/reprocess-search-config.py
+#    Below is the notice from the original author:
+#
 #    Copyright (C) 2020, 2021  Ruben Rodriguez <ruben@trisquel.info>
 #
 #    This program is free software; you can redistribute it and/or modify
@@ -23,6 +26,7 @@ import time
 import copy
 import argparse
 import pathlib
+import logging
 from collections import namedtuple
 from jsonschema import validate
 
@@ -41,12 +45,42 @@ parser.add_argument(
     type=int,
     default=2,
     help='indent for pretty printing of output files')
+parser.add_argument(
+    '-l',
+    '--loglevel',
+    choices=logging._nameToLevel.keys(),
+    default=logging.INFO,
+    help='logging level')
 arguments = parser.parse_args()
 
+logging.basicConfig(level=arguments.loglevel)
+logger = logging.getLogger(str(pathlib.Path(__file__).name))
+
 File = namedtuple('File', ['path', 'content'])
 
 
-class RemoteSettings:
+class JsonProcessor:
+    @classmethod
+    def process(cls):
+        parsed_jsons = []
+        for json_path in cls.JSON_PATHS:
+            logger.info('Reading input: ' + str(json_path) + '...')
+            with json_path.open(encoding='utf-8') as file:
+                parsed_jsons.append(File(json_path, json.load(file)))
+
+        parsed_schema = None
+        if hasattr(cls, "SCHEMA_PATH"):
+            logger.info('Reading schema: ' + str(json_path) + '...')
+            with cls.SCHEMA_PATH.open() as file:
+                parsed_schema = json.load(file)
+
+        processed = cls.process_parsed(parsed_jsons, parsed_schema)
+        with processed.path.open('w') as file:
+            json.dump(processed.content, file, indent=arguments.indent)
+            logger.info('Wrote: ' + str(processed.path))
+
+
+class RemoteSettings(JsonProcessor):
     DUMPS_PATH_RELATIVE = 'services/settings/dumps'
     DUMPS_PATH_ABSOLUTE = arguments.MAIN_PATH / DUMPS_PATH_RELATIVE
 
@@ -75,11 +109,12 @@ class RemoteSettings:
 
     @classmethod
     def now(cls):
-        return int(round(time.time() / 10 ** 6))
+        return int(round(time.time() * 1000))
 
     @classmethod
     def process_raw(cls, unwrapped_jsons, parsed_schema):
         timestamps, result = [], []
+
         for collection in unwrapped_jsons:
             should_modify_collection = cls.should_modify_collection(collection)
             for record in collection.content:
@@ -110,13 +145,23 @@ class RemoteSettings:
         return File(cls.OUTPUT_PATH, result)
 
     @classmethod
-    def process(cls, parsed_jsons, parsed_schema):
+    def process_parsed(cls, parsed_jsons, parsed_schema):
         return cls.wrap(
             cls.process_raw(
                 cls.unwrap(parsed_jsons),
                 parsed_schema))
 
 
+class EmptyRemoteSettings(RemoteSettings):
+    @classmethod
+    def should_drop_record(cls, search_engine):
+        return True
+
+    @classmethod
+    def process_record(cls, record):
+        return record
+
+
 class Changes(RemoteSettings):
     JSON_PATHS = tuple(RemoteSettings.DUMPS_PATH_ABSOLUTE.glob('*/*.json'))
     OUTPUT_PATH = RemoteSettings.DUMPS_PATH_ABSOLUTE / 'monitor/changes'
@@ -132,7 +177,7 @@ class Changes(RemoteSettings):
         changes = []
 
         for collection in unwrapped_jsons:
-            if collection.path not in (RemoteSettings.DUMPS_PATH_ABSOLUTE / 'main/example.json', RemoteSettings.DUMPS_PATH_ABSOLUTE / 'main/search-config-v2.json'):
+            if collection.path != RemoteSettings.DUMPS_PATH_ABSOLUTE / 'main/example.json':
                 latest_change = {}
                 latest_change[cls._LAST_MODIFIED_KEY_NAME] = cls.get_collection_timestamp(
                     collection)
@@ -145,61 +190,116 @@ class Changes(RemoteSettings):
         return File(cls.OUTPUT_PATH, changes)
 
 
-class SearchConfig(RemoteSettings):
+class SearchConfigV2(RemoteSettings):
     JSON_PATHS = (
         RemoteSettings.DUMPS_PATH_ABSOLUTE /
-        'main/search-config.json',
+        'main/search-config-v2.json',
     )
     SCHEMA_PATH = arguments.MAIN_PATH / \
-        'toolkit/components/search/schema/search-config-schema.json'
+        'toolkit/components/search/schema/search-config-v2-schema.json'
     OUTPUT_PATH = JSON_PATHS[0]
 
-    _DUCKDUCKGO_SEARCH_ENGINE_ID = 'ddg@search.mozilla.org'
+    _DUCKDUCKGO_SEARCH_ENGINE_IDENTIFIER = 'ddg'
 
     @classmethod
-    def should_drop_record(cls, search_engine):
-        return search_engine['webExtension']['id'] not in (
-            cls._DUCKDUCKGO_SEARCH_ENGINE_ID, 'wikipedia@search.mozilla.org',
-            'trisquel@search.mozilla.org', 'trisquel-packages@@search.mozilla.org',
-            'qwant@search.mozilla.org', 'ecosia@search.mozilla.org')
+    def should_drop_record(cls, record):
+        if record['recordType'] != 'engine':
+            return False
+
+        identifier = record['identifier']
+        excluded_identifiers = ['ecosia', 'qwant', 'trisquel', 'trisquel-packages']
+
+        return (
+            identifier != cls._DUCKDUCKGO_SEARCH_ENGINE_IDENTIFIER and
+            not (identifier.startswith('wikipedia') or identifier in excluded_identifiers)
+        )
 
     @classmethod
-    def process_record(cls, search_engine):
-        [search_engine.pop(key, None)
-         for key in ['extraParams', 'telemetryId']]
+    def process_record(cls, record):
+        if record['recordType'] == 'defaultEngines':
+            return cls.process_default_engines(record)
+        elif record['recordType'] == 'engine':
+            return cls.process_engine(record)
+        elif record['recordType'] == 'engineOrders':
+            return cls.process_engine_orders(record)
+        else:
+            return record
 
-        general_specifier = {}
-        for specifier in search_engine['appliesTo'].copy():
-            if 'application' in specifier:
-                if 'distributions' in specifier['application']:
-                    search_engine['appliesTo'].remove(specifier)
-                    continue
-                specifier['application'].pop('extraParams', None)
+    @classmethod
+    def process_default_engines(cls, default_engines):
+        default_engines['globalDefault'] = cls._DUCKDUCKGO_SEARCH_ENGINE_IDENTIFIER
+        default_engines['specificDefaults'] = []
+        return default_engines
 
-            if 'included' in specifier and 'everywhere' in specifier[
-                    'included'] and specifier['included']['everywhere']:
-                if search_engine['webExtension']['id'] == cls._DUCKDUCKGO_SEARCH_ENGINE_ID:
-                    specifier['default'] = 'yes'
-                general_specifier = specifier
+    @classmethod
+    def process_engine(cls, engine):
+        engine['base'].pop('partnerCode', None)
+        engine['base']['urls']['search'].pop('params', None)
 
-        if not general_specifier:
-            general_specifier = {'included': {'everywhere': True}}
-            search_engine['appliesTo'].insert(0, general_specifier)
-        if search_engine['webExtension']['id'] == cls._DUCKDUCKGO_SEARCH_ENGINE_ID:
-            general_specifier['default'] = 'yes'
+        if engine['identifier'] == cls._DUCKDUCKGO_SEARCH_ENGINE_IDENTIFIER:
+            engine['base']['name'] += ' HTML'
+            engine['base']['urls']['search']['base'] = 'https://html.duckduckgo.com/html'
 
-        return search_engine
+        allRegions_prefixes = ['ecosia', 'qwant', 'trisquel']
+
+        if any(engine['identifier'].startswith(prefix) for prefix in allRegions_prefixes) or \
+           engine['identifier'] == cls._DUCKDUCKGO_SEARCH_ENGINE_IDENTIFIER:
+            engine['variants'] = [{'environment': {'allRegionsAndLocales': True}}]
+
+        return engine
+
+    @classmethod
+    def process_engine_orders(cls, engine_orders):
+        engine_orders['orders'] = []
+        return engine_orders
+
+class SearchConfigOverridesV2(EmptyRemoteSettings):
+    JSON_PATHS = (
+        RemoteSettings.DUMPS_PATH_ABSOLUTE /
+        'main/search-config-overrides-v2.json',
+    )
+    SCHEMA_PATH = arguments.MAIN_PATH / \
+        'toolkit/components/search/schema/search-config-overrides-v2-schema.json'
+    OUTPUT_PATH = JSON_PATHS[0]
 
 
-class TippyTopSites:
+class SearchDefaultOverrideAllowlist(EmptyRemoteSettings):
+    JSON_PATHS = (
+        RemoteSettings.DUMPS_PATH_ABSOLUTE /
+        'main/search-default-override-allowlist.json',
+    )
+    SCHEMA_PATH = arguments.MAIN_PATH / \
+        'toolkit/components/search/schema/search-default-override-allowlist-schema.json'
+    OUTPUT_PATH = JSON_PATHS[0]
+
+
+class SearchTelemetryV2(EmptyRemoteSettings):
+    JSON_PATHS = (
+        RemoteSettings.DUMPS_PATH_ABSOLUTE /
+        'main/search-telemetry-v2.json',
+    )
+    SCHEMA_PATH = arguments.MAIN_PATH / \
+        'browser/components/search/schema/search-telemetry-v2-schema.json'
+    OUTPUT_PATH = JSON_PATHS[0]
+
+
+class UrlClassifierSkipUrls(EmptyRemoteSettings):
+    JSON_PATHS = (
+        RemoteSettings.DUMPS_PATH_ABSOLUTE /
+        'main/url-classifier-skip-urls.json',
+    )
+    OUTPUT_PATH = JSON_PATHS[0]
+
+
+class TippyTopSites(JsonProcessor):
     JSON_PATHS = (
         arguments.MAIN_PATH /
-        'browser/components/newtab/data/content/tippytop/top_sites.json',
+        'browser/components/topsites/content/tippytop/top_sites.json',
         arguments.BRANDING_PATH /
         'tippytop/top_sites.json')
 
     @classmethod
-    def process(cls, parsed_jsons, parsed_schema):
+    def process_parsed(cls, parsed_jsons, parsed_schema):
         tippy_top_sites_main = parsed_jsons[0]
         tippy_top_sites_branding = parsed_jsons[1]
         result = tippy_top_sites_branding.content + \
@@ -224,7 +324,7 @@ class TopSites(RemoteSettings):
 
     @classmethod
     def should_drop_record(cls, site):
-        return site['url'] != 'https://www.wikipedia.org/'
+        return True
 
     @classmethod
     def process_record(cls, site):
@@ -234,19 +334,15 @@ class TopSites(RemoteSettings):
 
 # To reflect the latest timestamps, Changes class should always come after
 # all other RemoteSettings subclasses
-processors = (SearchConfig, Changes)
+processors = (
+    SearchConfigV2,
+    SearchConfigOverridesV2,
+    SearchDefaultOverrideAllowlist,
+    SearchTelemetryV2,
+    UrlClassifierSkipUrls,
+    TopSites,
+    Changes,
+    TippyTopSites)
 
 for processor in processors:
-    parsed_jsons = []
-    for json_path in processor.JSON_PATHS:
-        with json_path.open(encoding='utf-8') as file:
-            parsed_jsons.append(File(json_path, json.load(file)))
-
-    parsed_schema = None
-    if hasattr(processor, "SCHEMA_PATH"):
-        with processor.SCHEMA_PATH.open() as file:
-            parsed_schema = json.load(file)
-
-    processed = processor.process(parsed_jsons, parsed_schema)
-    with processed.path.open('w') as file:
-        json.dump(processed.content, file, indent=arguments.indent)
+    processor.process()

helpers/DATA/firefox/rollback_ddg_firefox_partnership_codes.patch

@@ -1,24 +0,0 @@
-More info related to the change: https://hg.mozilla.org/mozilla-central/rev/5079bb7577182734823d6e4a3c468115d45a9dd9
-
---- a/browser/components/search/extensions/ddg/manifest.json	2023-04-06 23:48:16.983734806 -0600
-+++ b/browser/components/search/extensions/ddg/manifest.json	2023-04-06 23:54:27.848103496 -0600
-@@ -21,7 +21,7 @@
-       "name": "DuckDuckGo",
-       "search_url": "https://duckduckgo.com/",
-       "search_form": "https://duckduckgo.com/",
--      "search_url_get_params": "t=ffab&q={searchTerms}",
-+      "search_url_get_params": "q={searchTerms}",
-       "suggest_url": "https://ac.duckduckgo.com/ac/",
-       "suggest_url_get_params": "q={searchTerms}&type=list"
-     }
---- a/browser/components/search/extensions/ddg-html/manifest.json	2023-04-06 23:48:16.987734810 -0600
-+++ b/browser/components/search/extensions/ddg-html/manifest.json	2023-04-06 23:55:19.080158907 -0600
-@@ -21,7 +21,7 @@
-       "name": "DuckDuckGo (HTML)",
-       "search_url": "https://html.duckduckgo.com/html/",
-       "search_form": "https://html.duckduckgo.com/html/",
--      "search_url_get_params": "t=ffab&q={searchTerms}",
-+      "search_url_get_params": "q={searchTerms}",
-       "suggest_url": "https://ac.duckduckgo.com/ac/",
-       "suggest_url_get_params": "q={searchTerms}&type=list"
-     }

helpers/DATA/firefox/search-custom/services/settings/dumps/main/top-sites.json

@@ -0,0 +1,61 @@
+{
+  "data": [
+    {
+      "url": "https://trisquel.info/",
+      "order": 0,
+      "title": "Trisquel",
+      "id": "ec7f4843-6be5-5e86-870a-1c8383500a4b",
+      "last_modified": 1715345084783
+    },
+    {
+      "url": "https://packages.trisquel.org/",
+      "order": 1,
+      "title": "Trisquel Packages",
+      "id": "27a9b035-0b8b-4472-97cb-b1866aba0740",
+      "last_modified": 1715345084786
+    },
+    {
+      "url": "https://www.gnu.org/",
+      "order": 2,
+      "title": "GNU",
+      "id": "1baee931-751c-5993-b6fe-d86fbf78f9b0",
+      "last_modified": 1715345084789
+    },
+    {
+      "url": "https://www.fsf.org/",
+      "order": 3,
+      "title": "FSF",
+      "id": "fcc60dd8-4d97-5aca-8e5d-784652c75818",
+      "last_modified": 1715345084792
+    },
+    {
+      "url": "https://directory.fsf.org/",
+      "order": 4,
+      "title": "FSF Directory",
+      "id": "abe5bfb2-9487-5697-9f27-e0b782dfe006",
+      "last_modified": 1715345084796
+    },
+    {
+      "url": "https://libreplanet.org/",
+      "order": 5,
+      "title": "LibrePlanet",
+      "id": "e3d2cf88-a4dc-5d2e-9f9a-f3ea241d17d8",
+      "last_modified": 1715345084800
+    },
+    {
+      "url": "https://www.wikipedia.org/",
+      "order": 6,
+      "title": "Wikipedia",
+      "id": "02c295f5-54a8-5d29-8d1f-b619216b20c0",
+      "last_modified": 1715345084803
+    },
+    {
+      "url": "https://h-node.org/",
+      "order": 7,
+      "title": "h-node",
+      "id": "c426481f-8c3f-53b8-b23a-431a91a1c7b4",
+      "last_modified": 1715345084807
+    }
+  ],
+  "timestamp": 1715345084810
+}

helpers/DATA/firefox/search-custom/tippytop/top_sites.json

@@ -0,0 +1,52 @@
+[
+  {
+    "domains": ["duckduckgo.com"],
+    "image_url": "images/duckduckgo-com@2x.svg",
+    "favicon_url": "favicons/duckduckgo-com.ico"
+  },
+  {
+    "domains": ["trisquel.info"],
+    "image_url": "images/trisquel.png",
+    "favicon_url": "favicons/trisquel.ico"
+  },
+  {
+    "domains": ["packages.trisquel.org"],
+    "image_url": "images/trisquel-packages.png",
+    "favicon_url": "favicons/trisquel-packages.ico"
+  },
+  {
+    "domains": ["gnu.org"],
+    "image_url": "images/gnu.png",
+    "favicon_url": "favicons/gnu.ico"
+  },
+  {
+    "domains": ["fsf.org"],
+    "image_url": "images/fsf.png",
+    "favicon_url": "favicons/fsf.ico"
+  },
+  {
+    "domains": ["directory.fsf.org"],
+    "image_url": "images/directory.png",
+    "favicon_url": "favicons/fsf.ico"
+  },
+  {
+    "domains": ["libreplanet.org"],
+    "image_url": "images/libreplanet.png",
+    "favicon_url": "favicons/libreplanet.ico"
+  },
+  {
+    "domains": ["fsfe.org"],
+    "image_url": "images/fsfe.png",
+    "favicon_url": "favicons/fsfe.ico"
+  },
+  {
+    "domains": ["wikipedia.org"],
+    "image_url": "images/wikipedia.png",
+    "favicon_url": "favicons/wikipedia.ico"
+  },
+  {
+    "domains": ["h-node.org"],
+    "image_url": "images/hnode.png",
+    "favicon_url": "favicons/hnode.ico"
+  }
+]

helpers/DATA/firefox/searchplugins/trisquel-packages-v2.json

@@ -0,0 +1,30 @@
+        {
+        "base": {
+            "aliases": [
+              "packages",
+              "p"
+            ],
+            "classification": "unknown",
+            "name": "Trisquel Packages",
+            "urls": {
+                "search": {
+                    "base": "https://packages.trisquel.org/search",
+                    "params": [],
+                    "searchTermParamName": "keywords"
+                }
+            }
+        },
+        "id": "b5fd21a8-e369-477f-a3f2-b47a370f9030",
+        "identifier": "trisquel-packages",
+        "last_modified": 1678,
+        "recordType": "engine",
+        "schema": "defaultEngines",
+        "variants": [
+            {
+                "environment": {
+                    "allRegionsAndLocales": true
+                },
+                "optional": false
+            }
+        ]
+    },

helpers/DATA/firefox/searchplugins/trisquel-packages.json

@@ -1,15 +0,0 @@
-    {
-      "schema": 1674147734592,
-      "appliesTo": [
-        {
-          "included": {
-            "everywhere": true
-          }
-        }
-      ],
-      "webExtension": {
-        "id": "trisquel-packages@search.mozilla.org"
-      },
-      "id": "b5fd21a8-e369-477f-a3f2-b47a370f9030",
-      "last_modified": 1678
-    },

helpers/DATA/firefox/searchplugins/trisquel-v2.json

@@ -0,0 +1,30 @@
+        {
+        "base": {
+            "aliases": [
+              "trisquel",
+              "t"
+            ],
+            "classification": "unknown",
+            "name": "Trisquel",
+            "urls": {
+                "search": {
+                    "base": "https://trisquel.info/search/node",
+                    "params": [],
+                    "searchTermParamName": "q"
+                }
+            }
+        },
+        "id": "b99ed276-9557-4492-8bbb-d59826381893",
+        "identifier": "trisquel",
+        "last_modified": 1678,
+        "recordType": "engine",
+        "schema": "defaultEngines",
+        "variants": [
+            {
+                "environment": {
+                    "allRegionsAndLocales": true
+                },
+                "optional": false
+            }
+        ]
+    },

helpers/DATA/firefox/searchplugins/trisquel.json

@@ -1,15 +0,0 @@
-    {
-      "schema": 1674147734535,
-      "appliesTo": [
-        {
-          "included": {
-            "everywhere": true
-          }
-        }
-      ],
-      "webExtension": {
-        "id": "trisquel@search.mozilla.org"
-      },
-      "id": "b99ed276-9557-4492-8bbb-d59826381893",
-      "last_modified": 1678
-    },

helpers/DATA/firefox/settings.js

@@ -1,4 +1,3 @@
-
 // Release notes and vendor URLs
 pref("app.releaseNotesURL", "https://trisquel.info/en/wiki/abrowser-help");
 pref("app.vendorURL", "https://trisquel.info/en/wiki/abrowser-help");
@@ -63,7 +62,7 @@ pref("general.useragent.compatMode.abrowser",true);
 pref ("browser.startup.homepage_override.mstone", "ignore");
 
 // Preferences for the Get Add-ons panel
-pref ("extensions.webservice.discoverURL", "https://gnuzilla.gnu.org/mozzarella/");
+pref ("extensions.webservice.discoverURL", "https://gnuzilla.gnu.org/");
 pref ("extensions.getAddons.search.url", "https://trisquel.info");
 
 // Help URL
@@ -75,8 +74,8 @@ pref ("plugins.update.url", "https://trisquel.info/en/wiki/abrowser-help");
 pref ("browser.customizemode.tip0.learnMoreUrl", "https://trisquel.info/en/wiki/abrowser-help");
 
 // Dictionary download preference
-pref("browser.dictionaries.download.url", "http://dictionaries.mozdev.org/");
-pref("browser.search.searchEnginesURL", "http://mycroft.mozdev.org/");
+pref("browser.dictionaries.download.url", "https://addons.mozilla.org/%LOCALE%/firefox/language-tools/");
+pref("browser.search.searchEnginesURL", "https://mycroftproject.com/");
 // Enable Spell Checking In All Text Fields
 pref("layout.spellcheckDefault", 2);
 
@@ -117,6 +116,7 @@ pref("network.http.sendRefererHeader", 2);
 pref("dom.event.clipboardevents.enabled",false);
 pref("network.prefetch-next", false);
 pref("network.dns.disablePrefetch", true);
+pref("network.dns.disablePrefetchFromHTTPS", true);
 pref("network.http.sendSecureXSiteReferrer", false);
 pref("toolkit.telemetry.enabled", false);
 // Do not tell what plugins do we have enabled: https://mail.mozilla.org/pipermail/firefox-dev/2013-November/001186.html
@@ -126,6 +126,7 @@ pref("plugin.state.flash", 1);
 pref("browser.newtabpage.directory.source", "");
 pref("browser.newtabpage.directory.ping", "");
 pref("browser.newtabpage.introShown", true);
+pref("browser.newtabpage.activity-stream.unifiedAds.endpoint","");
 // Disable home snippets
 pref("browser.aboutHomeSnippets.updateUrl", "");
 // Always ask before restoring the browsing session
@@ -152,6 +153,7 @@ pref("toolkit.telemetry.firstShutdownPing.enabled", false);
 pref("toolkit.telemetry.bhrPing.enabled", false);
 pref("browser.ping-centre.telemetry", false);
 pref("dom.security.unexpected_system_load_telemetry_enabled", false);
+pref("network.connectivity-service.enabled", false);
 
 // Canvas fingerprint protection
 // Disabled, as it breaks things and does little improvements to fingerprinting
@@ -202,6 +204,10 @@ pref("media.gmp-manager.url", "");
 pref("media.gmp-provider.enabled", false);
 // Don't install openh264 codec
 pref("media.gmp-gmpopenh264.enabled", false);
+// Disable Widevine
+pref("media.gmp-widevinecdm.enabled", false);
+// Disable eme codecs
+pref("media.eme.enabled", false);
 
 //Disable middle click content load
 //Avoid loading urls by mistake 
@@ -246,9 +252,13 @@ pref("browser.onboarding.enabled", false);
 pref("browser.newtabpage.activity-stream.default.sites", "https://trisquel.info/,https://packages.trisquel.org,https://www.gnu.org/,https://www.fsf.org/,https://directory.fsf.org,https://libreplanet.org/,https://fsfe.org,https://www.wikipedia.org/wiki/,https://www.h-node.org/");
 pref("browser.newtabpage.activity-stream.showTopSites",true);
 pref("browser.newtabpage.activity-stream.feeds.section.topstories",false);
+pref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false);
+pref("browser.newtabpage.activity-stream.discoverystream.enabled", false);
+pref("browser.newtabpage.activity-stream.discoverystream.endpoints", "");
 pref("browser.newtabpage.activity-stream.feeds.snippets",false);
 pref("browser.newtabpage.activity-stream.disableSnippets", true);
-user_pref("browser.newtabpage.activity-stream.tippyTop.service.endpoint", "");
+pref("browser.newtabpage.activity-stream.tippyTop.service.endpoint", "");
+pref("browser.newtabpage.activity-stream.showSponsoredCheckboxes", false);
 
 // Enable xrender
 //pref("gfx.xrender.enabled",true);
@@ -256,7 +266,6 @@ user_pref("browser.newtabpage.activity-stream.tippyTop.service.endpoint", "");
 // Disable push notifications
 pref("dom.webnotifications.enabled",false);
 pref("dom.webnotifications.serviceworker.enabled",false);
-pref("dom.push.enabled",false);
 
 // Disable services server
 pref("services.settings.server", "");
@@ -268,14 +277,13 @@ pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
 pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
 pref("extensions.htmlaboutaddons.discover.enabled", false);
 pref("extensions.htmlaboutaddons.recommendations.enabled", false);
-//pref("browser.newtabpage.activity-stream.asrouterExperimentEnabled", false);
+pref("extensions.getAddons.cache.enabled", false);
 pref("extensions.getAddons.get.url", "");
-pref("extensions.getAddons.link.url", "https://gnuzilla.gnu.org/mozzarella/");
+pref("extensions.getAddons.link.url", "https://gnuzilla.gnu.org/");
 pref("extensions.getAddons.langpacks.url", "");
 pref("extensions.getAddons.discovery.api_url", "");
 pref("extensions.recommendations.privacyPolicyUrl", "https://trisquel.info/legal");
-pref("extensions.getAddons.search.browseURL", "https://gnuzilla.gnu.org/mozzarella/search.php?q=%TERMS%");
-
+pref("extensions.getAddons.search.browseURL", "https://gnuzilla.gnu.org/search.php?q=%TERMS%");
 
 // Disable pingback on first run
 pref("browser.newtabpage.activity-stream.fxaccounts.endpoint", "");
@@ -284,3 +292,35 @@ pref("browser.newtabpage.activity-stream.fxaccounts.endpoint", "");
 // Disable Normandy (remote settings changer for AB testing)
 pref("app.normandy.enabled", false);
 pref("app.normandy.api_url", "");
+
+// Disable Adwaita theme by default.
+pref("widget.gtk.libadwaita-colors.enabled", false);
+
+
+// High level search data collection
+pref("browser.search.serpEventTelemetry.enabled",false);
+
+// Disable Privacy-Preserving Attribution submition
+pref("dom.private-attribution.submission.enabled", false);
+
+// Disable Machine Learning
+pref("browser.ml.chat.enabled", false);
+pref("browser.tabs.groups.smart.enabled", false);
+
+// Hide from UI
+pref("browser.ml.chat.hideFromLabs", true);
+pref("browser.ml.chat.hideLabsShortcuts", true);
+pref("browser.tabs.groups.smart.userEnabled", false);
+
+// Disable tab hover preview
+pref("browser.tabs.hoverPreview.enabled", false);
+
+// Disable DAP telemetry servers & experiments
+pref("toolkit.telemetry.dap.leader.url", "");
+pref("toolkit.telemetry.dap.helper.url", "");
+pref("messaging-system.rsexperimentloader.enabled", false);
+
+// Disable DoH as third party service, users can restore it at will.
+pref("network.trr.mode", 5);
+pref("doh-rollout.enabled", false);
+pref("doh-rollout.provider-steering.enabled", false);

helpers/DATA/firefox/trisquel-search-icons/b5fd21a8-trisquel-packages.json

@@ -0,0 +1,17 @@
+{
+  "schema": 40960,
+  "imageSize": 48,
+  "attachment": {
+    "hash": "0b077376b224b66159130f587371d67f97454fd692296c449590a9123591c9f6",
+    "size": 3441,
+    "filename": "trisquel-packages-48-firefox.png",
+    "location": "main-workspace/search-config-icons/b5fd21a8-e369-477f-a3f2-b47a370f9030.png",
+    "mimetype": "image/png"
+  },
+  "engineIdentifiers": [
+    "trisquel-packages"
+  ],
+  "filter_expression": "env.appinfo.ID == \"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\"",
+  "id": "b5fd21a8-e369-477f-a3f2-b47a370f9030",
+  "last_modified": 1734316560
+}

helpers/DATA/firefox/trisquel-search-icons/b99ed276-trisquel.json

@@ -0,0 +1,17 @@
+{
+  "schema": 45056,
+  "imageSize": 48,
+  "attachment": {
+    "hash": "93bc9a505442520b44ae5ffb880979943826308bcc051b966e1cbd67dbc64125",
+    "size": 4493,
+    "filename": "trisquel-48-firefox.png",
+    "location": "main-workspace/search-config-icons/b99ed276-9557-4492-8bbb-d59826381893",
+    "mimetype": "image/png"
+  },
+  "engineIdentifiers": [
+    "trisquel"
+  ],
+  "filter_expression": "env.appinfo.ID == \"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\"",
+  "id": "b99ed276-9557-4492-8bbb-d59826381893",
+  "last_modified": 1734316560
+}

helpers/DATA/firefox/trisquel-search-icons/update_mozbuild.py

@@ -0,0 +1,64 @@
+#! /usr/bin/python3
+#
+# Script to add trisquel's icons on search engine options.
+#
+#    Copyright (C) 2024 Luis Guzmán <ark@switnet.org>
+#
+#    This program is free software; you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation; either version 2 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, write to the Free Software
+#    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
+
+# File path
+moz_build_path = "services/settings/dumps/main/moz.build"
+
+# New entries to add
+new_entries = [
+    "search-config-icons/b99ed276-9557-4492-8bbb-d59826381893",
+    "search-config-icons/b99ed276-9557-4492-8bbb-d59826381893.meta.json",
+    "search-config-icons/b5fd21a8-e369-477f-a3f2-b47a370f9030",
+    "search-config-icons/b5fd21a8-e369-477f-a3f2-b47a370f9030.meta.json",
+]
+
+# Read the moz.build file
+with open(moz_build_path, "r") as file:
+    lines = file.readlines()
+
+# Locate the section for `search-config-icons`
+start_idx = None
+for idx, line in enumerate(lines):
+    if "FINAL_TARGET_FILES.defaults.settings.main[\"search-config-icons\"] += [" in line:
+        start_idx = idx
+        break
+
+if start_idx is None:
+    raise RuntimeError("Could not find the 'search-config-icons' section in moz.build")
+
+# Extract existing entries
+start_idx += 1
+end_idx = start_idx
+while end_idx < len(lines) and lines[end_idx].strip() != "]":
+    end_idx += 1
+
+current_entries = [line.strip().strip(",") for line in lines[start_idx:end_idx]]
+
+# Combine and sort all entries
+all_entries = sorted(set(current_entries + [f'"{entry}"' for entry in new_entries]))
+
+# Replace the section in moz.build
+lines[start_idx:end_idx] = [f"        {entry},\n" for entry in all_entries]
+
+# Write the updated content back to the file
+with open(moz_build_path, "w") as file:
+    file.writelines(lines)
+
+print("> Added trisquel's search engine icons to 'moz.build'")

helpers/DATA/gnome-boxes/patch_changes/001_add_trisquel_gnome-boxes_logo.patch

@@ -0,0 +1,29 @@
+diff --git a/data/osinfo/meson.build b/data/osinfo/meson.build
+index acf27962..158af16b 100644
+--- a/data/osinfo/meson.build
++++ b/data/osinfo/meson.build
+@@ -16,7 +16,8 @@ osinfo_db = [
+   ['popos-17.10.xml', 'gnome-boxes/osinfo/os/system76.com'],
+   ['rhel-8.0.xml', 'gnome-boxes/osinfo/os/redhat.com'],
+   ['rocky-8.4.xml', 'gnome-boxes/osinfo/os/rockylinux.org'],
+-  ['silverblue-28.xml', 'gnome-boxes/osinfo/os/fedoraproject.org']
++  ['silverblue-28.xml', 'gnome-boxes/osinfo/os/fedoraproject.org'],
++  ['trisquel-9.xml', 'gnome-boxes/osinfo/os/trisquel.info']
+ ]
+ 
+ foreach os: osinfo_db
+diff --git a/data/osinfo/trisquel-11.xml b/data/osinfo/trisquel-11.xml
+new file mode 100644
+index 00000000..ce9b4b36
+--- /dev/null
++++ b/data/osinfo/trisquel-9.xml
+@@ -0,0 +1,9 @@
++<libosinfo version="0.0.1">
++
++  <!-- Please read https://gitlab.gnome.org/GNOME/gnome-boxes-logos/-/raw/master/README.md for any questions about usage of product logos in Boxes. !-->
++
++  <os id="http://trisquel.info/trisquel/9">
++    <logo>https://gitlab.gnome.org/GNOME/gnome-boxes-logos/-/raw/master/logos/trisquel.svg</logo>
++  </os>
++
++</libosinfo>

helpers/DATA/gnome-boxes/patch_changes/002_allow_recommended-downloads_parsing_handle_empty.patch

@@ -0,0 +1,30 @@
+From 333dfad568ba77456ff3b00e6c2750d6a2cf0d73 Mon Sep 17 00:00:00 2001
+From: Felipe Borges <felipeborges@gnome.org>
+Date: Wed, 10 Aug 2022 09:54:41 +0200
+Subject: [PATCH] util-app: Make recommended-downloads parsing handle empty
+ media lists
+
+---
+ src/util-app.vala | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/util-app.vala b/src/util-app.vala
+index c0a42a94d..c5f47ae22 100644
+--- a/src/util-app.vala
++++ b/src/util-app.vala
+@@ -250,7 +250,11 @@ private async GLib.List<Osinfo.Media>? parse_recommended_downloads_file (string
+                 continue;
+             }
+ 
+-            var media = os.get_media_list ().get_nth (0) as Osinfo.Media;
++            var media_list = os.get_media_list ();
++            if (media_list == null || media_list.get_length () == 0)
++                continue;
++
++            var media = media_list.get_nth (0) as Osinfo.Media;
+             if (media.url != null || os_id.has_prefix ("http://redhat.com"))
+                 list.append (media);
+ 
+-- 
+GitLab
+

helpers/DATA/gnome-software/rm_snap_fwup_support.patch

@@ -0,0 +1,86 @@
+diff --git a/debian/control b/debian/control
+index 2ea9e66..91f61fc 100644
+--- a/debian/control
++++ b/debian/control
+@@ -62,9 +62,8 @@ Depends: appstream,
+          ${misc:Depends},
+          ${shlibs:Depends}
+ Conflicts: sessioninstaller
+-Recommends: fwupd [linux-any], ${plugin:Recommends}
++Recommends: ${plugin:Recommends}
+ Suggests: apt-config-icons-hidpi,
+-          gnome-software-plugin-flatpak [amd64 arm64 armel armhf i386 mips mipsel mips64el ppc64el s390x hppa powerpc powerpcspe ppc64],
+           ${plugin:Suggests}
+ Description: Software Center for GNOME
+  Software lets you install and update applications and system extensions.
+@@ -106,26 +106,6 @@ Description: Flatpak support for GNOME Software
+  .
+  This package contains the Flatpak plugin.
+ 
+-Package: gnome-software-plugin-snap
+-Architecture: amd64 arm64 armel armhf i386 ppc64el s390x
+-Depends: gnome-software (= ${binary:Version}),
+-         snapd [amd64 arm64 armel armhf i386 ppc64el],
+-         ${misc:Depends},
+-         ${shlibs:Depends}
+-Recommends: snapd [s390x]
+-Breaks: gnome-software (<< 3.22.3)
+-Replaces: gnome-software (<< 3.22.3)
+-Description: Snap support for GNOME Software
+- Software lets you install and update applications and system extensions.
+- .
+- Software uses a plugin architecture to separate the frontend from the
+- technologies that are used underneath. Currently, a PackageKit plugin provides
+- data from a number of traditional packaging systems, such as rpm or apt. An
+- appdata plugin provides additional metadata from locally installed data in the
+- appdata format.
+- .
+- This package contains the Snap plugin.
+-
+ Package: gnome-software-dev
+ Section: libdevel
+ Architecture: any
+diff --git a/debian/rules b/debian/rules
+index f0bb2394..58b4bc70 100755
+--- a/debian/rules
++++ b/debian/rules
+@@ -30,11 +30,11 @@ ifeq ($(DEB_HOST_ARCH_OS), linux)
+ 	GS_CONFIGURE_FLAGS += -Dgudev=true
+ 	
+ 	# Enable fwupd support on Linux
+-	GS_CONFIGURE_FLAGS += -Dfwupd=true
++	GS_CONFIGURE_FLAGS += -Dfwupd=false
+ 
+ 	# Enable snap support on supported architectures
+ 	ifneq (,$(filter $(DEB_HOST_ARCH), amd64 arm64 armel armhf i386 ppc64el s390x))
+-		GS_CONFIGURE_FLAGS += -Dsnap=true
++		GS_CONFIGURE_FLAGS += -Dsnap=false
+ 	endif
+ endif
+ 
+@@ -42,9 +42,9 @@ DISTRO_ID = debian
+ FREE_REPOS = \'@DISTRO@-*-main\'
+ FREE_URL = https:\/\/www.debian.org\/social_contract\#guidelines
+ ifeq (yes,$(shell dpkg-vendor --derives-from Ubuntu && echo yes))
+-	DISTRO_ID = ubuntu
+-	FREE_REPOS = \'@DISTRO@-*-main\', \'@DISTRO@-*-universe\'
+-	FREE_URL = https:\/\/www.ubuntu.com\/about\/about-ubuntu\/licensing
++	DISTRO_ID = trisquel
++	FREE_REPOS = \'@DISTRO@-*-main\'
++	FREE_URL = https:\/\/trisquel.info\/legal
+ else ifeq (yes,$(shell dpkg-vendor --derives-from Tanglu && echo yes))
+ 	DISTRO_ID = tanglu
+ else ifeq (yes,$(shell dpkg-vendor --derives-from PureOS && echo yes))
+@@ -87,11 +87,7 @@ override_dh_shlibdeps:
+ override_dh_auto_test:
+ 
+ override_dh_gencontrol:
+-ifeq ($(shell dpkg-vendor --query vendor),Ubuntu)
+-	dh_gencontrol -- -Vplugin:Recommends='gnome-software-plugin-snap [linux-any]'
+-else
+-	dh_gencontrol -- -Vplugin:Suggests='gnome-software-plugin-snap [linux-any]'
+-endif
++	dh_gencontrol
+ 
+ override_dh_clean:
+ 	rm -f debian/gnome-software.gsettings-override

helpers/DATA/gnupg2/001-reduce_gpg-wks-server_dependency_to_match_later_releases.patch

@@ -0,0 +1,35 @@
+diff --git a/debian/control b/debian/control
+index c6a9778..ca0b1f0 100644
+--- a/debian/control
++++ b/debian/control
+@@ -254,8 +254,6 @@ Depends:
+  gpg-agent (>= ${source:Version}),
+  gpg-wks-client (<< ${source:Version}.1~),
+  gpg-wks-client (>= ${source:Version}),
+- gpg-wks-server (<< ${source:Version}.1~),
+- gpg-wks-server (>= ${source:Version}),
+  gpgsm (<< ${source:Version}.1~),
+  gpgsm (>= ${source:Version}),
+  gpgv (<< ${source:Version}.1~),
+@@ -265,6 +263,8 @@ Depends:
+ Recommends:
+  ${shlibs:Recommends},
+ Suggests:
++ gpg-wks-server (<< ${source:Version}.1~),
++ gpg-wks-server (>= ${source:Version}),
+  parcimonie,
+  xloadimage,
+ Breaks:
+diff --git a/debian/control b/debian/control
+index ca0b1f0..dc1d5cd 100644
+--- a/debian/control
++++ b/debian/control
+@@ -279,6 +279,8 @@ Breaks:
+  python-apt (<= 1.1.0~beta4),
+  python-gnupg (<< 0.3.8-3),
+  python3-apt (<= 1.1.0~beta4),
++Conflicts:
++ gpg-wks-server (<= 2.2.27-3ubuntu2.3+11.0trisquel0),
+ Replaces:
+  gnupg2 (<< 2.1.11-7+exp1),
+ Description: GNU privacy guard - a free PGP replacement

helpers/DATA/guix/cve/0001-etc-news-add-news-entry-for-build-user-takeover-vuln.patch

@@ -0,0 +1,57 @@
+From 532996c5908fb14cc8d102865280fb203c075c9c Mon Sep 17 00:00:00 2001
+From: Reepca Russelstein <reepca@russelstein.xyz>
+Date: Sun, 20 Oct 2024 17:32:23 -0500
+Subject: [PATCH] etc: news: add news entry for build user takeover
+ vulnerability fix.
+
+* etc/news.scm: add entry about build user takeover vulnerability.
+---
+ etc/news.scm | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/etc/news.scm b/etc/news.scm
+index a90f92a9ff..3fb53a9849 100644
+--- a/etc/news.scm
++++ b/etc/news.scm
+@@ -33,6 +33,38 @@
+ (channel-news
+  (version 0)
+ 
++ (entry (commit "5966e0fdc78771c562e0f484a22f381a77908be0")
++        (title
++         (en "Daemon vulnerability allowing takeover of build users fixed"))
++        (body
++         (en "A vulnerability allowing a local user to execute arbitrary code
++as any of the build users has been identified and fixed.  Most notably, this
++allows any local user to alter the result of any local build, even if it
++happens inside a container.  The only requirements to exploit this
++vulnerability are the ability to start a derivation build and the ability to
++run arbitrary code with access to the store in the root PID namespace on the
++machine that build occurs on.  This largely limits the vulnerability to
++multi-user systems.
++
++This vulnerability is caused by the fact that @command{guix-daemon} does not
++change ownership and permissions on the outputs of failed builds when it moves
++them to the store, and is also caused by there being a window of time between
++when it moves outputs of successful builds to the store and when it changes
++their ownership and permissions.  Because of this, a build can create a binary
++with both setuid and setgid bits set and have it become visible to the outside
++world once the build ends.  At that point any process that can access the
++store can execute it and gain the build user's privileges.  From there any
++process owned by that build user can be manipulated via procfs and signals at
++will, allowing the attacker to control the output of its builds.
++
++You are advised to upgrade @command{guix-daemon}.  Run @command{info \"(guix)
++Upgrading Guix\"}, for info on how to do that.  Additionally, if there is any
++risk that a builder may have already created these setuid binaries (for
++example on accident), run @command{guix gc} to remove all failed build
++outputs.
++
++See @uref{https://issues.guix.gnu.org/73919} for more information on this
++vulnerability.")))
+  (entry (commit "2161820ebbbab62a5ce76c9101ebaec54dc61586")
+         (title
+          (en "Risk of local privilege escalation during user account creation")
+-- 
+2.45.2
+

helpers/DATA/guix/cve/0001-nix-build-sanitize-failed-build-outputs-prior-to-exp.patch

@@ -0,0 +1,83 @@
+From e936861263d9bafdfbe395c12526f2dc48ac17d7 Mon Sep 17 00:00:00 2001
+Message-ID: <e936861263d9bafdfbe395c12526f2dc48ac17d7.1729457080.git.reepca@russelstein.xyz>
+From: Reepca Russelstein <reepca@russelstein.xyz>
+Date: Sun, 20 Oct 2024 15:36:06 -0500
+Subject: [PATCH 1/2] nix: build: sanitize failed build outputs prior to
+ exposing them.
+
+The only thing keeping a rogue builder and a local user from collaborating to
+usurp control over the builder's user during the build is the fact that
+whatever files the builder may produce are not accessible to any other users
+yet.  If we're going to make them accessible, we should probably do some
+sanity checking to ensure that sort of collaborating can't happen.
+
+Currently this isn't happening when failed build outputs are moved from the
+chroot as an aid to debugging.
+
+* nix/libstore/build.cc (secureFilePerms): new function.
+  (DerivationGoal::buildDone): use it.
+
+Change-Id: I9dce1e3d8813b31cabd87a0e3219bf9830d8be96
+---
+ nix/libstore/build.cc | 36 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
+index d23c0944a4..67ebfe2f14 100644
+--- a/nix/libstore/build.cc
++++ b/nix/libstore/build.cc
+@@ -1301,6 +1301,34 @@ void replaceValidPath(const Path & storePath, const Path tmpPath)
+ MakeError(NotDeterministic, BuildError)
+ 
+ 
++/* Recursively make the file permissions of a path safe for exposure to
++   arbitrary users, but without canonicalising its permissions, timestamp, and
++   user.  Throw an exception if a file type that isn't explicitly known to be
++   safe is found. */
++static void secureFilePerms(Path path)
++{
++  struct stat st;
++  if (lstat(path.c_str(), &st)) return;
++
++  switch(st.st_mode & S_IFMT) {
++  case S_IFLNK:
++    return;
++
++  case S_IFDIR:
++    for (auto & i : readDirectory(path)) {
++      secureFilePerms(path + "/" + i.name);
++    }
++    /* FALLTHROUGH */
++
++  case S_IFREG:
++    chmod(path.c_str(), (st.st_mode & ~S_IFMT) & ~(S_ISUID | S_ISGID | S_IWOTH));
++    break;
++
++  default:
++    throw Error(format("file `%1%' has an unsupported type") % path);
++  }
++}
++
+ void DerivationGoal::buildDone()
+ {
+     trace("build done");
+@@ -1372,9 +1400,15 @@ void DerivationGoal::buildDone()
+                build failures. */
+             if (useChroot && buildMode == bmNormal)
+                 foreach (PathSet::iterator, i, missingPaths)
+-                    if (pathExists(chrootRootDir + *i))
++                    if (pathExists(chrootRootDir + *i)) {
++                      try {
++                        secureFilePerms(chrootRootDir + *i);
+                         rename((chrootRootDir + *i).c_str(), i->c_str());
++                      } catch(Error & e) {
++                        printMsg(lvlError, e.msg());
++                      }
++                    }
+ 
+             if (diskFull)
+                 printMsg(lvlError, "note: build failure may have been caused by lack of free disk space");
+
+-- 
+2.45.2
+

helpers/DATA/guix/cve/0002-nix-build-sanitize-successful-build-outputs-prior-to.patch

@@ -0,0 +1,64 @@
+From d096d653cc69118e05f49247ab312d0096b16656 Mon Sep 17 00:00:00 2001
+Message-ID: <d096d653cc69118e05f49247ab312d0096b16656.1729457080.git.reepca@russelstein.xyz>
+In-Reply-To: <e936861263d9bafdfbe395c12526f2dc48ac17d7.1729457080.git.reepca@russelstein.xyz>
+References: <e936861263d9bafdfbe395c12526f2dc48ac17d7.1729457080.git.reepca@russelstein.xyz>
+From: Reepca Russelstein <reepca@russelstein.xyz>
+Date: Sun, 20 Oct 2024 15:39:02 -0500
+Subject: [PATCH 2/2] nix: build: sanitize successful build outputs prior to
+ exposing them.
+
+There is currently a window of time between when the build outputs are exposed
+and when their metadata is canonicalized.
+
+* nix/libstore/build.cc (DerivationGoal::registerOutputs): wait until after
+  metadata canonicalization to move successful build outputs to the store.
+
+Change-Id: Ia995136f3f965eaf7b0e1d92af964b816f3fb276
+---
+ nix/libstore/build.cc | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
+index 67ebfe2f14..43a8a37184 100644
+--- a/nix/libstore/build.cc
++++ b/nix/libstore/build.cc
+@@ -2369,15 +2369,6 @@ void DerivationGoal::registerOutputs()
+         Path actualPath = path;
+         if (useChroot) {
+             actualPath = chrootRootDir + path;
+-            if (pathExists(actualPath)) {
+-                /* Move output paths from the chroot to the store. */
+-                if (buildMode == bmRepair)
+-                    replaceValidPath(path, actualPath);
+-                else
+-                    if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
+-                        throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
+-            }
+-            if (buildMode != bmCheck) actualPath = path;
+         } else {
+             Path redirected = redirectedOutputs[path];
+             if (buildMode == bmRepair
+@@ -2463,6 +2454,20 @@ void DerivationGoal::registerOutputs()
+         canonicalisePathMetaData(actualPath,
+             buildUser.enabled() && !rewritten ? buildUser.getUID() : -1, inodesSeen);
+ 
++        if (useChroot) {
++          if (pathExists(actualPath)) {
++            /* Now that output paths have been canonicalized (in particular
++               there are no setuid files left), move them outside of the
++               chroot and to the store. */
++            if (buildMode == bmRepair)
++              replaceValidPath(path, actualPath);
++            else
++              if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
++                throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
++          }
++          if (buildMode != bmCheck) actualPath = path;
++        }
++
+         /* For this output path, find the references to other paths
+            contained in it.  Compute the SHA-256 NAR hash at the same
+            time.  The hash is stored in the database so that we can
+-- 
+2.45.2
+

helpers/DATA/guix/cve/CVE-2024-27297_4a67c00ad02fbe7a7f5796c4c4dc2c0ad70f0472.patch

@@ -0,0 +1,378 @@
+From 4a67c00ad02fbe7a7f5796c4c4dc2c0ad70f0472 Mon Sep 17 00:00:00 2001
+From: Vagrant Cascadian <vagrant@debian.org>
+Date: Tue, 12 Mar 2024 09:18:23 -0700
+Subject: [PATCH] debian/patches: guix-daemon: Protect against file descriptor
+ escape when building fixed-output derivations (CVE-2024-27297). (Closes:
+ #1066113)
+
+---
+ ...gainst-FD-escape-when-building-fixed.patch | 232 ++++++++++++++++++
+ ...hortcoming-in-previous-security-fix-.patch | 106 ++++++++
+ debian/patches/series                         |   2 +
+ 3 files changed, 340 insertions(+)
+ create mode 100644 debian/patches/security/0001-daemon-Protect-against-FD-escape-when-building-fixed.patch
+ create mode 100644 debian/patches/security/0032-daemon-Address-shortcoming-in-previous-security-fix-.patch
+
+diff --git a/debian/patches/security/0001-daemon-Protect-against-FD-escape-when-building-fixed.patch b/debian/patches/security/0001-daemon-Protect-against-FD-escape-when-building-fixed.patch
+new file mode 100644
+index 0000000000..e6e02cf206
+--- /dev/null
++++ b/debian/patches/security/0001-daemon-Protect-against-FD-escape-when-building-fixed.patch
+@@ -0,0 +1,232 @@
++From 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 Mon Sep 17 00:00:00 2001
++From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org>
++Date: Mon, 11 Mar 2024 10:59:42 +0100
++Subject: [PATCH 01/36] daemon: Protect against FD escape when building
++ fixed-output derivations (CVE-2024-27297).
++MIME-Version: 1.0
++Content-Type: text/plain; charset=UTF-8
++Content-Transfer-Encoding: 8bit
++
++This fixes a security issue (CVE-2024-27297) whereby a fixed-output
++derivation build process could open a writable file descriptor to its
++output, send it to some outside process for instance over an abstract
++AF_UNIX socket, which would then allow said process to modify the file
++in the store after it has been marked as “valid”.
++
++Vulnerability discovered by puck <https://github.com/puckipedia>.
++
++Nix security advisory:
++https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
++
++Nix fix:
++https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9
++
++* nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and
++a file descriptor.  Rewrite the ‘Path’ variant accordingly.
++(copyFile, copyFileRecursively): New functions.
++* nix/libutil/util.hh (copyFileRecursively): New declaration.
++* nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’
++is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output.
++
++Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4
++
++Reported-by: Picnoir <picnoir@alternativebit.fr>, Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
++Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88
++---
++ nix/libstore/build.cc |  16 ++++++
++ nix/libutil/util.cc   | 112 ++++++++++++++++++++++++++++++++++++++++--
++ nix/libutil/util.hh   |   6 +++
++ 3 files changed, 129 insertions(+), 5 deletions(-)
++
++diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
++index 461fcbc584..e2adee118b 100644
++--- a/nix/libstore/build.cc
+++++ b/nix/libstore/build.cc
++@@ -1382,6 +1382,22 @@ void DerivationGoal::buildDone()
++                 % drvPath % statusToString(status));
++         }
++ 
+++	if (fixedOutput) {
+++	    /* Replace the output, if it exists, by a fresh copy of itself to
+++               make sure that there's no stale file descriptor pointing to it
+++               (CVE-2024-27297).  */
+++	    foreach (DerivationOutputs::iterator, i, drv.outputs) {
+++		if (pathExists(i->second.path)) {
+++		    Path pivot = i->second.path + ".tmp";
+++		    copyFileRecursively(i->second.path, pivot, true);
+++		    int err = rename(pivot.c_str(), i->second.path.c_str());
+++		    if (err != 0)
+++			throw SysError(format("renaming `%1%' to `%2%'")
+++				       % pivot % i->second.path);
+++		}
+++	    }
+++	}
+++
++         /* Compute the FS closure of the outputs and register them as
++            being valid. */
++         registerOutputs();
++diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc
++index 82eac72120..493f06f357 100644
++--- a/nix/libutil/util.cc
+++++ b/nix/libutil/util.cc
++@@ -215,14 +215,11 @@ bool isLink(const Path & path)
++ }
++ 
++ 
++-DirEntries readDirectory(const Path & path)
+++static DirEntries readDirectory(DIR *dir)
++ {
++     DirEntries entries;
++     entries.reserve(64);
++ 
++-    AutoCloseDir dir = opendir(path.c_str());
++-    if (!dir) throw SysError(format("opening directory `%1%'") % path);
++-
++     struct dirent * dirent;
++     while (errno = 0, dirent = readdir(dir)) { /* sic */
++         checkInterrupt();
++@@ -230,11 +227,29 @@ DirEntries readDirectory(const Path & path)
++         if (name == "." || name == "..") continue;
++         entries.emplace_back(name, dirent->d_ino, dirent->d_type);
++     }
++-    if (errno) throw SysError(format("reading directory `%1%'") % path);
+++    if (errno) throw SysError(format("reading directory"));
++ 
++     return entries;
++ }
++ 
+++DirEntries readDirectory(const Path & path)
+++{
+++    AutoCloseDir dir = opendir(path.c_str());
+++    if (!dir) throw SysError(format("opening directory `%1%'") % path);
+++    return readDirectory(dir);
+++}
+++
+++static DirEntries readDirectory(int fd)
+++{
+++    /* Since 'closedir' closes the underlying file descriptor, duplicate FD
+++       beforehand.  */
+++    int fdcopy = dup(fd);
+++    if (fdcopy < 0) throw SysError("dup");
+++
+++    AutoCloseDir dir = fdopendir(fdcopy);
+++    if (!dir) throw SysError(format("opening directory from file descriptor `%1%'") % fd);
+++    return readDirectory(dir);
+++}
++ 
++ unsigned char getFileType(const Path & path)
++ {
++@@ -364,6 +379,93 @@ void deletePath(const Path & path, unsigned long long & bytesFreed, size_t linkT
++     _deletePath(path, bytesFreed, linkThreshold);
++ }
++ 
+++static void copyFile(int sourceFd, int destinationFd)
+++{
+++    struct stat st;
+++    if (fstat(sourceFd, &st) == -1) throw SysError("statting file");
+++
+++    ssize_t result = copy_file_range(sourceFd, NULL, destinationFd, NULL, st.st_size, 0);
+++    if (result < 0 && errno == ENOSYS) {
+++	for (size_t remaining = st.st_size; remaining > 0; ) {
+++	    unsigned char buf[8192];
+++	    size_t count = std::min(remaining, sizeof buf);
+++
+++	    readFull(sourceFd, buf, count);
+++	    writeFull(destinationFd, buf, count);
+++	    remaining -= count;
+++	}
+++    } else {
+++	if (result < 0)
+++	    throw SysError(format("copy_file_range `%1%' to `%2%'") % sourceFd % destinationFd);
+++	if (result < st.st_size)
+++	    throw SysError(format("short write in copy_file_range `%1%' to `%2%'")
+++			   % sourceFd % destinationFd);
+++    }
+++}
+++
+++static void copyFileRecursively(int sourceroot, const Path &source,
+++				int destinationroot, const Path &destination,
+++				bool deleteSource)
+++{
+++    struct stat st;
+++    if (fstatat(sourceroot, source.c_str(), &st, AT_SYMLINK_NOFOLLOW) == -1)
+++	throw SysError(format("statting file `%1%'") % source);
+++
+++    if (S_ISREG(st.st_mode)) {
+++	AutoCloseFD sourceFd = openat(sourceroot, source.c_str(),
+++				      O_CLOEXEC | O_NOFOLLOW | O_RDONLY);
+++	if (sourceFd == -1) throw SysError(format("opening `%1%'") % source);
+++
+++	AutoCloseFD destinationFd = openat(destinationroot, destination.c_str(),
+++					   O_CLOEXEC | O_CREAT | O_WRONLY | O_TRUNC,
+++					   st.st_mode);
+++	if (destinationFd == -1) throw SysError(format("opening `%1%'") % source);
+++
+++	copyFile(sourceFd, destinationFd);
+++    } else if (S_ISLNK(st.st_mode)) {
+++	char target[st.st_size + 1];
+++	ssize_t result = readlinkat(sourceroot, source.c_str(), target, st.st_size);
+++	if (result != st.st_size) throw SysError("reading symlink target");
+++	target[st.st_size] = '\0';
+++	int err = symlinkat(target, destinationroot, destination.c_str());
+++	if (err != 0)
+++	    throw SysError(format("creating symlink `%1%'") % destination);
+++    } else if (S_ISDIR(st.st_mode)) {
+++	int err = mkdirat(destinationroot, destination.c_str(), 0755);
+++	if (err != 0)
+++	    throw SysError(format("creating directory `%1%'") % destination);
+++
+++	AutoCloseFD destinationFd = openat(destinationroot, destination.c_str(),
+++					   O_CLOEXEC | O_RDONLY | O_DIRECTORY);
+++	if (err != 0)
+++	    throw SysError(format("opening directory `%1%'") % destination);
+++
+++	AutoCloseFD sourceFd = openat(sourceroot, source.c_str(),
+++				      O_CLOEXEC | O_NOFOLLOW | O_RDONLY);
+++	if (sourceFd == -1)
+++	    throw SysError(format("opening `%1%'") % source);
+++
+++        if (deleteSource && !(st.st_mode & S_IWUSR)) {
+++	    /* Ensure the directory writable so files within it can be
+++	       deleted.  */
+++            if (fchmod(sourceFd, st.st_mode | S_IWUSR) == -1)
+++                throw SysError(format("making `%1%' directory writable") % source);
+++        }
+++
+++        for (auto & i : readDirectory(sourceFd))
+++	    copyFileRecursively((int)sourceFd, i.name, (int)destinationFd, i.name,
+++				deleteSource);
+++    } else throw Error(format("refusing to copy irregular file `%1%'") % source);
+++
+++    if (deleteSource)
+++	unlinkat(sourceroot, source.c_str(),
+++		 S_ISDIR(st.st_mode) ? AT_REMOVEDIR : 0);
+++}
+++
+++void copyFileRecursively(const Path &source, const Path &destination, bool deleteSource)
+++{
+++    copyFileRecursively(AT_FDCWD, source, AT_FDCWD, destination, deleteSource);
+++}
++ 
++ static Path tempName(Path tmpRoot, const Path & prefix, bool includePid,
++     int & counter)
++diff --git a/nix/libutil/util.hh b/nix/libutil/util.hh
++index 880b0e93b2..058f5f8446 100644
++--- a/nix/libutil/util.hh
+++++ b/nix/libutil/util.hh
++@@ -102,6 +102,12 @@ void deletePath(const Path & path);
++ void deletePath(const Path & path, unsigned long long & bytesFreed,
++     size_t linkThreshold = 1);
++ 
+++/* Copy SOURCE to DESTINATION, recursively.  Throw if SOURCE contains a file
+++   that is not a regular file, symlink, or directory.  When DELETESOURCE is
+++   true, delete source files once they have been copied.  */
+++void copyFileRecursively(const Path &source, const Path &destination,
+++    bool deleteSource = false);
+++
++ /* Create a temporary directory. */
++ Path createTempDir(const Path & tmpRoot = "", const Path & prefix = "nix",
++     bool includePid = true, bool useGlobalCounter = true, mode_t mode = 0755);
++-- 
++2.39.2
++
+diff --git a/debian/patches/security/0032-daemon-Address-shortcoming-in-previous-security-fix-.patch b/debian/patches/security/0032-daemon-Address-shortcoming-in-previous-security-fix-.patch
+new file mode 100644
+index 0000000000..0d0b6bd22f
+--- /dev/null
++++ b/debian/patches/security/0032-daemon-Address-shortcoming-in-previous-security-fix-.patch
+@@ -0,0 +1,106 @@
++From ff1251de0bc327ec478fc66a562430fbf35aef42 Mon Sep 17 00:00:00 2001
++From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org>
++Date: Tue, 12 Mar 2024 11:53:35 +0100
++Subject: [PATCH 32/36] daemon: Address shortcoming in previous security fix
++ for CVE-2024-27297.
++MIME-Version: 1.0
++Content-Type: text/plain; charset=UTF-8
++Content-Transfer-Encoding: 8bit
++
++This is a followup to 8f4ffb3fae133bb21d7991e97c2f19a7108b1143.
++
++Commit 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 fell short in two
++ways: (1) it didn’t have any effet for fixed-output derivations
++performed in a chroot, which is the case for all of them except those
++using “builtin:download” and “builtin:git-download”, and (2) it did not
++preserve ownership when copying, leading to “suspicious ownership or
++permission […] rejecting this build output” errors.
++
++* nix/libstore/build.cc (DerivationGoal::buildDone): Account for
++‘chrootRootDir’ when copying ‘drv.outputs’.
++* nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and ‘fchownat’
++calls to preserve file ownership; this is necessary for chrooted
++fixed-output derivation builds.
++* nix/libutil/util.hh: Update comment.
++
++Change-Id: Ib59f040e98fed59d1af81d724b874b592cbef156
++---
++ nix/libstore/build.cc | 11 ++++++-----
++ nix/libutil/util.cc   |  4 ++++
++ nix/libutil/util.hh   |  7 ++++---
++ 3 files changed, 14 insertions(+), 8 deletions(-)
++
++diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
++index e2adee118b..d23c0944a4 100644
++--- a/nix/libstore/build.cc
+++++ b/nix/libstore/build.cc
++@@ -1387,13 +1387,14 @@ void DerivationGoal::buildDone()
++                make sure that there's no stale file descriptor pointing to it
++                (CVE-2024-27297).  */
++ 	    foreach (DerivationOutputs::iterator, i, drv.outputs) {
++-		if (pathExists(i->second.path)) {
++-		    Path pivot = i->second.path + ".tmp";
++-		    copyFileRecursively(i->second.path, pivot, true);
++-		    int err = rename(pivot.c_str(), i->second.path.c_str());
+++		Path output = chrootRootDir + i->second.path;
+++		if (pathExists(output)) {
+++		    Path pivot = output + ".tmp";
+++		    copyFileRecursively(output, pivot, true);
+++		    int err = rename(pivot.c_str(), output.c_str());
++ 		    if (err != 0)
++ 			throw SysError(format("renaming `%1%' to `%2%'")
++-				       % pivot % i->second.path);
+++				       % pivot % output);
++ 		}
++ 	    }
++ 	}
++diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc
++index 493f06f357..578d657293 100644
++--- a/nix/libutil/util.cc
+++++ b/nix/libutil/util.cc
++@@ -422,6 +422,7 @@ static void copyFileRecursively(int sourceroot, const Path &source,
++ 	if (destinationFd == -1) throw SysError(format("opening `%1%'") % source);
++ 
++ 	copyFile(sourceFd, destinationFd);
+++	fchown(destinationFd, st.st_uid, st.st_gid);
++     } else if (S_ISLNK(st.st_mode)) {
++ 	char target[st.st_size + 1];
++ 	ssize_t result = readlinkat(sourceroot, source.c_str(), target, st.st_size);
++@@ -430,6 +431,8 @@ static void copyFileRecursively(int sourceroot, const Path &source,
++ 	int err = symlinkat(target, destinationroot, destination.c_str());
++ 	if (err != 0)
++ 	    throw SysError(format("creating symlink `%1%'") % destination);
+++	fchownat(destinationroot, destination.c_str(),
+++		 st.st_uid, st.st_gid, AT_SYMLINK_NOFOLLOW);
++     } else if (S_ISDIR(st.st_mode)) {
++ 	int err = mkdirat(destinationroot, destination.c_str(), 0755);
++ 	if (err != 0)
++@@ -455,6 +458,7 @@ static void copyFileRecursively(int sourceroot, const Path &source,
++         for (auto & i : readDirectory(sourceFd))
++ 	    copyFileRecursively((int)sourceFd, i.name, (int)destinationFd, i.name,
++ 				deleteSource);
+++	fchown(destinationFd, st.st_uid, st.st_gid);
++     } else throw Error(format("refusing to copy irregular file `%1%'") % source);
++ 
++     if (deleteSource)
++diff --git a/nix/libutil/util.hh b/nix/libutil/util.hh
++index 058f5f8446..377aac0684 100644
++--- a/nix/libutil/util.hh
+++++ b/nix/libutil/util.hh
++@@ -102,9 +102,10 @@ void deletePath(const Path & path);
++ void deletePath(const Path & path, unsigned long long & bytesFreed,
++     size_t linkThreshold = 1);
++ 
++-/* Copy SOURCE to DESTINATION, recursively.  Throw if SOURCE contains a file
++-   that is not a regular file, symlink, or directory.  When DELETESOURCE is
++-   true, delete source files once they have been copied.  */
+++/* Copy SOURCE to DESTINATION, recursively, preserving ownership.  Throw if
+++   SOURCE contains a file that is not a regular file, symlink, or directory.
+++   When DELETESOURCE is true, delete source files once they have been
+++   copied.  */
++ void copyFileRecursively(const Path &source, const Path &destination,
++     bool deleteSource = false);
++ 
++-- 
++2.39.2
++
+diff --git a/debian/patches/series b/debian/patches/series_
+index 5d506e57..0b8879d1 100644
+--- a/debian/patches/series
++++ b/debian/patches/series_
+@@ -40,3 +40,5 @@ lsb-init-functions
+ guix-daemon-openrc-fixes
+ tests-Ensure-test-OpenPGP-keys-never-expire.patch
+ use-c-utf8-locale
++security/0001-daemon-Protect-against-FD-escape-when-building-fixed.patch
++security/0032-daemon-Address-shortcoming-in-previous-security-fix-.patch
+-- 
+GitLab
+

helpers/DATA/guix/guix-1.3.0.4-to-1.3.0-5.patch

@@ -0,0 +1,157 @@
+diff --git a/debian/control b/debian/control
+index f5080c40..24f545ae 100644
+--- a/debian/control
++++ b/debian/control
+@@ -44,7 +44,9 @@ Depends: ${misc:Depends}, ${shlibs:Depends},
+  guile-sqlite3 (>= 0.1.3-2~),
+  guile-zlib (>= 0.1.0),
+  libssh-dev,
+-Recommends: nscd,
++Recommends: ca-certificates,
++ less,
++ nscd,
+  systemd,
+ Description: GNU Guix functional package manager
+  Guix is an advanced distribution of the GNU operating system
+diff --git a/debian/patches/series b/debian/patches/series
+index 2151eca4..5d506e57 100644
+--- a/debian/patches/series
++++ b/debian/patches/series
+@@ -38,3 +38,5 @@ lsb-init-functions
+ 0030-Disable-gexp-derivation-allowed-references-test-when.patch
+ 0031-Disable-substitue-deduplication-test-when-network-is.patch
+ guix-daemon-openrc-fixes
++tests-Ensure-test-OpenPGP-keys-never-expire.patch
++use-c-utf8-locale
+diff --git a/guix/debian/patches/tests-Ensure-test-OpenPGP-keys-never-expire.patch b/debian/patches/tests-Ensure-test-OpenPGP-keys-never-expire.patch
+new file mode 100644
+index 00000000..3d23bd95
+--- /dev/null
++++ b/debian/patches/tests-Ensure-test-OpenPGP-keys-never-expire.patch
+@@ -0,0 +1,62 @@
++From 3ae7632ca0a1edca9d8c3c766efb0dcc8aa5da37 Mon Sep 17 00:00:00 2001
++From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org>
++Date: Wed, 18 May 2022 23:20:21 +0200
++Subject: [PATCH] tests: Ensure test OpenPGP keys never expire.
++
++All these keys had expiration dates.  'tests/keys/ed25519.pub' expired
++on 2022-04-24.
++
++Fixes <https://issues.guix.gnu.org/55506>.
++
++* tests/keys/ed25519.pub, tests/keys/ed25519-2.pub,
++tests/keys/ed25519-3.pub: Remove expiration date.
++---
++ tests/keys/ed25519-2.pub | 11 +++++------
++ tests/keys/ed25519-3.pub | 10 +++++-----
++ tests/keys/ed25519.pub   | 10 +++++-----
++ 3 files changed, 15 insertions(+), 16 deletions(-)
++
++Adjusted to apply to older locations present in 1.3.0.
++
++diff --git a/tests/ed25519bis.key b/tests/ed25519bis.key
++index f5329105d5..ef050e3845 100644
++--- a/tests/ed25519bis.key
+++++ b/tests/ed25519bis.key
++@@ -1,10 +1,9 @@
++ -----BEGIN PGP PUBLIC KEY BLOCK-----
++ 
++ mDMEXtVsNhYJKwYBBAHaRw8BAQdAnLsYdh3BpeK1xDguJE80XW2/MSmqeeP6pbQw
++-8jAw0OG0IkNoYXJsaWUgR3VpeCA8Y2hhcmxpZUBleGFtcGxlLm9yZz6IlgQTFggA
++-PhYhBKBDaY1jer75FlruS4IkDtyrgNqDBQJe1Ww2AhsDBQkDwmcABQsJCAcCBhUK
++-CQgLAgQWAgMBAh4BAheAAAoJEIIkDtyrgNqDM6cA/idDdoxo9SU+witdTXt24APH
++-yRzHbX9Iyh4dZNIek9JwAP9E0BwSvDHB4LY9z4RWf2hJp3dm/yZ/jEpK+w4BGN4J
++-Ag==
++-=JIU0
+++8jAw0OG0IkNoYXJsaWUgR3VpeCA8Y2hhcmxpZUBleGFtcGxlLm9yZz6IkAQTFggA
+++OAIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBKBDaY1jer75FlruS4IkDtyr
+++gNqDBQJihWJtAAoJEIIkDtyrgNqDbs0BAPOaGSYf3pX3DReEe1zbxxVQrolX9/AZ
+++VP0AOt0TAgkzAP0Sr7G1NuCtjWWGK1WmlyTFPhOWLhNriKgZFkBZrGypAw==
+++=pdTB
++ -----END PGP PUBLIC KEY BLOCK-----
++diff --git a/tests/ed25519.key b/tests/ed25519.key
++index f6bf906783..5a2fccc9f9 100644
++--- a/tests/ed25519.key
+++++ b/tests/ed25519.key
++@@ -2,9 +2,9 @@
++ 
++ mDMEXqNaoBYJKwYBBAHaRw8BAQdArviKtelb4g0I3zx9xyDS40Oz8i1/LRXqppG6
++ b23Hdim0KEVkIFR3by1GaWZ0eSA8bHVkbyt0ZXN0LWVjY0BjaGJvdWliLm9yZz6I
++-lgQTFggAPhYhBETTHiGvcTj5tjIoCncfScv6rgctBQJeo1qgAhsDBQkDwmcABQsJ
++-CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEHcfScv6rgctq4MA/1R9G0roEwrHwmTd
++-DHxt211eLqupwXE0Z7xY2FH6DHk9AP4owEefBU7jQprSAzBS+c6gdS3SCCKKqAh6
++-ToZ4LmbKAw==
++-=FXMK
+++kAQTFggAOAIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBETTHiGvcTj5tjIo
+++CncfScv6rgctBQJihWH6AAoJEHcfScv6rgctfPMBAPv+yPmEgM+J6D1nZjXsO4zW
++++4e3y2Ez+QxgI2tn8Z2xAQDBUWyyu0X+8dguGmVlsaiQdkazaUSpexvIhh9zONYw
+++Bg==
+++=s4Vp
++ -----END PGP PUBLIC KEY BLOCK-----
++-- 
++2.30.2
++
+diff --git a/guix/debian/patches/use-c-utf8-locale b/debian/patches/use-c-utf8-locale
+new file mode 100644
+index 00000000..6f69c0fa
+--- /dev/null
++++ b/debian/patches/use-c-utf8-locale
+@@ -0,0 +1,58 @@
++Use the C.UTF-8 locale for guix-daemon and guix-publish.
++
++https://bugs.debian.org/1012536
++
++Index: guix/etc/guix-daemon.service.in
++===================================================================
++--- guix.orig/etc/guix-daemon.service.in
+++++ guix/etc/guix-daemon.service.in
++@@ -7,7 +7,7 @@ Description=Build daemon for GNU Guix
++ 
++ [Service]
++ ExecStart=/usr/bin/guix-daemon --build-users-group=_guixbuild
++-Environment='GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale' LC_ALL=en_US.utf8
+++Environment=LC_ALL=C.UTF-8
++ RemainAfterExit=yes
++ StandardOutput=syslog
++ StandardError=syslog
++Index: guix/etc/init.d/guix-daemon.in
++===================================================================
++--- guix.orig/etc/init.d/guix-daemon.in
+++++ guix/etc/init.d/guix-daemon.in
++@@ -35,8 +35,7 @@ start)
++       -a \
++       -e "/var/log/guix-daemon-stderr.log" \
++       -o "/var/log/guix-daemon-stdout.log" \
++-      -E GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale \
++-      -E LC_ALL=en_US.utf8 \
+++      -E LC_ALL=C.UTF-8 \
++       -p "/var/run/guix-daemon.pid" \
++       /usr/bin/guix-daemon \
++       --build-users-group=_guixbuild
++Index: guix/etc/openrc/guix-daemon.in
++===================================================================
++--- guix.orig/etc/openrc/guix-daemon.in
+++++ guix/etc/openrc/guix-daemon.in
++@@ -17,8 +17,7 @@
++ # You should have received a copy of the GNU General Public License
++ # along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
++ 
++-export GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale
++-export LC_ALL=en_US.utf8
+++export LC_ALL=C.UTF-8
++ command="/usr/bin/guix-daemon"
++ command_args="--build-users-group=_guixbuild"
++ command_background="yes"
++Index: guix/etc/guix-publish.service.in
++===================================================================
++--- guix.orig/etc/guix-publish.service.in
+++++ guix/etc/guix-publish.service.in
++@@ -10,7 +10,7 @@ After=guix-daemon.service
++ 
++ [Service]
++ ExecStart=/usr/bin/guix publish --user=nobody --port=8181
++-Environment='GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale' LC_ALL=en_US.utf8
+++Environment=LC_ALL=C.UTF-8
++ RemainAfterExit=yes
++ StandardOutput=syslog
++ StandardError=syslog

helpers/DATA/hplip/patch_changes/000-add_trisquel_distro_definition_distros_password.patch

@@ -0,0 +1,313 @@
+diff --git a/installer/distros.dat b/installer/distros.dat
+index 80588920..66bb81a1 100644
+--- a/installer/distros.dat
++++ b/installer/distros.dat
+@@ -94,7 +94,7 @@
+ # ****************************************
+ 
+ [distros]
+-distros=unknown,mepis,debian,suse,mandriva,fedora,redhat,rhel,slackware,gentoo,redflag,ubuntu,xandros,freebsd,linspire,ark,pclinuxos,centos,igos,linuxmint,linpus,gos,boss,lfs,manjarolinux,zorin,mxlinux,elementary
++distros=unknown,mepis,debian,suse,mandriva,fedora,redhat,rhel,slackware,gentoo,redflag,ubuntu,xandros,freebsd,linspire,ark,pclinuxos,centos,igos,linuxmint,linpus,gos,boss,lfs,manjarolinux,zorin,mxlinux,elementary,trisquel
+ 
+ # ****************************************
+ 
+@@ -18946,3 +18946,287 @@ packages=automake1.11
+ packages=epm
+ 
+ # ****************************************
++
++[trisquel]
++index=99
++versions=11.0.1,12.0
++display_name=Trisquel GNU/Linux
++alt_names=trisquel,Trisquel GNU/Linux
++display=1
++notes=
++package_mgrs=dpkg,apt-get,synaptic,update-manager,adept,aptitude,adept-updater
++package_mgr_cmd=sudo apt-get install --assume-yes $packages_to_install
++pre_depend_cmd=sudo dpkg --configure -a,sudo apt-get install --yes --force-yes -f,sudo apt-get update
++post_depend_cmd=
++hp_libs_remove_cmd= sudo apt-get remove libhpmud0 libsane-hpaio printer-driver-postscript-hp
++hplip_remove_cmd=sudo aptitude remove --assume-yes hplip hpijs
++su_sudo=sudo
++ppd_install=ppd
++udev_mode_fix=1
++ppd_dir=
++fix_ppd_symlink=0
++drv_dir=/usr/share/cups/drv/HP
++
++# ****************************************
++
++[trisquel:11.0.1]
++code_name=aramo
++supported=1
++scan_supported=1
++fax_supported=1
++pcard_supported=1
++network_supported=1
++parallel_supported=1
++usb_supported=1
++packaged_version=3.21.12
++release_date=01/01/2022
++notes=
++ppd_install=drv
++udev_mode_fix=1
++ppd_dir=/usr/share/ppd/HP
++fix_ppd_symlink=0
++drv_dir=/usr/share/cups/drv/HP
++ui_toolkit=qt5
++native_cups=1
++acl_rules=1
++
++libdir_path=/usr/lib
++
++[trisquel:11.0.1:cups]
++packages=libcups2
++
++[trisquel:11.0.1:cups-devel]
++packages=libcups2-dev,cups-bsd,cups-client
++
++[trisquel:11.0.1:gcc]
++packages=build-essential
++
++[trisquel:11.0.1:gs]
++packages=ghostscript
++
++[trisquel:11.0.1:libcrypto]
++packages=openssl
++
++[trisquel:11.0.1:libjpeg]
++packages=libjpeg-dev
++
++[trisquel:11.0.1:libatk-adaptor]
++packages=libatk-adaptor
++
++[trisquel:11.0.1:libgail-common]
++packages=libgail-common
++
++[trisquel:11.0.1:libnetsnmp-devel]
++packages=libsnmp-dev
++
++[trisquel:11.0.1:libpthread]
++packages=build-essential
++
++[trisquel:11.0.1:libtool]
++packages=libtool,libtool-bin
++
++[trisquel:11.0.1:libusb]
++packages=libusb-1.0-0-dev,libusb-0.1-4
++
++[trisquel:11.0.1:make]
++packages=build-essential
++
++[trisquel:11.0.1:ppdev]
++packages=
++commands=sudo modprobe ppdev,sudo cp -f /etc/modules /etc/modules.hplip,echo ppdev | sudo tee -a /etc/modules
++
++[trisquel:11.0.1:sane]
++packages=libsane
++
++[trisquel:11.0.1:sane-devel]
++packages=libsane-dev
++
++[trisquel:11.0.1:scanimage]
++packages=sane-utils
++
++[trisquel:11.0.1:xsane]
++packages=gtk2-engines-pixbuf,xsane
++
++[trisquel:11.0.1:dbus]
++packages=libdbus-1-dev
++
++[trisquel:11.0.1:cups-image]
++packages=libcupsimage2-dev
++
++[trisquel:11.0.1:cups-ddk]
++packages=cups
++
++[trisquel:11.0.1:policykit]
++packages=policykit-1,policykit-1-gnome
++
++[trisquel:11.0.1:network]
++packages=wget
++
++[trisquel:11.0.1:avahi-utils]
++packages=avahi-utils
++
++[trisquel:11.0.1:libavahi-dev]
++packages=libavahi-client-dev,libavahi-core-dev,libavahi-common-dev
++
++[trisquel:11.0.1:python3-notify2]
++packages=python3-notify2
++
++[trisquel:11.0.1:python3-pyqt5-dbus]
++packages=python3-dbus.mainloop.pyqt5
++
++[trisquel:11.0.1:python3-pyqt5]
++packages=python3-pyqt5,gtk2-engines-pixbuf
++
++[trisquel:11.0.1:python3-dbus]
++packages=python3-dbus,python3-gi
++
++[trisquel:11.0.1:python3-xml]
++packages=python3-lxml
++
++[trisquel:11.0.1:python3-devel]
++packages=python3-dev
++
++[trisquel:11.0.1:python3-pil]
++packages=python3-pil
++
++[trisquel:11.0.1:python3-reportlab]
++packages=python3-reportlab
++
++[trisquel:11.0.1:automake]
++packages=automake1.11
++
++[trisquel:11.0.1:epm]
++packages=epm
++
++# ****************************************
++
++[trisquel:12.0]
++code_name=ecne
++supported=1
++scan_supported=1
++fax_supported=1
++pcard_supported=1
++network_supported=1
++parallel_supported=1
++usb_supported=1
++packaged_version=3.23.12
++release_date=01/01/2022
++notes=
++ppd_install=drv
++udev_mode_fix=1
++ppd_dir=/usr/share/ppd/HP
++fix_ppd_symlink=0
++drv_dir=/usr/share/cups/drv/HP
++ui_toolkit=qt5
++native_cups=1
++acl_rules=1
++
++libdir_path=/usr/lib
++
++[trisquel:12.0:cups]
++packages=libcups2t64
++
++[trisquel:12.0:cups-devel]
++packages=libcups2-dev,cups-bsd,cups-client
++
++[trisquel:12.0:gcc]
++packages=build-essential
++
++[trisquel:12.0:gs]
++packages=ghostscript
++
++[trisquel:12.0:libcrypto]
++packages=openssl
++
++[trisquel:12.0:libjpeg]
++packages=libjpeg-dev
++
++[trisquel:12.0:libatk-adaptor]
++packages=libatk-adaptor
++
++[trisquel:12.0:libgail-common]
++packages=libgail-common
++
++[trisquel:12.0:libnetsnmp-devel]
++packages=libsnmp-dev
++
++[trisquel:12.0:libpthread]
++packages=build-essential
++
++[trisquel:12.0:libtool]
++packages=libtool,libtool-bin
++
++[trisquel:12.0:libusb]
++packages=libusb-1.0-0-dev,libusb-0.1-4
++
++[trisquel:12.0:make]
++packages=build-essential
++
++[trisquel:12.0:ppdev]
++packages=
++commands=sudo modprobe ppdev,sudo cp -f /etc/modules /etc/modules.hplip,echo ppdev | sudo tee -a /etc/modules
++
++[trisquel:12.0:sane]
++packages=libsane1
++
++[trisquel:12.0:sane-devel]
++packages=libsane-dev
++
++[trisquel:12.0:scanimage]
++packages=sane-utils
++
++[trisquel:12.0:xsane]
++packages=gtk2-engines-pixbuf,xsane
++
++[trisquel:12.0:dbus]
++packages=libdbus-1-dev
++
++[trisquel:12.0:cups-image]
++packages=libcupsimage2-dev
++
++[trisquel:12.0:cups-ddk]
++packages=cups
++
++[trisquel:12.0:policykit]
++packages=policykit-1,policykit-1-gnome
++
++[trisquel:12.0:network]
++packages=wget
++
++[trisquel:12.0:avahi-utils]
++packages=avahi-utils
++
++[trisquel:12.0:libavahi-dev]
++packages=libavahi-client-dev,libavahi-core-dev,libavahi-common-dev
++
++[trisquel:12.0:python3-notify2]
++packages=python3-notify2
++
++[trisquel:12.0:python3-pyqt5-dbus]
++packages=python3-dbus.mainloop.pyqt5
++
++[trisquel:12.0:python3-pyqt5]
++packages=python3-pyqt5,gtk2-engines-pixbuf
++
++[trisquel:12.0:python3-dbus]
++packages=python3-dbus,python3-gi
++
++[trisquel:12.0:python3-xml]
++packages=python3-lxml
++
++[trisquel:12.0:python3-devel]
++packages=python3-dev
++
++[trisquel:12.0:python3-pil]
++packages=python3-pil
++
++[trisquel:12.0:python3-reportlab]
++packages=python3-reportlab
++
++[trisquel:12.0:automake]
++packages=automake1.11
++
++[trisquel:12.0:epm]
++packages=epm
++
++# ****************************************
+diff --git a/base/password.py b/base/password.py
+index a76d4048..b0c6fe20 100644
+--- a/base/password.py
++++ b/base/password.py
+@@ -63,6 +63,7 @@ AUTH_TYPES = {'mepis': 'su',
+               'debiangnu/linux' : 'su',
+               'mxlinux' : 'su',
+               'elementaryos' : 'sudo',
++              'trisquel' : 'sudo',
+               }
+ 
+ 

helpers/DATA/hplip/patch_changes/001-enable_distro_name_dectection.patch

@@ -0,0 +1,16 @@
+diff --git a/installer/core_install.py b/installer/core_install.py
+index 1c8af23e..9595b2c7 100644
+--- a/installer/core_install.py
++++ b/installer/core_install.py
+@@ -644,6 +644,11 @@ class CoreInstall(object):
+         ld = distro.linux_distribution(full_distribution_name=False)
+         name = ld[0]
+         ver = ld[1]
++        # Ensure variable exists (used below for MX detection)
++        try:
++            distro_release_name = distro.name(pretty=True) or ""
++        except Exception:
++            distro_release_name = ""
+ 
+         found = True
+ 

helpers/DATA/inetutils/patch_changes/000-fix_injection_bug_with_bogus_user_names.patch

@@ -0,0 +1,34 @@
+From fd702c02497b2f398e739e3119bed0b23dd7aa7b Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@cs.ucla.edu>
+Date: Tue, 20 Jan 2026 01:10:36 -0800
+Subject: [PATCH] Fix injection bug with bogus user names
+
+Problem reported by Kyu Neushwaistein.
+* telnetd/utility.c (_var_short_name):
+Ignore user names that start with '-' or contain shell metacharacters.
+
+Signed-off-by: Simon Josefsson <simon@josefsson.org>
+---
+ telnetd/utility.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/telnetd/utility.c b/telnetd/utility.c
+index b486226e..c02cd0e6 100644
+--- a/telnetd/utility.c
++++ b/telnetd/utility.c
+@@ -1733,7 +1733,14 @@ _var_short_name (struct line_expander *exp)
+       return user_name ? xstrdup (user_name) : NULL;
+ 
+     case 'U':
+-      return getenv ("USER") ? xstrdup (getenv ("USER")) : xstrdup ("");
++      {
++	/* Ignore user names starting with '-' or containing shell
++	   metachars, as they can cause trouble.  */
++	char const *u = getenv ("USER");
++	return xstrdup ((u && *u != '-'
++			 && !u[strcspn (u, "\t\n !\"#$&'()*;<=>?[\\^`{|}~")])
++			? u : "");
++      }
+ 
+     default:
+       exp->state = EXP_STATE_ERROR;

helpers/DATA/inetutils/patch_changes/001-telnetd_sanitize_all_variable_expansions.patch

@@ -0,0 +1,78 @@
+From ccba9f748aa8d50a38d7748e2e60362edd6a32cc Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon@josefsson.org>
+Date: Tue, 20 Jan 2026 14:02:39 +0100
+Subject: [PATCH] telnetd: Sanitize all variable expansions
+
+* telnetd/utility.c (sanitize): New function.
+(_var_short_name): Use it for all variables.
+---
+ telnetd/utility.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/telnetd/utility.c b/telnetd/utility.c
+index c02cd0e6..b21ad961 100644
+--- a/telnetd/utility.c
++++ b/telnetd/utility.c
+@@ -1684,6 +1684,17 @@ static void _expand_cond (struct line_expander *exp);
+ static void _skip_block (struct line_expander *exp);
+ static void _expand_block (struct line_expander *exp);
+ 
++static char *
++sanitize (const char *u)
++{
++  /* Ignore values starting with '-' or containing shell metachars, as
++     they can cause trouble.  */
++  if (u && *u != '-' && !u[strcspn (u, "\t\n !\"#$&'()*;<=>?[\\^`{|}~")])
++    return u;
++  else
++    return "";
++}
++
+ /* Expand a variable referenced by its short one-symbol name.
+    Input: exp->cp points to the variable name.
+    FIXME: not implemented */
+@@ -1710,13 +1721,13 @@ _var_short_name (struct line_expander *exp)
+       return xstrdup (timebuf);
+ 
+     case 'h':
+-      return xstrdup (remote_hostname);
++      return xstrdup (sanitize (remote_hostname));
+ 
+     case 'l':
+-      return xstrdup (local_hostname);
++      return xstrdup (sanitize (local_hostname));
+ 
+     case 'L':
+-      return xstrdup (line);
++      return xstrdup (sanitize (line));
+ 
+     case 't':
+       q = strchr (line + 1, '/');
+@@ -1724,23 +1735,16 @@ _var_short_name (struct line_expander *exp)
+ 	q++;
+       else
+ 	q = line;
+-      return xstrdup (q);
++      return xstrdup (sanitize (q));
+ 
+     case 'T':
+-      return terminaltype ? xstrdup (terminaltype) : NULL;
++      return terminaltype ? xstrdup (sanitize (terminaltype)) : NULL;
+ 
+     case 'u':
+-      return user_name ? xstrdup (user_name) : NULL;
++      return user_name ? xstrdup (sanitize (user_name)) : NULL;
+ 
+     case 'U':
+-      {
+-	/* Ignore user names starting with '-' or containing shell
+-	   metachars, as they can cause trouble.  */
+-	char const *u = getenv ("USER");
+-	return xstrdup ((u && *u != '-'
+-			 && !u[strcspn (u, "\t\n !\"#$&'()*;<=>?[\\^`{|}~")])
+-			? u : "");
+-      }
++      return xstrdup (sanitize (getenv ("USER")));
+ 
+     default:
+       exp->state = EXP_STATE_ERROR;

helpers/DATA/libmateweather/patch_changes/003-weather_server_uri_update_138.patch

@@ -0,0 +1,38 @@
+From 4e54f44dab4efa8c216b26ea7188b99c94882ba4 Mon Sep 17 00:00:00 2001
+From: Victor Kareh <vkareh@redhat.com>
+Date: Thu, 18 Sep 2025 11:40:55 -0400
+Subject: [PATCH] metar: Update AviationWeather URL
+
+According to their website: "The AviationWeather Data API has been
+redeveloped in 2025."
+
+Also they put 'METAR' (or 'SPECI') onto the beginning of data to make it
+ICAO compliant, so we add code to parse that.
+
+Fixes #135
+---
+ libmateweather/weather-metar.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libmateweather/weather-metar.c b/libmateweather/weather-metar.c
+index 7bc24fc9..4698a077 100644
+--- a/libmateweather/weather-metar.c
++++ b/libmateweather/weather-metar.c
+@@ -510,7 +510,7 @@ metar_finish (SoupSession *session, SoupMessage *msg, gpointer data)
+ 
+     loc = info->location;
+ 
+-    searchkey = g_strdup_printf ("<raw_text>%s", loc->code);
++    searchkey = g_strdup_printf ("<raw_text>METAR %s", loc->code);
+     p = strstr (msg->response_body->data, searchkey);
+     g_free (searchkey);
+     if (p) {
+@@ -550,7 +550,7 @@ metar_start_open (WeatherInfo *info)
+     }
+ 
+     msg = soup_form_request_new (
+-        "GET", "https://www.aviationweather.gov/cgi-bin/data/dataserver.php",
++        "GET", "https://aviationweather.gov/api/data/dataserver",
+         "dataSource", "metars",
+         "requestType", "retrieve",
+         "format", "xml",

helpers/DATA/linux-hwe-6.5/deblob-check

@@ -7058,6 +7058,9 @@ set_except () {
     # New in 6.6-rc, 6.5.9, 6.1.60, 5.15.137, 5.10.199.
     blobname 'gsl1680-\(bush-bush-windows-tablet\|positivo-c4128b\)\.fw' drivers/platform/x86/otuchscreen_dmi.c
 
+    # Trisquel changes for HWE 6.5
+    blobname 'qcom[/]prog_firehose_sdx6x\.elf' drivers/bus/mhi/host/pci_generic.c
+
     ;;
 
   */*freedo*.patch | */*logo*.patch)

helpers/DATA/linux-hwe-6.5/silent-accept-firmware.patch

@@ -229,20 +229,21 @@ diff --color -Nru a/drivers/gpu/drm/amd/amdgpu/cik_sdma.c b/drivers/gpu/drm/amd/
  		for (i = 0; i < adev->sdma.num_instances; i++)
  			amdgpu_ucode_release(&adev->sdma.instance[i].fw);
  	}
-diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
-index 49d34c7..376ccc3 100644
---- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
-+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
-@@ -4011,8 +4011,7 @@ static int gfx_v10_0_init_microcode(struct amdgpu_device *adev)
- 			goto out;
- 		if (err)
- 			dev_dbg(adev->dev,
--				"gfx10: amdgpu_ucode_request() failed \"%s\"\n",
--				fw_name);
-+				"gfx10: amdgpu_ucode_request() failed \n");
- 		rlc_hdr = (const struct rlc_firmware_header_v2_0 *)adev->gfx.rlc_fw->data;
- 		version_major = le16_to_cpu(rlc_hdr->header.header_version_major);
- 		version_minor = le16_to_cpu(rlc_hdr->header.header_version_minor);
+# removed starting at
+#diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+#index 49d34c7..376ccc3 100644
+#--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+#+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+#@@ -4011,8 +4011,7 @@ static int gfx_v10_0_init_microcode(struct amdgpu_device *adev)
+# 			goto out;
+# 		if (err)
+# 			dev_dbg(adev->dev,
+#-				"gfx10: amdgpu_ucode_request() failed \"%s\"\n",
+#-				fw_name);
+#+				"gfx10: amdgpu_ucode_request() failed \n");
+# 		rlc_hdr = (const struct rlc_firmware_header_v2_0 *)adev->gfx.rlc_fw->data;
+# 		version_major = le16_to_cpu(rlc_hdr->header.header_version_major);
+# 		version_minor = le16_to_cpu(rlc_hdr->header.header_version_minor);
 diff --color -Nru a/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c
 --- a/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c	2022-07-31 16:03:01.000000000 -0500
 +++ b/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c	2023-03-09 19:48:18.700813841 -0600
@@ -1973,3 +1974,88 @@ index bd4c4174..9beeb2e6 100644
  
  	return request_firmware_nowait(THIS_MODULE, 1, drv->firmware_name,
  				       drv->trans->dev,
+diff --git a/drivers/bluetooth/hci_intel.c b/drivers/bluetooth/hci_intel.c
+index f9d2740a..37f4b0c3 100644
+--- a/drivers/bluetooth/hci_intel.c
++++ b/drivers/bluetooth/hci_intel.c
+@@ -701,8 +701,7 @@ static int intel_setup(struct hci_uart *hu)
+ 
+ 	err = request_firmware(&fw, fwname, &hdev->dev);
+ 	if (err < 0) {
+-		bt_dev_err(hdev, "Failed to load Intel firmware file (%d)",
+-			   err);
++		bt_dev_err(hdev, "Failed to load firmware file");
+ 		return err;
+ 	}
+ 
+diff --git a/drivers/bluetooth/hci_nokia.c b/drivers/bluetooth/hci_nokia.c
+index 97da0b2b..f8c38d91 100644
+--- a/drivers/bluetooth/hci_nokia.c
++++ b/drivers/bluetooth/hci_nokia.c
+@@ -344,8 +344,7 @@ static int nokia_setup_fw(struct hci_uart *hu)
+ 
+ 	err = request_firmware(&fw, fwname, dev);
+ 	if (err < 0) {
+-		dev_err(dev, "%s: Failed to load Nokia firmware file (%d)",
+-			hu->hdev->name, err);
++		dev_err(dev, "Failed to load firmware file");
+ 		return err;
+ 	}
+ 
+diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
+index f9b77a17..147d9fff 100644
+--- a/drivers/bluetooth/btintel.c
++++ b/drivers/bluetooth/btintel.c
+@@ -2049,12 +2049,11 @@ static int btintel_download_fw(struct hci_dev *hdev,
+ 			return 0;
+ 		}
+ 
+-		bt_dev_err(hdev, "Failed to load Intel firmware file (%d)",
+-			   err);
++		bt_dev_err(hdev, "Failed to load firmware file");
+ 		return err;
+ 	}
+ 
+-	bt_dev_info(hdev, "Found device firmware: %s", fwname);
++	bt_dev_info(hdev, "Found device firmware");
+ 
+ 	if (fw->size < 644) {
+ 		bt_dev_err(hdev, "Invalid size of firmware file (%zu)",
+@@ -2238,13 +2237,12 @@ static int btintel_prepare_fw_download_tlv(struct hci_dev *hdev,
+ 			return 0;
+ 		}
+ 
+-		bt_dev_err(hdev, "Failed to load Intel firmware file (%d)",
+-			   err);
++		bt_dev_err(hdev, "Failed to load firmware file");
+ 
+ 		return err;
+ 	}
+ 
+-	bt_dev_info(hdev, "Found device firmware: %s", fwname);
++	bt_dev_info(hdev, "Found device firmware");
+ 
+ 	if (fw->size < 644) {
+ 		bt_dev_err(hdev, "Invalid size of firmware file (%zu)",
+diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
+index 809762d6..fe2545ce 100644
+--- a/drivers/bluetooth/btmtk.c
++++ b/drivers/bluetooth/btmtk.c
+@@ -69,7 +69,7 @@ int btmtk_setup_firmware_79xx(struct hci_dev *hdev, const char *fwname,
+ 
+ 	err = request_firmware(&fw, fwname, &hdev->dev);
+ 	if (err < 0) {
+-		bt_dev_err(hdev, "Failed to load firmware file (%d)", err);
++		bt_dev_err(hdev, "Failed to load firmware file");
+ 		return err;
+ 	}
+ 
+@@ -181,7 +181,7 @@ int btmtk_setup_firmware(struct hci_dev *hdev, const char *fwname,
+ 
+ 	err = request_firmware(&fw, fwname, &hdev->dev);
+ 	if (err < 0) {
+-		bt_dev_err(hdev, "Failed to load firmware file (%d)", err);
++		bt_dev_err(hdev, "Failed to load firmware file");
+ 		return err;
+ 	}
+ 

helpers/DATA/linux-hwe-6.5/udeb/d-i.patch

@@ -1,8 +1,8 @@
 diff --git a/debian/rules b/debian/rules
-index fe52711..b2d1921 100755
+index 661286bd..e828a0ac 100755
 --- a/debian/rules
 +++ b/debian/rules
-@@ -134,12 +134,19 @@ clean: debian/control debian/canonical-certs.pem debian/canonical-revoked-certs.
+@@ -128,12 +128,19 @@ clean: debian/control debian/canonical-certs.pem debian/canonical-revoked-certs.
  	dh_testroot
  	dh_clean
  
@@ -12,7 +12,7 @@ index fe52711..b2d1921 100755
 +	rm -f $(DEBIAN)/d-i/firmware/$(arch)/kernel-image
 +
  	# normal build junk
- 	rm -rf $(DEBIAN)/abi/$(release)-$(revision)
+ 	rm -rf $(DEBIAN)/abi
  	rm -rf $(builddir)
  	rm -f $(stampdir)/stamp-*
  	rm -rf debian/linux-*/
@@ -22,14 +22,15 @@ index fe52711..b2d1921 100755
  	cp $(DEBIAN)/changelog debian/changelog
  
  	# Install the copyright information.
-@@ -184,7 +191,6 @@ $(DEBIAN)/control.stub: 				\
- 		$(DROOT)/scripts/control-create		\
- 		$(control_files)			\
- 		debian/canonical-revoked-certs.pem	\
--		$(DROOT)/control.d/flavour-module.stub	\
- 		$(DEBIAN)/changelog			\
- 		$(wildcard $(DEBIAN)/control.d/* $(DEBIAN)/sub-flavours/*.vars)
- 	for i in $(control_files); do                                           \
+#removed at 6.5.0-27.28~22.04.1
+#@@ -184,7 +191,6 @@ $(DEBIAN)/control.stub: 				\
+# 		$(DROOT)/scripts/control-create		\
+# 		$(control_files)			\
+# 		debian/canonical-revoked-certs.pem	\
+#-		$(DROOT)/control.d/flavour-module.stub	\
+# 		$(DEBIAN)/changelog			\
+# 		$(wildcard $(DEBIAN)/control.d/* $(DEBIAN)/sub-flavours/*.vars)
+# 	for i in $(control_files); do                                           \
 @@ -211,7 +217,14 @@ $(DEBIAN)/control.stub: 				\
  
  .PHONY: debian/control

helpers/DATA/linux-hwe-6.5/udeb/disable_zstd_module_compression.patch

@@ -0,0 +1,15 @@
+diff --git a/debian/rules.d/0-common-vars.mk b/debian/rules.d/0-common-vars.mk_
+index bc873563..d6692ca1 100644
+--- a/debian/rules.d/0-common-vars.mk
++++ b/debian/rules.d/0-common-vars.mk_
+@@ -197,8 +197,9 @@ do_dtbs=false
+ do_fips_checks=false
+ 
+ # ZSTD compressed kernel modules
++ifeq ($(filter $(series),jammy aramo),)
+ do_zstd_ko=true
+-ifeq ($(series),jammy)
++else
+ do_zstd_ko=
+ endif
+ 

helpers/DATA/linux-hwe-6.8/001-revert_iwlwifi_clear_firmware1.patch

@@ -0,0 +1,21 @@
+reverts https://lore.kernel.org/all/iwlwifi.20211210110539.1f742f0eb58a.I1315f22f6aa632d94ae2069f85e1bca5e734dce0@changeid/
+
+--- b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
++++ a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+@@ -1597,8 +1597,15 @@
+ 	 * else from proceeding if the module fails to load
+ 	 * or hangs loading.
+ 	 */
++	if (load_module) {
+-	if (load_module)
+ 		request_module("%s", op->name);
++#ifdef CONFIG_IWLWIFI_OPMODE_MODULAR
++		if (err)
++			IWL_ERR(drv,
++				"failed to load module %s (error %d), is dynamic loading enabled?\n",
++				op->name, err);
++#endif
++	}
+ 	failure = false;
+ 	goto free;
+ 

helpers/DATA/linux-hwe-6.8/002-revert_iwlwifi_clear_firmware2.patch

@@ -0,0 +1,40 @@
+reverts https://lore.kernel.org/all/iwlwifi.20211210110539.1f742f0eb58a.I1315f22f6aa632d94ae2069f85e1bca5e734dce0@changeid/
+
+--- b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
++++ a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+@@ -130,9 +130,6 @@
+ 
+ 	for (i = 0; i < IWL_UCODE_TYPE_MAX; i++)
+ 		iwl_free_fw_img(drv, drv->fw.img + i);
+-
+-	/* clear the data for the aborted load case */
+-	memset(&drv->fw, 0, sizeof(drv->fw));
+ }
+ 
+ static int iwl_alloc_fw_desc(struct iwl_drv *drv, struct fw_desc *desc,
+@@ -1429,7 +1426,6 @@
+ 	int i;
+ 	bool load_module = false;
+ 	bool usniffer_images = false;
+-	bool failure = true;
+ 
+ 	fw->ucode_capa.max_probe_length = IWL_DEFAULT_MAX_PROBE_LENGTH;
+ 	fw->ucode_capa.standard_phy_calibration_size =
+@@ -1699,7 +1695,6 @@
+ 				op->name, err);
+ #endif
+ 	}
+-	failure = false;
+ 	goto free;
+ 
+  try_again:
+@@ -1715,9 +1710,6 @@
+ 	complete(&drv->request_firmware_complete);
+ 	device_release_driver(drv->trans->dev);
+  free:
+-	if (failure)
+-		iwl_dealloc_ucode(drv);
+-
+ 	if (pieces) {
+ 		for (i = 0; i < ARRAY_SIZE(pieces->img); i++)
+ 			kfree(pieces->img[i].sec);

helpers/DATA/linux-hwe-6.8/003-revert_iwlwifi_clear_firmware3.patch

@@ -0,0 +1,13 @@
+reverts https://lore.kernel.org/all/iwlwifi.20211210110539.1f742f0eb58a.I1315f22f6aa632d94ae2069f85e1bca5e734dce0@changeid/
+
+diff -ru source.orig/drivers/net/wireless/intel/iwlwifi/iwl-drv.c source/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+--- source.orig/drivers/net/wireless/intel/iwlwifi/iwl-drv.c	2022-05-13 16:10:11.883295769 -0400
++++ source/drivers/net/wireless/intel/iwlwifi/iwl-drv.c	2022-05-13 20:13:06.568151229 -0400
+@@ -1605,7 +1605,6 @@
+ 	complete(&drv->request_firmware_complete);
+ 	device_release_driver(drv->trans->dev);
+ 	/* drv has just been freed by the release */
+-	failure = false;
+  free:
+ 	if (pieces) {
+ 		for (i = 0; i < ARRAY_SIZE(pieces->img); i++)

helpers/DATA/linux-hwe-6.8/004-enable_blobless_activation_radeon.patch

@@ -0,0 +1,227 @@
+Based on https://libreplanet.org/wiki/Group:Hardware/research/gpu/radeon
+
+diff -ru a/drivers/gpu/drm/radeon/btc_dpm.c b/drivers/gpu/drm/radeon/btc_dpm.c
+--- a/drivers/gpu/drm/radeon/btc_dpm.c	2021-10-31 16:53:10.000000000 -0400
++++ b/drivers/gpu/drm/radeon/btc_dpm.c	2023-02-13 15:50:41.218608376 -0500
+@@ -2437,7 +2437,6 @@
+ 	ret = rv770_upload_firmware(rdev);
+ 	if (ret) {
+ 		DRM_ERROR("rv770_upload_firmware failed\n");
+-		return ret;
+ 	}
+ 	ret = cypress_get_table_locations(rdev);
+ 	if (ret) {
+diff -ru a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c
+--- a/drivers/gpu/drm/radeon/ci_dpm.c	2021-10-31 16:53:10.000000000 -0400
++++ b/drivers/gpu/drm/radeon/ci_dpm.c	2023-02-13 15:53:38.591724496 -0500
+@@ -5157,7 +5157,6 @@
+ 	ret = ci_upload_firmware(rdev);
+ 	if (ret) {
+ 		DRM_ERROR("ci_upload_firmware failed\n");
+-		return ret;
+ 	}
+ 	ret = ci_process_firmware_header(rdev);
+ 	if (ret) {
+diff -ru a/drivers/gpu/drm/radeon/cik.c b/drivers/gpu/drm/radeon/cik.c
+--- a/drivers/gpu/drm/radeon/cik.c	2023-02-13 15:21:35.174999782 -0500
++++ b/drivers/gpu/drm/radeon/cik.c	2023-02-13 15:47:37.149601121 -0500
+@@ -8285,7 +8285,6 @@
+ 		r = ci_mc_load_microcode(rdev);
+ 		if (r) {
+ 			DRM_ERROR("Failed to load MC firmware!\n");
+-			return r;
+ 		}
+ 	}
+ 
+@@ -8591,7 +8590,6 @@
+ 			r = cik_init_microcode(rdev);
+ 			if (r) {
+ 				DRM_ERROR("Failed to load firmware!\n");
+-				return r;
+ 			}
+ 		}
+ 	} else {
+@@ -8601,7 +8599,6 @@
+ 			r = cik_init_microcode(rdev);
+ 			if (r) {
+ 				DRM_ERROR("Failed to load firmware!\n");
+-				return r;
+ 			}
+ 		}
+ 	}
+@@ -8668,7 +8665,6 @@
+ 	 */
+ 	if (!rdev->mc_fw && !(rdev->flags & RADEON_IS_IGP)) {
+ 		DRM_ERROR("radeon: MC ucode required for NI+.\n");
+-		return -EINVAL;
+ 	}
+ 
+ 	return 0;
+diff -ru a/drivers/gpu/drm/radeon/cypress_dpm.c b/drivers/gpu/drm/radeon/cypress_dpm.c
+--- a/drivers/gpu/drm/radeon/cypress_dpm.c	2021-10-31 16:53:10.000000000 -0400
++++ b/drivers/gpu/drm/radeon/cypress_dpm.c	2023-02-13 15:50:25.130869935 -0500
+@@ -1862,7 +1862,6 @@
+ 	ret = rv770_upload_firmware(rdev);
+ 	if (ret) {
+ 		DRM_ERROR("rv770_upload_firmware failed\n");
+-		return ret;
+ 	}
+ 
+ 	ret = cypress_get_table_locations(rdev);
+diff -ru a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c
+--- a/drivers/gpu/drm/radeon/evergreen.c	2021-10-31 16:53:10.000000000 -0400
++++ b/drivers/gpu/drm/radeon/evergreen.c	2023-02-13 15:47:50.457384749 -0500
+@@ -5018,7 +5018,6 @@
+ 		r = ni_mc_load_microcode(rdev);
+ 		if (r) {
+ 			DRM_ERROR("Failed to load MC firmware!\n");
+-			return r;
+ 		}
+ 	}
+ 
+@@ -5235,7 +5234,6 @@
+ 			r = ni_init_microcode(rdev);
+ 			if (r) {
+ 				DRM_ERROR("Failed to load firmware!\n");
+-				return r;
+ 			}
+ 		}
+ 	} else {
+@@ -5243,7 +5241,6 @@
+ 			r = r600_init_microcode(rdev);
+ 			if (r) {
+ 				DRM_ERROR("Failed to load firmware!\n");
+-				return r;
+ 			}
+ 		}
+ 	}
+@@ -5289,7 +5286,6 @@
+ 	if (ASIC_IS_DCE5(rdev)) {
+ 		if (!rdev->mc_fw && !(rdev->flags & RADEON_IS_IGP)) {
+ 			DRM_ERROR("radeon: MC ucode required for NI+.\n");
+-			return -EINVAL;
+ 		}
+ 	}
+ 
+diff -ru a/drivers/gpu/drm/radeon/ni.c b/drivers/gpu/drm/radeon/ni.c
+--- a/drivers/gpu/drm/radeon/ni.c	2021-10-31 16:53:10.000000000 -0400
++++ b/drivers/gpu/drm/radeon/ni.c	2023-02-13 15:46:45.402442454 -0500
+@@ -2163,7 +2163,6 @@
+ 		r = ni_mc_load_microcode(rdev);
+ 		if (r) {
+ 			DRM_ERROR("Failed to load MC firmware!\n");
+-			return r;
+ 		}
+ 	}
+ 
+@@ -2390,7 +2389,6 @@
+ 			r = ni_init_microcode(rdev);
+ 			if (r) {
+ 				DRM_ERROR("Failed to load firmware!\n");
+-				return r;
+ 			}
+ 		}
+ 	} else {
+@@ -2398,7 +2396,6 @@
+ 			r = ni_init_microcode(rdev);
+ 			if (r) {
+ 				DRM_ERROR("Failed to load firmware!\n");
+-				return r;
+ 			}
+ 		}
+ 	}
+@@ -2453,7 +2450,6 @@
+ 	 */
+ 	if (!rdev->mc_fw && !(rdev->flags & RADEON_IS_IGP)) {
+ 		DRM_ERROR("radeon: MC ucode required for NI+.\n");
+-		return -EINVAL;
+ 	}
+ 
+ 	return 0;
+diff -ru a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c
+--- a/drivers/gpu/drm/radeon/r100.c	2023-02-13 15:21:35.174999782 -0500
++++ b/drivers/gpu/drm/radeon/r100.c	2023-02-13 15:49:15.548001277 -0500
+@@ -1134,7 +1134,6 @@
+ 		r = r100_cp_init_microcode(rdev);
+ 		if (r) {
+ 			DRM_ERROR("Failed to load firmware!\n");
+-			return r;
+ 		}
+ 	}
+ 
+diff -ru a/drivers/gpu/drm/radeon/r600.c b/drivers/gpu/drm/radeon/r600.c
+--- a/drivers/gpu/drm/radeon/r600.c	2023-02-13 15:21:35.174999782 -0500
++++ b/drivers/gpu/drm/radeon/r600.c	2023-02-13 15:46:07.291062125 -0500
+@@ -3299,7 +3299,6 @@
+ 		r = r600_init_microcode(rdev);
+ 		if (r) {
+ 			DRM_ERROR("Failed to load firmware!\n");
+-			return r;
+ 		}
+ 	}
+ 
+diff -ru a/drivers/gpu/drm/radeon/rv770.c b/drivers/gpu/drm/radeon/rv770.c
+--- a/drivers/gpu/drm/radeon/rv770.c	2021-10-31 16:53:10.000000000 -0400
++++ b/drivers/gpu/drm/radeon/rv770.c	2023-02-13 15:26:54.385808292 -0500
+@@ -1966,7 +1966,6 @@
+ 		r = r600_init_microcode(rdev);
+ 		if (r) {
+ 			DRM_ERROR("Failed to load firmware!\n");
+-			return r;
+ 		}
+ 	}
+ 
+diff -ru a/drivers/gpu/drm/radeon/rv770_dpm.c b/drivers/gpu/drm/radeon/rv770_dpm.c
+--- a/drivers/gpu/drm/radeon/rv770_dpm.c	2021-10-31 16:53:10.000000000 -0400
++++ b/drivers/gpu/drm/radeon/rv770_dpm.c	2023-02-13 15:50:13.591057564 -0500
+@@ -1948,12 +1948,10 @@
+ 	ret = rv770_upload_firmware(rdev);
+ 	if (ret) {
+ 		DRM_ERROR("rv770_upload_firmware failed\n");
+-		return ret;
+ 	}
+ 	ret = rv770_init_smc_table(rdev, boot_ps);
+ 	if (ret) {
+ 		DRM_ERROR("rv770_init_smc_table failed\n");
+-		return ret;
+ 	}
+ 
+ 	rv770_program_response_times(rdev);
+diff -ru a/drivers/gpu/drm/radeon/si.c b/drivers/gpu/drm/radeon/si.c
+--- a/drivers/gpu/drm/radeon/si.c	2023-02-13 15:21:35.178999717 -0500
++++ b/drivers/gpu/drm/radeon/si.c	2023-02-13 15:47:00.042204445 -0500
+@@ -6619,7 +6619,6 @@
+ 		r = si_mc_load_microcode(rdev);
+ 		if (r) {
+ 			DRM_ERROR("Failed to load MC firmware!\n");
+-			return r;
+ 		}
+ 	}
+ 
+@@ -6867,7 +6866,6 @@
+ 		r = si_init_microcode(rdev);
+ 		if (r) {
+ 			DRM_ERROR("Failed to load firmware!\n");
+-			return r;
+ 		}
+ 	}
+ 
+@@ -6926,7 +6924,6 @@
+ 	 */
+ 	if (!rdev->mc_fw) {
+ 		DRM_ERROR("radeon: MC ucode required for NI+.\n");
+-		return -EINVAL;
+ 	}
+ 
+ 	return 0;
+diff -ru a/drivers/gpu/drm/radeon/si_dpm.c b/drivers/gpu/drm/radeon/si_dpm.c
+--- a/drivers/gpu/drm/radeon/si_dpm.c	2021-10-31 16:53:10.000000000 -0400
++++ b/drivers/gpu/drm/radeon/si_dpm.c	2023-02-13 15:53:00.844338238 -0500
+@@ -6366,7 +6366,6 @@
+ 	ret = si_upload_firmware(rdev);
+ 	if (ret) {
+ 		DRM_ERROR("si_upload_firmware failed\n");
+-		return ret;
+ 	}
+ 	ret = si_process_firmware_header(rdev);
+ 	if (ret) {

helpers/DATA/linux-hwe-6.8/005-removal_of_external_recommendation_for_firmware.patch

@@ -0,0 +1,29 @@
+Removal of references to external repositories we can't manage what kind of firmware is pointed to.
+The only firmware we can confirm to work with is the one contained on the packge source code.
+
+diff --git a/drivers/net/wireless/atmel/at76c50x-usb.c b/drivers/net/wireless/atmel/at76c50x-usb.c
+index 447b51cf..898b83af 100644
+--- a/drivers/net/wireless/atmel/at76c50x-usb.c
++++ b/drivers/net/wireless/atmel/at76c50x-usb.c
+@@ -1619,8 +1619,6 @@ static struct fwentry *at76_load_firmware(struct usb_device *udev,
+ 	if (ret < 0) {
+ 		dev_err(&udev->dev, "firmware %s not found!\n",
+ 			fwe->fwname);
+-		dev_err(&udev->dev,
+-			"you may need to download the firmware from http://developer.berlios.de/projects/at76c503a/\n");
+ 		goto exit;
+ 	}
+ 
+diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
+index f3b50528..1860f2b7 100644
+--- a/sound/soc/sof/topology.c
++++ b/sound/soc/sof/topology.c
+@@ -2445,8 +2445,6 @@ int snd_sof_load_topology(struct snd_soc_component *scomp, const char *file)
+ 	if (ret < 0) {
+ 		dev_err(scomp->dev, "error: tplg request firmware %s failed err: %d\n",
+ 			file, ret);
+-		dev_err(scomp->dev,
+-			"you may need to download the firmware from https://github.com/thesofproject/sof-bin/\n");
+ 		return ret;
+ 	}
+ 

helpers/DATA/linux-hwe-6.8/check.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+files=`find -type f`
+while read -r line
+do
+    ./deblob-check $line
+done <<< "$files"