<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
	<channel>
		<atom:link href="https://dev1galaxy.org/extern.php?action=feed&amp;fid=25&amp;type=rss" rel="self" type="application/rss+xml" />
		<title><![CDATA[Dev1 Galaxy Forum / Freedom Hacks]]></title>
		<link>https://dev1galaxy.org/index.php</link>
		<description><![CDATA[The most recent topics at Dev1 Galaxy Forum.]]></description>
		<lastBuildDate>Tue, 23 Jun 2026 19:28:41 +0000</lastBuildDate>
		<generator>FluxBB</generator>
		<item>
			<title><![CDATA[The Absurdist Comedy]]></title>
			<link>https://dev1galaxy.org/viewtopic.php?id=7605&amp;action=new</link>
			<description><![CDATA[<p><span class="bbc">about:support</span></p><div class="codebox"><pre><code>Name 	Firefox Developer Edition
Version 	154.0a1 	
Update Channel 	aurora
User Agent 	Mozilla/5.0 (X11; Linux x86_64; rv:154.0) Gecko/20100101 Firefox/154.0
Profile Directory 	~/.firefox-dev/qxls80vg.dev-edition-default-1</code></pre></div><p>If User Agent is not set correctly with:</p><div class="codebox"><pre><code>imply_option(&quot;MOZ_APP_UA_NAME&quot;, &quot;Firefox&quot;)</code></pre></div><p>You can set it with override in <span class="bbc">about:config</span></p><div class="codebox"><pre><code>general.useragent.override      Mozilla/5.0 (X11; Linux x86_64; rv:154.0) Gecko/20100101 Firefox/154.0	</code></pre></div><div class="codebox"><pre><code>imply_option(&quot;MOZ_APP_PROFILE&quot;, &quot;firefox-dev&quot;)</code></pre></div><p><span class="bbc">MOZ_APP_PROFILE=firefox-dev</span> means User Profile Directory&#160; &#160; &#160;</p><div class="codebox"><pre><code>$HOME/.firefox-dev</code></pre></div><p>for user settings.</p><p><span class="bbc">firefox/browser/moz.configure</span> is a secret configuration file.</p>]]></description>
			<author><![CDATA[dummy@example.com (igorzwx)]]></author>
			<pubDate>Tue, 23 Jun 2026 19:28:41 +0000</pubDate>
			<guid>https://dev1galaxy.org/viewtopic.php?id=7605&amp;action=new</guid>
		</item>
		<item>
			<title><![CDATA[The exclusive mode of ALSA]]></title>
			<link>https://dev1galaxy.org/viewtopic.php?id=8053&amp;action=new</link>
			<description><![CDATA[<h5>The exclusive mode of ALSA</h5><p>With <span class="bbc">plughw:0,0</span> or default, the audio path is:</p><div class="codebox"><pre><code>Application → ALSA Library → Plugin Layer → Kernel PCM Core → Hardware Driver → Hardware </code></pre></div><p>The ALSA path with <span class="bbc">hw:0,0</span> is:</p><div class="codebox"><pre><code>Application → ALSA Library → Kernel PCM Core → Hardware Driver → Hardware </code></pre></div><p>When using <span class="bbc">hw:0,0</span>, the ALSA library bypasses the plugin layer (software format/rate/channel conversion) but still goes through the kernel PCM core for buffer management, period handling, and synchronization before reaching the hardware driver. </p><p>Usually, &quot;exclusive mode&quot; refers to exclusive device access control by one application (this is what the word exclusive is supposed to mean). Such exclusive device access prevents multiple applications from simultaneously using the same hardware resource. In the Linux kernel&#039;s technical documentation, &quot;exclusive&quot; has a specific meaning: preventing multiple applications from simultaneously using the same hardware resource. </p><p>ALSA permits &quot;exclusive full duplex&quot;: </p><div class="codebox"><pre><code>$ arecord -f cd -D hw:0,0 | aplay -V mono -D hw:0,0  
Recording WAVE &#039;stdin&#039; : Signed 16 bit Little Endian, Rate 44100 Hz, Stereo
Playing WAVE &#039;stdin&#039; : Signed 16 bit Little Endian, Rate 44100 Hz, Stereo
#####################   +                          | 46%

$ arecord -f cd -D hw:1,0 | aplay -V mono -D hw:1,0 
Recording WAVE &#039;stdin&#039; : Signed 16 bit Little Endian, Rate 44100 Hz, Stereo
Playing WAVE &#039;stdin&#039; : Signed 16 bit Little Endian, Rate 44100 Hz, Stereo
##################################################+| MAX

$ arecord -f cd -D hw:PCH,0 | aplay -V mono -D hw:PCH,0 
Recording WAVE &#039;stdin&#039; : Signed 16 bit Little Endian, Rate 44100 Hz, Stereo
Playing WAVE &#039;stdin&#039; : Signed 16 bit Little Endian, Rate 44100 Hz, Stereo
####################                             + | 97% </code></pre></div><p><span class="bbc">arecord</span> opens <span class="bbc">hw:0,0</span> for capture<br /><span class="bbc">aplay</span> opens <span class="bbc">hw:0,0</span> for playback<br />Both processes have the same device open simultaneously in &quot;exclusive mode&quot;.</p><p>The active meter indicates that the full duplex works and audio data is actively flowing through the pipeline in real-time.</p><p>Thus, two applications, <span class="bbc">arecord</span> and <span class="bbc">aplay</span>, have exclusive access to the same device simultaneously. It works with Intel HDA codecs, USB soundcards, etc.</p><p>OSS4 with software mixer <span class="bbc">vmix</span> disabled does not support &quot;exclusive full duplex&quot; for Intel HDA codecs</p><div class="codebox"><pre><code>$ ./fulldup

Using audio engine 0=HD Audio play front for duplex

/dev/dsp doesn&#039;t support one device based full duplex scheme
Please use the two device scheme.

$ file /dev/dsp
/dev/dsp: symbolic link to /dev/oss/oss_hdaudio0/pcm0 </code></pre></div><p>ALSA is more advanced in this sense. In advanced Monty Python reality, the word exclusive has a flexible meaning. It may mean anything you want.</p>]]></description>
			<author><![CDATA[dummy@example.com (igorzwx)]]></author>
			<pubDate>Sun, 21 Jun 2026 01:45:27 +0000</pubDate>
			<guid>https://dev1galaxy.org/viewtopic.php?id=8053&amp;action=new</guid>
		</item>
		<item>
			<title><![CDATA[Do ALSA users really need fftrate?]]></title>
			<link>https://dev1galaxy.org/viewtopic.php?id=8049&amp;action=new</link>
			<description><![CDATA[<p>Bypassing the hardware resampler in Intel HDA codecs with a software real-time fftrate codec to resample everything to 192kHz 32-bit is a solid architectural strategy. It works at the userspace level on top of ALSA and avoids potential quality issues in codec hardware SRC implementations.</p><p><strong>HDA Codec Resampling in the Kernel</strong></p><p>The Linux kernel&#039;s HDA subsystem does have hardware sample rate converter (SRC) capabilities managed by codec drivers. For example, the Creative CA0132 driver documentation shows that HDA codecs have dedicated SRC ports (0x80–0xbf) for sample rate conversion within the codec&#039;s internal routing.</p><p><strong>Kernel-Level Format Handling</strong></p><p>The kernel handles PCM format conversion through the <span class="bbc">snd_hdac_stream_format()</span> function, which converts channel count, sample format, and sample rate into the HDA format value used by the hardware.</p><p><strong>Hardware-Specific Workarounds</strong></p><p>Some codecs have hardware-specific sample rate limitations that require kernel-level workarounds. For instance, the ALC269 driver has a fixup for the Lenovo Ideapad that forces analog I/O to 44.1kHz due to a hardware problem.</p><p><strong>The fftrate project</strong></p><p>The software resampling approach of the fftrate project bypasses these kernel-level hardware resamplers entirely by:<br />1.&#160; Accepting audio at any rate from the application.<br />2.&#160; Resampling to 192kHz 32-bit in userspace.<br />3.&#160; Sending the already-resampled audio to ALSA at a fixed rate.</p><p>This avoids potential quality issues or bugs in the codec&#039;s hardware SRC implementation. The kernel ALSA driver simply sees a constant 192kHz 32-bit stream and passes it through without additional resampling.</p><p><strong>Dialectical conclusion</strong></p><p>There is a belief that fftrate may cure deafness, though it hasn&#039;t been verified by scientific methods. 
Give it a chance. It may (or may not) work.</p><div class="quotebox"><blockquote><div><p><strong>NOTE:</strong> The claim that fftrate can &quot;cure deafness&quot; is a metaphorical exaggeration common in audiophile circles, not a medical fact. There is no scientific evidence that software resampling can restore hearing loss or cure physiological deafness.</p></div></blockquote></div>]]></description>
			<author><![CDATA[dummy@example.com (igorzwx)]]></author>
			<pubDate>Thu, 18 Jun 2026 18:58:54 +0000</pubDate>
			<guid>https://dev1galaxy.org/viewtopic.php?id=8049&amp;action=new</guid>
		</item>
		<item>
			<title><![CDATA[Firefox: Dialectics of Antagonistic Security Bugs]]></title>
			<link>https://dev1galaxy.org/viewtopic.php?id=8012&amp;action=new</link>
			<description><![CDATA[<h5>Firefox: Dialectics of Antagonistic Security Bugs</h5><p>Firefox with unlocked preferences is an attractive target for attacks. Unprotected security preferences can be exploited as backdoors. To lock down these backdoors, you must fix antagonistic bugs with dialectical patches.</p><p>Don&#039;t panic! Debian&#039;s Firefox ESR leverages a system-wide preference lockdown that allows administrators to enforce security policies. Ordinary users, of course, may dwell in ignorance and fear. Devuan Wiki might be difficult to consume for TikTok users.</p><div class="quotebox"><blockquote><div><p><strong>NOTE:</strong> This guide is a work in progress. Please do not post in this topic. Since the community has complained about &quot;spoon-feeding&quot;, this guide is intended for experienced Linux users. If you have any questions, please consult the Devuan Wiki, or other knowledge repositories of the sort. If you have problems with dialectical patches, study Hegel or Monty Python.</p></div></blockquote></div><div class="quotebox"><blockquote><div><p><strong>Firefox Developer Edition</strong> <br />The browser made for developers<br />All the latest developer tools in beta in addition to features like the Multi-line Console Editor and WebSocket Inspector.<br />A separate profile and path so you can easily run it alongside Release or Beta Firefox.<br />Preferences tailored for web developers: Browser and remote debugging are enabled by default, as are the dark theme and developer toolbar button.<br />_https://www.firefox.com/en-US/channel/desktop/developer</p></div></blockquote></div><p>It means:</p><div class="codebox"><pre><code>about:config 
devtools.chrome.enabled = true 
devtools.theme = dark 
browser.toolbars.bookmarks.visibility = always </code></pre></div><p>Why not close backdoors with a key?</p><div class="codebox"><pre><code>// Disable remote debugging
pref(&quot;devtools.debugger.remote-enabled&quot;, false, locked);
// Restrict connections to localhost only (default: true)
pref(&quot;devtools.debugger.force-local&quot;, true, locked);
// Disable browser chrome debugging (debugging Firefox itself). 
pref(&quot;devtools.chrome.enabled&quot;, false, locked);
// Block access to all developer tools functionality
pref(&quot;devtools.policy.disabled&quot;, true, locked); </code></pre></div><div class="quotebox"><blockquote><div><p><strong>Security Implications of Unlocked Preferences:</strong><br />1. Malicious extensions could modify security-critical preferences (like cookie behavior, remote debugging, or TLS settings)<br />2. Compromised user accounts could weaken protections through about:config<br />4. Malware could disable security features to facilitate further attacks<br />5. Social engineering could trick users into changing critical settings</p></div></blockquote></div><h5>Official Documentation: Building Firefox On Linux</h5><p>_https://firefox-source-docs.mozilla.org/setup/linux_build.html<br />_https://firefox-source-docs.mozilla.org/build/buildsystem/mozconfigs.html</p><p>PATCHES:</p><div class="codebox"><pre><code>$ cat PATCHES/0001-Set-MOZ_APP_UA_NAME-to-Firefox-for-clean-UA-strings.patch
From 8bd5afd0265356ddc323cffd8397208b5750227a Mon Sep 17 00:00:00 2001
From: Devuan &lt;devuan@devuan.cargo-cult.org&gt;
Date: Fri, 15 May 2026 23:40:28 +0200
Subject: [PATCH 1/3] Set MOZ_APP_UA_NAME to Firefox for clean UA strings

---
 browser/moz.configure | 1 +
 1 file changed, 1 insertion(+)

diff --git a/browser/moz.configure b/browser/moz.configure
index 3ea3d88b9360..0a95edc31354 100644
--- a/browser/moz.configure
+++ b/browser/moz.configure
@@ -16,6 +16,7 @@ imply_option(&quot;MOZ_APP_ID&quot;, &quot;{ec8030f7-c20a-464f-9b0e-13a3a9e97384}&quot;)
 # Include the DevTools client, not just the server (which is the default)
 imply_option(&quot;MOZ_DEVTOOLS&quot;, &quot;all&quot;)
 imply_option(&quot;BROWSER_CHROME_URL&quot;, &quot;chrome://browser/content/browser.xhtml&quot;)
+imply_option(&quot;MOZ_APP_UA_NAME&quot;, &quot;Firefox&quot;)

 with only_when(target_has_linux_kernel &amp; compile_environment):
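Review bot: the added imply_option line for MOZ_APP_UA_NAME carries no comment and the commit message has no body, so nothing records what User Agent string the build produced before or why it has to be overridden. The MOZ_DEVTOOLS line two lines up has a one-line comment; give this line the same, and put the before and after UA strings in the commit message.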
-- 
2.39.5</code></pre></div><div class="codebox"><pre><code>$ cat PATCHES/0002-Set-MOZ_APP_PROFILE-to-Firefox-for-clean-APP_PROFILE.patch
From 252efd229f1d9dac21e053d05a5ef9ced1ca14f3 Mon Sep 17 00:00:00 2001
From: Devuan &lt;devuan@devuan.cargo-cult.org&gt;
Date: Sat, 16 May 2026 18:02:08 +0200
Subject: [PATCH 2/3] Set MOZ_APP_PROFILE to Firefox for clean APP_PROFILE
 strings

---
 browser/moz.configure | 1 +
 1 file changed, 1 insertion(+)

diff --git a/browser/moz.configure b/browser/moz.configure
index 0a95edc31354..a4a4945ddbdd 100644
--- a/browser/moz.configure
+++ b/browser/moz.configure
@@ -17,6 +17,7 @@ imply_option(&quot;MOZ_APP_ID&quot;, &quot;{ec8030f7-c20a-464f-9b0e-13a3a9e97384}&quot;)
 imply_option(&quot;MOZ_DEVTOOLS&quot;, &quot;all&quot;)
 imply_option(&quot;BROWSER_CHROME_URL&quot;, &quot;chrome://browser/content/browser.xhtml&quot;)
 imply_option(&quot;MOZ_APP_UA_NAME&quot;, &quot;Firefox&quot;)
+imply_option(&quot;MOZ_APP_PROFILE&quot;, &quot;firefox-dev&quot;)

 with only_when(target_has_linux_kernel &amp; compile_environment):
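Review bot: the subject says MOZ_APP_PROFILE is set to Firefox, but the added line sets it to firefox-dev; reword the subject to name the value that is actually set. The commit message has no body, so also add a short comment on the new line saying what the value is used for.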
-- 
2.39.5</code></pre></div><div class="codebox"><pre class="vscroll"><code>$ cat PATCHES/0003-Fix-system-preferences-for-custom-firefox-dev-builds.patch
From 9f4226e27c3b85506873bea8e30645fb066709ae Mon Sep 17 00:00:00 2001
From: Devuan &lt;devuan@devuan.cargo-cult.org&gt;
Date: Thu, 28 May 2026 23:41:26 +0200
Subject: [PATCH 3/3] Fix system preferences for custom firefox-dev builds
 (security-critical)

This fixes two upstream bugs that prevent the system preferences security
feature from working, which is designed to lock down potential backdoors
by allowing administrators to enforce system-wide preference settings.

Bug 1: Configure option contradiction in toolkit/moz.configure
- Original code defines --disable-system-preferences but requires
  --enable-system-preferences in the when condition, creating a
  semantic contradiction that prevents the feature from being enabled
- Fixed with inline lambda pattern: when=depends(&quot;--disable-system-preferences&quot;)(lambda x: not x)

Bug 2: Dynamic app name resolution in xpcom/io/SpecialSystemDirectory.cpp
- Runtime code dynamically constructs /etc/{appname}/defaults/pref/ path
- This breaks system-wide configuration for custom builds with non-standard
  app names like firefox-dev
- Fixed by hardcoding &quot;firefox-dev&quot; to match the existing directory structure

REQUIREMENT: Users must add this line to their .mozconfig:
  ac_add_options --disable-system-preferences

This is a dialectical workaround: the --disable option actually enables
the feature due to the inverted lambda logic. Without this in .mozconfig,
the configure system will not set MOZ_SYSTEM_PREFERENCES.

Security Impact: System preferences load LAST, overriding application defaults.
This allows administrators to lock down preferences that could be exploited
as backdoors (telemetry, proxy settings, extensions, etc.). The upstream bugs
prevent this security mechanism from functioning.
---
 toolkit/moz.configure               |  4 ++--
 xpcom/io/SpecialSystemDirectory.cpp | 31 ++++++++++++++++-------------
 2 files changed, 19 insertions(+), 16 deletions(-)

diff --git a/toolkit/moz.configure b/toolkit/moz.configure
index 2412f33b4ef5..cd230f461282 100644
--- a/toolkit/moz.configure
+++ b/toolkit/moz.configure
@@ -4232,8 +4232,8 @@ option(
     help=&quot;Disable reading preferences from /etc/firefox&quot;,
 )
 
-set_config(&quot;MOZ_SYSTEM_PREFERENCES&quot;, True, when=&quot;--enable-system-preferences&quot;)
-set_define(&quot;MOZ_SYSTEM_PREFERENCES&quot;, True, when=&quot;--enable-system-preferences&quot;)
+set_config(&quot;MOZ_SYSTEM_PREFERENCES&quot;, True, when=depends(&quot;--disable-system-preferences&quot;)(lambda x: not x))
+set_define(&quot;MOZ_SYSTEM_PREFERENCES&quot;, True, when=depends(&quot;--disable-system-preferences&quot;)(lambda x: not x))
 
 # Allow disabling the creation a legacy profile
 # ==============================================================
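Review bot: in both replaced lines the condition depends on --disable-system-preferences through (lambda x: not x), so MOZ_SYSTEM_PREFERENCES is set only when the disable flag is passed, while the help string in the context above still reads Disable reading preferences from /etc/firefox. Anyone who follows the help text and passes the flag to turn the feature off gets it turned on, as the commit message itself admits. Make the option declaration and the condition agree (an enable-style option tested directly) instead of inverting the test, or at minimum rewrite the help string and add a comment here explaining the inversion.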
diff --git a/xpcom/io/SpecialSystemDirectory.cpp b/xpcom/io/SpecialSystemDirectory.cpp
index 5e80ca881c27..3d1cdf7b3fc1 100644
--- a/xpcom/io/SpecialSystemDirectory.cpp
+++ b/xpcom/io/SpecialSystemDirectory.cpp
@@ -155,20 +155,22 @@ static nsresult GetUnixHomeDir(nsIFile** aFile) {
 #  endif
 }
 
-static nsresult GetUnixSystemConfigDir(nsIFile** aFile) {
-#  if defined(ANDROID)
-  return NS_ERROR_FAILURE;
-#  else
-  nsAutoCString appName;
-  if (nsCOMPtr&lt;nsIXULAppInfo&gt; appInfo =
-          do_GetService(&quot;@mozilla.org/xre/app-info;1&quot;)) {
-    MOZ_TRY(appInfo-&gt;GetName(appName));
-  } else {
-    appName.AssignLiteral(MOZ_APP_BASENAME);
-  }
-
-  ToLowerCase(appName);
-
+static nsresult GetUnixSystemConfigDir(nsIFile** aFile) {  
+#  if defined(ANDROID)  
+  return NS_ERROR_FAILURE;  
+#  else  
+  // DIALECTICAL FIX: Hardcode firefox-dev for custom build  
+  nsAutoCString appName(&quot;firefox-dev&quot;);  
+    
+  // Original dynamic code (commented out):  
+  // if (nsCOMPtr&lt;nsIXULAppInfo&gt; appInfo =  
+  //         do_GetService(&quot;@mozilla.org/xre/app-info;1&quot;)) {  
+  //   MOZ_TRY(appInfo-&gt;GetName(appName));  
+  // } else {  
+  //   appName.AssignLiteral(MOZ_APP_BASENAME);  
+  // }  
+  // ToLowerCase(appName);  
+  
   nsDependentCString sysConfigDir;
   if (PR_GetEnv(&quot;XPCSHELL_TEST_PROFILE_DIR&quot;)) {
     const char* mozSystemConfigDir = PR_GetEnv(&quot;MOZ_SYSTEM_CONFIG_DIR&quot;);
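Review bot: the added nsAutoCString appName literal hardcodes firefox-dev into shared XPCOM code, so every build made from this tree reads the firefox-dev system configuration directory whatever app name it was configured with; take the name from a build-time value rather than a string literal. The original lookup is left behind as commented-out code, and the first four lines of the function are removed and re-added with only trailing whitespace changed; drop both so the hunk shows just the functional change.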
@@ -181,6 +183,7 @@ static nsresult GetUnixSystemConfigDir(nsIFile** aFile) {
     sysConfigDir.Assign(nsLiteralCString(&quot;/app/etc&quot;));
   }
 #    endif
+
   if (sysConfigDir.IsEmpty()) {
     sysConfigDir.Assign(nsLiteralCString(&quot;/etc&quot;));
   }
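Review bot: the blank line added after the #endif is a whitespace-only change unrelated to the fix; drop it so the patch described as security-critical contains only the lines that need auditing.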
-- 
2.39.5</code></pre></div><div class="codebox"><pre class="vscroll"><code>$ cat PATCHES/0004-ALSA-backend-for-Firefox-Fix-device-enumeration-and-.patch
From 3af4931724f64c30ad3a4cf9175016ca9844ca84 Mon Sep 17 00:00:00 2001
From: Devuan  &lt;devuan@devuan.cargo-cult.org&gt;
Date: Sat, 13 Jun 2026 19:58:40 +0200
Subject: [PATCH 4/4] ALSA backend for Firefox: Fix device enumeration and max 
 channel count

- Replace placeholder device enumeration with proper ALSA device
  discovery using snd_card_next() and snd_ctl_pcm_next_device() to
  report actual audio devices with their real capabilities instead of
  a single fictional default device.

- Cap max channel count at 64 to sanitize unrealistic values returned
  by snd_pcm_hw_params_get_channels_max() which can report placeholder
  values like 10000 from some drivers.

These fixes ensure Firefox and web applications receive accurate device
information instead of incorrect placeholder values.
---
 media/libcubeb/src/cubeb_alsa.c | 160 +++++++++++++++++++++++---------
 1 file changed, 114 insertions(+), 46 deletions(-)

diff --git a/media/libcubeb/src/cubeb_alsa.c b/media/libcubeb/src/cubeb_alsa.c
index be9faa490cbd..b76ec4f74b61 100644
--- a/media/libcubeb/src/cubeb_alsa.c
+++ b/media/libcubeb/src/cubeb_alsa.c
@@ -1223,6 +1223,11 @@ alsa_get_max_channel_count(cubeb * ctx, uint32_t * max_channels)
     return CUBEB_ERROR;
   }
 
+  /* Cap at reasonable maximum to filter driver placeholder values */  
+  if (*max_channels &gt; 64) {  
+    *max_channels = 64;  
+  }  
+
   alsa_stream_destroy(stm);
 
   return CUBEB_OK;
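Review bot: the clamp added in alsa_get_max_channel_count uses a bare 64 and rewrites the driver's value silently; define a named constant for the limit and log when the reported count is cut down, so an unexpected channel count can be traced back to this cap. The four added lines also end in trailing spaces.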
@@ -1412,61 +1417,124 @@ static int
 alsa_enumerate_devices(cubeb * context, cubeb_device_type type,
                        cubeb_device_collection * collection)
 {
-  cubeb_device_info * device = NULL;
+  cubeb_device_info * device;
+  snd_pcm_info_t * pcminfo;
+  snd_ctl_t * ctl;
+  snd_ctl_card_info_t * cardinfo;
+  int card = -1;
+  char card_name[32];
+  int err;
+  int dev;
+  snd_pcm_stream_t stream;
+
+  snd_pcm_info_alloca(&amp;pcminfo);
+  snd_ctl_card_info_alloca(&amp;cardinfo);
+
+  collection-&gt;count = 0;
+  collection-&gt;device = NULL;
+
+  if (snd_card_next(&amp;card) &lt; 0 || card &lt; 0)
+    return CUBEB_OK;
 
-  if (!context)
-    return CUBEB_ERROR;
+  while (card &gt;= 0) {
+    sprintf(card_name, &quot;hw:%d&quot;, card);
+    err = snd_ctl_open(&amp;ctl, card_name, 0);
+    if (err &lt; 0) {
+      snd_card_next(&amp;card);
+      continue;
+    }
 
-  uint32_t rate, max_channels;
-  int r;
+    err = snd_ctl_card_info(ctl, cardinfo);
+    if (err &lt; 0) {
+      snd_ctl_close(ctl);
+      snd_card_next(&amp;card);
+      continue;
+    }
 
-  r = alsa_get_preferred_sample_rate(context, &amp;rate);
-  if (r != CUBEB_OK) {
-    return CUBEB_ERROR;
-  }
+    dev = -1;
+    while (1) {
+      if (snd_ctl_pcm_next_device(ctl, &amp;dev) &lt; 0)
+        break;
+      if (dev &lt; 0)
+        break;
+
+      for (stream = 0; stream &lt; 2; stream++) {
+        if ((type &amp; CUBEB_DEVICE_TYPE_OUTPUT) &amp;&amp; stream == SND_PCM_STREAM_CAPTURE)
+          continue;
+        if ((type &amp; CUBEB_DEVICE_TYPE_INPUT) &amp;&amp; stream == SND_PCM_STREAM_PLAYBACK)
+          continue;
+
+        snd_pcm_info_set_device(pcminfo, dev);
+        snd_pcm_info_set_subdevice(pcminfo, 0);
+        snd_pcm_info_set_stream(pcminfo, stream);
+        err = snd_ctl_pcm_info(ctl, pcminfo);
+        if (err &lt; 0)
+          continue;
+
+        device = (cubeb_device_info *)calloc(1, sizeof(cubeb_device_info));
+        if (!device) {
+          snd_ctl_close(ctl);
+          return CUBEB_ERROR;
+        }
 
-  r = alsa_get_max_channel_count(context, &amp;max_channels);
-  if (r != CUBEB_OK) {
-    return CUBEB_ERROR;
+        device-&gt;device_id = strdup(snd_pcm_info_get_name(pcminfo));
+        device-&gt;friendly_name = strdup(snd_pcm_info_get_name(pcminfo));
+        device-&gt;group_id = strdup(snd_ctl_card_info_get_id(cardinfo));
+        device-&gt;vendor_name = strdup(snd_ctl_card_info_get_name(cardinfo));
+
+        device-&gt;type = (stream == SND_PCM_STREAM_PLAYBACK) ? 
+                       CUBEB_DEVICE_TYPE_OUTPUT : CUBEB_DEVICE_TYPE_INPUT;
+        device-&gt;devid = (void *)(intptr_t)(card &lt;&lt; 16 | dev);
+        device-&gt;state = CUBEB_DEVICE_STATE_ENABLED;
+        device-&gt;preferred = (dev == 0);
+        
+        device-&gt;max_channels = 8;  
+        
+        device-&gt;min_rate = 8000;   /* Conservative minimum */ 
+        device-&gt;max_rate = 192000; /* Conservative maximum */
+        device-&gt;default_format = (cubeb_device_fmt)CUBEB_SAMPLE_FLOAT32NE;
+        device-&gt;latency_lo = 0;
+        device-&gt;latency_hi = 0;
+
+        collection-&gt;count++;
+        collection-&gt;device = (cubeb_device_info *)realloc(collection-&gt;device,
+                                                         collection-&gt;count * sizeof(cubeb_device_info));
+        if (!collection-&gt;device) {
+          free((void *)device-&gt;device_id);  
+          free((void *)device-&gt;friendly_name);  
+          free((void *)device-&gt;group_id);  
+          free((void *)device-&gt;vendor_name);
+          free(device);
+          snd_ctl_close(ctl);
+          return CUBEB_ERROR;
+        }
+        collection-&gt;device[collection-&gt;count - 1] = *device;
+        free(device);
+      }
+    }
+    snd_ctl_close(ctl);
+    snd_card_next(&amp;card);
   }
 
-  char const * a_name = &quot;default&quot;;
-  device = (cubeb_device_info *)calloc(1, sizeof(cubeb_device_info));
-  assert(device);
-  if (!device)
-    return CUBEB_ERROR;
-
-  device-&gt;device_id = a_name;
-  device-&gt;devid = (cubeb_devid)device-&gt;device_id;
-  device-&gt;friendly_name = a_name;
-  device-&gt;group_id = a_name;
-  device-&gt;vendor_name = a_name;
-  device-&gt;type = type;
-  device-&gt;state = CUBEB_DEVICE_STATE_ENABLED;
-  device-&gt;preferred = CUBEB_DEVICE_PREF_ALL;
-  device-&gt;format = CUBEB_DEVICE_FMT_S16NE;
-  device-&gt;default_format = CUBEB_DEVICE_FMT_S16NE;
-  device-&gt;max_channels = max_channels;
-  device-&gt;min_rate = rate;
-  device-&gt;max_rate = rate;
-  device-&gt;default_rate = rate;
-  device-&gt;latency_lo = 0;
-  device-&gt;latency_hi = 0;
-
-  collection-&gt;device = device;
-  collection-&gt;count = 1;
-
   return CUBEB_OK;
 }
 
-static int
-alsa_device_collection_destroy(cubeb * context,
-                               cubeb_device_collection * collection)
-{
-  assert(collection-&gt;count == 1);
-  (void)context;
-  free(collection-&gt;device);
-  return CUBEB_OK;
+static int  
+alsa_device_collection_destroy(cubeb * context,  
+                               cubeb_device_collection * collection)  
+{  
+  size_t i;  
+  
+  (void)context;  
+  
+  for (i = 0; i &lt; collection-&gt;count; ++i) {  
+    free((void *)collection-&gt;device[i].device_id);  
+    free((void *)collection-&gt;device[i].friendly_name);  
+    free((void *)collection-&gt;device[i].group_id);  
+    free((void *)collection-&gt;device[i].vendor_name);  
+  }  
+  free(collection-&gt;device);  
+  return CUBEB_OK;  
 }
 
 static struct cubeb_ops const alsa_ops = {
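Review bot: the error paths in the new alsa_enumerate_devices lose memory: collection-&gt;count++ runs before realloc and the result is assigned straight to collection-&gt;device, so a failed realloc discards the old array together with every strdup'd string already stored in it, and the calloc failure branch returns CUBEB_ERROR without freeing what was collected so far. Assign realloc to a temporary, increment count only on success, and release the partial collection on every error return. The strdup results are never checked for NULL. The stream filter skips capture when the OUTPUT bit is set and playback when the INPUT bit is set, so a request with both bits set enumerates nothing; test for the absence of the wanted bit instead. The removed if (!context) check has no replacement, and sprintf into card_name[32] should be snprintf. max_channels = 8, min_rate = 8000 and max_rate = 192000 are fixed constants, which does not match the commit message's claim of reporting real capabilities, and format and default_rate, which the removed code set, are now left at zero by calloc. device_id is filled from snd_pcm_info_get_name(), a display name, while devid encodes card and device number; derive both from the same card and device identity.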
-- 
2.39.5</code></pre></div><div class="codebox"><pre><code># Project tree:
#   BUILD/
#   ├── build_dir_ALSA-dev/     # created with ./mach build 
#   ├── debdir_ALSA-dev/        # created with ./mach install
#   ├── DEB_templates/          # 
#   │   └── make_deb.sh         # Bash script for Firefox packaging
#   ├── firefox/                # Firefox source code
#   └── PATCHES
#       ├── 0001-Set-MOZ_APP_UA_NAME-to-Firefox-for-clean-UA-strings.patch
#       ├── 0002-Set-MOZ_APP_PROFILE-to-Firefox-for-clean-APP_PROFILE.patch
#       ├── 0003-Fix-system-preferences-for-custom-firefox-dev-builds.patch 
#       └── 0004-ALSA-backend-for-Firefox-Fix-device-enumeration-and-.patch</code></pre></div><p>Create <span class="bbc">firefox/.mozconfig</span> with a text editor</p><div class="codebox"><pre><code>nano firefox/.mozconfig </code></pre></div><div class="codebox"><pre><code>$ cat firefox/.mozconfig
# The default mozconfig is located here: sourcedir/browser/config/mozconfig
. $topsrcdir/browser/config/mozconfig  
mk_add_options MOZ_MAKE_FLAGS=&quot;-j$(expr $(nproc) + 2)&quot; 
mk_add_options MOZ_OBJDIR=&quot;$(dirname $topsrcdir)&quot;/build_dir_ALSA-dev  
mk_add_options MOZ_APP_DISPLAYNAME=&quot;Firefox Developer Edition&quot;  
mk_add_options MOZ_SIMPLE_PACKAGE_NAME=firefox-dev  
ac_add_options --with-app-basename=&quot;Firefox Developer Edition&quot; 
ac_add_options --with-app-name=firefox-dev  
ac_add_options --prefix=/usr  
ac_add_options --without-sysroot  
ac_add_options --enable-audio-backends=alsa
mk_add_options MOZ_DEV_EDITION=1
mk_add_options MOZ_APP_REMOTINGNAME=firefox-dev
ac_add_options --with-branding=browser/branding/aurora   #  Firefox Developer Edition
ac_add_options --enable-update-channel=aurora
ac_add_options --disable-crashreporter   # Optional
ac_add_options --disable-system-preferences  # dialectical workaround to enable system preferences
export LDFLAGS=&quot;-Wl,--no-keep-memory&quot; </code></pre></div><p>Update the source code:</p><div class="codebox"><pre><code>cd firefox &amp;&amp; git pull </code></pre></div><p>Apply patches:</p><div class="codebox"><pre><code>$ ls -1 ../PATCHES
0001-Set-MOZ_APP_UA_NAME-to-Firefox-for-clean-UA-strings.patch
0002-Set-MOZ_APP_PROFILE-to-Firefox-for-clean-APP_PROFILE.patch
0003-Fix-system-preferences-for-custom-firefox-dev-builds.patch
0004-ALSA-backend-for-Firefox-Fix-device-enumeration-and-.patch</code></pre></div><div class="codebox"><pre><code>patch -Np1 -i ../PATCHES/0001*
patch -Np1 -i ../PATCHES/0002*
patch -Np1 -i ../PATCHES/0003* 
patch -Np1 -i ../PATCHES/0004*</code></pre></div><p>Build firefox-dev</p><div class="codebox"><pre><code>./mach clobber
./mach configure</code></pre></div><div class="codebox"><pre><code>$ grep &quot;MOZ_SYSTEM_PREFERENCES&quot; ../build_dir_ALSA-dev/config.status.json
    &quot;MOZ_SYSTEM_PREFERENCES&quot;: &quot;1&quot;,
    &quot;MOZ_SYSTEM_PREFERENCES&quot;: &quot;1&quot;, </code></pre></div><div class="codebox"><pre><code>./mach build -v --priority normal </code></pre></div><div class="codebox"><pre><code>$ grep &quot;MOZ_SYSTEM_PREFERENCES&quot; ../build_dir_ALSA-dev/mozilla-config.h
#define MOZ_SYSTEM_PREFERENCES 1 </code></pre></div><p>Install to debdir </p><div class="codebox"><pre><code>DESTDIR=&quot;$(dirname $(pwd))&quot;/debdir_ALSA-dev ./mach install </code></pre></div><div class="codebox"><pre><code>$ tree -L 3 ../debdir_ALSA-dev
../debdir_ALSA-dev
└── usr
    ├── bin
    │   └── firefox-dev -&gt; /usr/lib/firefox-dev/firefox-dev
    └── lib
        └── firefox-dev </code></pre></div><div class="codebox"><pre><code>$ ../debdir_ALSA-dev/usr/lib/firefox-dev/firefox-dev
Mozilla Firefox Developer Edition 153.0a1 </code></pre></div><p>Packaging</p><div class="codebox"><pre><code>sudo apt install fakeroot</code></pre></div><div class="codebox"><pre><code>mkdir &quot;$(dirname $(pwd))&quot;/DEB_templates &amp;&amp; cd &quot;$(dirname $(pwd))&quot;/DEB_templates </code></pre></div><p>Create a script for Firefox packaging with a text editor</p><div class="codebox"><pre><code>nano make_deb.sh</code></pre></div><p>and make it executable.</p><div class="codebox"><pre class="vscroll"><code>$ cat make_deb.sh
#!/bin/bash
#
# Firefox Developer Edition Debian Package Builder
# ================================================
#
# This script creates a Debian package for Firefox Developer Edition 
# with security-hardened configuration. 
#
# NOTE: Alternatively, one may try the official Mozilla ./mach repackage deb tool, 
#       though it might be an exercise in masochism.
#
# Usage: ./make_deb.sh
# Location: Run from DEB_templates directory
#
# Project structure:
#   BUILD/
#   ├── build_dir_ALSA-dev/     # Compiled Firefox binaries created with ./mach build 
#   ├── debdir_ALSA-dev/        # Package staging directory created with ./mach install
#   ├── DEB_templates/          # This directory
#   │   └── make_deb.sh         # This script
#   └── firefox/                # Firefox source tree
#
# Output: firefox-dev-ed_&lt;version&gt;_&lt;arch&gt;.deb
#
# ==============================================================================

# Bash Strict Mode
set -euo pipefail

# -----------------------------------------------------------------------------
# Configuration
# -----------------------------------------------------------------------------
DEB_ROOT=&quot;$(dirname &quot;$(pwd)&quot;)&quot;/debdir_ALSA-dev
SHARE_DIR=&quot;$DEB_ROOT/usr/share&quot;
ETC_DIR=&quot;$DEB_ROOT/etc&quot;
LIB_DIR=&quot;$DEB_ROOT/usr/lib&quot;
PACKAGE_NAME=&quot;firefox-dev&quot;
DEB_PACKAGE_NAME=&quot;firefox-dev-ed&quot;
VERSION=&quot;153.0a1-1&quot;
ARCH=&quot;amd64&quot;

echo &quot;Creating Debian package for $PACKAGE_NAME $VERSION...&quot;

# -----------------------------------------------------------------------------
# 1. Create directory structure (FHS compliant)
# -----------------------------------------------------------------------------
install -dm755 &quot;$SHARE_DIR/$PACKAGE_NAME&quot;/{browser/{chrome/icons/default,defaults/preferences},distribution/searchplugins/common}
install -dm755 &quot;$SHARE_DIR/applications&quot;
install -dm755 &quot;$SHARE_DIR/icons/hicolor&quot;/{16x16,32x32,48x48,64x64,128x128,symbolic}/apps
install -dm755 &quot;$SHARE_DIR/doc/$PACKAGE_NAME&quot;
install -dm755 &quot;$SHARE_DIR/lintian/overrides&quot;
install -dm755 &quot;$SHARE_DIR/man/man1&quot;
install -dm755 &quot;$SHARE_DIR/mozilla/extensions&quot;
install -dm755 &quot;$ETC_DIR/$PACKAGE_NAME&quot;/defaults/pref
install -dm755 &quot;$DEB_ROOT/DEBIAN&quot;

# -----------------------------------------------------------------------------
# 2. Create system-wide configuration files
# -----------------------------------------------------------------------------
# These files contain security-hardened Firefox preferences.
# They are placed in /etc/firefox-dev/ and symlinked to the defaults/pref directory.
# This allows system administrators to easily modify defaults.

# Primary configuration file with security preferences
install -m644 &lt;(cat &lt;&lt; &#039;EOF&#039;
// Debian system-wide preferences for Firefox Developer Edition
// ============================================================
//
// This file contains security-hardened default settings for Firefox.
// System administrators can modify these values to change defaults.
//
// Syntax:
//   pref(&quot;preference.name&quot;, value);           // Default (user can override)
//   pref(&quot;preference.name&quot;, value, locked);   // Locked (user cannot override)
//
//   String values must be enclosed in double quotes.
//
// Security Configuration:
// ------------------------

// Extension updates
pref(&quot;extensions.update.enabled&quot;, true);

// Browser behavior
pref(&quot;browser.shell.checkDefaultBrowser&quot;, false);

// Media settings (disable GMP OpenH264 for privacy)
pref(&quot;media.gmp-gmpopenh264.enabled&quot;, false);

// Enhanced privacy: disable enhanced new tab page
pref(&quot;browser.newtabpage.enhanced&quot;, false, locked);

// Telemetry and data reporting (DISABLED for privacy)
pref(&quot;datareporting.healthreport.uploadEnabled&quot;, false, locked);

// URL bar: disable search suggestions for privacy
pref(&quot;browser.urlbar.suggest.searches&quot;, false, locked);

// Telemetry (DISABLED for privacy)
pref(&quot;toolkit.telemetry.enabled&quot;, false, locked);

// Media configuration for better sound quality
pref(&quot;media.webm.enabled&quot;, false, locked);
pref(&quot;media.resampling.enabled&quot;, false, locked);
pref(&quot;media.cubeb_latency_playback_ms&quot;, 160, locked);

// Region and localization (force US/English to prevent fingerprinting)
pref(&quot;browser.region.network.url&quot;, &quot;&quot;, locked);
pref(&quot;browser.region.update.enabled&quot;, false, locked);
pref(&quot;browser.region.network.scan&quot;, false, locked);
pref(&quot;privacy.spoof_english&quot;, 2, locked);
pref(&quot;intl.accept_languages&quot;, &quot;en-US, en, en-GB&quot;, locked);
pref(&quot;browser.search.region&quot;, &quot;US&quot;, locked);
pref(&quot;browser.search.geoip.url&quot;, &quot;&quot;, locked);
pref(&quot;distribution.searchplugins.defaultLocale&quot;, &quot;en-US&quot;, locked);
EOF
) &quot;$ETC_DIR/$PACKAGE_NAME/defaults/pref/firefox-dev.cfg1.js&quot;

# -----------------------------------------------------------------------------
# 4. Create desktop entry (freedesktop.org compliant)
# -----------------------------------------------------------------------------
install -m644 &lt;(cat &lt;&lt; &#039;EOF&#039;
[Desktop Entry]
Name=Firefox Developer Edition
Comment=Web Browser
Exec=/usr/lib/firefox-dev/firefox-dev %u
Icon=firefox-dev
Terminal=false
Type=Application
Categories=Network;WebBrowser;
MimeType=text/html;text/xml;application/xhtml+xml;application/vnd.mozilla.xul+xml;text/mml;x-scheme-handler/http;x-scheme-handler/https;x-scheme-handler/ftp;
StartupNotify=true
EOF
) &quot;$SHARE_DIR/applications/$PACKAGE_NAME.desktop&quot;

# -----------------------------------------------------------------------------
# 5. Create copyright file (Debian Policy compliant)
# -----------------------------------------------------------------------------
install -m644 &lt;(cat &lt;&lt; &#039;EOF&#039;
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: Firefox Developer Edition
Source: https://github.com/mozilla/firefox

License: MPL-2.0
 This Source Code Form is subject to the terms of the Mozilla Public
 License, v. 2.0. If a copy of the MPL was not distributed with this
 file, You can obtain one at http://mozilla.org/MPL/2.0/.
EOF
) &quot;$SHARE_DIR/doc/$PACKAGE_NAME/copyright&quot;

# -----------------------------------------------------------------------------
# 6. Create lintian override (suppress expected warnings)
# -----------------------------------------------------------------------------
install -m644 &lt;(echo &quot;$PACKAGE_NAME: binary-without-manpage&quot;) \
    &quot;$SHARE_DIR/lintian/overrides/$PACKAGE_NAME&quot;

# -----------------------------------------------------------------------------
# 7. Create man page
# -----------------------------------------------------------------------------
install -m644 &lt;(cat &lt;&lt; &#039;EOF&#039;
.TH FIREFOX-DEV 1 &quot;User Commands&quot;
.SH NAME
firefox-dev \- Mozilla Firefox Developer Edition
.SH DESCRIPTION
Firefox Developer Edition with custom ALSA support.
This build uses ALSA directly for audio output instead of PulseAudio.
.SH FILES
.I /etc/firefox-dev/defaults/pref/firefox-dev.cfg*.js
System-wide preference files.
.SH SEE ALSO
Firefox documentation: https://developer.mozilla.org/
EOF
) &quot;$SHARE_DIR/man/man1/$PACKAGE_NAME.1&quot;
gzip -9f &quot;$SHARE_DIR/man/man1/$PACKAGE_NAME.1&quot;

# -----------------------------------------------------------------------------
# 8. Copy icons from Firefox build directory
# -----------------------------------------------------------------------------
ICON_SOURCE_DIR=&quot;$LIB_DIR/$PACKAGE_NAME/browser/chrome/icons/default&quot;
if [ -d &quot;$ICON_SOURCE_DIR&quot; ]; then
    for size in 16 32 48 64 128; do
        if [ -f &quot;$ICON_SOURCE_DIR/default${size}.png&quot; ]; then
            install -m644 &quot;$ICON_SOURCE_DIR/default${size}.png&quot; \
                &quot;$SHARE_DIR/icons/hicolor/${size}x${size}/apps/$PACKAGE_NAME.png&quot;
        fi
    done
fi

# -----------------------------------------------------------------------------
# 9. Calculate dependencies and Installed-Size
# -----------------------------------------------------------------------------
# This section uses dpkg-shlibdeps to automatically calculate library dependencies.
# A temporary debian directory is created for dependency calculation.

# Create control file template for dpkg-shlibdeps
mkdir -p debian
cat &gt; debian/control &lt;&lt; EOF
Source: ${DEB_PACKAGE_NAME}
Package: ${DEB_PACKAGE_NAME}
Depends: \${shlibs:Depends}
EOF

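# Calculate dependencies using dpkg-shlibdeps.
# The find output is left unquoted on purpose so that each file becomes its own argument.
# The trailing || true keeps set -e from aborting here, so the fallback below stays reachable.
dpkg-shlibdeps -x&quot;$PACKAGE_NAME&quot; -l&quot;$DEB_ROOT&quot;/usr/lib \
    --ignore-missing-info -e $(find &quot;$DEB_ROOT&quot; -type f 2&gt;/dev/null) 2&gt;/dev/null || true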

# Extract dependencies or use fallback
if [ -f debian/substvars ] &amp;&amp; grep -q &quot;shlibs:Depends&quot; debian/substvars; then
    DEPS=$(grep &quot;shlibs:Depends&quot; debian/substvars | sed &#039;s/shlibs:Depends=//&#039;)
else
    DEPS=&quot;libc6&quot;
fi

# Add changelog (required by dpkg-gencontrol)
cat &gt; debian/changelog &lt;&lt; EOF
${DEB_PACKAGE_NAME} (${VERSION}) unstable; urgency=medium
  * Custom build with security enhancements and ALSA support
 -- Devuan Packaging &lt;devuan@devuan.org&gt;  $(date -R)
EOF

# Add misc dependencies (required by dpkg-gencontrol)
echo &quot;misc:Depends=&quot; &gt;&gt; debian/substvars
echo &quot;misc:Pre-Depends=&quot; &gt;&gt; debian/substvars

# Create control file template for dpkg-gencontrol
cat &gt; debian/control &lt;&lt; EOF
Source: ${DEB_PACKAGE_NAME}

Package: ${DEB_PACKAGE_NAME}
Architecture: ${ARCH}
EOF

# Run dpkg-gencontrol to calculate Installed-Size
dpkg-gencontrol -p${DEB_PACKAGE_NAME} \
    -ldebian/changelog \
    -Tdebian/substvars \
    -P&quot;$DEB_ROOT&quot; \
    2&gt;/dev/null

# Extract Installed-Size
SIZE=$(sed -n &#039;s/Installed-Size: //p&#039; &quot;$DEB_ROOT/DEBIAN/control&quot;)

# Clean up temporary directory
rm -rf debian

# -----------------------------------------------------------------------------
# 10. Create DEBIAN/control file with all fields in correct Debian order
# -----------------------------------------------------------------------------

cat &gt; &quot;$DEB_ROOT/DEBIAN/control&quot; &lt;&lt; EOF
Package: ${DEB_PACKAGE_NAME}
Version: ${VERSION}
Priority: optional
Section: web
Architecture: ${ARCH}
Maintainer: Devuan Packaging &lt;devuan@devuan.org&gt;
Installed-Size: ${SIZE}
Provides: gnome-www-browser, www-browser
Depends: ${DEPS}
Conflicts: firefox-dev
Recommends: libavcodec61 | libavcodec-extra61 | libavcodec60 | libavcodec-extra60 | libavcodec59 | libavcodec-extra59 | libavcodec58 | libavcodec-extra58 | libavcodec57 | libavcodec-extra57 | libavcodec56 | libavcodec-extra56 | libavcodec55 | libavcodec-extra55 | libavcodec54 | libavcodec-extra54 | libavcodec53 | libavcodec-extra53
Suggests: fonts-stix | otf-stix, fonts-lmodern, libgssapi-krb5-2 | libkrb53, libcanberra0
Description: Firefox Developer Edition (ALSA build)
 Firefox Developer Edition is a high-performance browser for web developers,
 featuring Multi-line Console Editor and WebSocket Inspector. It runs
 side-by-side with Release, Beta, or Nightly builds using a separate Profile
 Directory and installation path.
 .
 This custom build includes:
  * Security-hardened default preferences
  * ALSA audio support (no PulseAudio dependency)
  * Pre-configured developer defaults: remote debugging enabled, dark theme,
    and developer toolbar
EOF

# -----------------------------------------------------------------------------
# 11. Generate md5sums for all installed files
# -----------------------------------------------------------------------------
cd &quot;$DEB_ROOT&quot;
install -m644 &lt;(find . -type f -not -path &#039;./DEBIAN/*&#039; -printf &#039;%P\0&#039; | \
    xargs -0 md5sum | sort -k 2) DEBIAN/md5sums

# Display package structure
echo &quot;Package structure:&quot;
tree -L 3 .

# Return to script directory
cd &quot;$(dirname &quot;$(pwd)&quot;)&quot;/DEB_templates

# -----------------------------------------------------------------------------
# 12. Build the package using dpkg-deb
# -----------------------------------------------------------------------------
echo &quot;Building Debian package...&quot;
fakeroot -- dpkg-deb -b &quot;$DEB_ROOT&quot; &quot;${DEB_PACKAGE_NAME}_${VERSION}_${ARCH}.deb&quot;

echo &quot;Package built successfully: ${DEB_PACKAGE_NAME}_${VERSION}_${ARCH}.deb&quot;</code></pre></div><p>Run <span class="bbc">make_deb.sh</span> to build the Debian package</p><div class="codebox"><pre><code>$ ./make_deb.sh
Creating Debian package for firefox-dev 153.0a1-1...
Package structure:
.
├── DEBIAN
│   ├── control
│   └── md5sums
├── etc
│   └── firefox-dev
│       └── defaults
└── usr
    ├── bin
    │   └── firefox-dev -&gt; /usr/lib/firefox-dev/firefox-dev
    ├── lib
    │   └── firefox-dev
    └── share
        ├── applications
        ├── doc
        ├── firefox-dev
        ├── icons
        ├── lintian
        ├── man
        └── mozilla

17 directories, 3 files
Building Debian package...
dpkg-deb: building package &#039;firefox-dev-ed&#039; in &#039;firefox-dev-ed_153.0a1-1_amd64.deb&#039;.
Package built successfully: firefox-dev-ed_153.0a1-1_amd64.deb </code></pre></div><div class="codebox"><pre><code>$ ls -1 *deb
firefox-dev-ed_153.0a1-1_amd64.deb</code></pre></div><p>Install</p><div class="codebox"><pre><code>sudo dpkg -i firefox-dev-ed_153.0a1-1_amd64.deb </code></pre></div><div class="codebox"><pre><code>$ firefox-dev --version
Mozilla Firefox Developer Edition 153.0a1 </code></pre></div><p><strong>Hacking dependencies</strong></p><p>The <span class="bbc">DEBIAN/control</span> file is not included in <span class="bbc">DEBIAN/md5sums</span>.<br />You can edit it freely without regenerating checksums.<br />To rebuild the package, run:</p><div class="codebox"><pre><code>fakeroot -- dpkg-deb -b ../debdir_ALSA-dev firefox-dev-ed_153.0a1-1_amd64.deb</code></pre></div><p>Repackaging</p><div class="codebox"><pre><code>fakeroot -u -- dpkg-repack firefox-dev-ed
fakeroot -u dpkg-repack --generate &lt;package-name&gt; </code></pre></div><p>Example of Firefox hardened configuration:</p><div class="codebox"><pre class="vscroll"><code>$ cat /etc/firefox-dev/defaults/pref/firefox-dev.cfg5.js
// ============================================================================
// Firefox Security-Hardened Configuration
// ============================================================================
// This file locks all security-critical preferences to prevent 
// modification by users, extensions, or malicious code. 
// Place in /etc/firefox-dev/defaults/pref/
// ============================================================================

// -----------------------------------------------------------------------------
// Sandbox
// -----------------------------------------------------------------------------
// Linux Content Process Sandbox
// Level 6 = default-deny for ioctl (most restrictive)
pref(&quot;security.sandbox.content.level&quot;, 6, locked);
// Whitelist paths (empty string = no whitelist)
pref(&quot;security.sandbox.content.write_path_whitelist&quot;, &quot;&quot;, locked);
pref(&quot;security.sandbox.content.read_path_whitelist&quot;, &quot;&quot;, locked);
pref(&quot;security.sandbox.content.syscall_whitelist&quot;, &quot;&quot;, locked);

// Socket Process Sandbox
// Level 2 = default-deny for ioctl
pref(&quot;security.sandbox.socket.process.level&quot;, 2, locked);

// Sandbox Logging (disable for security)
pref(&quot;security.sandbox.logging.enabled&quot;, false, locked);

// -----------------------------------------------------------------------------
// Remote Debugging and Developer Tools
// -----------------------------------------------------------------------------
// Disable remote debugging
pref(&quot;devtools.debugger.remote-enabled&quot;, false, locked);
// Port number for the debugging server (default: 6000)
pref(&quot;devtools.debugger.remote-port&quot;, 6000, locked);
// Restrict connections to localhost only (default: true)
pref(&quot;devtools.debugger.force-local&quot;, true, locked);
// Disable browser chrome debugging (debugging Firefox itself). Debian&#039;s default: false
pref(&quot;devtools.chrome.enabled&quot;, false, locked);
// Block access to all developer tools functionality
pref(&quot;devtools.policy.disabled&quot;, true, locked);

// -----------------------------------------------------------------------------
// Cookie and Privacy Settings
// -----------------------------------------------------------------------------
// Strongest cookie privacy setting (reject trackers, partition third-party cookies)
pref(&quot;network.cookie.cookieBehavior&quot;, 5, locked);
pref(&quot;network.cookie.cookieBehavior.pbmode&quot;, 5, locked);
// Block-by-default with opt-in partitioning (more restrictive than dFPI)
pref(&quot;network.cookie.cookieBehavior.optInPartitioning&quot;, true, locked);
pref(&quot;network.cookie.cookieBehavior.optInPartitioning.pbmode&quot;, true, locked);
// Block third-party cookies from tracking protection list
pref(&quot;network.cookie.cookieBehavior.trackerCookieBlocking&quot;, true, locked);
// Prevent sync from propagating weaker settings
pref(&quot;services.sync.prefs.sync.network.cookie.cookieBehavior&quot;, false, locked);

// Global Privacy Control
pref(&quot;privacy.globalprivacycontrol.enabled&quot;, true, locked);
pref(&quot;privacy.globalprivacycontrol.functionality.enabled&quot;, true, locked);
pref(&quot;privacy.globalprivacycontrol.pbmode.enabled&quot;, true, locked);

// Disable First Party Isolation (incompatible with behavior 5)
pref(&quot;privacy.firstparty.isolate&quot;, false, locked);
pref(&quot;privacy.firstparty.isolate.block_post_message&quot;, false, locked);
pref(&quot;privacy.firstparty.isolate.restrict_opener_access&quot;, true, locked);
pref(&quot;privacy.firstparty.isolate.use_site&quot;, false, locked);

// -----------------------------------------------------------------------------
// TLS/SSL Configuration
// -----------------------------------------------------------------------------
// Minimum TLS version (1=tls1, 2=tls1.1, 3=tls1.2, 4=tls1.3)
pref(&quot;security.tls.version.min&quot;, 3, locked);
// Maximum TLS version
pref(&quot;security.tls.version.max&quot;, 4, locked);
// Disable deprecated TLS versions
pref(&quot;security.tls.version.enable-deprecated&quot;, false, locked);

// TLS Security Features
pref(&quot;security.ssl.require_safe_negotiation&quot;, true, locked);
pref(&quot;security.tls.hello_downgrade_check&quot;, true, locked);
pref(&quot;security.ssl.enable_ocsp_stapling&quot;, true, locked);
pref(&quot;security.OCSP.require&quot;, true, locked);
pref(&quot;security.OCSP.enabled&quot;, 1, locked);

// TLS 1.3 Features
pref(&quot;security.tls.enable_0rtt_data&quot;, false, locked);
pref(&quot;security.tls.enable_post_handshake_auth&quot;, true, locked);
pref(&quot;security.tls.enable_delegated_credentials&quot;, true, locked);

// Encrypted Client Hello (ECH)
pref(&quot;network.dns.echconfig.enabled&quot;, true, locked);
pref(&quot;network.dns.http3_echconfig.enabled&quot;, true, locked);

// Disable weak cipher suites
pref(&quot;security.ssl3.rsa_aes_128_sha&quot;, false, locked);
pref(&quot;security.ssl3.rsa_aes_256_sha&quot;, false, locked);
pref(&quot;security.ssl3.rsa_aes_128_gcm_sha256&quot;, false, locked);
pref(&quot;security.ssl3.rsa_aes_256_gcm_sha384&quot;, false, locked);
pref(&quot;security.ssl3.deprecated.rsa_des_ede3_sha&quot;, false, locked);

// -----------------------------------------------------------------------------
// Content Security
// -----------------------------------------------------------------------------
pref(&quot;security.block_fileuri_script_with_wrong_mime&quot;, true, locked);
pref(&quot;security.mixed_content.block_active_content&quot;, true, locked);
pref(&quot;security.mixed_content.block_display_content&quot;, true, locked);
pref(&quot;security.mixed_content.upgrade_display_content&quot;, true, locked);
pref(&quot;security.insecure_connection_text.enabled&quot;, true, locked);
pref(&quot;security.insecure_connection_text.pbmode.enabled&quot;, true, locked);
pref(&quot;security.warn_submit_secure_to_insecure&quot;, true, locked);

// HTTPS-Only Mode
//pref(&quot;dom.security.https_only_mode&quot;, true, locked);
//pref(&quot;dom.security.https_only_mode_pbm&quot;, true, locked);
//pref(&quot;dom.security.https_first&quot;, true, locked);
//pref(&quot;dom.security.https_first_pbm&quot;, true, locked);

// HTTPS-First (less aggressive than HTTPS-Only)
pref(&quot;dom.security.https_first&quot;, true, locked);
pref(&quot;dom.security.https_first_pbm&quot;, true, locked);

// -----------------------------------------------------------------------------
// Certificate and PKI Settings
// -----------------------------------------------------------------------------
pref(&quot;security.default_personal_cert&quot;, &quot;Ask Every Time&quot;, locked);
pref(&quot;security.pki.certificate_transparency.mode&quot;, 1, locked);
pref(&quot;security.ssl.errorReporting.enabled&quot;, true, locked);
pref(&quot;security.enterprise_roots.enabled&quot;, true, locked);

// -----------------------------------------------------------------------------
// Safe Browsing
// -----------------------------------------------------------------------------
pref(&quot;browser.safebrowsing.malware.enabled&quot;, true, locked);
pref(&quot;browser.safebrowsing.phishing.enabled&quot;, true, locked);
pref(&quot;browser.safebrowsing.downloads.enabled&quot;, true, locked);
pref(&quot;browser.safebrowsing.downloads.remote.block_potentially_unwanted&quot;, true, locked);
pref(&quot;browser.safebrowsing.downloads.remote.block_uncommon&quot;, true, locked);

// -----------------------------------------------------------------------------
// WebAuthn
// -----------------------------------------------------------------------------
pref(&quot;security.webauthn.always_allow_direct_attestation&quot;, false, locked);

// -----------------------------------------------------------------------------
// CSP Reporting
// -----------------------------------------------------------------------------
pref(&quot;security.csp.reporting.enabled&quot;, true, locked);

// -----------------------------------------------------------------------------
// Extension Security
// -----------------------------------------------------------------------------
//pref(&quot;xpinstall.whitelist.required&quot;, true, locked);
//pref(&quot;xpinstall.enabled&quot;, false, locked);
//pref(&quot;extensions.update.enabled&quot;, false, locked);

// -----------------------------------------------------------------------------
// Telemetry and Data Collection
// -----------------------------------------------------------------------------
pref(&quot;datareporting.healthreport.uploadEnabled&quot;, false, locked);
pref(&quot;toolkit.telemetry.enabled&quot;, false, locked);
pref(&quot;browser.newtabpage.activity-stream.feeds.telemetry&quot;, false, locked);
pref(&quot;browser.newtabpage.activity-stream.telemetry&quot;, false, locked);

// -----------------------------------------------------------------------------
// Network Security
// -----------------------------------------------------------------------------
pref(&quot;network.http.sendRefererHeader&quot;, 2, locked);
pref(&quot;privacy.resistFingerprinting&quot;, true, locked);
pref(&quot;privacy.trackingprotection.enabled&quot;, true, locked);
pref(&quot;privacy.trackingprotection.pbmode.enabled&quot;, true, locked);

// -----------------------------------------------------------------------------
// DNS over HTTPS
// -----------------------------------------------------------------------------
// pref(&quot;network.trr.mode&quot;, 3, locked);

// DoH with fallback (mode 2 instead of 3)
pref(&quot;network.trr.mode&quot;, 2, locked);

// -----------------------------------------------------------------------------
// Local Network Access
// -----------------------------------------------------------------------------
pref(&quot;network.lna.blocking&quot;, true, locked);

// -----------------------------------------------------------------------------
// Post-Quantum Cryptography
// -----------------------------------------------------------------------------
pref(&quot;security.tls.post_quantum_key_agreement.enabled&quot;, true, locked);</code></pre></div>]]></description>
			<author><![CDATA[dummy@example.com (igorzwx)]]></author>
			<pubDate>Sat, 30 May 2026 18:19:11 +0000</pubDate>
			<guid>https://dev1galaxy.org/viewtopic.php?id=8012&amp;action=new</guid>
		</item>
		<item>
			<title><![CDATA[Chasing the Fox (Caccia alla volpe)]]></title>
			<link>https://dev1galaxy.org/viewtopic.php?id=7620&amp;action=new</link>
			<description><![CDATA[<div class="quotebox"><cite>greenjeans wrote:</cite><blockquote><div><p>That would be a real service to the community</p></div></blockquote></div><p>A real service to the community might be to avoid annoying others with your comments and advice. Please do not post in my topics.</p><div class="quotebox"><blockquote><div><p>_https://en.wikipedia.org/wiki/Sndio<br /><strong>sndio</strong> is the software layer of the OpenBSD operating system that manages sound cards and MIDI ports. It provides an optional <strong>sound server</strong> and a documented application programming interface to access either the server or the audio and MIDI hardware in a uniform way.</p></div></blockquote></div><div class="quotebox"><blockquote><div><p>_https://man.openbsd.org/sndiod.8<br /><strong>BUGS</strong><br /><strong><span style="color: green">Resampling is low quality</span></strong>; down-sampling especially should be avoided when recording.</p><p>If -a off is used, sndiod creates sub-devices to expose first and then opens the audio hardware on demand. Technically, this allows sndiod to attempt to use one of the sub-devices it exposes as an audio device, creating a deadlock. There&#039;s nothing to prevent the user from shooting themselves in the foot by creating such a deadlock.</p></div></blockquote></div><p><strong>sndio</strong> might be perfectly suitable for semi-deaf and half-demented users.</p><p>If someone really needs <strong>sndio</strong>, he might consider forking it to integrate the fftrate resampler for higher-quality audio processing<br />_https://github.com/PetrovSE/fftrate</p><div class="quotebox"><blockquote><div><p>_https://man.openbsd.org/sndiod.8<br /><strong>BUGS</strong><br /><strong><span style="color: green">Resampling is low quality</span></strong>; down-sampling especially should be avoided when recording.</p></div></blockquote></div><p>Perhaps <strong>sndio</strong> developers engage in post-modern humor. 
Linux users are unlikely to notice a Monty Python situation where a &quot;bug&quot; is documented rather than fixed.</p><p>If you don’t get this kind of humor, think of post-truth, post-philosophy, and post-documentation. It’s a post-real world where absurdity is plainly documented — in man pages, wikis, and official notes — without irony. The joke isn’t hidden; it’s right there, labeled &quot;BUG&quot;. The word &quot;bug&quot; has become a post-word with a post-meaning: not a flaw to fix, but a punchline accepted as fact.</p><p>What is special about post-reality is that it can be consumed innocently — just like myth, it appears factual, not constructed. </p><div class="quotebox"><blockquote><div><p>The myth consumer takes the signification for a system of facts: myth is read as a factual system whereas it is but a semiological system.<br />Roland Barthes, <em>Myth Today.</em></p></div></blockquote></div>]]></description>
			<author><![CDATA[dummy@example.com (igorzwx)]]></author>
			<pubDate>Tue, 05 May 2026 14:17:10 +0000</pubDate>
			<guid>https://dev1galaxy.org/viewtopic.php?id=7620&amp;action=new</guid>
		</item>
		<item>
			<title><![CDATA[system-config-printer-udev: 70-printers.rules]]></title>
			<link>https://dev1galaxy.org/viewtopic.php?id=4819&amp;action=new</link>
			<description><![CDATA[<p>Bug report and patch posted to <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132179" rel="nofollow">https://bugs.debian.org/cgi-bin/bugrepo … ug=1132179</a>.</p>]]></description>
			<author><![CDATA[dummy@example.com (teom)]]></author>
			<pubDate>Sun, 29 Mar 2026 12:16:56 +0000</pubDate>
			<guid>https://dev1galaxy.org/viewtopic.php?id=4819&amp;action=new</guid>
		</item>
		<item>
			<title><![CDATA[How will life be without gvfs?]]></title>
			<link>https://dev1galaxy.org/viewtopic.php?id=7851&amp;action=new</link>
			<description><![CDATA[<p>Hello:</p><div class="quotebox"><cite>tux_99 wrote:</cite><blockquote><div><p>... don&#039;t know what&#039;s the root cause of your issues ...</p></div></blockquote></div><p>Hmm ...<br />I have <em>so</em> many, but the root cause to any of them has eluded me from an early age.</p><p>Most of them can be found in any edition of Jon Winokur&#039;s &#039;The Portable Curmudgeon&#039;.</p><div class="quotebox"><blockquote><div><p>... don&#039;t have any of those files you listed in that dbus folder ...</p></div></blockquote></div><p>That is because I have <span class="bbc">gvfs</span> installed and you do not.</p><p>I had to reinstall it.</p><p>Best,</p><p>A.</p>]]></description>
			<author><![CDATA[dummy@example.com (Altoid)]]></author>
			<pubDate>Tue, 24 Mar 2026 20:09:36 +0000</pubDate>
			<guid>https://dev1galaxy.org/viewtopic.php?id=7851&amp;action=new</guid>
		</item>
		<item>
			<title><![CDATA[Needs for better modularization of installs]]></title>
			<link>https://dev1galaxy.org/viewtopic.php?id=7847&amp;action=new</link>
			<description><![CDATA[<div class="quotebox"><blockquote><div><p>So it does work using extracted squashfs. The errors seem just warnings. It&#039;s there in the overlay. The overlay can be mounted in main system and new initrd copied to where the relevant bootloader can find it.</p><p>But it doesn&#039;t work using fromiso/findiso (my preferred use case) without user intervention as noted. I don&#039;t see that mentioned in live-boot&#039;s manual.</p></div></blockquote></div><p>I really appreciate that you take the time to delve into this stuff.<br />At present, I don&#039;t have the time myself, but it seems that clarifications and eventual workarounds may be helpful also to the upstream developers.</p>]]></description>
			<author><![CDATA[dummy@example.com (tyder)]]></author>
			<pubDate>Tue, 17 Mar 2026 11:54:14 +0000</pubDate>
			<guid>https://dev1galaxy.org/viewtopic.php?id=7847&amp;action=new</guid>
		</item>
		<item>
			<title><![CDATA[what about "turnstile" for user services?]]></title>
			<link>https://dev1galaxy.org/viewtopic.php?id=7798&amp;action=new</link>
			<description><![CDATA[<p>A note for anyone holding their breath:<br /> <span class="bbc">turnstile</span> is now available on ceres<br />(debian package version 0.1.11-2)</p>]]></description>
			<author><![CDATA[dummy@example.com (ralph.ronnquist)]]></author>
			<pubDate>Sat, 07 Mar 2026 05:03:18 +0000</pubDate>
			<guid>https://dev1galaxy.org/viewtopic.php?id=7798&amp;action=new</guid>
		</item>
		<item>
			<title><![CDATA[About installers]]></title>
			<link>https://dev1galaxy.org/viewtopic.php?id=7803&amp;action=new</link>
			<description><![CDATA[<p>I really would like people to put just a little bit of thought into how their software may reflect on them, before publishing it.</p><p>I assume you were obliquely referring to my comment, ralph.ronnquist, so I removed what is probably the part you found most objectionable.</p><p>But I have spent a great deal of my life trying to be polite and diplomatic, and I&#039;m now at the age where I think a lot of the world&#039;s problems are caused by stupid people not being properly told they&#039;re being stupid. To that end, I&#039;ve grown very fond of Linus Torvalds&#039; occasional rants about &quot;brain damage&quot; in software, because that&#039;s what it is, and it needs to be called out. Politeness implies acceptance or at least tolerance, and stupid decisions should be greeted with neither.</p><p>Stupid decisions are stupid.</p>]]></description>
			<author><![CDATA[dummy@example.com (Mercury)]]></author>
			<pubDate>Fri, 20 Feb 2026 23:42:04 +0000</pubDate>
			<guid>https://dev1galaxy.org/viewtopic.php?id=7803&amp;action=new</guid>
		</item>
		<item>
			<title><![CDATA[UDisks2: Security Considerations]]></title>
			<link>https://dev1galaxy.org/viewtopic.php?id=7807&amp;action=new</link>
			<description><![CDATA[<p>Find some other place for chatting please.</p>]]></description>
			<author><![CDATA[dummy@example.com (ralph.ronnquist)]]></author>
			<pubDate>Sun, 15 Feb 2026 21:57:57 +0000</pubDate>
			<guid>https://dev1galaxy.org/viewtopic.php?id=7807&amp;action=new</guid>
		</item>
		<item>
			<title><![CDATA[Turnstile: security considerations and potential issues]]></title>
			<link>https://dev1galaxy.org/viewtopic.php?id=7799&amp;action=new</link>
			<description><![CDATA[<div class="quotebox"><blockquote><div><p>Here are the key security considerations and potential issues:</p><p><strong>Socket Permissions and Access Control</strong></p><ul><li><p>The control socket uses permissive permissions (0666) allowing connections from non-root users <span class="bbc">turnstiled.cc:47</span> , but relies on platform-specific credentials checking to verify the peer&#039;s UID/GID/PID <span class="bbc">utils.cc:25-111</span> . This design requires proper implementation on each supported platform.</p></li></ul><p><strong>Privilege Separation</strong></p><ul><li><p><strong>The daemon runs as root</strong> but service managers are executed with dropped privileges after proper setup <span class="bbc">exec_utils.cc:126-145</span></p></li><li><p>Resource limits are sanitized before PAM session setup to prevent privilege escalation <span class="bbc">exec_utils.cc:106-124</span></p></li></ul><p><strong>Process Management and Timeouts</strong></p><ul><li><p>Implements a 60-second timeout for service manager startup to prevent hanging logins <span class="bbc">turnstiled.cc:55</span> <span class="bbc">turnstiled.conf.5.scd.in:93-97</span></p></li><li><p>Service managers that fail to signal readiness are terminated and runtime directories are cleaned up <span class="bbc">turnstiled.cc:1043-1054</span></p></li></ul><p><strong>Resource Management</strong></p><ul><li><p>Runtime directories are created with proper ownership and permissions</p></li><li><p>Cleanup occurs on logout unless lingering is enabled turnstiled.cc:1071-1075</p></li></ul><p><strong>Known Limitations</strong></p><ul><li><p>When integrating with <span class="bbc">polkit</span>, sessions may be treated as non-local <br />&#160; unless polkit is patched, potentially affecting authentication <span class="bbc">README.md:110-122</span></p></li><li><p>Root session management is disabled by default due to potential security implications <span 
class="bbc">turnstiled.conf.5.scd.in:99-104</span></p></li></ul></div></blockquote></div><div class="quotebox"><blockquote><div><ul><li><p>Running as root increases the <strong>attack surface</strong> if vulnerabilities exist in the daemon or its PAM interaction.</p></li><li><p>Although it uses a <strong>modular backend design</strong> (e.g., shell scripts to launch user services), privilege separation is minimal; the main daemon itself does not drop privileges. </p></li><li><p>There is <strong>no built-in privilege separation framework</strong>, unlike systems such as OpenSSH or systemd, which use sandboxing or process isolation. </p></li></ul><p>In practice, this means <span style="color: red"><strong>trust</strong></span> is placed in the <strong>correctness of the code and its PAM configuration</strong>, with no fine-grained containment.</p></div></blockquote></div><p><span style="color: blue"><strong>Relying on the accuracy of code described by developers as a &quot;work in progress&quot; constitutes an unusual and risky security practice, as it introduces significant vulnerabilities due to incomplete testing, lack of peer review, and potential design flaws.</strong></span><br />_https://github.com/chimera-linux/turnstile</p><div class="quotebox"><blockquote><div><p>The daemon needs to be running in some way. Usually you will spawn it as a system-wide service. <span style="color: red"><strong>It needs to be running as the superuser. </strong></span><br />_https://github.com/chimera-linux/turnstile</p></div></blockquote></div><p>Yes, the <span class="bbc">turnstiled</span> daemon must run as root.
This is explicitly documented and required for its core functionality.</p><p><strong>Why Root is Required</strong></p><p>The daemon performs privileged operations that necessitate root access:</p><ol class="decimal"><li><p><strong>System Directory Management</strong>: Creates directories in <span class="bbc">/run</span> for session tracking <span class="bbc">turnstiled.cc:1276-1298</span></p></li><li><p><strong>Runtime Directory Creation</strong>: Creates and chowns <span class="bbc">XDG_RUNTIME_DIR</span> for users <span class="bbc">fs_utils.cc:55-124</span></p></li><li><p><strong>Socket Operations</strong>: Binds to system paths and sets up the control socket <span class="bbc">turnstiled.cc:890-943</span></p></li><li><p><strong>PAM Session Management</strong>: Establishes PAM sessions for users <span class="bbc">exec_utils.cc:316-322</span></p></li></ol><p><strong>Security Design</strong></p><p>While running as root, the daemon implements:</p><ul><li><p><strong>Credential verification</strong>: Only UID 0 can create sessions <span class="bbc">turnstiled.cc:297-300</span></p></li><li><p><strong>Privilege separation</strong>: Service managers run with dropped privileges <span class="bbc">exec_utils.cc:339-349</span></p></li><li><p><strong>Root checks</strong>: Verifies it&#039;s running as root before privileged operations <span class="bbc">exec_utils.cc:310</span></p></li></ul><p>The README explicitly states: &quot;It needs to be running as the superuser&quot; <span class="bbc">README.md:78-81</span> .</p><p><strong>Notes</strong></p><p>The daemon accepts connections via a permissive socket (0666) but enforces security through platform-specific credential checking, allowing the PAM module to communicate while maintaining access control <span class="bbc">turnstiled.cc:47</span> .</p><p>Any daemon running as root is inherently an attractive target for attackers.
Turnstiled is no exception.</p><p><strong>Security Reality</strong></p><p>Turnstiled runs as root and accepts connections via a 0666 socket <span class="bbc">turnstiled.cc:47</span> , making it a high-value target. A compromise could allow session hijacking or privilege escalation.</p><p><strong>Mitigations in Place</strong></p><p>The daemon implements several security measures:</p><ol class="decimal"><li><p><strong>Credential verification</strong>: Every connection is authenticated using platform-specific methods (SO_PEERCRED on Linux, LOCAL_PEERCRED on BSD, etc.) <span class="bbc">utils.cc:25-111</span></p></li><li><p><strong>Access control</strong>: Only UID 0 can create sessions <span class="bbc">turnstiled.cc:297-300</span></p></li><li><p><strong>Privilege separation</strong>: Service managers run with dropped privileges <span class="bbc">exec_utils.cc:339-349</span></p></li><li><p><strong>Resource limits</strong>: Sanitizes rlimits before PAM session setup <span class="bbc">exec_utils.cc:106-124</span></p></li></ol><p><strong>Attack Surface</strong></p><p>The primary attack vectors would be:</p><ul><li><p>Bugs in credential checking code</p></li><li><p>Protocol parsing vulnerabilities</p></li><li><p>Race conditions in process management</p></li><li><p>Memory corruption in the daemon</p></li></ul><p><strong>Notes</strong></p><p>While the design is deliberate for PAM integration <span class="bbc">turnstiled.cc:40-46</span> , it does increase the attack surface. The security relies heavily on the correctness of the credential verification implementation. 
Regular security audits and keeping the daemon updated would be essential for any deployment.</p><p>The documentation does present a tension between the &quot;work in progress&quot; status and the security requirements.</p><p><strong>What the Documentation States</strong></p><p>The README explicitly labels Turnstile as &quot;a work in progress effort&quot; <span class="bbc">README.md:3-5</span> while simultaneously stating it &quot;needs to be running as the superuser&quot; <span class="bbc">README.md:78-81</span> . There is no explicit security warning about this combination.</p><p><strong>Security Considerations in Code</strong></p><p>The code does implement security measures:</p><ul><li><p>Platform-specific credential verification for all connections</p></li><li><p>Only UID 0 can create sessions <span class="bbc">turnstiled.cc:297-300</span></p></li><li><p>Privilege separation for service managers</p></li></ul><p>However, the design acknowledges accepting connections from non-root processes as a deliberate trade-off <span class="bbc">turnstiled.cc:40-46</span> .</p><p><strong>Missing Documentation</strong></p><p>What&#039;s absent from the documentation:</p><ul><li><p>No explicit warning about running Work-In-Progress (WIP) software as root</p></li><li><p>No security audit status or review process mentioned</p></li><li><p>No clear statement about production readiness</p></li></ul><p><strong>Notes</strong></p><p>This is a valid concern. While the code implements standard security practices for a session tracker, users should be aware that running any &quot;work in progress&quot; daemon as root carries inherent risks. 
The documentation could be more transparent about these risks and the current security posture of the project.</p><ul><li><p>The project seems to place considerable faith in its users&#039; understanding of the inherent risks involved.</p></li><li><p>The users are invited to trust developers who have not fully disclosed the security risks associated with running work-in-progress (WIP) software with root privileges.</p></li></ul><p>Transparency is a key pillar of trust in software development. </p><p>In cybersecurity, <strong>trust must be earned through demonstrable actions, not assumed or invited</strong>. When developers work on software that requires elevated privileges like root access, the stakes are significantly higher. A lack of transparency about known risks, especially in Work-In-Progress (WIP) software, undermines user safety and ethical responsibility.</p><p>Transparency was, of course, something of a guiding principle in Linux and open-source software, and one rather hopes it might linger on.</p>]]></description>
			<author><![CDATA[dummy@example.com (igorzwx)]]></author>
			<pubDate>Tue, 10 Feb 2026 10:11:40 +0000</pubDate>
			<guid>https://dev1galaxy.org/viewtopic.php?id=7799&amp;action=new</guid>
		</item>
		<item>
			<title><![CDATA[How to Disable the New Apt Pager]]></title>
			<link>https://dev1galaxy.org/viewtopic.php?id=7342&amp;action=new</link>
			<description><![CDATA[<p>Found this answer via DuckDuckGo! &quot;apt list&quot; was actually broken on my system because the pager was stripping the escape characters that were supposed to control the colours. This made the output very difficult to read. Probably something to do with what my default pager is or how it&#039;s set up, but the apt end-user documentation is near useless. I was contemplating downloading the source code.</p>]]></description>
			<author><![CDATA[dummy@example.com (steve_graham)]]></author>
			<pubDate>Wed, 04 Feb 2026 17:07:09 +0000</pubDate>
			<guid>https://dev1galaxy.org/viewtopic.php?id=7342&amp;action=new</guid>
		</item>
		<item>
			<title><![CDATA[The Biological Risk of High-Frequency EQ]]></title>
			<link>https://dev1galaxy.org/viewtopic.php?id=7750&amp;action=new</link>
			<description><![CDATA[<p>ALSA default settings:</p><div class="codebox"><pre><code>$ cat /usr/share/alsa/alsa.conf
#
#  ALSA library configuration file
...
defaults.ctl.card 0
defaults.pcm.card 0
defaults.pcm.device 0
...
defaults.pcm.dmix.rate 48000
...</code></pre></div><p><strong>To improve sound quality</strong> with Firefox and YouTube, you can <strong>disable WebM (Opus)</strong> support in Firefox (<span class="bbc">media.mediasource.webm.enabled = false</span>). This will automatically enable AAC (MP4) playback at a 44100 Hz sample rate. </p><p>To prevent resampling, set the default sample rate to 44100 Hz in <span class="bbc">~/.asoundrc</span>:</p><div class="codebox"><pre><code>defaults.pcm.dmix.rate 44100</code></pre></div><p>Firefox settings for better sound quality:</p><div class="codebox"><pre><code>media.mediasource.webm.enabled              false
media.cubeb.backend                         alsa
media.resampling.enabled                    false
media.cubeb_latency_playback_ms             160</code></pre></div><p><strong>Configuration Editor for Firefox:</strong><br />_https://support.mozilla.org/en-US/kb/about-config-editor-firefox</p><p>If you are using the <strong>fftrate</strong> resampler, you can configure it for the maximum sample rate supported by your sound card (e.g., 192kHz, 32-bit for Intel HDA on notebooks), as <strong>fftrate</strong> provides much better sound quality than the built-in resampler of your sound card.</p><h5>Equalizers and Hearing Aids</h5><p>The idea that a <strong>system-wide equalizer</strong> resembles a <strong>hearing aid</strong> stems from their shared function: adjusting sound frequencies to suit individual perception.&#160; In theory, boosting certain frequencies (like high tones for age-related hearing loss) could help someone hear better, much like a hearing aid. However, while both tools manipulate audio, they differ fundamentally in design, precision, and purpose.</p><p>Despite their flexibility, <strong>system-wide equalizers fall short as hearing aids</strong> because they apply the same frequency adjustments to all volume levels.&#160; Hearing loss, especially sensorineural types like presbycusis, involves <strong>loudness recruitment</strong>—a reduced dynamic range where soft sounds are inaudible but loud sounds become painful. </p><p>A fixed EQ cannot adapt gain based on input level. For instance, boosting high frequencies to hear whispers may make loud sounds uncomfortably piercing. 
Additionally, EQs lack features like <strong>noise reduction, feedback cancellation, and directional microphones</strong> found in modern hearing aids.</p><p>Modern digital hearing aids go far beyond simple EQs by using <strong>multi-channel, level-dependent compression</strong>.&#160; Devices like the SONIC NATURA™ use <strong>nine independent compression bands</strong> at half-octave intervals, allowing different gain settings for soft (50 dB) and loud (90 dB) sounds—referred to as the <strong>&#039;5&#039; and &#039;9&#039; curves</strong>. </p><p>This dual-curve system compensates not only for <strong>frequency-specific hearing loss</strong> but also for <strong>abnormal loudness growth</strong>.&#160; Unlike a static home audio EQ, this approach dynamically reshapes sound across intensity levels, mimicking the function of a healthy cochlear amplifier.</p><p>While a <strong>system-wide equalizer can mimic some aspects of hearing aid functionality</strong>, it lacks the <strong>adaptive, multi-dimensional processing</strong> required for effective hearing rehabilitation.&#160; Hearing aids are medical devices designed for <strong>individual audiometric profiles</strong>, with dynamic gain control, noise management, and feedback suppression. </p><p><strong>Health Risks</strong></p><ul><li><p><strong>Hearing damage is inevitable if output levels are excessive</strong>, especially with high-frequency boosts (e.g., 10–20kHz), which can accelerate <strong>cochlear hair cell loss</strong> and lead to <strong>permanent threshold shift (PTS)</strong>.&#160; Research confirms that overexposure to intense sound—particularly in high-frequency ranges—causes irreversible damage to hair cells and auditory nerve synapses, even if hearing thresholds appear to recover initially. 
The risk increases when EQ is used to boost already loud signals, potentially causing <strong>acoustic trauma</strong> through prolonged or extreme listening.</p></li><li><p><strong>Tinnitus sufferers</strong> may misuse EQ to compensate for hearing loss, inadvertently increasing loudness to dangerous levels. </p></li></ul><div class="quotebox"><blockquote><div><p>⚠️ Critical point: Software EQ lacks <strong>dynamic range compression</strong> and <strong>peak limiting</strong> found in hearing aids, so uncontrolled use can cause <strong>acoustic trauma</strong>.</p></div></blockquote></div><p><strong>Conclusion</strong></p><p>The reasonable approach is to disable all unnecessary sound processing (e.g., resampling) and low-quality codecs (e.g., Opus) that degrade sound quality and cause audio distortions. Then compare sound quality with that of macOS.&#160; Afterward, you can decide whether you need an equalizer or a hearing aid.</p>]]></description>
			<author><![CDATA[dummy@example.com (igorzwx)]]></author>
			<pubDate>Tue, 20 Jan 2026 22:28:18 +0000</pubDate>
			<guid>https://dev1galaxy.org/viewtopic.php?id=7750&amp;action=new</guid>
		</item>
		<item>
			<title><![CDATA[WineHQ released Wine 11 - runs without i386 architecture]]></title>
			<link>https://dev1galaxy.org/viewtopic.php?id=7751&amp;action=new</link>
			<description><![CDATA[<p>Sounds promising, no more having to go multiarch for the sake of Wine and generating separate 32/64 prefixes. I hope WoW64 support really is on par with the old 32-bit Wine. Looks like .NET and DirectMusic are also available out of the box now, which is great if that&#039;s the case. It&#039;s about time for these things to be included by default.</p>]]></description>
			<author><![CDATA[dummy@example.com (Calamity)]]></author>
			<pubDate>Sat, 17 Jan 2026 20:44:00 +0000</pubDate>
			<guid>https://dev1galaxy.org/viewtopic.php?id=7751&amp;action=new</guid>
		</item>
	</channel>
</rss>
