Merge branch 'aramo' of git.cmxsl.org:CMXSL.org/package-helpers-cmxsl into aramo-cmxsl

Prueba de emacs 30.1 en Aramo

Co-authored-by: Ark74 <ark@switnet.org>
Reviewed-on: #1

.gitlab/issue_templates/Default.md

@@ -0,0 +1,52 @@
+## Bug Report Template
+
+> **If you have a question or are not sure about what you are about to post, please use the forums instead.**
+> **Also, check for possible duplicate reports here or in the forum before submitting this issue.**
+
+---
+
+### 1. Affected Package revision / version
+
+<!-- Example: v1.3.2, v1.2.3trisquel1, etc -->
+
+---
+
+### 2. Steps to Reproduce
+
+<!-- List the minimal steps to reproduce the issue -->
+
+1. ...
+2. ...
+3. ...
+
+---
+
+### 3. Current Behavior
+
+<!-- Describe what is happening -->
+
+---
+
+### 4. Expected Behavior *(optional)*
+
+<!-- Describe what you expected to happen instead -->
+
+---
+
+### 5. Workaround *(optional)*
+
+<!-- Is there a known workaround? -->
+
+---
+
+### 6. Suggestions, Investigation and Possible Causes *(optional)*
+
+<!-- Share any insights, code references, or debugging steps you've taken -->
+
+---
+
+### 7. Other Tests *(optional)*
+
+<!-- Any other environments or tests tried? -->
+
+---

helpers/DATA/apparmor-profiles-extra/70aed868a4ed76d74eecf3b210ce7bf3098ffab4.patch

@@ -0,0 +1,38 @@
+From 70aed868a4ed76d74eecf3b210ce7bf3098ffab4 Mon Sep 17 00:00:00 2001
+From: Jacob K <jacobk@disroot.org>
+Date: Wed, 12 Feb 2025 12:19:24 -0600
+Subject: [PATCH] Add some lines from Atril's profile to fix the screen reader
+
+---
+ profiles/usr.bin.pidgin | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/profiles/usr.bin.pidgin b/profiles/usr.bin.pidgin
+index 5e18702..085301c 100644
+--- a/profiles/usr.bin.pidgin
++++ b/profiles/usr.bin.pidgin
+@@ -8,6 +8,7 @@
+   #include <abstractions/bash>
+   #include <abstractions/dbus-session>
+   #include <abstractions/dbus-strict>
++  #include <abstractions/dbus-accessibility>
+   #include <abstractions/dconf>
+   #include <abstractions/enchant>
+   #include <abstractions/gnome>
+@@ -82,6 +83,13 @@
+   owner @{PROC}/@{pid}/auxv r,
+   owner @{PROC}/@{pid}/fd/ r,
+ 
++  # These lines were copied from Atril's profile to make the screen reader functional
++  owner /{,var/}run/user/*/at-spi2-*/   rw,
++  owner /{,var/}run/user/*/at-spi2-*/** rw,
++  # Allow access to the non-abstract D-Bus socket used by at-spi > 2.42.0
++  #   https://gitlab.gnome.org/GNOME/at-spi2-core/-/issues/43
++  owner /{,var/}run/user/*/at-spi/bus* rw,
++
+   # Site-specific additions and overrides. See local/README for details.
+   #include <local/usr.bin.pidgin>
+ }
+-- 
+2.25.1
+

helpers/DATA/apparmor/b5a7641dd3502fcfb897d3b96e197628b674ce3c.patch

@@ -17,7 +17,7 @@ index 01493260d..dd783992d 100644
  /etc/wildmidi/wildmidi.cfg r,
  
 +# pipewire
-+/usr/share/pipewire/client.conf r,
++/usr/share/pipewire/client{,-rt}.conf r,
 +
    # Include additions to the abstraction
    include if exists <abstractions/audio.d>

helpers/DATA/atril/apparmor-profile

@@ -0,0 +1,350 @@
+# vim:syntax=apparmor
+
+# evince is not written with application confinement in mind and is designed to
+# operate within a trusted desktop session where anything running within the
+# user's session is trusted. That said, evince will often process untrusted
+# input (PDFs, images, etc). Ideally evince would be written in such a way that
+# image processing is separate from the main process and that processing
+# happens in a restrictive sandbox, but unfortunately that is not currently the
+# case. Because evince will process untrusted input, this profile aims to
+# provide some hardening, but considering evince's design and other factors such
+# as X, gsettings, accessibility, translations, DBus session and system
+# services, etc, complete confinement is not possible.
+
+#include <tunables/global>
+
+/usr/bin/atril {
+  #include <abstractions/audio>
+  #include <abstractions/bash>
+  #include <abstractions/cups-client>
+  #include <abstractions/dbus-accessibility>
+  #include <abstractions/atril>
+  #include <abstractions/ibus>
+  #include <abstractions/nameservice>
+
+  #include <abstractions/ubuntu-browsers>
+  #include <abstractions/ubuntu-console-browsers>
+  #include <abstractions/ubuntu-email>
+  #include <abstractions/ubuntu-console-email>
+  #include <abstractions/ubuntu-media-players>
+
+  # allow atril to spawn browsers distributed as snaps (LP: #1794064)
+  #include <abstractions/snap_browsers>
+
+  # For now, let atril talk to any session services over dbus. We can
+  # blacklist any problematic ones (but note, evince uses libsecret :\)
+  #include <abstractions/dbus-session>
+
+  #include <abstractions/dbus-strict>
+  dbus (receive) bus=system,
+  # Allow getting information from various system services
+  dbus (send)
+      bus=system
+      member="Get*"
+      peer=(label=unconfined),
+  # Allow talking to avahi with whatever polkit allows
+  dbus (send)
+      bus=system
+      interface="org.freedesktop.Avahi{,.*}",
+  # Allow talking to colord with whatever polkit allows
+  dbus (send)
+      bus=system
+      interface="org.freedesktop.ColorManager{,.*}",
+
+  # Terminals for using console applications. These abstractions should ideally
+  # have 'ix' to restrict access to what only atril is allowed to do
+  #include <abstractions/ubuntu-gnome-terminal>
+
+  # By default, we won't support launching a terminal program in Xterm or
+  # KDE's konsole. It opens up too many unnecessary files for most users.
+  # People who need this functionality can uncomment the following:
+  ##include <abstractions/ubuntu-xterm>
+  ##include <abstractions/ubuntu-konsole>
+
+  /usr/bin/atril rmPx,
+  /usr/bin/atril-previewer Px,
+  /usr/bin/yelp Cx -> sanitized_helper,
+  /usr/bin/bug-buddy px,
+  # 'Show Containing Folder' (LP: #1022962)
+  /usr/bin/nautilus Cx -> sanitized_helper, # Gnome
+  /usr/bin/pcmanfm Cx -> sanitized_helper,  # LXDE
+  /usr/bin/krusader Cx -> sanitized_helper, # KDE
+  /usr/bin/thunar Cx -> sanitized_helper,   # XFCE
+
+  # Print Dialog
+  /usr/lib/@{multiarch}/libproxy/*/pxgsettings Cx -> sanitized_helper,
+
+  # For Xubuntu to launch the browser
+  #include <abstractions/exo-open>
+
+  # For text attachments
+  /usr/bin/gedit ixr,
+
+  # For Send to
+  /usr/bin/nautilus-sendto Cx -> sanitized_helper,
+
+  # GLib desktop launch helper (used under the hood by g_app_info_launch)
+  /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rmix,
+  /usr/bin/env ixr,
+
+  # allow directory listings (ie 'r' on directories) so browsing via the file
+  # dialog works
+  / r,
+  /**/ r,
+
+  # This is need for saving files in your home directory without an extension.
+  # Changing this to '@{HOME}/** r' makes it require an extension and more
+  # secure (but with 'rw', we still have abstractions/private-files-strict in
+  # effect).
+  owner @{HOME}/** rw,
+  owner /media/**  rw,
+  owner @{HOME}/.local/share/gvfs-metadata/** l,
+  owner /{,var/}run/user/*/gvfs-metadata/** l,
+
+  # Maybe add to an abstraction?
+  /etc/dconf/**                                       r,
+  owner @{HOME}/.cache/dconf/user                     rw,
+  owner @{HOME}/.config/dconf/user                    r,
+  owner @{HOME}/.config/enchant/*                     rk,
+  owner /{,var/}run/user/*/dconf/                     w,
+  owner /{,var/}run/user/*/dconf/user                 rw,
+  owner /{,var/}run/user/*/dconf-service/keyfile/     w,
+  owner /{,var/}run/user/*/dconf-service/keyfile/user rw,
+
+  owner /{,var/}run/user/*/at-spi2-*/   rw,
+  owner /{,var/}run/user/*/at-spi2-*/** rw,
+
+  # Allow access to the non-abstract D-Bus socket used by at-spi > 2.42.0
+  #   https://gitlab.gnome.org/GNOME/at-spi2-core/-/issues/43
+  owner /{,var/}run/user/*/at-spi/bus* rw,
+
+  # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
+  # read and write for all supported file formats
+  /**.[aA][iI]         rw,
+  /**.[bB][mM][pP]     rw,
+  /**.[dD][jJ][vV][uU] rw,
+  /**.[dD][vV][iI]     rw,
+  /**.[gG][iI][fF]     rw,
+  /**.[jJ][pP][gG]     rw,
+  /**.[jJ][pP][eE][gG] rw,
+  /**.[oO][dD][pP]     rw,
+  /**.[fFpP][dD][fF]   rw,
+  /**.[pP][nN][mM]     rw,
+  /**.[pP][nN][gG]     rw,
+  /**.[pP][sS]         rw,
+  /**.[eE][pP][sS]     rw,
+  /**.[tT][iI][fF]     rw,
+  /**.[tT][iI][fF][fF] rw,
+  /**.[xX][pP][mM]     rw,
+  /**.[gG][zZ]         rw,
+  /**.[bB][zZ]2        rw,
+  /**.[cC][bB][rRzZ7]  rw,
+  /**.[xX][zZ]         rw,
+
+  # atril creates a temporary stream file like '.goutputstream-XXXXXX' in the
+  # directory a file is saved. This allows that behavior.
+  owner /**/.goutputstream-* w,
+
+  # allow atril to spawn browsers distributed as snaps (LP: #1794064)
+  /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrCx -> snap_browsers,
+}
+
+/usr/bin/atril-previewer {
+  #include <abstractions/audio>
+  #include <abstractions/bash>
+  #include <abstractions/cups-client>
+  #include <abstractions/dbus-accessibility>
+  #include <abstractions/atril>
+  #include <abstractions/ibus>
+  #include <abstractions/nameservice>
+
+  #include <abstractions/ubuntu-browsers>
+  #include <abstractions/ubuntu-console-browsers>
+  #include <abstractions/ubuntu-email>
+  #include <abstractions/ubuntu-console-email>
+  #include <abstractions/ubuntu-media-players>
+
+  # For now, let atril talk to any session services over dbus. We can
+  # blacklist any problematic ones (but note, evince uses libsecret :\)
+  #include <abstractions/dbus-session>
+
+  #include <abstractions/dbus-strict>
+  dbus (receive) bus=system,
+  # Allow getting information from various system services
+  dbus (send)
+      bus=system
+      member="Get*"
+      peer=(label=unconfined),
+  # Allow talking to avahi with whatever polkit allows
+  dbus (send)
+      bus=system
+      interface="org.freedesktop.Avahi{,.*}",
+  # Allow talking to colord with whatever polkit allows
+  dbus (send)
+      bus=system
+      interface="org.freedesktop.ColorManager{,.*}",
+
+
+  # Terminals for using console applications. These abstractions should ideally
+  # have 'ix' to restrict access to what only atril is allowed to do
+  #include <abstractions/ubuntu-gnome-terminal>
+
+  # By default, we won't support launching a terminal program in Xterm or
+  # KDE's konsole. It opens up too many unnecessary files for most users.
+  # People who need this functionality can uncomment the following:
+  ##include <abstractions/ubuntu-xterm>
+
+  /usr/bin/atril-previewer mr,
+  /usr/bin/yelp Cx -> sanitized_helper,
+  /usr/bin/bug-buddy px,
+
+  # Lenient, but remember we still have abstractions/private-files-strict in
+  # effect). Write is needed for 'print to file' from the previewer.
+  @{HOME}/ r,
+  @{HOME}/** rw,
+
+  # Maybe add to an abstraction?
+  owner /{,var/}run/user/*/dconf/          w,
+  owner /{,var/}run/user/*/dconf/user      rw,
+}
+
+/usr/bin/atril-thumbnailer {
+  #include <abstractions/base>
+  #include <abstractions/private-files-strict>
+
+  #include <abstractions/fonts>
+  deny @{HOME}/.{,cache/}fontconfig/** wl,
+  deny @{HOME}/missfont.log wl,
+
+  #include <abstractions/dbus-session-strict>
+  dbus (receive) bus=session,
+  dbus (send)
+    bus=session
+    path="/org/gtk/vfs/mounttracker"
+    interface="org.gtk.vfs.MountTracker"
+    member="ListMountableInfo"
+    peer=(label=unconfined),
+
+  # updating gvfs-metadata for thumbnails is unneeded, so explicitly deny it
+  deny dbus (send)
+    bus=session
+    path="/org/gtk/vfs/metadata"
+    interface="org.gtk.vfs.Metadata"
+    member="GetTreeFromDevice"
+    peer=(label=unconfined),
+  deny @{HOME}/.local/share/gvfs-metadata/* r,
+
+  dbus (send)
+    bus=session
+    path="/org/gtk/vfs/Daemon"
+    interface="org.gtk.vfs.Daemon"
+    member="List*"
+    peer=(label=unconfined),
+
+  # The thumbnailer doesn't need access to everything in the nameservice
+  # abstraction. Allow reading of /etc/passwd and /etc/group, but suppress
+  # logging denial of nsswitch.conf.
+  /etc/passwd r,
+  /etc/group r,
+  deny /etc/nsswitch.conf r,
+
+  # TCP/UDP network access for NFS
+  network inet  stream,
+  network inet6 stream,
+  network inet  dgram,
+  network inet6 dgram,
+
+  /etc/papersize r,
+
+  /usr/bin/atril-thumbnailer mr,
+
+  /etc/texmf/ r,
+  /etc/texmf/** r,
+  /etc/xpdf/* r,
+
+  /usr/bin/gs-esp ixr,
+  # Silence these denials since 'no new privs' drops transitions to
+  # sanitized_helper, we don't want all those perms in the thumbnailer
+  # and the thumbnailer generates thumbnails without these just fine.
+  deny /usr/bin/mktexpk x,
+  deny /usr/bin/mktextfm x,
+  deny /usr/bin/dvipdfm x,
+  deny /usr/bin/dvipdfmx x,
+  deny /usr/bin/mkofm x,
+
+  # supported archivers
+  /{usr/,}bin/gzip ixr,
+  /{usr/,}bin/bzip2 ixr,
+  /usr/bin/unrar* ixr,
+  /usr/bin/unzip ixr,
+  /usr/bin/7zr ixr,
+  /usr/lib/p7zip/7zr ixr,
+  /usr/bin/7za ixr,
+  /usr/lib/p7zip/7za ixr,
+  /usr/bin/zipnote ixr,
+  /{usr/,}bin/tar ixr,
+  /usr/bin/xz ixr,
+
+  # miscellaneous access for the above
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mountinfo r,
+  /sys/devices/system/cpu/ r,
+
+  # allow read access to anything in /usr/share, for plugins and input methods
+  /usr/local/share/** r,
+  /usr/share/** r,
+  /usr/lib/ghostscript/** mr,
+  /var/lib/ghostscript/** r,
+  /var/lib/texmf/** r,
+
+  # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
+  # read for all supported file formats
+  /**.[bB][mM][pP]     r,
+  /**.[dD][jJ][vV][uU] r,
+  /**.[dD][vV][iI]     r,
+  /**.[gG][iI][fF]     r,
+  /**.[jJ][pP][gG]     r,
+  /**.[jJ][pP][eE][gG] r,
+  /**.[oO][dD][pP]     r,
+  /**.[fFpP][dD][fF]   r,
+  /**.[pP][nN][mM]     r,
+  /**.[pP][nN][gG]     r,
+  /**.[pP][sS]         r,
+  /**.[eE][pP][sS]     r,
+  /**.[eE][pP][sS][fFiI23] r,
+  /**.[tT][iI][fF]     r,
+  /**.[tT][iI][fF][fF] r,
+  /**.[xX][pP][mM]     r,
+  /**.[gG][zZ]         r,
+  /**.[bB][zZ]2        r,
+  /**.[cC][bB][rRzZ7]  r,
+  /**.[xX][zZ]         r,
+
+  owner @{HOME}/.texlive*/** r,
+  owner @{HOME}/.texmf*/** r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,
+
+  # With the network rules above, this allows data exfiltration for files
+  # not covered by private-files-strict.
+  @{HOME}/ r,
+  owner @{HOME}/[^.]** r,
+  owner /media/**  r,
+
+  owner /tmp/.gnome_desktop_thumbnail* w,
+  owner /tmp/gnome-desktop-* rw,
+  owner /tmp/atril-thumbnailer*/{,**} rw,
+  
+  # these happen post pivot_root
+  / r,
+  deny /missfont.log w,
+
+  # Add apparmor rule for mate's caja - LP#1798091
+  owner /tmp/.mate_desktop_thumbnail* w,
+  owner /tmp/mate-desktop-thumbnailer* w,
+
+  # Fix thumbnail issue #915024
+  owner @{HOME}/.cache/thumbnails/** rw,
+  owner /tmp/atril-thumbnailer* rw,
+
+}

helpers/DATA/atril/apparmor-profile.abstraction

@@ -0,0 +1,127 @@
+# vim:syntax=apparmor
+#
+# abstraction used by atril binaries
+#
+
+  #include <abstractions/gnome>
+  #include <abstractions/p11-kit>
+  #include <abstractions/ubuntu-helpers>
+
+  @{PROC}/[0-9]*/fd/ r,
+  @{PROC}/[0-9]*/mountinfo r,
+  owner @{PROC}/[0-9]*/auxv r,
+  owner @{PROC}/[0-9]*/status r,
+
+  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
+  # Possibly move to an abstraction if anything else needs it.
+  deny /run/udev/data/** r,
+
+  # move out to the gnome abstraction if anyone else needs these
+  /etc/udev/udev.conf r,
+  /sys/devices/**/block/**/uevent r,
+
+  # apport
+  /etc/default/apport r,
+
+  # XFCE
+  /etc/xfce4/defaults.list r,
+
+  # Lubuntu
+  /etc/xdg/lubuntu/applications/defaults.list r,
+
+  # atril specific
+  /etc/ r,
+  /etc/fstab r,
+  /etc/texmf/ r,
+  /etc/texmf/** r,
+  /etc/xpdf/* r,
+  owner @{HOME}/.config/atril/   rw,
+  owner @{HOME}/.config/atril/** rwkl,
+
+  /usr/bin/gs-esp ixr,
+  /usr/bin/mktexpk Cx -> sanitized_helper,
+  /usr/bin/mktextfm Cx -> sanitized_helper,
+  /usr/bin/dvipdfm Cx -> sanitized_helper,
+  /usr/bin/dvipdfmx Cx -> sanitized_helper,
+
+  # gio-launch-desktop was replaced by a very small shell script
+  /{usr/,}bin/{dash,bash} ixr,
+ 
+  # supported archivers
+  /{usr/,}bin/gzip ixr,
+  /{usr/,}bin/bzip2 ixr,
+  /usr/bin/unrar* ixr,
+  /usr/bin/unzip ixr,
+  /usr/bin/7zr ixr,
+  /usr/lib/p7zip/7zr ixr,
+  /usr/bin/7za ixr,
+  /usr/lib/p7zip/7za ixr,
+  /usr/bin/zipnote ixr,
+  /{usr/,}bin/tar ixr,
+  /usr/bin/xz ixr,
+
+  # allow read access to anything in /usr/share, for plugins and input methods
+  /usr/local/share/** r,
+  /usr/share/** r,
+  /usr/lib/ghostscript/** mr,
+  /var/lib/ghostscript/** r,
+  /var/lib/texmf/{,**} r,
+
+  # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
+  # read for all supported file formats
+  /**.[aA][iI]         r,
+  /**.[bB][mM][pP]     r,
+  /**.[dD][jJ][vV][uU] r,
+  /**.[dD][vV][iI]     r,
+  /**.[gG][iI][fF]     r,
+  /**.[jJ][pP][gG]     r,
+  /**.[jJ][pP][eE][gG] r,
+  /**.[oO][dD][pP]     r,
+  /**.[fFpP][dD][fF]   r,
+  /**.[pP][nN][mM]     r,
+  /**.[pP][nN][gG]     r,
+  /**.[pP][sS]         r,
+  /**.[eE][pP][sS]     r,
+  /**.[eE][pP][sS][fFiI23] r,
+  /**.[tT][iI][fF]     r,
+  /**.[tT][iI][fF][fF] r,
+  /**.[xX][pP][mM]     r,
+  /**.[gG][zZ]         r,
+  /**.[bB][zZ]2        r,
+  /**.[cC][bB][rRzZ7]  r,
+  /**.[xX][zZ]         r,
+
+  # Use abstractions/private-files instead of abstractions/private-files-strict
+  # and add the sensitive files manually to work around LP: #451422. The goal
+  # is to disallow access to the .mozilla folder in general, but to allow
+  # access to the Cache directory, which the browser may tell atril to open
+  # from directly.
+
+  #include <abstractions/private-files>
+  audit deny @{HOME}/.gnupg/{,**} mrwkl,
+  audit deny @{HOME}/.ssh/{,**} mrwkl,
+  audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
+  audit deny @{HOME}/.gnome2/ w,
+  audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
+  audit deny @{HOME}/.kde/{,share/,share/apps/} w,
+  audit deny @{HOME}/.kde/share/apps/kwallet/{,**} mrwkl,
+  audit deny @{HOME}/.pki/{,nssdb/} w,
+  audit deny @{HOME}/.pki/nssdb/{,**} wl,
+
+  audit deny @{HOME}/.mozilla/{,**/} w,
+  audit deny @{HOME}/.mozilla/*/*/* mrwkl,
+  audit deny @{HOME}/.mozilla/**/bookmarkbackups/{,**} mrwkl,
+  audit deny @{HOME}/.mozilla/**/chrome/{,**} mrwkl,
+  audit deny @{HOME}/.mozilla/**/extensions/{,**} mrwkl,
+  audit deny @{HOME}/.mozilla/**/gm_scripts/{,**} mrwkl,
+
+  audit deny @{HOME}/.config/ w,
+  audit deny @{HOME}/.config/chromium/{,**} mrwkl,
+  audit deny @{HOME}/.config/evolution/{,**} mrwkl,
+  audit deny @{HOME}/.evolution/{,**} mrwkl,
+  audit deny @{HOME}/.kde/{,share/,share/apps/} w,
+  audit deny @{HOME}/.kde/share/config/{,**} mrwkl,
+  audit deny @{HOME}/.kde/share/apps/kmail/{,**} mrwkl,
+  audit deny @{HOME}/.{,mozilla-}thunderbird/{,**/} w,
+  audit deny @{HOME}/.{,mozilla-}thunderbird/*/* mrwkl,
+  audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/{,**} mrwkl,

helpers/DATA/atril/atril.apport

@@ -0,0 +1,21 @@
+'''apport package hook for atril
+
+(c) 2024 Luis Guzmán
+Author:
+Luis Guzmán <ark@switnet.org>
+based on evince's hook
+
+'''
+
+from apport.hookutils import *
+from os import path
+import re
+
+def add_info(report):
+    attach_conffiles(report, 'atril')
+    attach_related_packages(report, ['apparmor', 'libapparmor1',
+        'libapparmor-perl', 'apparmor-utils', 'auditd', 'libaudit1'])
+
+    attach_mac_events(report, ['/usr/bin/atril',
+                               '/usr/bin/atril-previewer',
+                               '/usr/bin/atril-thumbnailer'])

helpers/DATA/atril/patches/add_install_profiles_rules.patch

@@ -0,0 +1,29 @@
+diff --git a/debian/rules b/debian/rules
+old mode 100755
+new mode 100644
+index 8a7ff87..655c574
+--- a/debian/rules
++++ b/debian/rules
+@@ -52,3 +52,9 @@ override_dh_auto_configure:
+ 
+ get-orig-source:
+ 	uscan --noconf --force-download --rename --download-current-version --destdir=..
++
++execute_after_dh_install:
++	install -m 0644 -D debian/apparmor-profile debian/atril/etc/apparmor.d/usr.bin.atril
++	install -m 0644 -D debian/apparmor-profile.abstraction debian/atril/etc/apparmor.d/abstractions/atril
++	install -m 0644 -D debian/atril.apport debian/atril/usr/share/apport/package-hooks/source_atril.py
++	dh_apparmor --profile-name=usr.bin.atril -patril
+
+diff --git a/debian/control b/debian/control
+index f5bda53..6d72cc9 100644
+--- a/debian/control
++++ b/debian/control
+@@ -9,6 +9,7 @@ Uploaders: Mike Gabriel <sunweaver@debian.org>,
+            Vangelis Mouhtsis <vangelis@gnugr.org>,
+            Martin Wimpress <code@flexion.org>,
+ Build-Depends: debhelper-compat (= 13),
++               dh-apparmor,
+                dpkg-dev (>= 1.16.1.1),
+                gobject-introspection,
+                intltool,

helpers/DATA/choose-mirror/rev_Makefile.patch

@@ -5,7 +5,7 @@ diff -ru choose-mirror-2.78ubuntu7+10.0trisquel3/Makefile choose-mirror-2.111/Ma
  STRIP=strip
  
  # Derivative distributions may want to change these.
--#MIRRORLISTURL=https://anonscm.debian.org/git/mirror/mirror-masterlist.git/plain/Mirrors.masterlist
+-#MIRRORLISTURL=https://gitlab.trisquel.org/trisquel/trisquel-packages/-/raw/master/extra/mirrors/Mirrors.masterlist
 -MASTERLIST=Mirrors.masterlist.trisquel
 +MIRRORLISTURL=https://salsa.debian.org/mirror-team/masterlist/raw/master/Mirrors.masterlist
 +MASTERLIST=Mirrors.masterlist

helpers/DATA/cron/license-info-fix.patch

@@ -0,0 +1,37 @@
+diff --git a/debian/copyright b/debian/copyright
+index 3c8824f..c6ec81a 100644
+--- a/debian/copyright
++++ b/debian/copyright
+@@ -38,7 +38,7 @@ License: GPL-2+
+ 
+ Files: debian/examples/crontab2english.pl
+ Copyright: 2001, Sean M. Burke
+-License: Artistic
++License: GPL-1+ or Artistic
+ 
+ License: Paul-Vixie's-license
+  Distribute freely, except: don't remove my name from the source or
+@@ -67,6 +67,23 @@ License: GPL-2+
+  On Debian systems, the complete text of the GNU General
+  Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
+ 
++License: GPL-1+
++ This package is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 1 of the License, or
++ (at your option) any later version.
++ .
++ This package is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ GNU General Public License for more details.
++ .
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>
++ .
++ On Debian systems, the complete text of the GNU General
++ Public License version 1 can be found in "/usr/share/common-licenses/GPL-1".
++
+ License: Artistic
+  This program is free software; you can redistribute it and/or modify it
+  under the terms of the "Artistic License" which comes with Debian.

helpers/DATA/debconf-kde/patch_changes/000-fix_TPH_212_LP_1851573.patch

@@ -0,0 +1,33 @@
+diff --git a/tools/main.cpp b/tools/main.cpp
+index 813aba5a..5f91e057 100644
+--- a/tools/main.cpp
++++ b/tools/main.cpp
+@@ -37,6 +37,8 @@
+ 
+ #include <DebconfGui.h>
+ 
++#include <pwd.h>
++
+ using namespace DebconfKde;
+ 
+ // Handle SIGQUIT. Clients (e.g. packagekit) may use QUIT which would otherwise
+@@ -73,6 +76,19 @@ static void setupQuitHandler() {
+ 
+ int main(int argc, char **argv)
+ {
++    /* TPH: #212 | LP: #1851573 — When the helper is started through pkexec/aptdaemon
++     * the environment may arrive without $HOME.  Without HOME, KConfig writes
++     * to "//.config/..." and shows a "not writable" dialog for every debconf
++     * question.  Substitute the passwd entry’s home directory.
++     */
++    const char *homeEnv = getenv("HOME");
++    if (!homeEnv || homeEnv[0] == '\0') {
++        struct passwd *pw = getpwuid(getuid());
++        if (pw && pw->pw_dir) {
++            setenv("HOME", pw->pw_dir, /* overwrite = */ 1);
++        }
++    }
++
+     QApplication app(argc, argv);
+     setupQuitHandler();
+ 

helpers/DATA/debootstrap/ecne

@@ -0,0 +1 @@
+trisquel

helpers/DATA/dino-im/cve/01_ef8fb0e94ce79d5fde2943e433ad0422eb7f70ec.patch

@@ -0,0 +1,37 @@
+From ef8fb0e94ce79d5fde2943e433ad0422eb7f70ec Mon Sep 17 00:00:00 2001
+From: Marvin W <git@larma.de>
+Date: Thu, 23 Mar 2023 10:13:30 -0600
+Subject: [PATCH] Check sender of bookmark:1 updates
+
+---
+ xmpp-vala/src/module/xep/0402_bookmarks2.vala | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/xmpp-vala/src/module/xep/0402_bookmarks2.vala b/xmpp-vala/src/module/xep/0402_bookmarks2.vala
+index 406f37f43..d1e53e6e3 100644
+--- a/xmpp-vala/src/module/xep/0402_bookmarks2.vala
++++ b/xmpp-vala/src/module/xep/0402_bookmarks2.vala
+@@ -68,6 +68,11 @@ public class Module : BookmarksProvider, XmppStreamModule {
+     }
+ 
+     private void on_pupsub_item(XmppStream stream, Jid jid, string id, StanzaNode? node) {
++        if (!jid.equals(stream.get_flag(Bind.Flag.IDENTITY).my_jid.bare_jid)) {
++            warning("Received alleged bookmarks:1 item from %s, ignoring", jid.to_string());
++            return;
++        }
++
+         Conference conference = parse_item_node(node, id);
+         Flag? flag = stream.get_flag(Flag.IDENTITY);
+         if (flag != null) {
+@@ -77,6 +82,11 @@ public class Module : BookmarksProvider, XmppStreamModule {
+     }
+ 
+     private void on_pupsub_retract(XmppStream stream, Jid jid, string id) {
++        if (!jid.equals(stream.get_flag(Bind.Flag.IDENTITY).my_jid.bare_jid)) {
++            warning("Received alleged bookmarks:1 retract from %s, ignoring", jid.to_string());
++            return;
++        }
++
+         try {
+             Jid jid_parsed = new Jid(id);
+             Flag? flag = stream.get_flag(Flag.IDENTITY);

helpers/DATA/distro-info-data/README.Debian.patch

@@ -1,5 +1,5 @@
---- debian/README.Debian	2019-10-17 15:10:30.000000000 -0500
-+++ debian/README.Debian_trisquel	2021-11-26 13:26:20.362971709 -0600
+--- a/debian/README.Debian	2019-10-17 15:10:30.000000000 -0500
++++ b/debian/README.Debian	2021-11-26 13:26:20.362971709 -0600
 @@ -2,7 +2,7 @@
  ===========
  

helpers/DATA/distro-info-data/add_trisquel_tools_py.patch

@@ -1,5 +1,5 @@
---- lib/tools.py	2021-10-15 08:01:00.000000000 -0500
-+++ lib/tools.py	2022-04-06 12:27:07.672427372 -0500
+--- a/lib/tools.py	2021-10-15 08:01:00.000000000 -0500
++++ a/lib/tools.py	2022-04-06 12:27:07.672427372 -0500
 @@ -37,7 +37,7 @@
  def main(validation_function):
      """Main function with command line parameter parsing."""

helpers/DATA/distro-info-data/add_trisquel_validate.patch

@@ -1,5 +1,5 @@
---- validate-csv-data	2021-10-15 08:01:00.000000000 -0500
-+++ validate-csv-data	2022-04-06 12:27:29.004706669 -0500
+--- a/validate-csv-data	2021-10-15 08:01:00.000000000 -0500
++++ b/validate-csv-data	2022-04-06 12:27:29.004706669 -0500
 @@ -27,6 +27,13 @@
  
  

helpers/DATA/distro-info-data/trisquel.csv

@@ -12,3 +12,4 @@ version,codename,series,created,release,eol,upstream
 9.0 LTS,Etiona,etiona,2017-10-19,2020-10-16,2023-05-31,bionic
 10.0 LTS,Nabia,nabia,2019-10-17,2021-12-16,2025-05-29,focal
 11.0 LTS,Aramo,aramo,2021-10-14,2023-03-19,2027-06-01,jammy
+12.0 LTS,Ecne,ecne,2023-10-12,2029-05-31,2029-05-31,noble

helpers/DATA/emacs/patch_changes/000-add_custom_libs_imagemagic_tree-sitter_json.patch

@@ -0,0 +1,41 @@
+diff --git a/debian/rules b/debian/rules
+index 2aaaef13..db5d184f 100755
+--- a/debian/rules
++++ b/debian/rules
+@@ -297,6 +297,9 @@ confflags_gtk := $(confflags)
+ confflags_gtk += --with-cairo
+ confflags_gtk += --with-x=yes
+ confflags_gtk += --with-x-toolkit=gtk3
++confflags_gtk += --with-imagemagick
++#confflags_gtk += --with-tree-sitter
++confflags_gtk += --with-json
+ # For those who prefer the old-style non-toolkit scrollbars, just
+ # change the assignment below to --without-toolkit-scroll-bars.  The
+ # resulting emacs-gtk package will have the old scrollbars.
+@@ -317,6 +320,9 @@ confflags_lucid += --with-x=yes
+ confflags_lucid += --with-x-toolkit=lucid
+ confflags_lucid += --with-toolkit-scroll-bars
+ confflags_lucid += --without-gsettings
++confflags_gtk += --with-imagemagick
++#confflags_gtk += --with-tree-sitter
++confflags_gtk += --with-json
+ 
+ define cfg_tree
+   cd $(1) && \
+diff --git a/debian/control b/debian/control
+index 005b695..169abfc 100644
+--- a/debian/control
++++ b/debian/control
+@@ -26,10 +26,12 @@ Build-Depends:
+  libgpm-dev [linux-any],
+  libgtk-3-dev,
+  libharfbuzz-dev,
++ libjansson-dev,
+  libjpeg-dev,
+  liblcms2-dev,
+  liblockfile-dev,
+  libm17n-dev,
++ libmagickwand-dev,
+  libncurses-dev,
+  liboss4-salsa-dev [hurd-i386 kfreebsd-i386 kfreebsd-amd64],
+  libotf-dev,

helpers/DATA/firefox/branding/content/aboutDialog.css

@@ -40,8 +40,9 @@
 }
 
 #rightBox {
-  margin-left: 30px;
-  margin-right: 30px;
+  background-size: auto 64px;
+  margin-inline: 30px;
+  padding-top: 64px;
 }
 
 #bottomBox {

helpers/DATA/firefox/default-strict.patch

@@ -1,7 +1,8 @@
-diff -ru firefox-110.0+build1/browser/components/BrowserGlue.sys.mjs firefox-110.0+build1/browser/components/BrowserGlue.sys.mjs_fix
---- firefox-110.0+build1/browser/components/BrowserGlue.sys.mjs	2023-02-07 01:52:32.000000000 -0600
-+++ firefox-110.0+build1/browser/components/BrowserGlue.sys.mjs_fix	2023-02-07 14:52:59.465762604 -0600
-@@ -1637,6 +1637,19 @@
+diff --git a/browser/components/BrowserGlue.sys.mjs b/browser/components/BrowserGlue.sys.mjs
+index 8fa6f7a..a34ab8b 100644
+--- a/browser/components/BrowserGlue.sys.mjs
++++ b/browser/components/BrowserGlue.sys.mjs
+@@ -1860,6 +1860,19 @@ BrowserGlue.prototype = {
        }
      });
  
@@ -18,6 +19,6 @@ diff -ru firefox-110.0+build1/browser/components/BrowserGlue.sys.mjs firefox-110
 +      Services.prefs.setStringPref("browser.contentblocking.category", "strict"); this._updateCBCategory;
 +    }
 +
-     // Offer to reset a user's profile if it hasn't been used for 60 days.
-     const OFFER_PROFILE_RESET_INTERVAL_MS = 60 * 24 * 60 * 60 * 1000;
-     let lastUse = Services.appinfo.replacedLockTime;
+     this._maybeOfferProfileReset();
+ 
+     this._checkForOldBuildUpdates();

helpers/DATA/firefox/patch_changes/001-Remove_Android_and_iOS_promotion.patch

@@ -1,13 +1,14 @@
 diff --git a/browser/components/preferences/sync.inc.xhtml b/browser/components/preferences/sync.inc.xhtml
-index 7d37d26..4ebbc06 100644
+index 492491a3..0c8c462a 100644
 --- a/browser/components/preferences/sync.inc.xhtml
 +++ b/browser/components/preferences/sync.inc.xhtml
-@@ -35,22 +35,6 @@
+@@ -35,24 +35,6 @@
          </hbox>
        </vbox>
      </hbox>
 -    <label class="fxaMobilePromo" data-l10n-id="sync-mobile-promo">
 -      <html:img
+-        role="none"
 -        src="chrome://browser/skin/logo-android.svg"
 -        data-l10n-name="android-icon"
 -        class="androidIcon"/>
@@ -15,6 +16,7 @@ index 7d37d26..4ebbc06 100644
 -        data-l10n-name="android-link"
 -        class="fxaMobilePromo-android text-link" target="_blank"/>
 -      <html:img
+-        role="none"
 -        src="chrome://browser/skin/logo-ios.svg"
 -        data-l10n-name="ios-icon"
 -        class="iOSIcon"/>
@@ -49,12 +51,12 @@ index 1b29e8d..6f7566c 100644
  sync-profile-picture =
      .tooltiptext = Change profile picture
 diff --git a/browser/components/protections/content/vpn-card.mjs b/browser/components/protections/content/vpn-card.mjs
-index 2417f1a641..698c48ccc3 100644
+index d9fe35c0..1b166048 100644
 --- a/browser/components/protections/content/vpn-card.mjs
 +++ b/browser/components/protections/content/vpn-card.mjs
-@@ -23,22 +23,6 @@ export default class VPNCard {
+@@ -24,22 +24,6 @@ export default class VPNCard {
      vpnLink.addEventListener("click", () => {
-       this.doc.sendTelemetryEvent("click", "vpn_card_link");
+       this.doc.sendTelemetryEvent("clickVpnCardLink");
      });
 -    let androidVPNAppLink = document.getElementById(
 -      "vpn-google-playstore-link"
@@ -63,14 +65,14 @@ index 2417f1a641..698c48ccc3 100644
 -      "browser.contentblocking.report.vpn-android.url"
 -    );
 -    androidVPNAppLink.addEventListener("click", () => {
--      document.sendTelemetryEvent("click", "vpn_app_link_android");
+-      document.sendTelemetryEvent("clickVpnAppLinkAndroid");
 -    });
 -    let iosVPNAppLink = document.getElementById("vpn-app-store-link");
 -    iosVPNAppLink.href = RPMGetStringPref(
 -      "browser.contentblocking.report.vpn-ios.url"
 -    );
 -    iosVPNAppLink.addEventListener("click", () => {
--      document.sendTelemetryEvent("click", "vpn_app_link_ios");
+-      document.sendTelemetryEvent("clickVpnAppLinkIos");
 -    });
  
      const vpnBanner = this.doc.querySelector(".vpn-banner");

helpers/DATA/firefox/patch_changes/003-disable_sponsored_topsites_and_keep_weather_widget_static.patch

@@ -0,0 +1,54 @@
+diff --git a/browser/app/profile/firefox.js b/browser/app/profile/firefox.js
+index 52a520fd..81cc685d 100644
+--- a/browser/app/profile/firefox.js
++++ b/browser/app/profile/firefox.js
+@@ -1718,19 +1718,19 @@
+ pref("browser.topsites.component.enabled", false);
+ pref("browser.topsites.useRemoteSetting", true);
+ // Fetch sponsored Top Sites from Mozilla Tiles Service (Contile)
+-pref("browser.topsites.contile.enabled", true);
+-pref("browser.topsites.contile.endpoint", "https://contile.services.mozilla.com/v1/tiles");
++pref("browser.topsites.contile.enabled", false);
++pref("browser.topsites.contile.endpoint", "");
+
+ // Whether to enable the Share-of-Voice feature for Sponsored Topsites via Contile.
+-pref("browser.topsites.contile.sov.enabled", true);
++pref("browser.topsites.contile.sov.enabled", false);
+
+ // The base URL for the Quick Suggest anonymizing proxy. To make a request to
+ // the proxy, include a campaign ID in the path.
+-pref("browser.partnerlink.attributionURL", "https://topsites.services.mozilla.com/cid/");
+-pref("browser.partnerlink.campaign.topsites", "amzn_2020_a1");
++pref("browser.partnerlink.attributionURL", "");
++pref("browser.partnerlink.campaign.topsites", "");
+
+ // Activates preloading of the new tab url.
+-pref("browser.newtab.preload", true);
++pref("browser.newtab.preload", false);
+
+ pref("browser.preonboarding.onTrainRolloutPopulation",  0);
+
+ // Mozilla Ad Routing Service (MARS) unified ads service
+-pref("browser.newtabpage.activity-stream.unifiedAds.tiles.enabled", true);
+-pref("browser.newtabpage.activity-stream.unifiedAds.spocs.enabled", true);
+-pref("browser.newtabpage.activity-stream.unifiedAds.endpoint", "https://ads.mozilla.org/");
++pref("browser.newtabpage.activity-stream.unifiedAds.tiles.enabled", false);
++pref("browser.newtabpage.activity-stream.unifiedAds.spocs.enabled", false);
++pref("browser.newtabpage.activity-stream.unifiedAds.endpoint", "");
+ pref("browser.newtabpage.activity-stream.unifiedAds.adsFeed.enabled", false);
+ pref("browser.newtabpage.activity-stream.unifiedAds.adsFeed.tiles.enabled", false);
+
+ // Weather widget for newtab
+-pref("browser.newtabpage.activity-stream.showWeather", true);
++pref("browser.newtabpage.activity-stream.showWeather", false);
+ pref("browser.newtabpage.activity-stream.weather.query", "");
+ pref("browser.newtabpage.activity-stream.weather.display", "simple");
+
++pref("browser.newtabpage.activity-stream.images.smart", true);
+
+ // enable location search for newtab weather widget
+-pref("browser.newtabpage.activity-stream.weather.locationSearchEnabled", true);
++pref("browser.newtabpage.activity-stream.weather.locationSearchEnabled", false);
+
+ // List of regions that get weather by default.
+ pref("browser.newtabpage.activity-stream.discoverystream.region-weather-config", "US,CA")

helpers/DATA/firefox/patch_changes/005-apply_custom_urls.patch

@@ -0,0 +1,53 @@
+# WIP - Help needed
+
+URL customizations requires to comprehend the scope to handle the documentation for this
+and other projects heavily customizing and rebranding Firefox like Abrowser does.
+
+This patch documents how to handle custom URLs to point to a desired page (initially).
+
+It replaces,
+
+* is="moz-support-link"
+* support-page="..."
+
+to customize the default URL, making sure there is an id for l10n field,
+
+* data-l10n-id="..."
+
+so the corresponding message is displayed as it seems to be linked on some cases
+with is="" and support-page="..."
+
+Cheers!
+
+diff --git a/browser/components/preferences/privacy.inc.xhtml b/browser/components/preferences/privacy.inc.xhtml_
+index 77ea8f5d..62c3ce8e 100644
+--- a/browser/components/preferences/privacy.inc.xhtml
++++ b/browser/components/preferences/privacy.inc.xhtml
+@@ -372,10 +372,7 @@
+           support-page="global-privacy-control" />
+     </hbox>
+     <hbox id="doNotTrackBox" flex="1" align="center" hidden="true">
+-      <html:a is="moz-support-link"
+-          id="doNotTrackRemoval"
+-          support-page="how-do-i-turn-do-not-track-feature"
+-          data-l10n-id="do-not-track-removal" />
++      <html:a class="learnMore" href="https://trisquel.info/en/wiki/abrowser-help" target="_blank"/>
+     </hbox>
+   </vbox>
+ </groupbox>
+@@ -388,11 +385,10 @@
+     <vbox flex="1">
+       <description class="description-with-side-element description-deemphasized" flex="1">
+         <html:span id="totalSiteDataSize"></html:span>
+-        <html:a is="moz-support-link"
+-                id="siteDataLearnMoreLink"
+-                data-l10n-id="sitedata-learn-more"
+-                support-page="storage-permissions"
+-        />
++        <html:a id="doNotTrackLearnMoreLink"
++            href="https://trisquel.info/en/wiki/abrowser-help"
++            data-l10n-id="do-not-track-learn-more"
++            target="_blank"/>
+       </description>
+       <hbox flex="1" id="deleteOnCloseNote" class="info-box-container smaller-font-size">
+         <hbox class="info-icon-container">

helpers/DATA/firefox/patch_changes/006-remova_mailto_handlers_correctly.patch

@@ -0,0 +1,204 @@
+diff --git a/uriloader/exthandler/HandlerList.sys.mjs b/uriloader/exthandler/HandlerList.sys.mjs
+index e95d627..beef04d 100644
+--- a/uriloader/exthandler/HandlerList.sys.mjs
++++ b/uriloader/exthandler/HandlerList.sys.mjs
+@@ -8,198 +8,7 @@ export const kHandlerList = {
+   default: {
+     schemes: {
+       mailto: {
+-        handlers: [
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-        ],
+-      },
+-    },
+-  },
+-  cs: {
+-    schemes: {
+-      mailto: {
+-        handlers: [
+-          {
+-            name: "Seznam",
+-            uriTemplate: "https://email.seznam.cz/newMessageScreen?mailto=%s",
+-          },
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-        ],
+-      },
+-    },
+-  },
+-  "es-CL": {
+-    schemes: {
+-      mailto: {
+-        handlers: [
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-          {
+-            name: "Outlook",
+-            uriTemplate:
+-              "https://outlook.live.com/default.aspx?rru=compose&to=%s",
+-          },
+-        ],
+-      },
+-    },
+-  },
+-  "ja-JP-mac": {
+-    schemes: {
+-      mailto: {
+-        handlers: [
+-          {
+-            name: "Yahoo!メール",
+-            uriTemplate: "https://mail.yahoo.co.jp/compose/?To=%s",
+-          },
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-        ],
+-      },
+-    },
+-  },
+-  ja: {
+-    schemes: {
+-      mailto: {
+-        handlers: [
+-          {
+-            name: "Yahoo!メール",
+-            uriTemplate: "https://mail.yahoo.co.jp/compose/?To=%s",
+-          },
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-        ],
+-      },
+-    },
+-  },
+-  kk: {
+-    schemes: {
+-      mailto: {
+-        handlers: [
+-          {
+-            name: "Яндекс.Почта",
+-            uriTemplate: "https://mail.yandex.ru/compose?mailto=%s",
+-          },
+-          {
+-            name: "Mail.Ru",
+-            uriTemplate: "https://e.mail.ru/cgi-bin/sentmsg?mailto=%s",
+-          },
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-        ],
+-      },
+-    },
+-  },
+-  ltg: {
+-    schemes: {
+-      mailto: {
+-        handlers: [
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-          {
+-            name: "inbox.lv mail",
+-            uriTemplate: "https://mail.inbox.lv/compose?to=%s",
+-          },
+-        ],
+-      },
+-    },
+-  },
+-  lv: {
+-    schemes: {
+-      mailto: {
+-        handlers: [
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-          {
+-            name: "inbox.lv mail",
+-            uriTemplate: "https://mail.inbox.lv/compose?to=%s",
+-          },
+-        ],
+-      },
+-    },
+-  },
+-  pl: {
+-    schemes: {
+-      mailto: {
+-        handlers: [
+-          {
+-            name: "Poczta Interia.pl",
+-            uriTemplate: "https://poczta.interia.pl/mh/?mailto=%s",
+-          },
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-        ],
+-      },
+-    },
+-  },
+-  ru: {
+-    schemes: {
+-      mailto: {
+-        handlers: [
+-          {
+-            name: "Яндекс.Почту",
+-            uriTemplate: "https://mail.yandex.ru/compose?mailto=%s",
+-          },
+-          {
+-            name: "Mail.Ru",
+-            uriTemplate: "https://e.mail.ru/cgi-bin/sentmsg?mailto=%s",
+-          },
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-        ],
+-      },
+-    },
+-  },
+-  uk: {
+-    schemes: {
+-      mailto: {
+-        handlers: [
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-          {
+-            name: "Outlook",
+-            uriTemplate:
+-              "https://outlook.live.com/default.aspx?rru=compose&to=%s",
+-          },
+-        ],
+-      },
+-    },
+-  },
+-  uz: {
+-    schemes: {
+-      mailto: {
+-        handlers: [
+-          {
+-            name: "Gmail",
+-            uriTemplate: "https://mail.google.com/mail/?extsrc=mailto&url=%s",
+-          },
+-          {
+-            name: "Mail.Ru",
+-            uriTemplate: "https://e.mail.ru/cgi-bin/sentmsg?mailto=%s",
+-          },
+-        ],
++        handlers: [],
+       },
+     },
+   },

helpers/DATA/firefox/patch_changes/007-disable_remote_settings_antifeature.patch

@@ -0,0 +1,96 @@
+diff --git a/services/settings/RemoteSettingsClient.sys.mjs b/services/settings/RemoteSettingsClient.sys.mjs
+index 7e98e6d..7716e41 100644
+--- a/services/settings/RemoteSettingsClient.sys.mjs
++++ b/services/settings/RemoteSettingsClient.sys.mjs
+@@ -229,13 +229,8 @@ class AttachmentDownloader extends Downloader {
+    * @see Downloader.download
+    */
+   async download(record, options) {
+-    await lazy.UptakeTelemetry.report(
+-      TELEMETRY_COMPONENT,
+-      lazy.UptakeTelemetry.STATUS.DOWNLOAD_START,
+-      {
+-        source: this._client.identifier,
+-      }
+-    );
++    console.warn("Function 'download' disabled in Abrowser due privacy concerns.");
++    return null;
+     try {
+       // Explicitly await here to ensure we catch a network error.
+       return await super.download(record, options);
+diff --git a/services/settings/Utils.sys.mjs b/services/settings/Utils.sys.mjs
+index 12fef6c..c52b65e 100644
+--- a/services/settings/Utils.sys.mjs
++++ b/services/settings/Utils.sys.mjs
+@@ -409,6 +409,8 @@ export var Utils = {
+    * @param {Object} filters
+    */
+   async fetchLatestChanges(serverUrl, options = {}) {
++    console.warn("Function 'fetchLatestChanges' disabled in Abrowser due privacy concerns.");
++    return null;
+     const { expectedTimestamp, lastEtag = "", filters = {} } = options;
+ 
+     let url = serverUrl + Utils.CHANGES_PATH;
+diff --git a/toolkit/components/telemetry/app/TelemetryUtils.sys.mjs b/toolkit/components/telemetry/app/TelemetryUtils.sys.mjs
+index 803d52a1..1a3ef5ba 100644
+--- a/toolkit/components/telemetry/app/TelemetryUtils.sys.mjs
++++ b/toolkit/components/telemetry/app/TelemetryUtils.sys.mjs
+@@ -124,6 +124,11 @@ export var TelemetryUtils = {
+    * Takes a date and returns it truncated to a date with daily precision.
+    */
+   truncateToDays(date) {
++  console.warn("Function 'truncateToDays' called with:", date);
++  if (!date || !(date instanceof Date)) {
++    console.warn("Function 'truncateToDays' disabled in Abrowser due to privacy concerns. Received invalid or undefined date.");
++    return null; // Retorna null para evitar errores posteriores
++  }
+     return new Date(
+       date.getFullYear(),
+       date.getMonth(),
+@@ -172,6 +172,10 @@ export var TelemetryUtils = {
+    * @return {Object} The Date object representing the next midnight.
+    */
+   getNextMidnight(date) {
++  if (!date || !(date instanceof Date)) {
++    console.warn("Function 'getNextMidnight' disabled in Abrowser due to privacy concerns.");
++    return null;
++  }
+     let nextMidnight = new Date(this.truncateToDays(date));
+     nextMidnight.setDate(nextMidnight.getDate() + 1);
+     return nextMidnight;
+@@ -185,6 +189,10 @@ export var TelemetryUtils = {
+    *                  is not within the midnight tolerance.
+    */
+   getNearestMidnight(date, tolerance) {
++  if (!date || !(date instanceof Date)) {
++    console.warn("Function 'getNearestMidnight' disabled in Abrowser due to privacy concerns.");
++    return null;
++  }
+     let lastMidnight = this.truncateToDays(date);
+     if (this.areTimesClose(date.getTime(), lastMidnight.getTime(), tolerance)) {
+       return lastMidnight;
+diff --git a/toolkit/components/telemetry/app/TelemetryScheduler.sys.mjs b/toolkit/components/telemetry/app/TelemetryScheduler.sys.mjs
+index 539447a..43d846b 100644
+--- a/toolkit/components/telemetry/app/TelemetryScheduler.sys.mjs
++++ b/toolkit/components/telemetry/app/TelemetryScheduler.sys.mjs
+@@ -183,8 +183,20 @@ export var TelemetryScheduler = {
+   },
+
+   _sentPingToday(pingTime, nowDate) {
++    // Validar 'nowDate' antes de usarlo
++    if (!nowDate || !(nowDate instanceof Date)) {
++      console.warn("Invalid 'nowDate' passed to _sentPingToday. Function disabled in Abrowser due to privacy concerns.");
++      return false; // Devolvemos 'false' para evitar errores
++    }
++
+     // This is today's date and also the previous midnight (0:00).
+     const todayDate = TelemetryUtils.truncateToDays(nowDate);
++
++    if (!todayDate) {
++      console.warn("TelemetryUtils.truncateToDays returned null. Skipping _sentPingToday.");
++      return false;
++    }
++
+     // We consider a ping sent for today if it occured after or at 00:00 today.
+     return pingTime >= todayDate.getTime();
+   },

helpers/DATA/firefox/patch_changes/008-aboutRights_removal_fix.patch

@@ -0,0 +1,26 @@
+diff --git a/browser/base/content/aboutDialog.xhtml b/browser/base/content/aboutDialog.xhtml
+index c6498081..a8db34ad 100644
+--- a/browser/base/content/aboutDialog.xhtml
++++ b/browser/base/content/aboutDialog.xhtml
+@@ -138,7 +138,7 @@
+     <vbox id="bottomBox">
+       <hbox pack="center">
+         <label is="text-link" class="bottom-link" useoriginprincipal="true" href="about:license" data-l10n-id="bottomLinks-license"/>
+-        <label is="text-link" class="bottom-link" href="https://www.mozilla.org/about/legal/terms/firefox/" data-l10n-id="bottom-links-terms"/>
++        <label is="text-link" class="bottom-link" href="https://trisquel.info/legal" data-l10n-id="bottom-links-terms"/>
+         <label is="text-link" class="bottom-link" href="https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&#38;utm_medium=firefox-desktop&#38;utm_campaign=about-dialog" data-l10n-id="bottom-links-privacy"/>
+       </hbox>
+       <description id="trademark" data-l10n-id="trademarkInfo"></description>
+diff --git a/browser/components/about/AboutRedirector.cpp b/browser/components/about/AboutRedirector.cpp
+index d1fe0148..ce5d1f42 100644
+--- a/browser/components/about/AboutRedirector.cpp
++++ b/browser/components/about/AboutRedirector.cpp
+@@ -90,7 +90,7 @@ static const RedirEntry kRedirMap[] = {
+     {"profiling",
+      "chrome://devtools/content/performance-new/aboutprofiling/index.xhtml",
+      nsIAboutModule::ALLOW_SCRIPT | nsIAboutModule::IS_SECURE_CHROME_UI},
+-    {"rights", "https://www.mozilla.org/about/legal/terms/firefox/",
++    {"rights", "https://trisquel.info/legal",
+      nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT |
+          nsIAboutModule::URI_MUST_LOAD_IN_CHILD},
+     {"robots", "chrome://browser/content/aboutRobots.xhtml",

helpers/DATA/firefox/patch_changes/009-remove_ubunfox_suggest_webext-ublock-origin.patch

@@ -0,0 +1,24 @@
+diff --git a/debian/control.in b/debian/control.in
+index dd3c8daa..911d9667 100644
+--- a/debian/control.in
++++ b/debian/control.in
+@@ -52,8 +52,7 @@ Architecture: any
+ Depends: lsb-release,
+ 	${misc:Depends},
+ 	${shlibs:Depends}
+-Recommends: xul-ext-ubufox,
+-	${support:Recommends},
++Recommends: ${support:Recommends},
+ 	libcanberra0,
+ 	libdbusmenu-glib4,
+ 	libdbusmenu-gtk3-4
+@@ -61,7 +60,8 @@ Provides: www-browser,
+ 	iceweasel, firefox,
+ 	gnome-www-browser,
+ 	${app:Provides}
+-Suggests: fonts-lyx,
++Suggests: webext-ublock-origin,
++	fonts-lyx,
+ 	${support:Suggests}
+ Breaks: ${transitional:Breaks}
+ Replaces: ${transitional:Replaces}

helpers/DATA/firefox/patch_changes/010-remove_theme_recommendation_and_saas_forge.patch

@@ -0,0 +1,23 @@
+diff --git a/toolkit/mozapps/extensions/content/aboutaddons.html b/toolkit/mozapps/extensions/content/aboutaddons.html
+index 77702576..35cf6593 100644
+--- a/toolkit/mozapps/extensions/content/aboutaddons.html
++++ b/toolkit/mozapps/extensions/content/aboutaddons.html
+@@ -799,18 +799,6 @@
+       <footer is="recommended-footer" class="view-footer"></footer>
+     </template>
+ 
+-    <template name="recommended-themes-footer">
+-      <p data-l10n-id="recommended-theme-1" class="theme-recommendation">
+-        <a data-l10n-name="link" target="_blank"></a>
+-      </p>
+-      <div class="amo-link-container view-footer-item">
+-        <button
+-          class="primary"
+-          action="open-amo"
+-          data-l10n-id="find-more-themes"
+-        ></button>
+-      </div>
+-    </template>
+ 
+    <template name="recommended-themes-section">
+      <h2

helpers/DATA/firefox/patch_changes/012-fix_wrong_directory_on_home_dir_for_abrowser.patch

@@ -0,0 +1,14 @@
+diff --git a/toolkit/xre/nsXREDirProvider.cpp b/toolkit/xre/nsXREDirProvider.cpp
+index 9c94cb88..0c19fad9 100644
+--- a/toolkit/xre/nsXREDirProvider.cpp
++++ b/toolkit/xre/nsXREDirProvider.cpp
+@@ -1232,7 +1232,8 @@ nsresult nsXREDirProvider::AppendProfilePath(nsIFile* aFile, bool aLocal) {
+   if (gAppData->profile) {
+     profile = gAppData->profile;
+   } else {
+-    appName = gAppData->name;
++    // For Abrowser compatibility: force use of ~/.mozilla/abrowser
++    appName.AssignLiteral("abrowser");
+     vendor = gAppData->vendor;
+   }
+ 

helpers/DATA/firefox/patch_changes/013-remove_finish_setup_third_party_services.patch

@@ -0,0 +1,98 @@
+diff --git a/browser/components/aboutwelcome/modules/AboutWelcomeDefaults.sys.mjs b/browser/components/aboutwelcome/modules/AboutWelcomeDefaults.sys.mjs
+index ba47adb6..c4b29ec4 100644
+--- a/browser/components/aboutwelcome/modules/AboutWelcomeDefaults.sys.mjs
++++ b/browser/components/aboutwelcome/modules/AboutWelcomeDefaults.sys.mjs
+@@ -704,7 +704,7 @@ const MR_ABOUT_WELCOME_DEFAULT = {
+           action: {
+             type: "OPEN_URL",
+             data: {
+-              args: "https://addons.mozilla.org/en-US/firefox/collections/4757633/b4d5649fb087446aa05add5f0258c3/?page=1&collection_sort=-popularity",
++              args: "https://gnuzilla.gnu.org/",
+               where: "tabshifted",
+             },
+             navigate: true,
+@@ -750,49 +750,6 @@ const MR_ABOUT_WELCOME_DEFAULT = {
+       },
+       targeting: "isFxASignedIn",
+     },
+-    {
+-      id: "AW_ACCOUNT_LOGIN",
+-      content: {
+-        fullscreen: true,
+-        position: "split",
+-        split_narrow_bkg_position: "-228px",
+-        image_alt_text: {
+-          string_id: "mr2022-onboarding-gratitude-image-alt",
+-        },
+-        background:
+-          "url('chrome://activity-stream/content/data/content/assets/fox-doodle-waving-laptop.svg') center center / 80% no-repeat var(--mr-screen-background-color)",
+-        progress_bar: true,
+-        logo: {},
+-        title: {
+-          string_id: "onboarding-sign-up-title",
+-        },
+-        subtitle: {
+-          string_id: "onboarding-sign-up-description",
+-        },
+-        secondary_button: {
+-          label: {
+-            string_id: "mr2-onboarding-start-browsing-button-label",
+-          },
+-          style: "secondary",
+-          action: {
+-            navigate: true,
+-          },
+-        },
+-        primary_button: {
+-          label: {
+-            string_id: "onboarding-sign-up-button",
+-          },
+-          action: {
+-            data: {
+-              entrypoint: "newuser-onboarding-desktop",
+-            },
+-            type: "FXA_SIGNIN_FLOW",
+-            navigate: true,
+-          },
+-        },
+-      },
+-      targeting: "!isFxASignedIn",
+-    },
+   ],
+ };
+ 
+diff --git a/browser/components/asrouter/modules/FeatureCalloutMessages.sys.mjs b/browser/components/asrouter/modules/FeatureCalloutMessages.sys.mjs
+index 29d2ca46..41b65ac4 100644
+--- a/browser/components/asrouter/modules/FeatureCalloutMessages.sys.mjs
++++ b/browser/components/asrouter/modules/FeatureCalloutMessages.sys.mjs
+@@ -885,7 +885,7 @@ const MESSAGES = () => {
+                   dismiss: true,
+                   type: "OPEN_URL",
+                   data: {
+-                    args: "https://addons.mozilla.org/en-US/firefox/collections/4757633/36d285535db74c6986abbeeed3e214/?page=1&collection_sort=added",
++                    args: "https://gnuzilla.gnu.org/",
+                     where: "tabshifted",
+                   },
+                 },
+diff --git a/browser/components/asrouter/modules/OnboardingMessageProvider.sys.mjs b/browser/components/asrouter/modules/OnboardingMessageProvider.sys.mjs
+index abc6db68..0c86955f 100644
+--- a/browser/components/asrouter/modules/OnboardingMessageProvider.sys.mjs
++++ b/browser/components/asrouter/modules/OnboardingMessageProvider.sys.mjs
+@@ -1226,7 +1226,7 @@ const BASE_MESSAGES = () => [
+                         {
+                           type: "OPEN_URL",
+                           data: {
+-                            args: "https://addons.mozilla.org/en-US/firefox/collections/4757633/b4d5649fb087446aa05add5f0258c3/?page=1&collection_sort=-popularity",
++                            args: "https://gnuzilla.gnu.org/",
+                             where: "current",
+                           },
+                         },
+@@ -1430,7 +1430,7 @@ const BASE_MESSAGES = () => [
+                         {
+                           type: "OPEN_URL",
+                           data: {
+-                            args: "https://addons.mozilla.org/en-US/firefox/collections/4757633/b4d5649fb087446aa05add5f0258c3/?page=1&collection_sort=-popularity",
++                            args: "https://gnuzilla.gnu.org/",
+                             where: "current",
+                           },
+                         },

helpers/DATA/firefox/patch_changes/014-remove_support_firefox_mission_on_abrowser.patch

@@ -0,0 +1,138 @@
+diff --git a/browser/components/preferences/home.inc.xhtml b/browser/components/preferences/home.inc.xhtml
+index c0094fe0..08856c78 100644
+--- a/browser/components/preferences/home.inc.xhtml
++++ b/browser/components/preferences/home.inc.xhtml
+@@ -101,15 +101,6 @@
+   <vbox id="trending-searches" />
+   <vbox id="topsites" />
+   <vbox id="topstories" />
+-  <vbox id="support-firefox" />
+-
+-  <html:moz-box-item class="mission-message">
+-    <html:span data-l10n-id="home-prefs-mission-message" />
+-    <html:a is="moz-support-link"
+-            support-page="sponsor-privacy"
+-            data-l10n-id="home-prefs-mission-message-learn-more-link" />
+-  </html:moz-box-item>
+-
+   <vbox id="highlights" />
+ </groupbox>
+ </html:template>
+diff --git a/browser/extensions/newtab/lib/AboutPreferences.sys.mjs b/browser/extensions/newtab/lib/AboutPreferences.sys.mjs
+index 0d43919b..f2e0fbd0 100644
+--- a/browser/extensions/newtab/lib/AboutPreferences.sys.mjs
++++ b/browser/extensions/newtab/lib/AboutPreferences.sys.mjs
+@@ -120,37 +120,6 @@ const PREFS_FOR_SETTINGS = () => [
+     ),
+     eventSource: "TOP_STORIES",
+   },
+-  {
+-    id: "support-firefox",
+-    pref: {
+-      feed: "showSponsoredCheckboxes",
+-      titleString: "home-prefs-support-firefox-header",
+-      nestedPrefs: [
+-        {
+-          name: "showSponsoredTopSites",
+-          titleString: "home-prefs-shortcuts-by-option-sponsored",
+-          eventSource: "SPONSORED_TOP_SITES",
+-        },
+-        {
+-          name: "showSponsored",
+-          titleString: "home-prefs-recommended-by-option-sponsored-stories",
+-          eventSource: "POCKET_SPOCS",
+-          shouldHidePref: !Services.prefs.getBoolPref(
+-            "browser.newtabpage.activity-stream.feeds.system.topstories",
+-            true
+-          ),
+-          shouldDisablePref: !Services.prefs.getBoolPref(
+-            "browser.newtabpage.activity-stream.feeds.section.topstories",
+-            true
+-          ),
+-        },
+-      ],
+-    },
+-    shouldHidePref: !Services.prefs.getBoolPref(
+-      "browser.newtabpage.activity-stream.system.showSponsoredCheckboxes",
+-      false
+-    ),
+-  },
+ ];
+ 
+ export class AboutPreferences {
+@@ -351,41 +320,8 @@ export class AboutPreferences {
+       }
+     });
+ 
+-    // Special cases to like the nested prefs with another pref,
+-    // so we can disable it real time.
+-    if (id === "support-firefox") {
+-      function setupSupportFirefoxSubCheck(triggerPref, subPref) {
+-        const subCheckFullName = `browser.newtabpage.activity-stream.${triggerPref}`;
+-        const subCheckPref = Preferences.get(subCheckFullName);
+-
+-        subCheckPref?.on("change", () => {
+-          const showSponsoredFullName = `browser.newtabpage.activity-stream.${subPref}`;
+-          const showSponsoredSubcheck = subChecks.find(
+-            subcheck =>
+-              subcheck.getAttribute("preference") === showSponsoredFullName
+-          );
+-          if (showSponsoredSubcheck) {
+-            showSponsoredSubcheck.disabled = !Services.prefs.getBoolPref(
+-              subCheckFullName,
+-              true
+-            );
+-          }
+-        });
+-      }
+-
+-      setupSupportFirefoxSubCheck("feeds.section.topstories", "showSponsored");
+-      setupSupportFirefoxSubCheck("feeds.topsites", "showSponsoredTopSites");
+-    }
+-
+     pref.on("change", () => {
+       subChecks.forEach(subcheck => {
+-        // Update child preferences for the "Support Firefox" checkbox group
+-        // so that they're turned on and off at the same time.
+-        if (id === "support-firefox") {
+-          const subPref = Preferences.get(subcheck.getAttribute("preference"));
+-          subPref.value = pref.value;
+-        }
+-
+         // Disable any nested checkboxes if the parent pref is not enabled.
+         subcheck.disabled = !pref._value;
+       });
+diff --git a/browser/locales/en-US/browser/preferences/preferences.ftl b/browser/locales/en-US/browser/preferences/preferences.ftl
+index 269eca10..4c35b53f 100644
+--- a/browser/locales/en-US/browser/preferences/preferences.ftl
++++ b/browser/locales/en-US/browser/preferences/preferences.ftl
+@@ -749,11 +749,7 @@ home-prefs-trending-search-header =
+ home-prefs-trending-search-description = Popular and frequently searched topics
+ 
+ # "Support" here means to help sustain or contribute to something, especially through funding or sponsorship.
+-home-prefs-support-firefox-header =
+-    .label = Support { -brand-product-name }
+-
+-home-prefs-mission-message = Our sponsors support our mission to build a better web
+-home-prefs-mission-message-learn-more-link = Find out how
++## Removed by Abrowser customization process.
+ 
+ # Variables:
+ #   $num (number) - Number of rows displayed
+diff --git a/browser/themes/shared/preferences/preferences.css b/browser/themes/shared/preferences/preferences.css
+index 9c8155e5..4718341f 100644
+--- a/browser/themes/shared/preferences/preferences.css
++++ b/browser/themes/shared/preferences/preferences.css
+@@ -1541,12 +1541,3 @@ richlistitem .text-link:hover {
+ .search-header:has(.section-heading) {
+   margin: 0;
+ }
+-
+-/* Styles for the "sponsors support our mission" message and link on the Home tab */
+-.mission-message {
+-  margin-block-start: var(--space-large);
+-
+-  > a {
+-    font-size: var(--font-size-small);
+-  }
+-}

helpers/DATA/firefox/patch_changes/015-set_higher_priority_than_chromium_based_ones.patch

@@ -0,0 +1,17 @@
+diff --git a/debian/firefox.postinst.in b/debian/firefox.postinst.in
+index 4cb73f02..44e9261a 100644
+--- a/debian/firefox.postinst.in
++++ b/debian/firefox.postinst.in
+@@ -36,10 +36,10 @@ finish_rm_conffile() {
+ 
+ if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-remove" ] ; then
+     update-alternatives --install /usr/bin/gnome-www-browser \
+-        gnome-www-browser /usr/bin/$MOZ_APP_NAME 40
++        gnome-www-browser /usr/bin/$MOZ_APP_NAME 240
+ 
+     update-alternatives --install /usr/bin/x-www-browser \
+-        x-www-browser /usr/bin/$MOZ_APP_NAME 40
++        x-www-browser /usr/bin/$MOZ_APP_NAME 240
+ fi
+ 
+ if [ "$1" = "configure" ] ; then

helpers/DATA/firefox/process-json-files.py

@@ -1,6 +1,9 @@
 #! /usr/bin/python3
-
-#    Copyright (C) 2020, 2021  grizzlyuser <grizzlyuser@protonmail.com>
+#    Copyright (C) 2024  Luis Guzmán <ark@switnet.org>
+#    Copyright (C) 2020, 2021, 2022, 2023, 2024 grizzlyuser <grizzlyuser@protonmail.com>
+#    Based on: https://gitlab.trisquel.org/trisquel/wrapage-helpers/-/blob/81881d89b2bf7d502dd14fcccdb471fec6f6b206/helpers/DATA/firefox/reprocess-search-config.py
+#    Below is the notice from the original author:
+#
 #    Copyright (C) 2020, 2021  Ruben Rodriguez <ruben@trisquel.info>
 #
 #    This program is free software; you can redistribute it and/or modify
@@ -23,6 +26,7 @@ import time
 import copy
 import argparse
 import pathlib
+import logging
 from collections import namedtuple
 from jsonschema import validate
 
@@ -41,12 +45,42 @@ parser.add_argument(
     type=int,
     default=2,
     help='indent for pretty printing of output files')
+parser.add_argument(
+    '-l',
+    '--loglevel',
+    choices=logging._nameToLevel.keys(),
+    default=logging.INFO,
+    help='logging level')
 arguments = parser.parse_args()
 
+logging.basicConfig(level=arguments.loglevel)
+logger = logging.getLogger(str(pathlib.Path(__file__).name))
+
 File = namedtuple('File', ['path', 'content'])
 
 
-class RemoteSettings:
+class JsonProcessor:
+    @classmethod
+    def process(cls):
+        parsed_jsons = []
+        for json_path in cls.JSON_PATHS:
+            logger.info('Reading input: ' + str(json_path) + '...')
+            with json_path.open(encoding='utf-8') as file:
+                parsed_jsons.append(File(json_path, json.load(file)))
+
+        parsed_schema = None
+        if hasattr(cls, "SCHEMA_PATH"):
+            logger.info('Reading schema: ' + str(json_path) + '...')
+            with cls.SCHEMA_PATH.open() as file:
+                parsed_schema = json.load(file)
+
+        processed = cls.process_parsed(parsed_jsons, parsed_schema)
+        with processed.path.open('w') as file:
+            json.dump(processed.content, file, indent=arguments.indent)
+            logger.info('Wrote: ' + str(processed.path))
+
+
+class RemoteSettings(JsonProcessor):
     DUMPS_PATH_RELATIVE = 'services/settings/dumps'
     DUMPS_PATH_ABSOLUTE = arguments.MAIN_PATH / DUMPS_PATH_RELATIVE
 
@@ -75,11 +109,12 @@ class RemoteSettings:
 
     @classmethod
     def now(cls):
-        return int(round(time.time() / 10 ** 6))
+        return int(round(time.time() * 1000))
 
     @classmethod
     def process_raw(cls, unwrapped_jsons, parsed_schema):
         timestamps, result = [], []
+
         for collection in unwrapped_jsons:
             should_modify_collection = cls.should_modify_collection(collection)
             for record in collection.content:
@@ -110,13 +145,23 @@ class RemoteSettings:
         return File(cls.OUTPUT_PATH, result)
 
     @classmethod
-    def process(cls, parsed_jsons, parsed_schema):
+    def process_parsed(cls, parsed_jsons, parsed_schema):
         return cls.wrap(
             cls.process_raw(
                 cls.unwrap(parsed_jsons),
                 parsed_schema))
 
 
+class EmptyRemoteSettings(RemoteSettings):
+    @classmethod
+    def should_drop_record(cls, search_engine):
+        return True
+
+    @classmethod
+    def process_record(cls, record):
+        return record
+
+
 class Changes(RemoteSettings):
     JSON_PATHS = tuple(RemoteSettings.DUMPS_PATH_ABSOLUTE.glob('*/*.json'))
     OUTPUT_PATH = RemoteSettings.DUMPS_PATH_ABSOLUTE / 'monitor/changes'
@@ -132,7 +177,7 @@ class Changes(RemoteSettings):
         changes = []
 
         for collection in unwrapped_jsons:
-            if collection.path not in (RemoteSettings.DUMPS_PATH_ABSOLUTE / 'main/example.json', RemoteSettings.DUMPS_PATH_ABSOLUTE / 'main/search-config-v2.json'):
+            if collection.path != RemoteSettings.DUMPS_PATH_ABSOLUTE / 'main/example.json':
                 latest_change = {}
                 latest_change[cls._LAST_MODIFIED_KEY_NAME] = cls.get_collection_timestamp(
                     collection)
@@ -145,61 +190,116 @@ class Changes(RemoteSettings):
         return File(cls.OUTPUT_PATH, changes)
 
 
-class SearchConfig(RemoteSettings):
+class SearchConfigV2(RemoteSettings):
     JSON_PATHS = (
         RemoteSettings.DUMPS_PATH_ABSOLUTE /
-        'main/search-config.json',
+        'main/search-config-v2.json',
     )
     SCHEMA_PATH = arguments.MAIN_PATH / \
-        'toolkit/components/search/schema/search-config-schema.json'
+        'toolkit/components/search/schema/search-config-v2-schema.json'
     OUTPUT_PATH = JSON_PATHS[0]
 
-    _DUCKDUCKGO_SEARCH_ENGINE_ID = 'ddg@search.mozilla.org'
+    _DUCKDUCKGO_SEARCH_ENGINE_IDENTIFIER = 'ddg'
 
     @classmethod
-    def should_drop_record(cls, search_engine):
-        return search_engine['webExtension']['id'] not in (
-            cls._DUCKDUCKGO_SEARCH_ENGINE_ID, 'wikipedia@search.mozilla.org',
-            'trisquel@search.mozilla.org', 'trisquel-packages@@search.mozilla.org',
-            'qwant@search.mozilla.org', 'ecosia@search.mozilla.org')
+    def should_drop_record(cls, record):
+        if record['recordType'] != 'engine':
+            return False
+
+        identifier = record['identifier']
+        excluded_identifiers = ['ecosia', 'qwant', 'trisquel', 'trisquel-packages']
+
+        return (
+            identifier != cls._DUCKDUCKGO_SEARCH_ENGINE_IDENTIFIER and
+            not (identifier.startswith('wikipedia') or identifier in excluded_identifiers)
+        )
 
     @classmethod
-    def process_record(cls, search_engine):
-        [search_engine.pop(key, None)
-         for key in ['extraParams', 'telemetryId']]
+    def process_record(cls, record):
+        if record['recordType'] == 'defaultEngines':
+            return cls.process_default_engines(record)
+        elif record['recordType'] == 'engine':
+            return cls.process_engine(record)
+        elif record['recordType'] == 'engineOrders':
+            return cls.process_engine_orders(record)
+        else:
+            return record
 
-        general_specifier = {}
-        for specifier in search_engine['appliesTo'].copy():
-            if 'application' in specifier:
-                if 'distributions' in specifier['application']:
-                    search_engine['appliesTo'].remove(specifier)
-                    continue
-                specifier['application'].pop('extraParams', None)
+    @classmethod
+    def process_default_engines(cls, default_engines):
+        default_engines['globalDefault'] = cls._DUCKDUCKGO_SEARCH_ENGINE_IDENTIFIER
+        default_engines['specificDefaults'] = []
+        return default_engines
 
-            if 'included' in specifier and 'everywhere' in specifier[
-                    'included'] and specifier['included']['everywhere']:
-                if search_engine['webExtension']['id'] == cls._DUCKDUCKGO_SEARCH_ENGINE_ID:
-                    specifier['default'] = 'yes'
-                general_specifier = specifier
+    @classmethod
+    def process_engine(cls, engine):
+        engine['base'].pop('partnerCode', None)
+        engine['base']['urls']['search'].pop('params', None)
 
-        if not general_specifier:
-            general_specifier = {'included': {'everywhere': True}}
-            search_engine['appliesTo'].insert(0, general_specifier)
-        if search_engine['webExtension']['id'] == cls._DUCKDUCKGO_SEARCH_ENGINE_ID:
-            general_specifier['default'] = 'yes'
+        if engine['identifier'] == cls._DUCKDUCKGO_SEARCH_ENGINE_IDENTIFIER:
+            engine['base']['name'] += ' HTML'
+            engine['base']['urls']['search']['base'] = 'https://html.duckduckgo.com/html'
 
-        return search_engine
+        allRegions_prefixes = ['ecosia', 'qwant', 'trisquel']
+
+        if any(engine['identifier'].startswith(prefix) for prefix in allRegions_prefixes) or \
+           engine['identifier'] == cls._DUCKDUCKGO_SEARCH_ENGINE_IDENTIFIER:
+            engine['variants'] = [{'environment': {'allRegionsAndLocales': True}}]
+
+        return engine
+
+    @classmethod
+    def process_engine_orders(cls, engine_orders):
+        engine_orders['orders'] = []
+        return engine_orders
+
+class SearchConfigOverridesV2(EmptyRemoteSettings):
+    JSON_PATHS = (
+        RemoteSettings.DUMPS_PATH_ABSOLUTE /
+        'main/search-config-overrides-v2.json',
+    )
+    SCHEMA_PATH = arguments.MAIN_PATH / \
+        'toolkit/components/search/schema/search-config-overrides-v2-schema.json'
+    OUTPUT_PATH = JSON_PATHS[0]
 
 
-class TippyTopSites:
+class SearchDefaultOverrideAllowlist(EmptyRemoteSettings):
+    JSON_PATHS = (
+        RemoteSettings.DUMPS_PATH_ABSOLUTE /
+        'main/search-default-override-allowlist.json',
+    )
+    SCHEMA_PATH = arguments.MAIN_PATH / \
+        'toolkit/components/search/schema/search-default-override-allowlist-schema.json'
+    OUTPUT_PATH = JSON_PATHS[0]
+
+
+class SearchTelemetryV2(EmptyRemoteSettings):
+    JSON_PATHS = (
+        RemoteSettings.DUMPS_PATH_ABSOLUTE /
+        'main/search-telemetry-v2.json',
+    )
+    SCHEMA_PATH = arguments.MAIN_PATH / \
+        'browser/components/search/schema/search-telemetry-v2-schema.json'
+    OUTPUT_PATH = JSON_PATHS[0]
+
+
+class UrlClassifierSkipUrls(EmptyRemoteSettings):
+    JSON_PATHS = (
+        RemoteSettings.DUMPS_PATH_ABSOLUTE /
+        'main/url-classifier-skip-urls.json',
+    )
+    OUTPUT_PATH = JSON_PATHS[0]
+
+
+class TippyTopSites(JsonProcessor):
     JSON_PATHS = (
         arguments.MAIN_PATH /
-        'browser/components/newtab/data/content/tippytop/top_sites.json',
+        'browser/components/topsites/content/tippytop/top_sites.json',
         arguments.BRANDING_PATH /
         'tippytop/top_sites.json')
 
     @classmethod
-    def process(cls, parsed_jsons, parsed_schema):
+    def process_parsed(cls, parsed_jsons, parsed_schema):
         tippy_top_sites_main = parsed_jsons[0]
         tippy_top_sites_branding = parsed_jsons[1]
         result = tippy_top_sites_branding.content + \
@@ -224,7 +324,7 @@ class TopSites(RemoteSettings):
 
     @classmethod
     def should_drop_record(cls, site):
-        return site['url'] != 'https://www.wikipedia.org/'
+        return True
 
     @classmethod
     def process_record(cls, site):
@@ -234,19 +334,15 @@ class TopSites(RemoteSettings):
 
 # To reflect the latest timestamps, Changes class should always come after
 # all other RemoteSettings subclasses
-processors = (SearchConfig, Changes)
+processors = (
+    SearchConfigV2,
+    SearchConfigOverridesV2,
+    SearchDefaultOverrideAllowlist,
+    SearchTelemetryV2,
+    UrlClassifierSkipUrls,
+    TopSites,
+    Changes,
+    TippyTopSites)
 
 for processor in processors:
-    parsed_jsons = []
-    for json_path in processor.JSON_PATHS:
-        with json_path.open(encoding='utf-8') as file:
-            parsed_jsons.append(File(json_path, json.load(file)))
-
-    parsed_schema = None
-    if hasattr(processor, "SCHEMA_PATH"):
-        with processor.SCHEMA_PATH.open() as file:
-            parsed_schema = json.load(file)
-
-    processed = processor.process(parsed_jsons, parsed_schema)
-    with processed.path.open('w') as file:
-        json.dump(processed.content, file, indent=arguments.indent)
+    processor.process()

helpers/DATA/firefox/rollback_ddg_firefox_partnership_codes.patch

@@ -1,24 +0,0 @@
-More info related to the change: https://hg.mozilla.org/mozilla-central/rev/5079bb7577182734823d6e4a3c468115d45a9dd9
-
---- a/browser/components/search/extensions/ddg/manifest.json	2023-04-06 23:48:16.983734806 -0600
-+++ b/browser/components/search/extensions/ddg/manifest.json	2023-04-06 23:54:27.848103496 -0600
-@@ -21,7 +21,7 @@
-       "name": "DuckDuckGo",
-       "search_url": "https://duckduckgo.com/",
-       "search_form": "https://duckduckgo.com/",
--      "search_url_get_params": "t=ffab&q={searchTerms}",
-+      "search_url_get_params": "q={searchTerms}",
-       "suggest_url": "https://ac.duckduckgo.com/ac/",
-       "suggest_url_get_params": "q={searchTerms}&type=list"
-     }
---- a/browser/components/search/extensions/ddg-html/manifest.json	2023-04-06 23:48:16.987734810 -0600
-+++ b/browser/components/search/extensions/ddg-html/manifest.json	2023-04-06 23:55:19.080158907 -0600
-@@ -21,7 +21,7 @@
-       "name": "DuckDuckGo (HTML)",
-       "search_url": "https://html.duckduckgo.com/html/",
-       "search_form": "https://html.duckduckgo.com/html/",
--      "search_url_get_params": "t=ffab&q={searchTerms}",
-+      "search_url_get_params": "q={searchTerms}",
-       "suggest_url": "https://ac.duckduckgo.com/ac/",
-       "suggest_url_get_params": "q={searchTerms}&type=list"
-     }

helpers/DATA/firefox/search-custom/services/settings/dumps/main/top-sites.json

@@ -0,0 +1,61 @@
+{
+  "data": [
+    {
+      "url": "https://trisquel.info/",
+      "order": 0,
+      "title": "Trisquel",
+      "id": "ec7f4843-6be5-5e86-870a-1c8383500a4b",
+      "last_modified": 1715345084783
+    },
+    {
+      "url": "https://packages.trisquel.org/",
+      "order": 1,
+      "title": "Trisquel Packages",
+      "id": "27a9b035-0b8b-4472-97cb-b1866aba0740",
+      "last_modified": 1715345084786
+    },
+    {
+      "url": "https://www.gnu.org/",
+      "order": 2,
+      "title": "GNU",
+      "id": "1baee931-751c-5993-b6fe-d86fbf78f9b0",
+      "last_modified": 1715345084789
+    },
+    {
+      "url": "https://www.fsf.org/",
+      "order": 3,
+      "title": "FSF",
+      "id": "fcc60dd8-4d97-5aca-8e5d-784652c75818",
+      "last_modified": 1715345084792
+    },
+    {
+      "url": "https://directory.fsf.org/",
+      "order": 4,
+      "title": "FSF Directory",
+      "id": "abe5bfb2-9487-5697-9f27-e0b782dfe006",
+      "last_modified": 1715345084796
+    },
+    {
+      "url": "https://libreplanet.org/",
+      "order": 5,
+      "title": "LibrePlanet",
+      "id": "e3d2cf88-a4dc-5d2e-9f9a-f3ea241d17d8",
+      "last_modified": 1715345084800
+    },
+    {
+      "url": "https://www.wikipedia.org/",
+      "order": 6,
+      "title": "Wikipedia",
+      "id": "02c295f5-54a8-5d29-8d1f-b619216b20c0",
+      "last_modified": 1715345084803
+    },
+    {
+      "url": "https://h-node.org/",
+      "order": 7,
+      "title": "h-node",
+      "id": "c426481f-8c3f-53b8-b23a-431a91a1c7b4",
+      "last_modified": 1715345084807
+    }
+  ],
+  "timestamp": 1715345084810
+}

helpers/DATA/firefox/search-custom/tippytop/top_sites.json

@@ -0,0 +1,52 @@
+[
+  {
+    "domains": ["duckduckgo.com"],
+    "image_url": "images/duckduckgo-com@2x.svg",
+    "favicon_url": "favicons/duckduckgo-com.ico"
+  },
+  {
+    "domains": ["trisquel.info"],
+    "image_url": "images/trisquel.png",
+    "favicon_url": "favicons/trisquel.ico"
+  },
+  {
+    "domains": ["packages.trisquel.org"],
+    "image_url": "images/trisquel-packages.png",
+    "favicon_url": "favicons/trisquel-packages.ico"
+  },
+  {
+    "domains": ["gnu.org"],
+    "image_url": "images/gnu.png",
+    "favicon_url": "favicons/gnu.ico"
+  },
+  {
+    "domains": ["fsf.org"],
+    "image_url": "images/fsf.png",
+    "favicon_url": "favicons/fsf.ico"
+  },
+  {
+    "domains": ["directory.fsf.org"],
+    "image_url": "images/directory.png",
+    "favicon_url": "favicons/fsf.ico"
+  },
+  {
+    "domains": ["libreplanet.org"],
+    "image_url": "images/libreplanet.png",
+    "favicon_url": "favicons/libreplanet.ico"
+  },
+  {
+    "domains": ["fsfe.org"],
+    "image_url": "images/fsfe.png",
+    "favicon_url": "favicons/fsfe.ico"
+  },
+  {
+    "domains": ["wikipedia.org"],
+    "image_url": "images/wikipedia.png",
+    "favicon_url": "favicons/wikipedia.ico"
+  },
+  {
+    "domains": ["h-node.org"],
+    "image_url": "images/hnode.png",
+    "favicon_url": "favicons/hnode.ico"
+  }
+]

helpers/DATA/firefox/searchplugins/trisquel-packages-v2.json

@@ -0,0 +1,30 @@
+        {
+        "base": {
+            "aliases": [
+              "packages",
+              "p"
+            ],
+            "classification": "unknown",
+            "name": "Trisquel Packages",
+            "urls": {
+                "search": {
+                    "base": "https://packages.trisquel.org/search",
+                    "params": [],
+                    "searchTermParamName": "keywords"
+                }
+            }
+        },
+        "id": "b5fd21a8-e369-477f-a3f2-b47a370f9030",
+        "identifier": "trisquel-packages",
+        "last_modified": 1678,
+        "recordType": "engine",
+        "schema": "defaultEngines",
+        "variants": [
+            {
+                "environment": {
+                    "allRegionsAndLocales": true
+                },
+                "optional": false
+            }
+        ]
+    },

helpers/DATA/firefox/searchplugins/trisquel-packages.json

@@ -1,15 +0,0 @@
-    {
-      "schema": 1674147734592,
-      "appliesTo": [
-        {
-          "included": {
-            "everywhere": true
-          }
-        }
-      ],
-      "webExtension": {
-        "id": "trisquel-packages@search.mozilla.org"
-      },
-      "id": "b5fd21a8-e369-477f-a3f2-b47a370f9030",
-      "last_modified": 1678
-    },

helpers/DATA/firefox/searchplugins/trisquel-v2.json

@@ -0,0 +1,30 @@
+        {
+        "base": {
+            "aliases": [
+              "trisquel",
+              "t"
+            ],
+            "classification": "unknown",
+            "name": "Trisquel",
+            "urls": {
+                "search": {
+                    "base": "https://trisquel.info/search/node",
+                    "params": [],
+                    "searchTermParamName": "q"
+                }
+            }
+        },
+        "id": "b99ed276-9557-4492-8bbb-d59826381893",
+        "identifier": "trisquel",
+        "last_modified": 1678,
+        "recordType": "engine",
+        "schema": "defaultEngines",
+        "variants": [
+            {
+                "environment": {
+                    "allRegionsAndLocales": true
+                },
+                "optional": false
+            }
+        ]
+    },

helpers/DATA/firefox/searchplugins/trisquel.json

@@ -1,15 +0,0 @@
-    {
-      "schema": 1674147734535,
-      "appliesTo": [
-        {
-          "included": {
-            "everywhere": true
-          }
-        }
-      ],
-      "webExtension": {
-        "id": "trisquel@search.mozilla.org"
-      },
-      "id": "b99ed276-9557-4492-8bbb-d59826381893",
-      "last_modified": 1678
-    },

helpers/DATA/firefox/settings.js

@@ -1,4 +1,3 @@
-
 // Release notes and vendor URLs
 pref("app.releaseNotesURL", "https://trisquel.info/en/wiki/abrowser-help");
 pref("app.vendorURL", "https://trisquel.info/en/wiki/abrowser-help");
@@ -63,7 +62,7 @@ pref("general.useragent.compatMode.abrowser",true);
 pref ("browser.startup.homepage_override.mstone", "ignore");
 
 // Preferences for the Get Add-ons panel
-pref ("extensions.webservice.discoverURL", "https://gnuzilla.gnu.org/mozzarella/");
+pref ("extensions.webservice.discoverURL", "https://gnuzilla.gnu.org/");
 pref ("extensions.getAddons.search.url", "https://trisquel.info");
 
 // Help URL
@@ -75,8 +74,8 @@ pref ("plugins.update.url", "https://trisquel.info/en/wiki/abrowser-help");
 pref ("browser.customizemode.tip0.learnMoreUrl", "https://trisquel.info/en/wiki/abrowser-help");
 
 // Dictionary download preference
-pref("browser.dictionaries.download.url", "http://dictionaries.mozdev.org/");
-pref("browser.search.searchEnginesURL", "http://mycroft.mozdev.org/");
+pref("browser.dictionaries.download.url", "https://addons.mozilla.org/%LOCALE%/firefox/language-tools/");
+pref("browser.search.searchEnginesURL", "https://mycroftproject.com/");
 // Enable Spell Checking In All Text Fields
 pref("layout.spellcheckDefault", 2);
 
@@ -117,6 +116,7 @@ pref("network.http.sendRefererHeader", 2);
 pref("dom.event.clipboardevents.enabled",false);
 pref("network.prefetch-next", false);
 pref("network.dns.disablePrefetch", true);
+pref("network.dns.disablePrefetchFromHTTPS", true);
 pref("network.http.sendSecureXSiteReferrer", false);
 pref("toolkit.telemetry.enabled", false);
 // Do not tell what plugins do we have enabled: https://mail.mozilla.org/pipermail/firefox-dev/2013-November/001186.html
@@ -126,6 +126,7 @@ pref("plugin.state.flash", 1);
 pref("browser.newtabpage.directory.source", "");
 pref("browser.newtabpage.directory.ping", "");
 pref("browser.newtabpage.introShown", true);
+pref("browser.newtabpage.activity-stream.unifiedAds.endpoint","");
 // Disable home snippets
 pref("browser.aboutHomeSnippets.updateUrl", "");
 // Always ask before restoring the browsing session
@@ -152,6 +153,7 @@ pref("toolkit.telemetry.firstShutdownPing.enabled", false);
 pref("toolkit.telemetry.bhrPing.enabled", false);
 pref("browser.ping-centre.telemetry", false);
 pref("dom.security.unexpected_system_load_telemetry_enabled", false);
+pref("network.connectivity-service.enabled", false);
 
 // Canvas fingerprint protection
 // Disabled, as it breaks things and does little improvements to fingerprinting
@@ -202,6 +204,10 @@ pref("media.gmp-manager.url", "");
 pref("media.gmp-provider.enabled", false);
 // Don't install openh264 codec
 pref("media.gmp-gmpopenh264.enabled", false);
+// Disable Widevine
+pref("media.gmp-widevinecdm.enabled", false);
+// Disable eme codecs
+pref("media.eme.enabled", false);
 
 //Disable middle click content load
 //Avoid loading urls by mistake 
@@ -246,9 +252,13 @@ pref("browser.onboarding.enabled", false);
 pref("browser.newtabpage.activity-stream.default.sites", "https://trisquel.info/,https://packages.trisquel.org,https://www.gnu.org/,https://www.fsf.org/,https://directory.fsf.org,https://libreplanet.org/,https://fsfe.org,https://www.wikipedia.org/wiki/,https://www.h-node.org/");
 pref("browser.newtabpage.activity-stream.showTopSites",true);
 pref("browser.newtabpage.activity-stream.feeds.section.topstories",false);
+pref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false);
+pref("browser.newtabpage.activity-stream.discoverystream.enabled", false);
+pref("browser.newtabpage.activity-stream.discoverystream.endpoints", "");
 pref("browser.newtabpage.activity-stream.feeds.snippets",false);
 pref("browser.newtabpage.activity-stream.disableSnippets", true);
-user_pref("browser.newtabpage.activity-stream.tippyTop.service.endpoint", "");
+pref("browser.newtabpage.activity-stream.tippyTop.service.endpoint", "");
+pref("browser.newtabpage.activity-stream.showSponsoredCheckboxes", false);
 
 // Enable xrender
 //pref("gfx.xrender.enabled",true);
@@ -256,7 +266,6 @@ user_pref("browser.newtabpage.activity-stream.tippyTop.service.endpoint", "");
 // Disable push notifications
 pref("dom.webnotifications.enabled",false);
 pref("dom.webnotifications.serviceworker.enabled",false);
-pref("dom.push.enabled",false);
 
 // Disable services server
 pref("services.settings.server", "");
@@ -268,14 +277,13 @@ pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
 pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
 pref("extensions.htmlaboutaddons.discover.enabled", false);
 pref("extensions.htmlaboutaddons.recommendations.enabled", false);
-//pref("browser.newtabpage.activity-stream.asrouterExperimentEnabled", false);
+pref("extensions.getAddons.cache.enabled", false);
 pref("extensions.getAddons.get.url", "");
-pref("extensions.getAddons.link.url", "https://gnuzilla.gnu.org/mozzarella/");
+pref("extensions.getAddons.link.url", "https://gnuzilla.gnu.org/");
 pref("extensions.getAddons.langpacks.url", "");
 pref("extensions.getAddons.discovery.api_url", "");
 pref("extensions.recommendations.privacyPolicyUrl", "https://trisquel.info/legal");
-pref("extensions.getAddons.search.browseURL", "https://gnuzilla.gnu.org/mozzarella/search.php?q=%TERMS%");
-
+pref("extensions.getAddons.search.browseURL", "https://gnuzilla.gnu.org/search.php?q=%TERMS%");
 
 // Disable pingback on first run
 pref("browser.newtabpage.activity-stream.fxaccounts.endpoint", "");
@@ -284,3 +292,32 @@ pref("browser.newtabpage.activity-stream.fxaccounts.endpoint", "");
 // Disable Normandy (remote settings changer for AB testing)
 pref("app.normandy.enabled", false);
 pref("app.normandy.api_url", "");
+
+// Disable Adwaita theme by default.
+pref("widget.gtk.libadwaita-colors.enabled", false);
+
+
+// High level search data collection
+pref("browser.search.serpEventTelemetry.enabled",false);
+
+// Disable Privacy-Preserving Attribution submition
+pref("dom.private-attribution.submission.enabled", false);
+
+// Disable Machine Learning
+pref("browser.ml.chat.enabled", false);
+// Hide from UI
+pref("browser.ml.chat.hideFromLabs", true);
+pref("browser.ml.chat.hideLabsShortcuts", true);
+
+// Disable tab hover preview
+pref("browser.tabs.hoverPreview.enabled", false);
+
+// Disable DAP telemetry servers & experiments
+pref("toolkit.telemetry.dap.leader.url", "");
+pref("toolkit.telemetry.dap.helper.url", "");
+pref("messaging-system.rsexperimentloader.enabled", false);
+
+// Disable DoH as third party service, users can restore it at will.
+pref("network.trr.mode", 5);
+pref("doh-rollout.enabled", false);
+pref("doh-rollout.provider-steering.enabled", false);

helpers/DATA/firefox/trisquel-search-icons/b5fd21a8-trisquel-packages.json

@@ -0,0 +1,17 @@
+{
+  "schema": 40960,
+  "imageSize": 48,
+  "attachment": {
+    "hash": "0b077376b224b66159130f587371d67f97454fd692296c449590a9123591c9f6",
+    "size": 3441,
+    "filename": "trisquel-packages-48-firefox.png",
+    "location": "main-workspace/search-config-icons/b5fd21a8-e369-477f-a3f2-b47a370f9030.png",
+    "mimetype": "image/png"
+  },
+  "engineIdentifiers": [
+    "trisquel-packages"
+  ],
+  "filter_expression": "env.appinfo.ID == \"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\"",
+  "id": "b5fd21a8-e369-477f-a3f2-b47a370f9030",
+  "last_modified": 1734316560
+}

helpers/DATA/firefox/trisquel-search-icons/b99ed276-trisquel.json

@@ -0,0 +1,17 @@
+{
+  "schema": 45056,
+  "imageSize": 48,
+  "attachment": {
+    "hash": "93bc9a505442520b44ae5ffb880979943826308bcc051b966e1cbd67dbc64125",
+    "size": 4493,
+    "filename": "trisquel-48-firefox.png",
+    "location": "main-workspace/search-config-icons/b99ed276-9557-4492-8bbb-d59826381893",
+    "mimetype": "image/png"
+  },
+  "engineIdentifiers": [
+    "trisquel"
+  ],
+  "filter_expression": "env.appinfo.ID == \"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\"",
+  "id": "b99ed276-9557-4492-8bbb-d59826381893",
+  "last_modified": 1734316560
+}

helpers/DATA/firefox/trisquel-search-icons/update_mozbuild.py

@@ -0,0 +1,64 @@
+#! /usr/bin/python3
+#
+# Script to add trisquel's icons on search engine options.
+#
+#    Copyright (C) 2024 Luis Guzmán <ark@switnet.org>
+#
+#    This program is free software; you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation; either version 2 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, write to the Free Software
+#    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
+
+# File path
+moz_build_path = "services/settings/dumps/main/moz.build"
+
+# New entries to add
+new_entries = [
+    "search-config-icons/b99ed276-9557-4492-8bbb-d59826381893",
+    "search-config-icons/b99ed276-9557-4492-8bbb-d59826381893.meta.json",
+    "search-config-icons/b5fd21a8-e369-477f-a3f2-b47a370f9030",
+    "search-config-icons/b5fd21a8-e369-477f-a3f2-b47a370f9030.meta.json",
+]
+
+# Read the moz.build file
+with open(moz_build_path, "r") as file:
+    lines = file.readlines()
+
+# Locate the section for `search-config-icons`
+start_idx = None
+for idx, line in enumerate(lines):
+    if "FINAL_TARGET_FILES.defaults.settings.main[\"search-config-icons\"] += [" in line:
+        start_idx = idx
+        break
+
+if start_idx is None:
+    raise RuntimeError("Could not find the 'search-config-icons' section in moz.build")
+
+# Extract existing entries
+start_idx += 1
+end_idx = start_idx
+while end_idx < len(lines) and lines[end_idx].strip() != "]":
+    end_idx += 1
+
+current_entries = [line.strip().strip(",") for line in lines[start_idx:end_idx]]
+
+# Combine and sort all entries
+all_entries = sorted(set(current_entries + [f'"{entry}"' for entry in new_entries]))
+
+# Replace the section in moz.build
+lines[start_idx:end_idx] = [f"        {entry},\n" for entry in all_entries]
+
+# Write the updated content back to the file
+with open(moz_build_path, "w") as file:
+    file.writelines(lines)
+
+print("> Added trisquel's search engine icons to 'moz.build'")

helpers/DATA/gnome-boxes/001_add_trisquel_gnome-boxes_logo.patch

@@ -0,0 +1,29 @@
+diff --git a/data/osinfo/meson.build b/data/osinfo/meson.build
+index acf27962..158af16b 100644
+--- a/data/osinfo/meson.build
++++ b/data/osinfo/meson.build
+@@ -16,7 +16,8 @@ osinfo_db = [
+   ['popos-17.10.xml', 'gnome-boxes/osinfo/os/system76.com'],
+   ['rhel-8.0.xml', 'gnome-boxes/osinfo/os/redhat.com'],
+   ['rocky-8.4.xml', 'gnome-boxes/osinfo/os/rockylinux.org'],
+-  ['silverblue-28.xml', 'gnome-boxes/osinfo/os/fedoraproject.org']
++  ['silverblue-28.xml', 'gnome-boxes/osinfo/os/fedoraproject.org'],
++  ['trisquel-9.xml', 'gnome-boxes/osinfo/os/trisquel.info']
+ ]
+ 
+ foreach os: osinfo_db
+diff --git a/data/osinfo/trisquel-11.xml b/data/osinfo/trisquel-11.xml
+new file mode 100644
+index 00000000..ce9b4b36
+--- /dev/null
++++ b/data/osinfo/trisquel-9.xml
+@@ -0,0 +1,9 @@
++<libosinfo version="0.0.1">
++
++  <!-- Please read https://gitlab.gnome.org/GNOME/gnome-boxes-logos/-/raw/master/README.md for any questions about usage of product logos in Boxes. !-->
++
++  <os id="http://trisquel.info/trisquel/9">
++    <logo>https://gitlab.gnome.org/GNOME/gnome-boxes-logos/-/raw/master/logos/trisquel.svg</logo>
++  </os>
++
++</libosinfo>

helpers/DATA/gnome-software/rm_snap_fwup_support.patch

@@ -0,0 +1,86 @@
+diff --git a/debian/control b/debian/control
+index 2ea9e66..91f61fc 100644
+--- a/debian/control
++++ b/debian/control
+@@ -62,9 +62,8 @@ Depends: appstream,
+          ${misc:Depends},
+          ${shlibs:Depends}
+ Conflicts: sessioninstaller
+-Recommends: fwupd [linux-any], ${plugin:Recommends}
++Recommends: ${plugin:Recommends}
+ Suggests: apt-config-icons-hidpi,
+-          gnome-software-plugin-flatpak [amd64 arm64 armel armhf i386 mips mipsel mips64el ppc64el s390x hppa powerpc powerpcspe ppc64],
+           ${plugin:Suggests}
+ Description: Software Center for GNOME
+  Software lets you install and update applications and system extensions.
+@@ -106,26 +106,6 @@ Description: Flatpak support for GNOME Software
+  .
+  This package contains the Flatpak plugin.
+ 
+-Package: gnome-software-plugin-snap
+-Architecture: amd64 arm64 armel armhf i386 ppc64el s390x
+-Depends: gnome-software (= ${binary:Version}),
+-         snapd [amd64 arm64 armel armhf i386 ppc64el],
+-         ${misc:Depends},
+-         ${shlibs:Depends}
+-Recommends: snapd [s390x]
+-Breaks: gnome-software (<< 3.22.3)
+-Replaces: gnome-software (<< 3.22.3)
+-Description: Snap support for GNOME Software
+- Software lets you install and update applications and system extensions.
+- .
+- Software uses a plugin architecture to separate the frontend from the
+- technologies that are used underneath. Currently, a PackageKit plugin provides
+- data from a number of traditional packaging systems, such as rpm or apt. An
+- appdata plugin provides additional metadata from locally installed data in the
+- appdata format.
+- .
+- This package contains the Snap plugin.
+-
+ Package: gnome-software-dev
+ Section: libdevel
+ Architecture: any
+diff --git a/debian/rules b/debian/rules
+index f0bb2394..58b4bc70 100755
+--- a/debian/rules
++++ b/debian/rules
+@@ -30,11 +30,11 @@ ifeq ($(DEB_HOST_ARCH_OS), linux)
+ 	GS_CONFIGURE_FLAGS += -Dgudev=true
+ 	
+ 	# Enable fwupd support on Linux
+-	GS_CONFIGURE_FLAGS += -Dfwupd=true
++	GS_CONFIGURE_FLAGS += -Dfwupd=false
+ 
+ 	# Enable snap support on supported architectures
+ 	ifneq (,$(filter $(DEB_HOST_ARCH), amd64 arm64 armel armhf i386 ppc64el s390x))
+-		GS_CONFIGURE_FLAGS += -Dsnap=true
++		GS_CONFIGURE_FLAGS += -Dsnap=false
+ 	endif
+ endif
+ 
+@@ -42,9 +42,9 @@ DISTRO_ID = debian
+ FREE_REPOS = \'@DISTRO@-*-main\'
+ FREE_URL = https:\/\/www.debian.org\/social_contract\#guidelines
+ ifeq (yes,$(shell dpkg-vendor --derives-from Ubuntu && echo yes))
+-	DISTRO_ID = ubuntu
+-	FREE_REPOS = \'@DISTRO@-*-main\', \'@DISTRO@-*-universe\'
+-	FREE_URL = https:\/\/www.ubuntu.com\/about\/about-ubuntu\/licensing
++	DISTRO_ID = trisquel
++	FREE_REPOS = \'@DISTRO@-*-main\'
++	FREE_URL = https:\/\/trisquel.info\/legal
+ else ifeq (yes,$(shell dpkg-vendor --derives-from Tanglu && echo yes))
+ 	DISTRO_ID = tanglu
+ else ifeq (yes,$(shell dpkg-vendor --derives-from PureOS && echo yes))
+@@ -87,11 +87,7 @@ override_dh_shlibdeps:
+ override_dh_auto_test:
+ 
+ override_dh_gencontrol:
+-ifeq ($(shell dpkg-vendor --query vendor),Ubuntu)
+-	dh_gencontrol -- -Vplugin:Recommends='gnome-software-plugin-snap [linux-any]'
+-else
+-	dh_gencontrol -- -Vplugin:Suggests='gnome-software-plugin-snap [linux-any]'
+-endif
++	dh_gencontrol
+ 
+ override_dh_clean:
+ 	rm -f debian/gnome-software.gsettings-override

helpers/DATA/gnupg2/001-reduce_gpg-wks-server_dependency_to_match_later_releases.patch

@@ -0,0 +1,35 @@
+diff --git a/debian/control b/debian/control
+index c6a9778..ca0b1f0 100644
+--- a/debian/control
++++ b/debian/control
+@@ -254,8 +254,6 @@ Depends:
+  gpg-agent (>= ${source:Version}),
+  gpg-wks-client (<< ${source:Version}.1~),
+  gpg-wks-client (>= ${source:Version}),
+- gpg-wks-server (<< ${source:Version}.1~),
+- gpg-wks-server (>= ${source:Version}),
+  gpgsm (<< ${source:Version}.1~),
+  gpgsm (>= ${source:Version}),
+  gpgv (<< ${source:Version}.1~),
+@@ -265,6 +263,8 @@ Depends:
+ Recommends:
+  ${shlibs:Recommends},
+ Suggests:
++ gpg-wks-server (<< ${source:Version}.1~),
++ gpg-wks-server (>= ${source:Version}),
+  parcimonie,
+  xloadimage,
+ Breaks:
+diff --git a/debian/control b/debian/control
+index ca0b1f0..dc1d5cd 100644
+--- a/debian/control
++++ b/debian/control
+@@ -279,6 +279,8 @@ Breaks:
+  python-apt (<= 1.1.0~beta4),
+  python-gnupg (<< 0.3.8-3),
+  python3-apt (<= 1.1.0~beta4),
++Conflicts:
++ gpg-wks-server (<= 2.2.27-3ubuntu2.3+11.0trisquel0),
+ Replaces:
+  gnupg2 (<< 2.1.11-7+exp1),
+ Description: GNU privacy guard - a free PGP replacement

helpers/DATA/guix/cve/0001-etc-news-add-news-entry-for-build-user-takeover-vuln.patch

@@ -0,0 +1,57 @@
+From 532996c5908fb14cc8d102865280fb203c075c9c Mon Sep 17 00:00:00 2001
+From: Reepca Russelstein <reepca@russelstein.xyz>
+Date: Sun, 20 Oct 2024 17:32:23 -0500
+Subject: [PATCH] etc: news: add news entry for build user takeover
+ vulnerability fix.
+
+* etc/news.scm: add entry about build user takeover vulnerability.
+---
+ etc/news.scm | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/etc/news.scm b/etc/news.scm
+index a90f92a9ff..3fb53a9849 100644
+--- a/etc/news.scm
++++ b/etc/news.scm
+@@ -33,6 +33,38 @@
+ (channel-news
+  (version 0)
+ 
++ (entry (commit "5966e0fdc78771c562e0f484a22f381a77908be0")
++        (title
++         (en "Daemon vulnerability allowing takeover of build users fixed"))
++        (body
++         (en "A vulnerability allowing a local user to execute arbitrary code
++as any of the build users has been identified and fixed.  Most notably, this
++allows any local user to alter the result of any local build, even if it
++happens inside a container.  The only requirements to exploit this
++vulnerability are the ability to start a derivation build and the ability to
++run arbitrary code with access to the store in the root PID namespace on the
++machine that build occurs on.  This largely limits the vulnerability to
++multi-user systems.
++
++This vulnerability is caused by the fact that @command{guix-daemon} does not
++change ownership and permissions on the outputs of failed builds when it moves
++them to the store, and is also caused by there being a window of time between
++when it moves outputs of successful builds to the store and when it changes
++their ownership and permissions.  Because of this, a build can create a binary
++with both setuid and setgid bits set and have it become visible to the outside
++world once the build ends.  At that point any process that can access the
++store can execute it and gain the build user's privileges.  From there any
++process owned by that build user can be manipulated via procfs and signals at
++will, allowing the attacker to control the output of its builds.
++
++You are advised to upgrade @command{guix-daemon}.  Run @command{info \"(guix)
++Upgrading Guix\"}, for info on how to do that.  Additionally, if there is any
++risk that a builder may have already created these setuid binaries (for
++example on accident), run @command{guix gc} to remove all failed build
++outputs.
++
++See @uref{https://issues.guix.gnu.org/73919} for more information on this
++vulnerability.")))
+  (entry (commit "2161820ebbbab62a5ce76c9101ebaec54dc61586")
+         (title
+          (en "Risk of local privilege escalation during user account creation")
+-- 
+2.45.2
+

helpers/DATA/guix/cve/0001-nix-build-sanitize-failed-build-outputs-prior-to-exp.patch

@@ -0,0 +1,83 @@
+From e936861263d9bafdfbe395c12526f2dc48ac17d7 Mon Sep 17 00:00:00 2001
+Message-ID: <e936861263d9bafdfbe395c12526f2dc48ac17d7.1729457080.git.reepca@russelstein.xyz>
+From: Reepca Russelstein <reepca@russelstein.xyz>
+Date: Sun, 20 Oct 2024 15:36:06 -0500
+Subject: [PATCH 1/2] nix: build: sanitize failed build outputs prior to
+ exposing them.
+
+The only thing keeping a rogue builder and a local user from collaborating to
+usurp control over the builder's user during the build is the fact that
+whatever files the builder may produce are not accessible to any other users
+yet.  If we're going to make them accessible, we should probably do some
+sanity checking to ensure that sort of collaborating can't happen.
+
+Currently this isn't happening when failed build outputs are moved from the
+chroot as an aid to debugging.
+
+* nix/libstore/build.cc (secureFilePerms): new function.
+  (DerivationGoal::buildDone): use it.
+
+Change-Id: I9dce1e3d8813b31cabd87a0e3219bf9830d8be96
+---
+ nix/libstore/build.cc | 36 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
+index d23c0944a4..67ebfe2f14 100644
+--- a/nix/libstore/build.cc
++++ b/nix/libstore/build.cc
+@@ -1301,6 +1301,34 @@ void replaceValidPath(const Path & storePath, const Path tmpPath)
+ MakeError(NotDeterministic, BuildError)
+ 
+ 
++/* Recursively make the file permissions of a path safe for exposure to
++   arbitrary users, but without canonicalising its permissions, timestamp, and
++   user.  Throw an exception if a file type that isn't explicitly known to be
++   safe is found. */
++static void secureFilePerms(Path path)
++{
++  struct stat st;
++  if (lstat(path.c_str(), &st)) return;
++
++  switch(st.st_mode & S_IFMT) {
++  case S_IFLNK:
++    return;
++
++  case S_IFDIR:
++    for (auto & i : readDirectory(path)) {
++      secureFilePerms(path + "/" + i.name);
++    }
++    /* FALLTHROUGH */
++
++  case S_IFREG:
++    chmod(path.c_str(), (st.st_mode & ~S_IFMT) & ~(S_ISUID | S_ISGID | S_IWOTH));
++    break;
++
++  default:
++    throw Error(format("file `%1%' has an unsupported type") % path);
++  }
++}
++
+ void DerivationGoal::buildDone()
+ {
+     trace("build done");
+@@ -1372,9 +1400,15 @@ void DerivationGoal::buildDone()
+                build failures. */
+             if (useChroot && buildMode == bmNormal)
+                 foreach (PathSet::iterator, i, missingPaths)
+-                    if (pathExists(chrootRootDir + *i))
++                    if (pathExists(chrootRootDir + *i)) {
++                      try {
++                        secureFilePerms(chrootRootDir + *i);
+                         rename((chrootRootDir + *i).c_str(), i->c_str());
++                      } catch(Error & e) {
++                        printMsg(lvlError, e.msg());
++                      }
++                    }
+ 
+             if (diskFull)
+                 printMsg(lvlError, "note: build failure may have been caused by lack of free disk space");
+
+-- 
+2.45.2
+

helpers/DATA/guix/cve/0002-nix-build-sanitize-successful-build-outputs-prior-to.patch

@@ -0,0 +1,64 @@
+From d096d653cc69118e05f49247ab312d0096b16656 Mon Sep 17 00:00:00 2001
+Message-ID: <d096d653cc69118e05f49247ab312d0096b16656.1729457080.git.reepca@russelstein.xyz>
+In-Reply-To: <e936861263d9bafdfbe395c12526f2dc48ac17d7.1729457080.git.reepca@russelstein.xyz>
+References: <e936861263d9bafdfbe395c12526f2dc48ac17d7.1729457080.git.reepca@russelstein.xyz>
+From: Reepca Russelstein <reepca@russelstein.xyz>
+Date: Sun, 20 Oct 2024 15:39:02 -0500
+Subject: [PATCH 2/2] nix: build: sanitize successful build outputs prior to
+ exposing them.
+
+There is currently a window of time between when the build outputs are exposed
+and when their metadata is canonicalized.
+
+* nix/libstore/build.cc (DerivationGoal::registerOutputs): wait until after
+  metadata canonicalization to move successful build outputs to the store.
+
+Change-Id: Ia995136f3f965eaf7b0e1d92af964b816f3fb276
+---
+ nix/libstore/build.cc | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
+index 67ebfe2f14..43a8a37184 100644
+--- a/nix/libstore/build.cc
++++ b/nix/libstore/build.cc
+@@ -2369,15 +2369,6 @@ void DerivationGoal::registerOutputs()
+         Path actualPath = path;
+         if (useChroot) {
+             actualPath = chrootRootDir + path;
+-            if (pathExists(actualPath)) {
+-                /* Move output paths from the chroot to the store. */
+-                if (buildMode == bmRepair)
+-                    replaceValidPath(path, actualPath);
+-                else
+-                    if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
+-                        throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
+-            }
+-            if (buildMode != bmCheck) actualPath = path;
+         } else {
+             Path redirected = redirectedOutputs[path];
+             if (buildMode == bmRepair
+@@ -2463,6 +2454,20 @@ void DerivationGoal::registerOutputs()
+         canonicalisePathMetaData(actualPath,
+             buildUser.enabled() && !rewritten ? buildUser.getUID() : -1, inodesSeen);
+ 
++        if (useChroot) {
++          if (pathExists(actualPath)) {
++            /* Now that output paths have been canonicalized (in particular
++               there are no setuid files left), move them outside of the
++               chroot and to the store. */
++            if (buildMode == bmRepair)
++              replaceValidPath(path, actualPath);
++            else
++              if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
++                throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
++          }
++          if (buildMode != bmCheck) actualPath = path;
++        }
++
+         /* For this output path, find the references to other paths
+            contained in it.  Compute the SHA-256 NAR hash at the same
+            time.  The hash is stored in the database so that we can
+-- 
+2.45.2
+

helpers/DATA/guix/cve/CVE-2024-27297_4a67c00ad02fbe7a7f5796c4c4dc2c0ad70f0472.patch

@@ -0,0 +1,378 @@
+From 4a67c00ad02fbe7a7f5796c4c4dc2c0ad70f0472 Mon Sep 17 00:00:00 2001
+From: Vagrant Cascadian <vagrant@debian.org>
+Date: Tue, 12 Mar 2024 09:18:23 -0700
+Subject: [PATCH] debian/patches: guix-daemon: Protect against file descriptor
+ escape when building fixed-output derivations (CVE-2024-27297). (Closes:
+ #1066113)
+
+---
+ ...gainst-FD-escape-when-building-fixed.patch | 232 ++++++++++++++++++
+ ...hortcoming-in-previous-security-fix-.patch | 106 ++++++++
+ debian/patches/series                         |   2 +
+ 3 files changed, 340 insertions(+)
+ create mode 100644 debian/patches/security/0001-daemon-Protect-against-FD-escape-when-building-fixed.patch
+ create mode 100644 debian/patches/security/0032-daemon-Address-shortcoming-in-previous-security-fix-.patch
+
+diff --git a/debian/patches/security/0001-daemon-Protect-against-FD-escape-when-building-fixed.patch b/debian/patches/security/0001-daemon-Protect-against-FD-escape-when-building-fixed.patch
+new file mode 100644
+index 0000000000..e6e02cf206
+--- /dev/null
++++ b/debian/patches/security/0001-daemon-Protect-against-FD-escape-when-building-fixed.patch
+@@ -0,0 +1,232 @@
++From 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 Mon Sep 17 00:00:00 2001
++From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org>
++Date: Mon, 11 Mar 2024 10:59:42 +0100
++Subject: [PATCH 01/36] daemon: Protect against FD escape when building
++ fixed-output derivations (CVE-2024-27297).
++MIME-Version: 1.0
++Content-Type: text/plain; charset=UTF-8
++Content-Transfer-Encoding: 8bit
++
++This fixes a security issue (CVE-2024-27297) whereby a fixed-output
++derivation build process could open a writable file descriptor to its
++output, send it to some outside process for instance over an abstract
++AF_UNIX socket, which would then allow said process to modify the file
++in the store after it has been marked as “valid”.
++
++Vulnerability discovered by puck <https://github.com/puckipedia>.
++
++Nix security advisory:
++https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
++
++Nix fix:
++https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9
++
++* nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and
++a file descriptor.  Rewrite the ‘Path’ variant accordingly.
++(copyFile, copyFileRecursively): New functions.
++* nix/libutil/util.hh (copyFileRecursively): New declaration.
++* nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’
++is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output.
++
++Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4
++
++Reported-by: Picnoir <picnoir@alternativebit.fr>, Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
++Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88
++---
++ nix/libstore/build.cc |  16 ++++++
++ nix/libutil/util.cc   | 112 ++++++++++++++++++++++++++++++++++++++++--
++ nix/libutil/util.hh   |   6 +++
++ 3 files changed, 129 insertions(+), 5 deletions(-)
++
++diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
++index 461fcbc584..e2adee118b 100644
++--- a/nix/libstore/build.cc
+++++ b/nix/libstore/build.cc
++@@ -1382,6 +1382,22 @@ void DerivationGoal::buildDone()
++                 % drvPath % statusToString(status));
++         }
++ 
+++	if (fixedOutput) {
+++	    /* Replace the output, if it exists, by a fresh copy of itself to
+++               make sure that there's no stale file descriptor pointing to it
+++               (CVE-2024-27297).  */
+++	    foreach (DerivationOutputs::iterator, i, drv.outputs) {
+++		if (pathExists(i->second.path)) {
+++		    Path pivot = i->second.path + ".tmp";
+++		    copyFileRecursively(i->second.path, pivot, true);
+++		    int err = rename(pivot.c_str(), i->second.path.c_str());
+++		    if (err != 0)
+++			throw SysError(format("renaming `%1%' to `%2%'")
+++				       % pivot % i->second.path);
+++		}
+++	    }
+++	}
+++
++         /* Compute the FS closure of the outputs and register them as
++            being valid. */
++         registerOutputs();
++diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc
++index 82eac72120..493f06f357 100644
++--- a/nix/libutil/util.cc
+++++ b/nix/libutil/util.cc
++@@ -215,14 +215,11 @@ bool isLink(const Path & path)
++ }
++ 
++ 
++-DirEntries readDirectory(const Path & path)
+++static DirEntries readDirectory(DIR *dir)
++ {
++     DirEntries entries;
++     entries.reserve(64);
++ 
++-    AutoCloseDir dir = opendir(path.c_str());
++-    if (!dir) throw SysError(format("opening directory `%1%'") % path);
++-
++     struct dirent * dirent;
++     while (errno = 0, dirent = readdir(dir)) { /* sic */
++         checkInterrupt();
++@@ -230,11 +227,29 @@ DirEntries readDirectory(const Path & path)
++         if (name == "." || name == "..") continue;
++         entries.emplace_back(name, dirent->d_ino, dirent->d_type);
++     }
++-    if (errno) throw SysError(format("reading directory `%1%'") % path);
+++    if (errno) throw SysError(format("reading directory"));
++ 
++     return entries;
++ }
++ 
+++DirEntries readDirectory(const Path & path)
+++{
+++    AutoCloseDir dir = opendir(path.c_str());
+++    if (!dir) throw SysError(format("opening directory `%1%'") % path);
+++    return readDirectory(dir);
+++}
+++
+++static DirEntries readDirectory(int fd)
+++{
+++    /* Since 'closedir' closes the underlying file descriptor, duplicate FD
+++       beforehand.  */
+++    int fdcopy = dup(fd);
+++    if (fdcopy < 0) throw SysError("dup");
+++
+++    AutoCloseDir dir = fdopendir(fdcopy);
+++    if (!dir) throw SysError(format("opening directory from file descriptor `%1%'") % fd);
+++    return readDirectory(dir);
+++}
++ 
++ unsigned char getFileType(const Path & path)
++ {
++@@ -364,6 +379,93 @@ void deletePath(const Path & path, unsigned long long & bytesFreed, size_t linkT
++     _deletePath(path, bytesFreed, linkThreshold);
++ }
++ 
+++static void copyFile(int sourceFd, int destinationFd)
+++{
+++    struct stat st;
+++    if (fstat(sourceFd, &st) == -1) throw SysError("statting file");
+++
+++    ssize_t result = copy_file_range(sourceFd, NULL, destinationFd, NULL, st.st_size, 0);
+++    if (result < 0 && errno == ENOSYS) {
+++	for (size_t remaining = st.st_size; remaining > 0; ) {
+++	    unsigned char buf[8192];
+++	    size_t count = std::min(remaining, sizeof buf);
+++
+++	    readFull(sourceFd, buf, count);
+++	    writeFull(destinationFd, buf, count);
+++	    remaining -= count;
+++	}
+++    } else {
+++	if (result < 0)
+++	    throw SysError(format("copy_file_range `%1%' to `%2%'") % sourceFd % destinationFd);
+++	if (result < st.st_size)
+++	    throw SysError(format("short write in copy_file_range `%1%' to `%2%'")
+++			   % sourceFd % destinationFd);
+++    }
+++}
+++
+++static void copyFileRecursively(int sourceroot, const Path &source,
+++				int destinationroot, const Path &destination,
+++				bool deleteSource)
+++{
+++    struct stat st;
+++    if (fstatat(sourceroot, source.c_str(), &st, AT_SYMLINK_NOFOLLOW) == -1)
+++	throw SysError(format("statting file `%1%'") % source);
+++
+++    if (S_ISREG(st.st_mode)) {
+++	AutoCloseFD sourceFd = openat(sourceroot, source.c_str(),
+++				      O_CLOEXEC | O_NOFOLLOW | O_RDONLY);
+++	if (sourceFd == -1) throw SysError(format("opening `%1%'") % source);
+++
+++	AutoCloseFD destinationFd = openat(destinationroot, destination.c_str(),
+++					   O_CLOEXEC | O_CREAT | O_WRONLY | O_TRUNC,
+++					   st.st_mode);
+++	if (destinationFd == -1) throw SysError(format("opening `%1%'") % source);
+++
+++	copyFile(sourceFd, destinationFd);
+++    } else if (S_ISLNK(st.st_mode)) {
+++	char target[st.st_size + 1];
+++	ssize_t result = readlinkat(sourceroot, source.c_str(), target, st.st_size);
+++	if (result != st.st_size) throw SysError("reading symlink target");
+++	target[st.st_size] = '\0';
+++	int err = symlinkat(target, destinationroot, destination.c_str());
+++	if (err != 0)
+++	    throw SysError(format("creating symlink `%1%'") % destination);
+++    } else if (S_ISDIR(st.st_mode)) {
+++	int err = mkdirat(destinationroot, destination.c_str(), 0755);
+++	if (err != 0)
+++	    throw SysError(format("creating directory `%1%'") % destination);
+++
+++	AutoCloseFD destinationFd = openat(destinationroot, destination.c_str(),
+++					   O_CLOEXEC | O_RDONLY | O_DIRECTORY);
+++	if (err != 0)
+++	    throw SysError(format("opening directory `%1%'") % destination);
+++
+++	AutoCloseFD sourceFd = openat(sourceroot, source.c_str(),
+++				      O_CLOEXEC | O_NOFOLLOW | O_RDONLY);
+++	if (sourceFd == -1)
+++	    throw SysError(format("opening `%1%'") % source);
+++
+++        if (deleteSource && !(st.st_mode & S_IWUSR)) {
+++	    /* Ensure the directory writable so files within it can be
+++	       deleted.  */
+++            if (fchmod(sourceFd, st.st_mode | S_IWUSR) == -1)
+++                throw SysError(format("making `%1%' directory writable") % source);
+++        }
+++
+++        for (auto & i : readDirectory(sourceFd))
+++	    copyFileRecursively((int)sourceFd, i.name, (int)destinationFd, i.name,
+++				deleteSource);
+++    } else throw Error(format("refusing to copy irregular file `%1%'") % source);
+++
+++    if (deleteSource)
+++	unlinkat(sourceroot, source.c_str(),
+++		 S_ISDIR(st.st_mode) ? AT_REMOVEDIR : 0);
+++}
+++
+++void copyFileRecursively(const Path &source, const Path &destination, bool deleteSource)
+++{
+++    copyFileRecursively(AT_FDCWD, source, AT_FDCWD, destination, deleteSource);
+++}
++ 
++ static Path tempName(Path tmpRoot, const Path & prefix, bool includePid,
++     int & counter)
++diff --git a/nix/libutil/util.hh b/nix/libutil/util.hh
++index 880b0e93b2..058f5f8446 100644
++--- a/nix/libutil/util.hh
+++++ b/nix/libutil/util.hh
++@@ -102,6 +102,12 @@ void deletePath(const Path & path);
++ void deletePath(const Path & path, unsigned long long & bytesFreed,
++     size_t linkThreshold = 1);
++ 
+++/* Copy SOURCE to DESTINATION, recursively.  Throw if SOURCE contains a file
+++   that is not a regular file, symlink, or directory.  When DELETESOURCE is
+++   true, delete source files once they have been copied.  */
+++void copyFileRecursively(const Path &source, const Path &destination,
+++    bool deleteSource = false);
+++
++ /* Create a temporary directory. */
++ Path createTempDir(const Path & tmpRoot = "", const Path & prefix = "nix",
++     bool includePid = true, bool useGlobalCounter = true, mode_t mode = 0755);
++-- 
++2.39.2
++
+diff --git a/debian/patches/security/0032-daemon-Address-shortcoming-in-previous-security-fix-.patch b/debian/patches/security/0032-daemon-Address-shortcoming-in-previous-security-fix-.patch
+new file mode 100644
+index 0000000000..0d0b6bd22f
+--- /dev/null
++++ b/debian/patches/security/0032-daemon-Address-shortcoming-in-previous-security-fix-.patch
+@@ -0,0 +1,106 @@
++From ff1251de0bc327ec478fc66a562430fbf35aef42 Mon Sep 17 00:00:00 2001
++From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org>
++Date: Tue, 12 Mar 2024 11:53:35 +0100
++Subject: [PATCH 32/36] daemon: Address shortcoming in previous security fix
++ for CVE-2024-27297.
++MIME-Version: 1.0
++Content-Type: text/plain; charset=UTF-8
++Content-Transfer-Encoding: 8bit
++
++This is a followup to 8f4ffb3fae133bb21d7991e97c2f19a7108b1143.
++
++Commit 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 fell short in two
++ways: (1) it didn’t have any effet for fixed-output derivations
++performed in a chroot, which is the case for all of them except those
++using “builtin:download” and “builtin:git-download”, and (2) it did not
++preserve ownership when copying, leading to “suspicious ownership or
++permission […] rejecting this build output” errors.
++
++* nix/libstore/build.cc (DerivationGoal::buildDone): Account for
++‘chrootRootDir’ when copying ‘drv.outputs’.
++* nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and ‘fchownat’
++calls to preserve file ownership; this is necessary for chrooted
++fixed-output derivation builds.
++* nix/libutil/util.hh: Update comment.
++
++Change-Id: Ib59f040e98fed59d1af81d724b874b592cbef156
++---
++ nix/libstore/build.cc | 11 ++++++-----
++ nix/libutil/util.cc   |  4 ++++
++ nix/libutil/util.hh   |  7 ++++---
++ 3 files changed, 14 insertions(+), 8 deletions(-)
++
++diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
++index e2adee118b..d23c0944a4 100644
++--- a/nix/libstore/build.cc
+++++ b/nix/libstore/build.cc
++@@ -1387,13 +1387,14 @@ void DerivationGoal::buildDone()
++                make sure that there's no stale file descriptor pointing to it
++                (CVE-2024-27297).  */
++ 	    foreach (DerivationOutputs::iterator, i, drv.outputs) {
++-		if (pathExists(i->second.path)) {
++-		    Path pivot = i->second.path + ".tmp";
++-		    copyFileRecursively(i->second.path, pivot, true);
++-		    int err = rename(pivot.c_str(), i->second.path.c_str());
+++		Path output = chrootRootDir + i->second.path;
+++		if (pathExists(output)) {
+++		    Path pivot = output + ".tmp";
+++		    copyFileRecursively(output, pivot, true);
+++		    int err = rename(pivot.c_str(), output.c_str());
++ 		    if (err != 0)
++ 			throw SysError(format("renaming `%1%' to `%2%'")
++-				       % pivot % i->second.path);
+++				       % pivot % output);
++ 		}
++ 	    }
++ 	}
++diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc
++index 493f06f357..578d657293 100644
++--- a/nix/libutil/util.cc
+++++ b/nix/libutil/util.cc
++@@ -422,6 +422,7 @@ static void copyFileRecursively(int sourceroot, const Path &source,
++ 	if (destinationFd == -1) throw SysError(format("opening `%1%'") % source);
++ 
++ 	copyFile(sourceFd, destinationFd);
+++	fchown(destinationFd, st.st_uid, st.st_gid);
++     } else if (S_ISLNK(st.st_mode)) {
++ 	char target[st.st_size + 1];
++ 	ssize_t result = readlinkat(sourceroot, source.c_str(), target, st.st_size);
++@@ -430,6 +431,8 @@ static void copyFileRecursively(int sourceroot, const Path &source,
++ 	int err = symlinkat(target, destinationroot, destination.c_str());
++ 	if (err != 0)
++ 	    throw SysError(format("creating symlink `%1%'") % destination);
+++	fchownat(destinationroot, destination.c_str(),
+++		 st.st_uid, st.st_gid, AT_SYMLINK_NOFOLLOW);
++     } else if (S_ISDIR(st.st_mode)) {
++ 	int err = mkdirat(destinationroot, destination.c_str(), 0755);
++ 	if (err != 0)
++@@ -455,6 +458,7 @@ static void copyFileRecursively(int sourceroot, const Path &source,
++         for (auto & i : readDirectory(sourceFd))
++ 	    copyFileRecursively((int)sourceFd, i.name, (int)destinationFd, i.name,
++ 				deleteSource);
+++	fchown(destinationFd, st.st_uid, st.st_gid);
++     } else throw Error(format("refusing to copy irregular file `%1%'") % source);
++ 
++     if (deleteSource)
++diff --git a/nix/libutil/util.hh b/nix/libutil/util.hh
++index 058f5f8446..377aac0684 100644
++--- a/nix/libutil/util.hh
+++++ b/nix/libutil/util.hh
++@@ -102,9 +102,10 @@ void deletePath(const Path & path);
++ void deletePath(const Path & path, unsigned long long & bytesFreed,
++     size_t linkThreshold = 1);
++ 
++-/* Copy SOURCE to DESTINATION, recursively.  Throw if SOURCE contains a file
++-   that is not a regular file, symlink, or directory.  When DELETESOURCE is
++-   true, delete source files once they have been copied.  */
+++/* Copy SOURCE to DESTINATION, recursively, preserving ownership.  Throw if
+++   SOURCE contains a file that is not a regular file, symlink, or directory.
+++   When DELETESOURCE is true, delete source files once they have been
+++   copied.  */
++ void copyFileRecursively(const Path &source, const Path &destination,
++     bool deleteSource = false);
++ 
++-- 
++2.39.2
++
+diff --git a/debian/patches/series b/debian/patches/series_
+index 5d506e57..0b8879d1 100644
+--- a/debian/patches/series
++++ b/debian/patches/series_
+@@ -40,3 +40,5 @@ lsb-init-functions
+ guix-daemon-openrc-fixes
+ tests-Ensure-test-OpenPGP-keys-never-expire.patch
+ use-c-utf8-locale
++security/0001-daemon-Protect-against-FD-escape-when-building-fixed.patch
++security/0032-daemon-Address-shortcoming-in-previous-security-fix-.patch
+-- 
+GitLab
+

helpers/DATA/guix/guix-1.3.0.4-to-1.3.0-5.patch

@@ -0,0 +1,157 @@
+diff --git a/debian/control b/debian/control
+index f5080c40..24f545ae 100644
+--- a/debian/control
++++ b/debian/control
+@@ -44,7 +44,9 @@ Depends: ${misc:Depends}, ${shlibs:Depends},
+  guile-sqlite3 (>= 0.1.3-2~),
+  guile-zlib (>= 0.1.0),
+  libssh-dev,
+-Recommends: nscd,
++Recommends: ca-certificates,
++ less,
++ nscd,
+  systemd,
+ Description: GNU Guix functional package manager
+  Guix is an advanced distribution of the GNU operating system
+diff --git a/debian/patches/series b/debian/patches/series
+index 2151eca4..5d506e57 100644
+--- a/debian/patches/series
++++ b/debian/patches/series
+@@ -38,3 +38,5 @@ lsb-init-functions
+ 0030-Disable-gexp-derivation-allowed-references-test-when.patch
+ 0031-Disable-substitue-deduplication-test-when-network-is.patch
+ guix-daemon-openrc-fixes
++tests-Ensure-test-OpenPGP-keys-never-expire.patch
++use-c-utf8-locale
+diff --git a/guix/debian/patches/tests-Ensure-test-OpenPGP-keys-never-expire.patch b/debian/patches/tests-Ensure-test-OpenPGP-keys-never-expire.patch
+new file mode 100644
+index 00000000..3d23bd95
+--- /dev/null
++++ b/debian/patches/tests-Ensure-test-OpenPGP-keys-never-expire.patch
+@@ -0,0 +1,62 @@
++From 3ae7632ca0a1edca9d8c3c766efb0dcc8aa5da37 Mon Sep 17 00:00:00 2001
++From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org>
++Date: Wed, 18 May 2022 23:20:21 +0200
++Subject: [PATCH] tests: Ensure test OpenPGP keys never expire.
++
++All these keys had expiration dates.  'tests/keys/ed25519.pub' expired
++on 2022-04-24.
++
++Fixes <https://issues.guix.gnu.org/55506>.
++
++* tests/keys/ed25519.pub, tests/keys/ed25519-2.pub,
++tests/keys/ed25519-3.pub: Remove expiration date.
++---
++ tests/keys/ed25519-2.pub | 11 +++++------
++ tests/keys/ed25519-3.pub | 10 +++++-----
++ tests/keys/ed25519.pub   | 10 +++++-----
++ 3 files changed, 15 insertions(+), 16 deletions(-)
++
++Adjusted to apply to older locations present in 1.3.0.
++
++diff --git a/tests/ed25519bis.key b/tests/ed25519bis.key
++index f5329105d5..ef050e3845 100644
++--- a/tests/ed25519bis.key
+++++ b/tests/ed25519bis.key
++@@ -1,10 +1,9 @@
++ -----BEGIN PGP PUBLIC KEY BLOCK-----
++ 
++ mDMEXtVsNhYJKwYBBAHaRw8BAQdAnLsYdh3BpeK1xDguJE80XW2/MSmqeeP6pbQw
++-8jAw0OG0IkNoYXJsaWUgR3VpeCA8Y2hhcmxpZUBleGFtcGxlLm9yZz6IlgQTFggA
++-PhYhBKBDaY1jer75FlruS4IkDtyrgNqDBQJe1Ww2AhsDBQkDwmcABQsJCAcCBhUK
++-CQgLAgQWAgMBAh4BAheAAAoJEIIkDtyrgNqDM6cA/idDdoxo9SU+witdTXt24APH
++-yRzHbX9Iyh4dZNIek9JwAP9E0BwSvDHB4LY9z4RWf2hJp3dm/yZ/jEpK+w4BGN4J
++-Ag==
++-=JIU0
+++8jAw0OG0IkNoYXJsaWUgR3VpeCA8Y2hhcmxpZUBleGFtcGxlLm9yZz6IkAQTFggA
+++OAIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBKBDaY1jer75FlruS4IkDtyr
+++gNqDBQJihWJtAAoJEIIkDtyrgNqDbs0BAPOaGSYf3pX3DReEe1zbxxVQrolX9/AZ
+++VP0AOt0TAgkzAP0Sr7G1NuCtjWWGK1WmlyTFPhOWLhNriKgZFkBZrGypAw==
+++=pdTB
++ -----END PGP PUBLIC KEY BLOCK-----
++diff --git a/tests/ed25519.key b/tests/ed25519.key
++index f6bf906783..5a2fccc9f9 100644
++--- a/tests/ed25519.key
+++++ b/tests/ed25519.key
++@@ -2,9 +2,9 @@
++ 
++ mDMEXqNaoBYJKwYBBAHaRw8BAQdArviKtelb4g0I3zx9xyDS40Oz8i1/LRXqppG6
++ b23Hdim0KEVkIFR3by1GaWZ0eSA8bHVkbyt0ZXN0LWVjY0BjaGJvdWliLm9yZz6I
++-lgQTFggAPhYhBETTHiGvcTj5tjIoCncfScv6rgctBQJeo1qgAhsDBQkDwmcABQsJ
++-CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEHcfScv6rgctq4MA/1R9G0roEwrHwmTd
++-DHxt211eLqupwXE0Z7xY2FH6DHk9AP4owEefBU7jQprSAzBS+c6gdS3SCCKKqAh6
++-ToZ4LmbKAw==
++-=FXMK
+++kAQTFggAOAIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBETTHiGvcTj5tjIo
+++CncfScv6rgctBQJihWH6AAoJEHcfScv6rgctfPMBAPv+yPmEgM+J6D1nZjXsO4zW
++++4e3y2Ez+QxgI2tn8Z2xAQDBUWyyu0X+8dguGmVlsaiQdkazaUSpexvIhh9zONYw
+++Bg==
+++=s4Vp
++ -----END PGP PUBLIC KEY BLOCK-----
++-- 
++2.30.2
++
+diff --git a/guix/debian/patches/use-c-utf8-locale b/debian/patches/use-c-utf8-locale
+new file mode 100644
+index 00000000..6f69c0fa
+--- /dev/null
++++ b/debian/patches/use-c-utf8-locale
+@@ -0,0 +1,58 @@
++Use the C.UTF-8 locale for guix-daemon and guix-publish.
++
++https://bugs.debian.org/1012536
++
++Index: guix/etc/guix-daemon.service.in
++===================================================================
++--- guix.orig/etc/guix-daemon.service.in
+++++ guix/etc/guix-daemon.service.in
++@@ -7,7 +7,7 @@ Description=Build daemon for GNU Guix
++ 
++ [Service]
++ ExecStart=/usr/bin/guix-daemon --build-users-group=_guixbuild
++-Environment='GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale' LC_ALL=en_US.utf8
+++Environment=LC_ALL=C.UTF-8
++ RemainAfterExit=yes
++ StandardOutput=syslog
++ StandardError=syslog
++Index: guix/etc/init.d/guix-daemon.in
++===================================================================
++--- guix.orig/etc/init.d/guix-daemon.in
+++++ guix/etc/init.d/guix-daemon.in
++@@ -35,8 +35,7 @@ start)
++       -a \
++       -e "/var/log/guix-daemon-stderr.log" \
++       -o "/var/log/guix-daemon-stdout.log" \
++-      -E GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale \
++-      -E LC_ALL=en_US.utf8 \
+++      -E LC_ALL=C.UTF-8 \
++       -p "/var/run/guix-daemon.pid" \
++       /usr/bin/guix-daemon \
++       --build-users-group=_guixbuild
++Index: guix/etc/openrc/guix-daemon.in
++===================================================================
++--- guix.orig/etc/openrc/guix-daemon.in
+++++ guix/etc/openrc/guix-daemon.in
++@@ -17,8 +17,7 @@
++ # You should have received a copy of the GNU General Public License
++ # along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
++ 
++-export GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale
++-export LC_ALL=en_US.utf8
+++export LC_ALL=C.UTF-8
++ command="/usr/bin/guix-daemon"
++ command_args="--build-users-group=_guixbuild"
++ command_background="yes"
++Index: guix/etc/guix-publish.service.in
++===================================================================
++--- guix.orig/etc/guix-publish.service.in
+++++ guix/etc/guix-publish.service.in
++@@ -10,7 +10,7 @@ After=guix-daemon.service
++ 
++ [Service]
++ ExecStart=/usr/bin/guix publish --user=nobody --port=8181
++-Environment='GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale' LC_ALL=en_US.utf8
+++Environment=LC_ALL=C.UTF-8
++ RemainAfterExit=yes
++ StandardOutput=syslog
++ StandardError=syslog

helpers/DATA/hplip/patch_changes/000-add_trisquel_distro_definition_distros_password.patch

@@ -0,0 +1,313 @@
+diff --git a/installer/distros.dat b/installer/distros.dat
+index 80588920..66bb81a1 100644
+--- a/installer/distros.dat
++++ b/installer/distros.dat
+@@ -94,7 +94,7 @@
+ # ****************************************
+ 
+ [distros]
+-distros=unknown,mepis,debian,suse,mandriva,fedora,redhat,rhel,slackware,gentoo,redflag,ubuntu,xandros,freebsd,linspire,ark,pclinuxos,centos,igos,linuxmint,linpus,gos,boss,lfs,manjarolinux,zorin,mxlinux,elementary
++distros=unknown,mepis,debian,suse,mandriva,fedora,redhat,rhel,slackware,gentoo,redflag,ubuntu,xandros,freebsd,linspire,ark,pclinuxos,centos,igos,linuxmint,linpus,gos,boss,lfs,manjarolinux,zorin,mxlinux,elementary,trisquel
+ 
+ # ****************************************
+ 
+@@ -18946,3 +18946,287 @@ packages=automake1.11
+ packages=epm
+ 
+ # ****************************************
++
++[trisquel]
++index=99
++versions=11.0.1,12.0
++display_name=Trisquel GNU/Linux
++alt_names=trisquel,Trisquel GNU/Linux
++display=1
++notes=
++package_mgrs=dpkg,apt-get,synaptic,update-manager,adept,aptitude,adept-updater
++package_mgr_cmd=sudo apt-get install --assume-yes $packages_to_install
++pre_depend_cmd=sudo dpkg --configure -a,sudo apt-get install --yes --force-yes -f,sudo apt-get update
++post_depend_cmd=
++hp_libs_remove_cmd= sudo apt-get remove libhpmud0 libsane-hpaio printer-driver-postscript-hp
++hplip_remove_cmd=sudo aptitude remove --assume-yes hplip hpijs
++su_sudo=sudo
++ppd_install=ppd
++udev_mode_fix=1
++ppd_dir=
++fix_ppd_symlink=0
++drv_dir=/usr/share/cups/drv/HP
++
++# ****************************************
++
++[trisquel:11.0.1]
++code_name=aramo
++supported=1
++scan_supported=1
++fax_supported=1
++pcard_supported=1
++network_supported=1
++parallel_supported=1
++usb_supported=1
++packaged_version=3.21.12
++release_date=01/01/2022
++notes=
++ppd_install=drv
++udev_mode_fix=1
++ppd_dir=/usr/share/ppd/HP
++fix_ppd_symlink=0
++drv_dir=/usr/share/cups/drv/HP
++ui_toolkit=qt5
++native_cups=1
++acl_rules=1
++
++libdir_path=/usr/lib
++
++[trisquel:11.0.1:cups]
++packages=libcups2
++
++[trisquel:11.0.1:cups-devel]
++packages=libcups2-dev,cups-bsd,cups-client
++
++[trisquel:11.0.1:gcc]
++packages=build-essential
++
++[trisquel:11.0.1:gs]
++packages=ghostscript
++
++[trisquel:11.0.1:libcrypto]
++packages=openssl
++
++[trisquel:11.0.1:libjpeg]
++packages=libjpeg-dev
++
++[trisquel:11.0.1:libatk-adaptor]
++packages=libatk-adaptor
++
++[trisquel:11.0.1:libgail-common]
++packages=libgail-common
++
++[trisquel:11.0.1:libnetsnmp-devel]
++packages=libsnmp-dev
++
++[trisquel:11.0.1:libpthread]
++packages=build-essential
++
++[trisquel:11.0.1:libtool]
++packages=libtool,libtool-bin
++
++[trisquel:11.0.1:libusb]
++packages=libusb-1.0-0-dev,libusb-0.1-4
++
++[trisquel:11.0.1:make]
++packages=build-essential
++
++[trisquel:11.0.1:ppdev]
++packages=
++commands=sudo modprobe ppdev,sudo cp -f /etc/modules /etc/modules.hplip,echo ppdev | sudo tee -a /etc/modules
++
++[trisquel:11.0.1:sane]
++packages=libsane
++
++[trisquel:11.0.1:sane-devel]
++packages=libsane-dev
++
++[trisquel:11.0.1:scanimage]
++packages=sane-utils
++
++[trisquel:11.0.1:xsane]
++packages=gtk2-engines-pixbuf,xsane
++
++[trisquel:11.0.1:dbus]
++packages=libdbus-1-dev
++
++[trisquel:11.0.1:cups-image]
++packages=libcupsimage2-dev
++
++[trisquel:11.0.1:cups-ddk]
++packages=cups
++
++[trisquel:11.0.1:policykit]
++packages=policykit-1,policykit-1-gnome
++
++[trisquel:11.0.1:network]
++packages=wget
++
++[trisquel:11.0.1:avahi-utils]
++packages=avahi-utils
++
++[trisquel:11.0.1:libavahi-dev]
++packages=libavahi-client-dev,libavahi-core-dev,libavahi-common-dev
++
++[trisquel:11.0.1:python3-notify2]
++packages=python3-notify2
++
++[trisquel:11.0.1:python3-pyqt5-dbus]
++packages=python3-dbus.mainloop.pyqt5
++
++[trisquel:11.0.1:python3-pyqt5]
++packages=python3-pyqt5,gtk2-engines-pixbuf
++
++[trisquel:11.0.1:python3-dbus]
++packages=python3-dbus,python3-gi
++
++[trisquel:11.0.1:python3-xml]
++packages=python3-lxml
++
++[trisquel:11.0.1:python3-devel]
++packages=python3-dev
++
++[trisquel:11.0.1:python3-pil]
++packages=python3-pil
++
++[trisquel:11.0.1:python3-reportlab]
++packages=python3-reportlab
++
++[trisquel:11.0.1:automake]
++packages=automake1.11
++
++[trisquel:11.0.1:epm]
++packages=epm
++
++# ****************************************
++
++[trisquel:12.0]
++code_name=ecne
++supported=1
++scan_supported=1
++fax_supported=1
++pcard_supported=1
++network_supported=1
++parallel_supported=1
++usb_supported=1
++packaged_version=3.23.12
++release_date=01/01/2022
++notes=
++ppd_install=drv
++udev_mode_fix=1
++ppd_dir=/usr/share/ppd/HP
++fix_ppd_symlink=0
++drv_dir=/usr/share/cups/drv/HP
++ui_toolkit=qt5
++native_cups=1
++acl_rules=1
++
++libdir_path=/usr/lib
++
++[trisquel:12.0:cups]
++packages=libcups2t64
++
++[trisquel:12.0:cups-devel]
++packages=libcups2-dev,cups-bsd,cups-client
++
++[trisquel:12.0:gcc]
++packages=build-essential
++
++[trisquel:12.0:gs]
++packages=ghostscript
++
++[trisquel:12.0:libcrypto]
++packages=openssl
++
++[trisquel:12.0:libjpeg]
++packages=libjpeg-dev
++
++[trisquel:12.0:libatk-adaptor]
++packages=libatk-adaptor
++
++[trisquel:12.0:libgail-common]
++packages=libgail-common
++
++[trisquel:12.0:libnetsnmp-devel]
++packages=libsnmp-dev
++
++[trisquel:12.0:libpthread]
++packages=build-essential
++
++[trisquel:12.0:libtool]
++packages=libtool,libtool-bin
++
++[trisquel:12.0:libusb]
++packages=libusb-1.0-0-dev,libusb-0.1-4
++
++[trisquel:12.0:make]
++packages=build-essential
++
++[trisquel:12.0:ppdev]
++packages=
++commands=sudo modprobe ppdev,sudo cp -f /etc/modules /etc/modules.hplip,echo ppdev | sudo tee -a /etc/modules
++
++[trisquel:12.0:sane]
++packages=libsane1
++
++[trisquel:12.0:sane-devel]
++packages=libsane-dev
++
++[trisquel:12.0:scanimage]
++packages=sane-utils
++
++[trisquel:12.0:xsane]
++packages=gtk2-engines-pixbuf,xsane
++
++[trisquel:12.0:dbus]
++packages=libdbus-1-dev
++
++[trisquel:12.0:cups-image]
++packages=libcupsimage2-dev
++
++[trisquel:12.0:cups-ddk]
++packages=cups
++
++[trisquel:12.0:policykit]
++packages=policykit-1,policykit-1-gnome
++
++[trisquel:12.0:network]
++packages=wget
++
++[trisquel:12.0:avahi-utils]
++packages=avahi-utils
++
++[trisquel:12.0:libavahi-dev]
++packages=libavahi-client-dev,libavahi-core-dev,libavahi-common-dev
++
++[trisquel:12.0:python3-notify2]
++packages=python3-notify2
++
++[trisquel:12.0:python3-pyqt5-dbus]
++packages=python3-dbus.mainloop.pyqt5
++
++[trisquel:12.0:python3-pyqt5]
++packages=python3-pyqt5,gtk2-engines-pixbuf
++
++[trisquel:12.0:python3-dbus]
++packages=python3-dbus,python3-gi
++
++[trisquel:12.0:python3-xml]
++packages=python3-lxml
++
++[trisquel:12.0:python3-devel]
++packages=python3-dev
++
++[trisquel:12.0:python3-pil]
++packages=python3-pil
++
++[trisquel:12.0:python3-reportlab]
++packages=python3-reportlab
++
++[trisquel:12.0:automake]
++packages=automake1.11
++
++[trisquel:12.0:epm]
++packages=epm
++
++# ****************************************
+diff --git a/base/password.py b/base/password.py
+index a76d4048..b0c6fe20 100644
+--- a/base/password.py
++++ b/base/password.py
+@@ -63,6 +63,7 @@ AUTH_TYPES = {'mepis': 'su',
+               'debiangnu/linux' : 'su',
+               'mxlinux' : 'su',
+               'elementaryos' : 'sudo',
++              'trisquel' : 'sudo',
+               }
+ 
+ 

helpers/DATA/hplip/patch_changes/001-enable_distro_name_dectection.patch

@@ -0,0 +1,16 @@
+diff --git a/installer/core_install.py b/installer/core_install.py
+index 1c8af23e..9595b2c7 100644
+--- a/installer/core_install.py
++++ b/installer/core_install.py
+@@ -644,6 +644,11 @@ class CoreInstall(object):
+         ld = distro.linux_distribution(full_distribution_name=False)
+         name = ld[0]
+         ver = ld[1]
++        # Ensure variable exists (used below for MX detection)
++        try:
++            distro_release_name = distro.name(pretty=True) or ""
++        except Exception:
++            distro_release_name = ""
+ 
+         found = True
+ 

helpers/DATA/libmateweather/patch_changes/003-weather_server_uri_update_138.patch

@@ -0,0 +1,38 @@
+From 4e54f44dab4efa8c216b26ea7188b99c94882ba4 Mon Sep 17 00:00:00 2001
+From: Victor Kareh <vkareh@redhat.com>
+Date: Thu, 18 Sep 2025 11:40:55 -0400
+Subject: [PATCH] metar: Update AviationWeather URL
+
+According to their website: "The AviationWeather Data API has been
+redeveloped in 2025."
+
+Also they put 'METAR' (or 'SPECI') onto the beginning of data to make it
+ICAO compliant, so we add code to parse that.
+
+Fixes #135
+---
+ libmateweather/weather-metar.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libmateweather/weather-metar.c b/libmateweather/weather-metar.c
+index 7bc24fc9..4698a077 100644
+--- a/libmateweather/weather-metar.c
++++ b/libmateweather/weather-metar.c
+@@ -510,7 +510,7 @@ metar_finish (SoupSession *session, SoupMessage *msg, gpointer data)
+ 
+     loc = info->location;
+ 
+-    searchkey = g_strdup_printf ("<raw_text>%s", loc->code);
++    searchkey = g_strdup_printf ("<raw_text>METAR %s", loc->code);
+     p = strstr (msg->response_body->data, searchkey);
+     g_free (searchkey);
+     if (p) {
+@@ -550,7 +550,7 @@ metar_start_open (WeatherInfo *info)
+     }
+ 
+     msg = soup_form_request_new (
+-        "GET", "https://www.aviationweather.gov/cgi-bin/data/dataserver.php",
++        "GET", "https://aviationweather.gov/api/data/dataserver",
+         "dataSource", "metars",
+         "requestType", "retrieve",
+         "format", "xml",

helpers/DATA/linux-hwe-6.5/deblob-check

@@ -7058,6 +7058,9 @@ set_except () {
     # New in 6.6-rc, 6.5.9, 6.1.60, 5.15.137, 5.10.199.
     blobname 'gsl1680-\(bush-bush-windows-tablet\|positivo-c4128b\)\.fw' drivers/platform/x86/otuchscreen_dmi.c
 
+    # Trisquel changes for HWE 6.5
+    blobname 'qcom[/]prog_firehose_sdx6x\.elf' drivers/bus/mhi/host/pci_generic.c
+
     ;;
 
   */*freedo*.patch | */*logo*.patch)

helpers/DATA/linux-hwe-6.5/silent-accept-firmware.patch

@@ -229,20 +229,21 @@ diff --color -Nru a/drivers/gpu/drm/amd/amdgpu/cik_sdma.c b/drivers/gpu/drm/amd/
  		for (i = 0; i < adev->sdma.num_instances; i++)
  			amdgpu_ucode_release(&adev->sdma.instance[i].fw);
  	}
-diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
-index 49d34c7..376ccc3 100644
---- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
-+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
-@@ -4011,8 +4011,7 @@ static int gfx_v10_0_init_microcode(struct amdgpu_device *adev)
- 			goto out;
- 		if (err)
- 			dev_dbg(adev->dev,
--				"gfx10: amdgpu_ucode_request() failed \"%s\"\n",
--				fw_name);
-+				"gfx10: amdgpu_ucode_request() failed \n");
- 		rlc_hdr = (const struct rlc_firmware_header_v2_0 *)adev->gfx.rlc_fw->data;
- 		version_major = le16_to_cpu(rlc_hdr->header.header_version_major);
- 		version_minor = le16_to_cpu(rlc_hdr->header.header_version_minor);
+# removed starting at
+#diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+#index 49d34c7..376ccc3 100644
+#--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+#+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+#@@ -4011,8 +4011,7 @@ static int gfx_v10_0_init_microcode(struct amdgpu_device *adev)
+# 			goto out;
+# 		if (err)
+# 			dev_dbg(adev->dev,
+#-				"gfx10: amdgpu_ucode_request() failed \"%s\"\n",
+#-				fw_name);
+#+				"gfx10: amdgpu_ucode_request() failed \n");
+# 		rlc_hdr = (const struct rlc_firmware_header_v2_0 *)adev->gfx.rlc_fw->data;
+# 		version_major = le16_to_cpu(rlc_hdr->header.header_version_major);
+# 		version_minor = le16_to_cpu(rlc_hdr->header.header_version_minor);
 diff --color -Nru a/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c
 --- a/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c	2022-07-31 16:03:01.000000000 -0500
 +++ b/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c	2023-03-09 19:48:18.700813841 -0600
@@ -1973,3 +1974,88 @@ index bd4c4174..9beeb2e6 100644
  
  	return request_firmware_nowait(THIS_MODULE, 1, drv->firmware_name,
  				       drv->trans->dev,
+diff --git a/drivers/bluetooth/hci_intel.c b/drivers/bluetooth/hci_intel.c
+index f9d2740a..37f4b0c3 100644
+--- a/drivers/bluetooth/hci_intel.c
++++ b/drivers/bluetooth/hci_intel.c
+@@ -701,8 +701,7 @@ static int intel_setup(struct hci_uart *hu)
+ 
+ 	err = request_firmware(&fw, fwname, &hdev->dev);
+ 	if (err < 0) {
+-		bt_dev_err(hdev, "Failed to load Intel firmware file (%d)",
+-			   err);
++		bt_dev_err(hdev, "Failed to load firmware file");
+ 		return err;
+ 	}
+ 
+diff --git a/drivers/bluetooth/hci_nokia.c b/drivers/bluetooth/hci_nokia.c
+index 97da0b2b..f8c38d91 100644
+--- a/drivers/bluetooth/hci_nokia.c
++++ b/drivers/bluetooth/hci_nokia.c
+@@ -344,8 +344,7 @@ static int nokia_setup_fw(struct hci_uart *hu)
+ 
+ 	err = request_firmware(&fw, fwname, dev);
+ 	if (err < 0) {
+-		dev_err(dev, "%s: Failed to load Nokia firmware file (%d)",
+-			hu->hdev->name, err);
++		dev_err(dev, "Failed to load firmware file");
+ 		return err;
+ 	}
+ 
+diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
+index f9b77a17..147d9fff 100644
+--- a/drivers/bluetooth/btintel.c
++++ b/drivers/bluetooth/btintel.c
+@@ -2049,12 +2049,11 @@ static int btintel_download_fw(struct hci_dev *hdev,
+ 			return 0;
+ 		}
+ 
+-		bt_dev_err(hdev, "Failed to load Intel firmware file (%d)",
+-			   err);
++		bt_dev_err(hdev, "Failed to load firmware file");
+ 		return err;
+ 	}
+ 
+-	bt_dev_info(hdev, "Found device firmware: %s", fwname);
++	bt_dev_info(hdev, "Found device firmware");
+ 
+ 	if (fw->size < 644) {
+ 		bt_dev_err(hdev, "Invalid size of firmware file (%zu)",
+@@ -2238,13 +2237,12 @@ static int btintel_prepare_fw_download_tlv(struct hci_dev *hdev,
+ 			return 0;
+ 		}
+ 
+-		bt_dev_err(hdev, "Failed to load Intel firmware file (%d)",
+-			   err);
++		bt_dev_err(hdev, "Failed to load firmware file");
+ 
+ 		return err;
+ 	}
+ 
+-	bt_dev_info(hdev, "Found device firmware: %s", fwname);
++	bt_dev_info(hdev, "Found device firmware");
+ 
+ 	if (fw->size < 644) {
+ 		bt_dev_err(hdev, "Invalid size of firmware file (%zu)",
+diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
+index 809762d6..fe2545ce 100644
+--- a/drivers/bluetooth/btmtk.c
++++ b/drivers/bluetooth/btmtk.c
+@@ -69,7 +69,7 @@ int btmtk_setup_firmware_79xx(struct hci_dev *hdev, const char *fwname,
+ 
+ 	err = request_firmware(&fw, fwname, &hdev->dev);
+ 	if (err < 0) {
+-		bt_dev_err(hdev, "Failed to load firmware file (%d)", err);
++		bt_dev_err(hdev, "Failed to load firmware file");
+ 		return err;
+ 	}
+ 
+@@ -181,7 +181,7 @@ int btmtk_setup_firmware(struct hci_dev *hdev, const char *fwname,
+ 
+ 	err = request_firmware(&fw, fwname, &hdev->dev);
+ 	if (err < 0) {
+-		bt_dev_err(hdev, "Failed to load firmware file (%d)", err);
++		bt_dev_err(hdev, "Failed to load firmware file");
+ 		return err;
+ 	}
+ 

helpers/DATA/linux-hwe-6.5/udeb/d-i.patch

@@ -1,8 +1,8 @@
 diff --git a/debian/rules b/debian/rules
-index fe52711..b2d1921 100755
+index 661286bd..e828a0ac 100755
 --- a/debian/rules
 +++ b/debian/rules
-@@ -134,12 +134,19 @@ clean: debian/control debian/canonical-certs.pem debian/canonical-revoked-certs.
+@@ -128,12 +128,19 @@ clean: debian/control debian/canonical-certs.pem debian/canonical-revoked-certs.
  	dh_testroot
  	dh_clean
  
@@ -12,7 +12,7 @@ index fe52711..b2d1921 100755
 +	rm -f $(DEBIAN)/d-i/firmware/$(arch)/kernel-image
 +
  	# normal build junk
- 	rm -rf $(DEBIAN)/abi/$(release)-$(revision)
+ 	rm -rf $(DEBIAN)/abi
  	rm -rf $(builddir)
  	rm -f $(stampdir)/stamp-*
  	rm -rf debian/linux-*/
@@ -22,14 +22,15 @@ index fe52711..b2d1921 100755
  	cp $(DEBIAN)/changelog debian/changelog
  
  	# Install the copyright information.
-@@ -184,7 +191,6 @@ $(DEBIAN)/control.stub: 				\
- 		$(DROOT)/scripts/control-create		\
- 		$(control_files)			\
- 		debian/canonical-revoked-certs.pem	\
--		$(DROOT)/control.d/flavour-module.stub	\
- 		$(DEBIAN)/changelog			\
- 		$(wildcard $(DEBIAN)/control.d/* $(DEBIAN)/sub-flavours/*.vars)
- 	for i in $(control_files); do                                           \
+#removed at 6.5.0-27.28~22.04.1
+#@@ -184,7 +191,6 @@ $(DEBIAN)/control.stub: 				\
+# 		$(DROOT)/scripts/control-create		\
+# 		$(control_files)			\
+# 		debian/canonical-revoked-certs.pem	\
+#-		$(DROOT)/control.d/flavour-module.stub	\
+# 		$(DEBIAN)/changelog			\
+# 		$(wildcard $(DEBIAN)/control.d/* $(DEBIAN)/sub-flavours/*.vars)
+# 	for i in $(control_files); do                                           \
 @@ -211,7 +217,14 @@ $(DEBIAN)/control.stub: 				\
  
  .PHONY: debian/control

helpers/DATA/linux-hwe-6.5/udeb/disable_zstd_module_compression.patch

@@ -0,0 +1,15 @@
+diff --git a/debian/rules.d/0-common-vars.mk b/debian/rules.d/0-common-vars.mk_
+index bc873563..d6692ca1 100644
+--- a/debian/rules.d/0-common-vars.mk
++++ b/debian/rules.d/0-common-vars.mk_
+@@ -197,8 +197,9 @@ do_dtbs=false
+ do_fips_checks=false
+ 
+ # ZSTD compressed kernel modules
++ifeq ($(filter $(series),jammy aramo),)
+ do_zstd_ko=true
+-ifeq ($(series),jammy)
++else
+ do_zstd_ko=
+ endif
+ 

helpers/DATA/linux-hwe-6.8/001-revert_iwlwifi_clear_firmware1.patch

@@ -0,0 +1,21 @@
+reverts https://lore.kernel.org/all/iwlwifi.20211210110539.1f742f0eb58a.I1315f22f6aa632d94ae2069f85e1bca5e734dce0@changeid/
+
+--- b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
++++ a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+@@ -1597,8 +1597,15 @@
+ 	 * else from proceeding if the module fails to load
+ 	 * or hangs loading.
+ 	 */
++	if (load_module) {
+-	if (load_module)
+ 		request_module("%s", op->name);
++#ifdef CONFIG_IWLWIFI_OPMODE_MODULAR
++		if (err)
++			IWL_ERR(drv,
++				"failed to load module %s (error %d), is dynamic loading enabled?\n",
++				op->name, err);
++#endif
++	}
+ 	failure = false;
+ 	goto free;
+ 

helpers/DATA/linux-hwe-6.8/002-revert_iwlwifi_clear_firmware2.patch

@@ -0,0 +1,40 @@
+reverts https://lore.kernel.org/all/iwlwifi.20211210110539.1f742f0eb58a.I1315f22f6aa632d94ae2069f85e1bca5e734dce0@changeid/
+
+--- b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
++++ a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+@@ -130,9 +130,6 @@
+ 
+ 	for (i = 0; i < IWL_UCODE_TYPE_MAX; i++)
+ 		iwl_free_fw_img(drv, drv->fw.img + i);
+-
+-	/* clear the data for the aborted load case */
+-	memset(&drv->fw, 0, sizeof(drv->fw));
+ }
+ 
+ static int iwl_alloc_fw_desc(struct iwl_drv *drv, struct fw_desc *desc,
+@@ -1429,7 +1426,6 @@
+ 	int i;
+ 	bool load_module = false;
+ 	bool usniffer_images = false;
+-	bool failure = true;
+ 
+ 	fw->ucode_capa.max_probe_length = IWL_DEFAULT_MAX_PROBE_LENGTH;
+ 	fw->ucode_capa.standard_phy_calibration_size =
+@@ -1699,7 +1695,6 @@
+ 				op->name, err);
+ #endif
+ 	}
+-	failure = false;
+ 	goto free;
+ 
+  try_again:
+@@ -1715,9 +1710,6 @@
+ 	complete(&drv->request_firmware_complete);
+ 	device_release_driver(drv->trans->dev);
+  free:
+-	if (failure)
+-		iwl_dealloc_ucode(drv);
+-
+ 	if (pieces) {
+ 		for (i = 0; i < ARRAY_SIZE(pieces->img); i++)
+ 			kfree(pieces->img[i].sec);

helpers/DATA/linux-hwe-6.8/003-revert_iwlwifi_clear_firmware3.patch

@@ -0,0 +1,13 @@
+reverts https://lore.kernel.org/all/iwlwifi.20211210110539.1f742f0eb58a.I1315f22f6aa632d94ae2069f85e1bca5e734dce0@changeid/
+
+diff -ru source.orig/drivers/net/wireless/intel/iwlwifi/iwl-drv.c source/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+--- source.orig/drivers/net/wireless/intel/iwlwifi/iwl-drv.c	2022-05-13 16:10:11.883295769 -0400
++++ source/drivers/net/wireless/intel/iwlwifi/iwl-drv.c	2022-05-13 20:13:06.568151229 -0400
+@@ -1605,7 +1605,6 @@
+ 	complete(&drv->request_firmware_complete);
+ 	device_release_driver(drv->trans->dev);
+ 	/* drv has just been freed by the release */
+-	failure = false;
+  free:
+ 	if (pieces) {
+ 		for (i = 0; i < ARRAY_SIZE(pieces->img); i++)

helpers/DATA/linux-hwe-6.8/004-enable_blobless_activation_radeon.patch

@@ -0,0 +1,227 @@
+Based on https://libreplanet.org/wiki/Group:Hardware/research/gpu/radeon
+
+diff -ru a/drivers/gpu/drm/radeon/btc_dpm.c b/drivers/gpu/drm/radeon/btc_dpm.c
+--- a/drivers/gpu/drm/radeon/btc_dpm.c	2021-10-31 16:53:10.000000000 -0400
++++ b/drivers/gpu/drm/radeon/btc_dpm.c	2023-02-13 15:50:41.218608376 -0500
+@@ -2437,7 +2437,6 @@
+ 	ret = rv770_upload_firmware(rdev);
+ 	if (ret) {
+ 		DRM_ERROR("rv770_upload_firmware failed\n");
+-		return ret;
+ 	}
+ 	ret = cypress_get_table_locations(rdev);
+ 	if (ret) {
+diff -ru a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c
+--- a/drivers/gpu/drm/radeon/ci_dpm.c	2021-10-31 16:53:10.000000000 -0400
++++ b/drivers/gpu/drm/radeon/ci_dpm.c	2023-02-13 15:53:38.591724496 -0500
+@@ -5157,7 +5157,6 @@
+ 	ret = ci_upload_firmware(rdev);
+ 	if (ret) {
+ 		DRM_ERROR("ci_upload_firmware failed\n");
+-		return ret;
+ 	}
+ 	ret = ci_process_firmware_header(rdev);
+ 	if (ret) {
+diff -ru a/drivers/gpu/drm/radeon/cik.c b/drivers/gpu/drm/radeon/cik.c
+--- a/drivers/gpu/drm/radeon/cik.c	2023-02-13 15:21:35.174999782 -0500
++++ b/drivers/gpu/drm/radeon/cik.c	2023-02-13 15:47:37.149601121 -0500
+@@ -8285,7 +8285,6 @@
+ 		r = ci_mc_load_microcode(rdev);
+ 		if (r) {
+ 			DRM_ERROR("Failed to load MC firmware!\n");
+-			return r;
+ 		}
+ 	}
+ 
+@@ -8591,7 +8590,6 @@
+ 			r = cik_init_microcode(rdev);
+ 			if (r) {
+ 				DRM_ERROR("Failed to load firmware!\n");
+-				return r;
+ 			}
+ 		}
+ 	} else {
+@@ -8601,7 +8599,6 @@
+ 			r = cik_init_microcode(rdev);
+ 			if (r) {
+ 				DRM_ERROR("Failed to load firmware!\n");
+-				return r;
+ 			}
+ 		}
+ 	}
+@@ -8668,7 +8665,6 @@
+ 	 */
+ 	if (!rdev->mc_fw && !(rdev->flags & RADEON_IS_IGP)) {
+ 		DRM_ERROR("radeon: MC ucode required for NI+.\n");
+-		return -EINVAL;
+ 	}
+ 
+ 	return 0;
+diff -ru a/drivers/gpu/drm/radeon/cypress_dpm.c b/drivers/gpu/drm/radeon/cypress_dpm.c
+--- a/drivers/gpu/drm/radeon/cypress_dpm.c	2021-10-31 16:53:10.000000000 -0400
++++ b/drivers/gpu/drm/radeon/cypress_dpm.c	2023-02-13 15:50:25.130869935 -0500
+@@ -1862,7 +1862,6 @@
+ 	ret = rv770_upload_firmware(rdev);
+ 	if (ret) {
+ 		DRM_ERROR("rv770_upload_firmware failed\n");
+-		return ret;
+ 	}
+ 
+ 	ret = cypress_get_table_locations(rdev);
+diff -ru a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c
+--- a/drivers/gpu/drm/radeon/evergreen.c	2021-10-31 16:53:10.000000000 -0400
++++ b/drivers/gpu/drm/radeon/evergreen.c	2023-02-13 15:47:50.457384749 -0500
+@@ -5018,7 +5018,6 @@
+ 		r = ni_mc_load_microcode(rdev);
+ 		if (r) {
+ 			DRM_ERROR("Failed to load MC firmware!\n");
+-			return r;
+ 		}
+ 	}
+ 
+@@ -5235,7 +5234,6 @@
+ 			r = ni_init_microcode(rdev);
+ 			if (r) {
+ 				DRM_ERROR("Failed to load firmware!\n");
+-				return r;
+ 			}
+ 		}
+ 	} else {
+@@ -5243,7 +5241,6 @@
+ 			r = r600_init_microcode(rdev);
+ 			if (r) {
+ 				DRM_ERROR("Failed to load firmware!\n");
+-				return r;
+ 			}
+ 		}
+ 	}
+@@ -5289,7 +5286,6 @@
+ 	if (ASIC_IS_DCE5(rdev)) {
+ 		if (!rdev->mc_fw && !(rdev->flags & RADEON_IS_IGP)) {
+ 			DRM_ERROR("radeon: MC ucode required for NI+.\n");
+-			return -EINVAL;
+ 		}
+ 	}
+ 
+diff -ru a/drivers/gpu/drm/radeon/ni.c b/drivers/gpu/drm/radeon/ni.c
+--- a/drivers/gpu/drm/radeon/ni.c	2021-10-31 16:53:10.000000000 -0400
++++ b/drivers/gpu/drm/radeon/ni.c	2023-02-13 15:46:45.402442454 -0500
+@@ -2163,7 +2163,6 @@
+ 		r = ni_mc_load_microcode(rdev);
+ 		if (r) {
+ 			DRM_ERROR("Failed to load MC firmware!\n");
+-			return r;
+ 		}
+ 	}
+ 
+@@ -2390,7 +2389,6 @@
+ 			r = ni_init_microcode(rdev);
+ 			if (r) {
+ 				DRM_ERROR("Failed to load firmware!\n");
+-				return r;
+ 			}
+ 		}
+ 	} else {
+@@ -2398,7 +2396,6 @@
+ 			r = ni_init_microcode(rdev);
+ 			if (r) {
+ 				DRM_ERROR("Failed to load firmware!\n");
+-				return r;
+ 			}
+ 		}
+ 	}
+@@ -2453,7 +2450,6 @@
+ 	 */
+ 	if (!rdev->mc_fw && !(rdev->flags & RADEON_IS_IGP)) {
+ 		DRM_ERROR("radeon: MC ucode required for NI+.\n");
+-		return -EINVAL;
+ 	}
+ 
+ 	return 0;
+diff -ru a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c
+--- a/drivers/gpu/drm/radeon/r100.c	2023-02-13 15:21:35.174999782 -0500
++++ b/drivers/gpu/drm/radeon/r100.c	2023-02-13 15:49:15.548001277 -0500
+@@ -1134,7 +1134,6 @@
+ 		r = r100_cp_init_microcode(rdev);
+ 		if (r) {
+ 			DRM_ERROR("Failed to load firmware!\n");
+-			return r;
+ 		}
+ 	}
+ 
+diff -ru a/drivers/gpu/drm/radeon/r600.c b/drivers/gpu/drm/radeon/r600.c
+--- a/drivers/gpu/drm/radeon/r600.c	2023-02-13 15:21:35.174999782 -0500
++++ b/drivers/gpu/drm/radeon/r600.c	2023-02-13 15:46:07.291062125 -0500
+@@ -3299,7 +3299,6 @@
+ 		r = r600_init_microcode(rdev);
+ 		if (r) {
+ 			DRM_ERROR("Failed to load firmware!\n");
+-			return r;
+ 		}
+ 	}
+ 
+diff -ru a/drivers/gpu/drm/radeon/rv770.c b/drivers/gpu/drm/radeon/rv770.c
+--- a/drivers/gpu/drm/radeon/rv770.c	2021-10-31 16:53:10.000000000 -0400
++++ b/drivers/gpu/drm/radeon/rv770.c	2023-02-13 15:26:54.385808292 -0500
+@@ -1966,7 +1966,6 @@
+ 		r = r600_init_microcode(rdev);
+ 		if (r) {
+ 			DRM_ERROR("Failed to load firmware!\n");
+-			return r;
+ 		}
+ 	}
+ 
+diff -ru a/drivers/gpu/drm/radeon/rv770_dpm.c b/drivers/gpu/drm/radeon/rv770_dpm.c
+--- a/drivers/gpu/drm/radeon/rv770_dpm.c	2021-10-31 16:53:10.000000000 -0400
++++ b/drivers/gpu/drm/radeon/rv770_dpm.c	2023-02-13 15:50:13.591057564 -0500
+@@ -1948,12 +1948,10 @@
+ 	ret = rv770_upload_firmware(rdev);
+ 	if (ret) {
+ 		DRM_ERROR("rv770_upload_firmware failed\n");
+-		return ret;
+ 	}
+ 	ret = rv770_init_smc_table(rdev, boot_ps);
+ 	if (ret) {
+ 		DRM_ERROR("rv770_init_smc_table failed\n");
+-		return ret;
+ 	}
+ 
+ 	rv770_program_response_times(rdev);
+diff -ru a/drivers/gpu/drm/radeon/si.c b/drivers/gpu/drm/radeon/si.c
+--- a/drivers/gpu/drm/radeon/si.c	2023-02-13 15:21:35.178999717 -0500
++++ b/drivers/gpu/drm/radeon/si.c	2023-02-13 15:47:00.042204445 -0500
+@@ -6619,7 +6619,6 @@
+ 		r = si_mc_load_microcode(rdev);
+ 		if (r) {
+ 			DRM_ERROR("Failed to load MC firmware!\n");
+-			return r;
+ 		}
+ 	}
+ 
+@@ -6867,7 +6866,6 @@
+ 		r = si_init_microcode(rdev);
+ 		if (r) {
+ 			DRM_ERROR("Failed to load firmware!\n");
+-			return r;
+ 		}
+ 	}
+ 
+@@ -6926,7 +6924,6 @@
+ 	 */
+ 	if (!rdev->mc_fw) {
+ 		DRM_ERROR("radeon: MC ucode required for NI+.\n");
+-		return -EINVAL;
+ 	}
+ 
+ 	return 0;
+diff -ru a/drivers/gpu/drm/radeon/si_dpm.c b/drivers/gpu/drm/radeon/si_dpm.c
+--- a/drivers/gpu/drm/radeon/si_dpm.c	2021-10-31 16:53:10.000000000 -0400
++++ b/drivers/gpu/drm/radeon/si_dpm.c	2023-02-13 15:53:00.844338238 -0500
+@@ -6366,7 +6366,6 @@
+ 	ret = si_upload_firmware(rdev);
+ 	if (ret) {
+ 		DRM_ERROR("si_upload_firmware failed\n");
+-		return ret;
+ 	}
+ 	ret = si_process_firmware_header(rdev);
+ 	if (ret) {

helpers/DATA/linux-hwe-6.8/005-removal_of_external_recommendation_for_firmware.patch

@@ -0,0 +1,29 @@
+Removal of references to external repositories we can't manage what kind of firmware is pointed to.
+The only firmware we can confirm to work with is the one contained on the packge source code.
+
+diff --git a/drivers/net/wireless/atmel/at76c50x-usb.c b/drivers/net/wireless/atmel/at76c50x-usb.c
+index 447b51cf..898b83af 100644
+--- a/drivers/net/wireless/atmel/at76c50x-usb.c
++++ b/drivers/net/wireless/atmel/at76c50x-usb.c
+@@ -1619,8 +1619,6 @@ static struct fwentry *at76_load_firmware(struct usb_device *udev,
+ 	if (ret < 0) {
+ 		dev_err(&udev->dev, "firmware %s not found!\n",
+ 			fwe->fwname);
+-		dev_err(&udev->dev,
+-			"you may need to download the firmware from http://developer.berlios.de/projects/at76c503a/\n");
+ 		goto exit;
+ 	}
+ 
+diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
+index f3b50528..1860f2b7 100644
+--- a/sound/soc/sof/topology.c
++++ b/sound/soc/sof/topology.c
+@@ -2445,8 +2445,6 @@ int snd_sof_load_topology(struct snd_soc_component *scomp, const char *file)
+ 	if (ret < 0) {
+ 		dev_err(scomp->dev, "error: tplg request firmware %s failed err: %d\n",
+ 			file, ret);
+-		dev_err(scomp->dev,
+-			"you may need to download the firmware from https://github.com/thesofproject/sof-bin/\n");
+ 		return ret;
+ 	}
+ 

helpers/DATA/linux-hwe-6.8/check.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+files=`find -type f`
+while read -r line
+do
+    ./deblob-check $line
+done <<< "$files"

helpers/DATA/linux-hwe-6.8/udeb/000-d-i.patch

@@ -0,0 +1,61 @@
+diff --git a/debian/rules b/debian/rules
+index 43eae8d5..c81721bc 100755
+--- a/debian/rules
++++ b/debian/rules
+@@ -136,11 +136,18 @@ clean: debian/control debian/canonical-certs.pem debian/canonical-revoked-certs.
+ 	dh_testroot
+ 	dh_clean
+ 
++	# d-i stuff
++	rm -rf $(DEBIAN)/d-i-$(arch)
++	# Generated on the fly.
++	rm -f $(DEBIAN)/d-i/firmware/$(arch)/kernel-image
++
+ 	# normal build junk
+ 	rm -rf $(DEBIAN)/abi
+ 	rm -rf $(builddir) $(stampdir)
+ 	rm -rf debian/linux-*/
+ 
++	# This gets rid of the d-i packages in control
++	cp -f $(DEBIAN)/control.stub $(DROOT)/control
+ 	cp $(DEBIAN)/changelog debian/changelog
+ 
+ 	# Install the copyright information.
+@@ -213,7 +221,14 @@ $(DEBIAN)/control.stub: 				\
+ 
+ .PHONY: debian/control
+ debian/control: $(DEBIAN)/control.stub
++	echo "# placebo control.stub for kernel-wedge flow change" >debian/control.stub
+ 	cp $(DEBIAN)/control.stub debian/control
++	# append udeb packages
++	export KW_DEFCONFIG_DIR=$(DEBIAN)/d-i && \
++	export KW_CONFIG_DIR=$(DEBIAN)/d-i && \
++	LANG=C kernel-wedge gen-control $(release)-$(abinum) | \
++		grep-dctrl -FArchitecture $(arch) \
++		>>$(CURDIR)/debian/control
+ 
+ debian/canonical-certs.pem: $(wildcard $(DROOT)/certs/*-all.pem) $(wildcard $(DROOT)/certs/*-$(arch).pem) $(wildcard $(DEBIAN)/certs/*-all.pem) $(wildcard $(DEBIAN)/certs/*-$(arch).pem)
+ 	for cert in $(sort $(notdir $^));					\
+diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
+index fe66f8a0..e934f797 100644
+--- a/debian/rules.d/2-binary-arch.mk
++++ b/debian/rules.d/2-binary-arch.mk
+@@ -145,10 +145,14 @@ endif
+ 	install -m600 $(builddir)/build-$*/System.map \
+ 		$(pkgdir)/boot/System.map-$(abi_release)-$*
+ 
+-ifeq ($(do_dtbs),true)
+-	$(kmake) O=$(builddir)/build-$* $(conc_level) dtbs_install \
+-		INSTALL_DTBS_PATH=$(pkgdir)/lib/firmware/$(abi_release)-$*/device-tree
+-endif
++	if [ "$(filter true,$(do_dtbs))" ]; then \
++		$(kmake) O=$(builddir)/build-$* $(conc_level) dtbs_install \
++			INSTALL_DTBS_PATH=$(pkgdir)/lib/firmware/$(abi_release)-$*/device-tree; \
++		( cd $(pkgdir)/lib/firmware/$(abi_release)-$*/ && find device-tree -print ) | \
++		while read dtb_file; do \
++			echo "$$dtb_file ?" >> $(DEBIAN)/d-i/firmware/$(arch)/kernel-image; \
++		done; \
++	fi
+ 
+ ifeq ($(no_dumpfile),)
+ 	makedumpfile -g $(pkgdir)/boot/vmcoreinfo-$(abi_release)-$* \

helpers/DATA/linux-hwe-6.8/udeb/001-disable_zstd_module_compression.patch

@@ -0,0 +1,20 @@
+Debian doesn't use zstd compression for kernel modules by default, and
+kernel-wedge does not currently support this compression. It is recommended
+to continue using XZ compression to maintain compatibility with udeb
+packages in Trisquel, at least while this changes.
+
+diff --git a/debian/rules.d/0-common-vars.mk b/debian/rules.d/0-common-vars.mk
+index d832106b..4afdd290 100644
+--- a/debian/rules.d/0-common-vars.mk
++++ b/debian/rules.d/0-common-vars.mk
+@@ -154,6 +154,10 @@ do_zstd_ko=true
+ ifeq ($(series),jammy)
+ do_zstd_ko=
+ endif
++# Trisquel use udebs, so it disable zstd by default.
++ifeq (yes,$(shell dpkg-vendor --is Trisquel && echo yes))
++do_zstd_ko=
++endif
+ 
+ # Support parallel=<n> in DEB_BUILD_OPTIONS (see #209008)
+ #

helpers/DATA/linux-hwe-6.8/udeb/5-udebs.mk

@@ -6,7 +6,7 @@ ifeq ($(disable_d_i),)
 		do-binary-udebs
 endif
 
-do-binary-udebs: linux_udeb_name=$(shell if echo $(src_pkg_name)|egrep -q '(linux-lts|linux-hwe)'; then echo $(src_pkg_name); else echo linux; fi)
+do-binary-udebs: linux_udeb_name=$(shell if echo $(src_pkg_name)|egrep -q '(linux-lts|linux-hwe|linux-[0-9]+\.[0-9]+)'; then echo $(src_pkg_name); else echo linux; fi)
 do-binary-udebs: debian/control
 	@echo Debug: $@
 	dh_testdir