Firefox: Dialectics of Antagonistic Security Bugs

igorzwx · Yesterday 18:19:11

Firefox: Dialectics of Antagonistic Security Bugs

Firefox with unlocked preferences is an attractive target for attacks. Unprotected security preferences can be exploited as backdoors. To lock down these backdoors, you must fix antagonistic bugs with dialectical patches.

Don't panic! Debian's Firefox ESR leverages a system-wide preference lockdown that allows administrators to enforce security policies. Ordinary users, of course, may dwell in ignorance and fear. Devuan Wiki might be difficult to consume for TikTok users.

NOTE: This guide is a work in progress. Please do not post in this topic. Since the community has complained about "spoon-feeding", this guide is intended for experienced Linux users. If you have any questions, please consult the Devuan Wiki, or other knowledge repositories of the sort. If you have problems with dialectical patches, study Hegel or Monty Python.

Firefox Developer Edition
The browser made for developers
All the latest developer tools in beta in addition to features like the Multi-line Console Editor and WebSocket Inspector.
A separate profile and path so you can easily run it alongside Release or Beta Firefox.
Preferences tailored for web developers: Browser and remote debugging are enabled by default, as are the dark theme and developer toolbar button.
_https://www.firefox.com/en-US/channel/desktop/developer

It means:

about:config 
devtools.chrome.enabled = true 
devtools.theme = dark 
browser.toolbars.bookmarks.visibility = always

Why not close backdoors with a key?

// Disable remote debugging
pref("devtools.debugger.remote-enabled", false, locked);
// Restrict connections to localhost only (default: true)
pref("devtools.debugger.force-local", true, locked);
// Disable browser chrome debugging (debugging Firefox itself). 
pref("devtools.chrome.enabled", false, locked);
// Block access to all developer tools functionality
pref("devtools.policy.disabled", true, locked);

Security Implications of Unlocked Preferences:
1. Malicious extensions could modify security-critical preferences (like cookie behavior, remote debugging, or TLS settings)
2. Compromised user accounts could weaken protections through about:config
4. Malware could disable security features to facilitate further attacks
5. Social engineering could trick users into changing critical settings

Official Documentation: Building Firefox On Linux

_https://firefox-source-docs.mozilla.org/setup/linux_build.html
_https://firefox-source-docs.mozilla.org/build/buildsystem/mozconfigs.html

PATCHES:

$ cat PATCHES/0001-Set-MOZ_APP_UA_NAME-to-Firefox-for-clean-UA-strings.patch
From 8bd5afd0265356ddc323cffd8397208b5750227a Mon Sep 17 00:00:00 2001
From: Devuan <devuan@devuan.cargo-cult.org>
Date: Fri, 15 May 2026 23:40:28 +0200
Subject: [PATCH 1/3] Set MOZ_APP_UA_NAME to Firefox for clean UA strings

---
 browser/moz.configure | 1 +
 1 file changed, 1 insertion(+)

diff --git a/browser/moz.configure b/browser/moz.configure
index 3ea3d88b9360..0a95edc31354 100644
--- a/browser/moz.configure
+++ b/browser/moz.configure
@@ -16,6 +16,7 @@ imply_option("MOZ_APP_ID", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}")
 # Include the DevTools client, not just the server (which is the default)
 imply_option("MOZ_DEVTOOLS", "all")
 imply_option("BROWSER_CHROME_URL", "chrome://browser/content/browser.xhtml")
+imply_option("MOZ_APP_UA_NAME", "Firefox")

 with only_when(target_has_linux_kernel & compile_environment):
-- 
2.39.5

$ cat PATCHES/0002-Set-MOZ_APP_PROFILE-to-Firefox-for-clean-APP_PROFILE.patch
From 252efd229f1d9dac21e053d05a5ef9ced1ca14f3 Mon Sep 17 00:00:00 2001
From: Devuan <devuan@devuan.cargo-cult.org>
Date: Sat, 16 May 2026 18:02:08 +0200
Subject: [PATCH 2/3] Set MOZ_APP_PROFILE to Firefox for clean APP_PROFILE
 strings

---
 browser/moz.configure | 1 +
 1 file changed, 1 insertion(+)

diff --git a/browser/moz.configure b/browser/moz.configure
index 0a95edc31354..a4a4945ddbdd 100644
--- a/browser/moz.configure
+++ b/browser/moz.configure
@@ -17,6 +17,7 @@ imply_option("MOZ_APP_ID", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}")
 imply_option("MOZ_DEVTOOLS", "all")
 imply_option("BROWSER_CHROME_URL", "chrome://browser/content/browser.xhtml")
 imply_option("MOZ_APP_UA_NAME", "Firefox")
+imply_option("MOZ_APP_PROFILE", "firefox-dev")

 with only_when(target_has_linux_kernel & compile_environment):
-- 
2.39.5

$ cat PATCHES/0003-Fix-system-preferences-for-custom-firefox-dev-builds.patch
From 9f4226e27c3b85506873bea8e30645fb066709ae Mon Sep 17 00:00:00 2001
From: Devuan <devuan@devuan.cargo-cult.org>
Date: Thu, 28 May 2026 23:41:26 +0200
Subject: [PATCH 3/3] Fix system preferences for custom firefox-dev builds
 (security-critical)

This fixes two upstream bugs that prevent the system preferences security
feature from working, which is designed to lock down potential backdoors
by allowing administrators to enforce system-wide preference settings.

Bug 1: Configure option contradiction in toolkit/moz.configure
- Original code defines --disable-system-preferences but requires
  --enable-system-preferences in the when condition, creating a
  semantic contradiction that prevents the feature from being enabled
- Fixed with inline lambda pattern: when=depends("--disable-system-preferences")(lambda x: not x)

Bug 2: Dynamic app name resolution in xpcom/io/SpecialSystemDirectory.cpp
- Runtime code dynamically constructs /etc/{appname}/defaults/pref/ path
- This breaks system-wide configuration for custom builds with non-standard
  app names like firefox-dev
- Fixed by hardcoding "firefox-dev" to match the existing directory structure

REQUIREMENT: Users must add this line to their .mozconfig:
  ac_add_options --disable-system-preferences

This is a dialectical workaround: the --disable option actually enables
the feature due to the inverted lambda logic. Without this in .mozconfig,
the configure system will not set MOZ_SYSTEM_PREFERENCES.

Security Impact: System preferences load LAST, overriding application defaults.
This allows administrators to lock down preferences that could be exploited
as backdoors (telemetry, proxy settings, extensions, etc.). The upstream bugs
prevent this security mechanism from functioning.
---
 toolkit/moz.configure               |  4 ++--
 xpcom/io/SpecialSystemDirectory.cpp | 31 ++++++++++++++++-------------
 2 files changed, 19 insertions(+), 16 deletions(-)

diff --git a/toolkit/moz.configure b/toolkit/moz.configure
index 2412f33b4ef5..cd230f461282 100644
--- a/toolkit/moz.configure
+++ b/toolkit/moz.configure
@@ -4232,8 +4232,8 @@ option(
     help="Disable reading preferences from /etc/firefox",
 )
 
-set_config("MOZ_SYSTEM_PREFERENCES", True, when="--enable-system-preferences")
-set_define("MOZ_SYSTEM_PREFERENCES", True, when="--enable-system-preferences")
+set_config("MOZ_SYSTEM_PREFERENCES", True, when=depends("--disable-system-preferences")(lambda x: not x))
+set_define("MOZ_SYSTEM_PREFERENCES", True, when=depends("--disable-system-preferences")(lambda x: not x))
 
 # Allow disabling the creation a legacy profile
 # ==============================================================
diff --git a/xpcom/io/SpecialSystemDirectory.cpp b/xpcom/io/SpecialSystemDirectory.cpp
index 5e80ca881c27..3d1cdf7b3fc1 100644
--- a/xpcom/io/SpecialSystemDirectory.cpp
+++ b/xpcom/io/SpecialSystemDirectory.cpp
@@ -155,20 +155,22 @@ static nsresult GetUnixHomeDir(nsIFile** aFile) {
 #  endif
 }
 
-static nsresult GetUnixSystemConfigDir(nsIFile** aFile) {
-#  if defined(ANDROID)
-  return NS_ERROR_FAILURE;
-#  else
-  nsAutoCString appName;
-  if (nsCOMPtr<nsIXULAppInfo> appInfo =
-          do_GetService("@mozilla.org/xre/app-info;1")) {
-    MOZ_TRY(appInfo->GetName(appName));
-  } else {
-    appName.AssignLiteral(MOZ_APP_BASENAME);
-  }
-
-  ToLowerCase(appName);
-
+static nsresult GetUnixSystemConfigDir(nsIFile** aFile) {  
+#  if defined(ANDROID)  
+  return NS_ERROR_FAILURE;  
+#  else  
+  // DIALECTICAL FIX: Hardcode firefox-dev for custom build  
+  nsAutoCString appName("firefox-dev");  
+    
+  // Original dynamic code (commented out):  
+  // if (nsCOMPtr<nsIXULAppInfo> appInfo =  
+  //         do_GetService("@mozilla.org/xre/app-info;1")) {  
+  //   MOZ_TRY(appInfo->GetName(appName));  
+  // } else {  
+  //   appName.AssignLiteral(MOZ_APP_BASENAME);  
+  // }  
+  // ToLowerCase(appName);  
+  
   nsDependentCString sysConfigDir;
   if (PR_GetEnv("XPCSHELL_TEST_PROFILE_DIR")) {
     const char* mozSystemConfigDir = PR_GetEnv("MOZ_SYSTEM_CONFIG_DIR");
@@ -181,6 +183,7 @@ static nsresult GetUnixSystemConfigDir(nsIFile** aFile) {
     sysConfigDir.Assign(nsLiteralCString("/app/etc"));
   }
 #    endif
+
   if (sysConfigDir.IsEmpty()) {
     sysConfigDir.Assign(nsLiteralCString("/etc"));
   }
-- 
2.39.5

# Project tree:
#   BUILD/
#   ├── build_dir_ALSA-dev/     # created with ./mach build 
#   ├── debdir_ALSA-dev/        # created with ./mach install
#   ├── DEB_templates/          # 
#   │   └── make_deb.sh         # Bash script for Firefox packaging
#   ├── firefox/                # Firefox source code
#   └── PATCHES
#       ├── 0001-Set-MOZ_APP_UA_NAME-to-Firefox-for-clean-UA-strings.patch
#       ├── 0002-Set-MOZ_APP_PROFILE-to-Firefox-for-clean-APP_PROFILE.patch
#       └── 0003-Fix-system-preferences-for-custom-firefox-dev-builds.patch

Create firefox/.mozconfig with a text editor

nano firefox/.mozconfig

$ cat firefox/.mozconfig
# The default mozconfig is located here: sourcedir/browser/config/mozconfig
. $topsrcdir/browser/config/mozconfig  
mk_add_options MOZ_MAKE_FLAGS="-j$(expr $(nproc) + 2)" 
mk_add_options MOZ_OBJDIR="$(dirname $topsrcdir)"/build_dir_ALSA-dev  
mk_add_options MOZ_APP_DISPLAYNAME="Firefox Developer Edition"  
mk_add_options MOZ_SIMPLE_PACKAGE_NAME=firefox-dev  
ac_add_options --with-app-basename="Firefox Developer Edition" 
ac_add_options --with-app-name=firefox-dev  
ac_add_options --prefix=/usr  
ac_add_options --without-sysroot  
ac_add_options --enable-audio-backends=alsa
mk_add_options MOZ_DEV_EDITION=1
mk_add_options MOZ_APP_REMOTINGNAME=firefox-dev
ac_add_options --with-branding=browser/branding/aurora   #  Firefox Developer Edition
ac_add_options --enable-update-channel=aurora
ac_add_options --disable-crashreporter   # Optional
ac_add_options --disable-system-preferences  # dialectical workaround to enable system preferences
export LDFLAGS="-Wl,--no-keep-memory"

Update the sorce code:

cd firefox && git pull

Apply pathes:

$ ls -1 ../PATCHES
0001-Set-MOZ_APP_UA_NAME-to-Firefox-for-clean-UA-strings.patch
0002-Set-MOZ_APP_PROFILE-to-Firefox-for-clean-APP_PROFILE.patch
0003-Fix-system-preferences-for-custom-firefox-dev-builds.patch

patch -Np1 -i ../PATCHES/0001*
patch -Np1 -i ../PATCHES/0002*
patch -Np1 -i ../PATCHES/0003*

Build firefox-dev

./mach clobber
./mach configure

$ grep "MOZ_SYSTEM_PREFERENCES" ../build_dir_ALSA-dev/config.status.json
    "MOZ_SYSTEM_PREFERENCES": "1",
    "MOZ_SYSTEM_PREFERENCES": "1",

./mach build -v --priority normal

$ grep "MOZ_SYSTEM_PREFERENCES" ../build_dir_ALSA-dev/mozilla-config.h
#define MOZ_SYSTEM_PREFERENCES 1

Install to debdir

DESTDIR="$(dirname $(pwd))"/debdir_ALSA-dev ./mach install

$ tree -L 3 ../debdir_ALSA-dev
../debdir_ALSA-dev
└── usr
    ├── bin
    │   └── firefox-dev -> /usr/lib/firefox-dev/firefox-dev
    └── lib
        └── firefox-dev

$ ../debdir_ALSA-dev/usr/lib/firefox-dev/firefox-dev
Mozilla Firefox Developer Edition 153.0a1

Packaging

sudo apt install fakeroot

mkdir "$(dirname $(pwd))"/DEB_templates && cd "$(dirname $(pwd))"/DEB_templates

Create a script for Firefox packaging with a text editor

nano make_deb.sh

and make it executable.

$ cat make_deb.sh
#!/bin/bash
#
# Firefox Developer Edition Debian Package Builder
# ================================================
#
# This script creates a Debian package for Firefox Developer Edition 
# with security-hardened configuration. 
#
# NOTE: Alternatively, one may try the official Mozilla ./mach repackage deb tool, 
#       though it might be an exercise in masochism.
#
# Usage: ./make_deb.sh
# Location: Run from DEB_templates directory
#
# Project structure:
#   BUILD/
#   ├── build_dir_ALSA-dev/     # Compiled Firefox binaries created with ./mach build 
#   ├── debdir_ALSA-dev/        # Package staging directory created with ./mach install
#   ├── DEB_templates/          # This directory
#   │   └── make_deb.sh         # This script
#   └── firefox/                # Firefox source tree
#
# Output: firefox-dev-ed_<version>_<arch>.deb
#
# ==============================================================================

# Bash Strict Mode
set -euo pipefail

# -----------------------------------------------------------------------------
# Configuration
# -----------------------------------------------------------------------------
DEB_ROOT="$(dirname "$(pwd)")"/debdir_ALSA-dev
SHARE_DIR="$DEB_ROOT/usr/share"
ETC_DIR="$DEB_ROOT/etc"
LIB_DIR="$DEB_ROOT/usr/lib"
PACKAGE_NAME="firefox-dev"
DEB_PACKAGE_NAME="firefox-dev-ed"
VERSION="153.0a1-1"
ARCH="amd64"

echo "Creating Debian package for $PACKAGE_NAME $VERSION..."

# -----------------------------------------------------------------------------
# 1. Create directory structure (FHS compliant)
# -----------------------------------------------------------------------------
install -dm755 "$SHARE_DIR/$PACKAGE_NAME"/{browser/{chrome/icons/default,defaults/preferences},distribution/searchplugins/common}
install -dm755 "$SHARE_DIR/applications"
install -dm755 "$SHARE_DIR/icons/hicolor"/{16x16,32x32,48x48,64x64,128x128,symbolic}/apps
install -dm755 "$SHARE_DIR/doc/$PACKAGE_NAME"
install -dm755 "$SHARE_DIR/lintian/overrides"
install -dm755 "$SHARE_DIR/man/man1"
install -dm755 "$SHARE_DIR/mozilla/extensions"
install -dm755 "$ETC_DIR/$PACKAGE_NAME"/defaults/pref
install -dm755 "$DEB_ROOT/DEBIAN"

# -----------------------------------------------------------------------------
# 2. Create system-wide configuration files
# -----------------------------------------------------------------------------
# These files contain security-hardened Firefox preferences.
# They are placed in /etc/firefox-dev/ and symlinked to the defaults/pref directory.
# This allows system administrators to easily modify defaults.

# Primary configuration file with security preferences
install -m644 <(cat << 'EOF'
// Debian system-wide preferences for Firefox Developer Edition
// ============================================================
//
// This file contains security-hardened default settings for Firefox.
// System administrators can modify these values to change defaults.
//
// Syntax:
//   pref("preference.name", value);           // Default (user can override)
//   pref("preference.name", value, locked);   // Locked (user cannot override)
//
//   String values must be enclosed in double quotes.
//
// Security Configuration:
// ------------------------

// Extension updates
pref("extensions.update.enabled", true);

// Browser behavior
pref("browser.shell.checkDefaultBrowser", false);

// Media settings (disable GMP OpenH264 for privacy)
pref("media.gmp-gmpopenh264.enabled", false);

// Enhanced privacy: disable enhanced new tab page
pref("browser.newtabpage.enhanced", false, locked);

// Telemetry and data reporting (DISABLED for privacy)
pref("datareporting.healthreport.uploadEnabled", false, locked);

// URL bar: disable search suggestions for privacy
pref("browser.urlbar.suggest.searches", false, locked);

// Telemetry (DISABLED for privacy)
pref("toolkit.telemetry.enabled", false, locked);

// Media configuration for better sound quality
pref("media.webm.enabled", false, locked);
pref("media.resampling.enabled", false, locked);
pref("media.cubeb_latency_playback_ms", 160, locked);

// Region and localization (force US/English to prevent fingerprinting)
pref("browser.region.network.url", "", locked);
pref("browser.region.update.enabled", false, locked);
pref("browser.region.network.scan", false, locked);
pref("privacy.spoof_english", 2, locked);
pref("intl.accept_languages", "en-US, en, en-GB", locked);
pref("browser.search.region", "US", locked);
pref("browser.search.geoip.url", "", locked);
pref("distribution.searchplugins.defaultLocale", "en-US", locked);
EOF
) "$ETC_DIR/$PACKAGE_NAME/defaults/pref/firefox-dev.cfg1.js"

# -----------------------------------------------------------------------------
# 4. Create desktop entry (freedesktop.org compliant)
# -----------------------------------------------------------------------------
install -m644 <(cat << 'EOF'
[Desktop Entry]
Name=Firefox Developer Edition
Comment=Web Browser
Exec=/usr/lib/firefox-dev/firefox-dev %u
Icon=firefox-dev
Terminal=false
Type=Application
Categories=Network;WebBrowser;
MimeType=text/html;text/xml;application/xhtml+xml;application/vnd.mozilla.xul+xml;text/mml;x-scheme-handler/http;x-scheme-handler/https;x-scheme-handler/ftp;
StartupNotify=true
EOF
) "$SHARE_DIR/applications/$PACKAGE_NAME.desktop"

# -----------------------------------------------------------------------------
# 5. Create copyright file (Debian Policy compliant)
# -----------------------------------------------------------------------------
install -m644 <(cat << 'EOF'
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: Firefox Developer Edition
Source: https://github.com/mozilla/firefox

License: MPL-2.0
 This Source Code Form is subject to the terms of the Mozilla Public
 License, v. 2.0. If a copy of the MPL was not distributed with this
 file, You can obtain one at http://mozilla.org/MPL/2.0/.
EOF
) "$SHARE_DIR/doc/$PACKAGE_NAME/copyright"

# -----------------------------------------------------------------------------
# 6. Create lintian override (suppress expected warnings)
# -----------------------------------------------------------------------------
install -m644 <(echo "$PACKAGE_NAME: binary-without-manpage") \
    "$SHARE_DIR/lintian/overrides/$PACKAGE_NAME"

# -----------------------------------------------------------------------------
# 7. Create man page
# -----------------------------------------------------------------------------
install -m644 <(cat << 'EOF'
.TH FIREFOX-DEV 1 "User Commands"
.SH NAME
firefox-dev \- Mozilla Firefox Developer Edition
.SH DESCRIPTION
Firefox Developer Edition with custom ALSA support.
This build uses ALSA directly for audio output instead of PulseAudio.
.SH FILES
.I /etc/firefox-dev/firefox-dev.cfg*.js
System-wide preference files.
.SH SEE ALSO
Firefox documentation: https://developer.mozilla.org/
EOF
) "$SHARE_DIR/man/man1/$PACKAGE_NAME.1"
gzip -9f "$SHARE_DIR/man/man1/$PACKAGE_NAME.1"

# -----------------------------------------------------------------------------
# 8. Copy icons from Firefox build directory
# -----------------------------------------------------------------------------
ICON_SOURCE_DIR="$LIB_DIR/$PACKAGE_NAME/browser/chrome/icons/default"
if [ -d "$ICON_SOURCE_DIR" ]; then
    for size in 16 32 48 64 128; do
        if [ -f "$ICON_SOURCE_DIR/default${size}.png" ]; then
            install -m644 "$ICON_SOURCE_DIR/default${size}.png" \
                "$SHARE_DIR/icons/hicolor/${size}x${size}/apps/$PACKAGE_NAME.png"
        fi
    done
fi

# -----------------------------------------------------------------------------
# 9. Calculate dependencies and Installed-Size
# -----------------------------------------------------------------------------
# This section uses dpkg-shlibdeps to automatically calculate library dependencies.
# A temporary debian directory is created for dependency calculation.

# Create control file template for dpkg-shlibdeps
mkdir -p debian
cat > debian/control << EOF
Source: ${DEB_PACKAGE_NAME}
Package: ${DEB_PACKAGE_NAME}
Depends: \${shlibs:Depends}
EOF

# Calculate dependencies using dpkg-shlibdeps
dpkg-shlibdeps -x"$PACKAGE_NAME" -l"$DEB_ROOT"/usr/lib \
    --ignore-missing-info -e $(find "$DEB_ROOT" -type f 2>/dev/null) 2>/dev/null

# Extract dependencies or use fallback
if [ -f debian/substvars ] && grep -q "shlibs:Depends" debian/substvars; then
    DEPS=$(grep "shlibs:Depends" debian/substvars | sed 's/shlibs:Depends=//')
else
    DEPS="libc6"
fi

# Add changelog (required by dpkg-gencontrol)
cat > debian/changelog << EOF
${DEB_PACKAGE_NAME} (${VERSION}) unstable; urgency=medium
  * Custom build with security enhancements and ALSA support
 -- Devuan Packaging <devuan@devuan.org>  $(date -R)
EOF

# Add misc dependencies (required by dpkg-gencontrol)
echo "misc:Depends=" >> debian/substvars
echo "misc:Pre-Depends=" >> debian/substvars

# Create control file template for dpkg-gencontrol
cat > debian/control << EOF
Source: ${DEB_PACKAGE_NAME}

Package: ${DEB_PACKAGE_NAME}
Architecture: ${ARCH}
EOF

# Run dpkg-gencontrol to calculate Installed-Size
dpkg-gencontrol -p${DEB_PACKAGE_NAME} \
    -ldebian/changelog \
    -Tdebian/substvars \
    -P"$DEB_ROOT" \
    2>/dev/null

# Extract Installed-Size
SIZE=$(sed -n 's/Installed-Size: //p' "$DEB_ROOT/DEBIAN/control")

# Clean up temporary directory
rm -rf debian

# -----------------------------------------------------------------------------
# 10. Create DEBIAN/control file with all fields in correct Debian order
# -----------------------------------------------------------------------------

cat > "$DEB_ROOT/DEBIAN/control" << EOF
Package: ${DEB_PACKAGE_NAME}
Version: ${VERSION}
Priority: optional
Section: web
Architecture: ${ARCH}
Maintainer: Devuan Packaging <devuan@devuan.org>
Installed-Size: ${SIZE}
Provides: gnome-www-browser, www-browser
Depends: ${DEPS}
Conflicts: firefox-dev
Recommends: libavcodec61 | libavcodec-extra61 | libavcodec60 | libavcodec-extra60 | libavcodec59 | libavcodec-extra59 | libavcodec58 | libavcodec-extra58 | libavcodec57 | libavcodec-extra57 | libavcodec56 | libavcodec-extra56 | libavcodec55 | libavcodec-extra55 | libavcodec54 | libavcodec-extra54 | libavcodec53 | libavcodec-extra53
Suggests: fonts-stix | otf-stix, fonts-lmodern, libgssapi-krb5-2 | libkrb53, libcanberra0
Description: Firefox Developer Edition (ALSA build)
 Firefox Developer Edition is a high-performance browser for web developers,
 featuring Multi-line Console Editor and WebSocket Inspector. It runs
 side-by-side with Release, Beta, or Nightly builds using a separate Profile
 Directory and installation path.
 .
 This custom build includes:
  * Security-hardened default preferences
  * ALSA audio support (no PulseAudio dependency)
  * Pre-configured developer defaults: remote debugging enabled, dark theme,
    and developer toolbar
EOF

# -----------------------------------------------------------------------------
# 11. Generate md5sums for all installed files
# -----------------------------------------------------------------------------
cd "$DEB_ROOT"
install -m644 <(find . -type f -not -path './DEBIAN/*' -printf '%P\0' | \
    xargs -0 md5sum | sort -k 2) DEBIAN/md5sums

# Display package structure
echo "Package structure:"
tree -L 3 .

# Return to script directory
cd "$(dirname "$(pwd)")"/DEB_templates

# -----------------------------------------------------------------------------
# 12. Build the package using dpkg-deb
# -----------------------------------------------------------------------------
echo "Building Debian package..."
fakeroot -- dpkg-deb -b "$DEB_ROOT" "${DEB_PACKAGE_NAME}_${VERSION}_${ARCH}.deb"

echo "Package built successfully: ${DEB_PACKAGE_NAME}_${VERSION}_${ARCH}.deb"

Run make_deb.sh to build Debian package

$ ./make_deb.sh
Creating Debian package for firefox-dev 153.0a1-1...
Package structure:
.
├── DEBIAN
│   ├── control
│   └── md5sums
├── etc
│   └── firefox-dev
│       └── defaults
└── usr
    ├── bin
    │   └── firefox-dev -> /usr/lib/firefox-dev/firefox-dev
    ├── lib
    │   └── firefox-dev
    └── share
        ├── applications
        ├── doc
        ├── firefox-dev
        ├── icons
        ├── lintian
        ├── man
        └── mozilla

17 directories, 3 files
Building Debian package...
dpkg-deb: building package 'firefox-dev-ed' in 'firefox-dev-ed_153.0a1-1_amd64.deb'.
Package built successfully: firefox-dev-ed_153.0a1-1_amd64.deb

$ ls -1 *deb
firefox-dev-ed_153.0a1-1_amd64.deb

Install

sudo dpkg -i firefox-dev-ed_153.0a1-1_amd64.deb

$ firefox-dev --version
Mozilla Firefox Developer Edition 153.0a1

Hacking dependencies

The DEBIAN/control file is not included in DEBIAN/md5sums.
You can edit it freely without regenerating checksums.
To rebuild the package, run:

fakeroot -- dpkg-deb -b ../debdir_ALSA-dev firefox-dev-ed_153.0a1-1_amd64.deb

Repackaging

fakeroot -u -- dpkg-repack firefox-dev-ed
fakeroot -u dpkg-repack --generate <package-name>

Example of Firefox hardened configuration:

$ cat /etc/firefox-dev/defaults/pref/firefox-dev.cfg5.js
// ============================================================================
// Firefox Security-Hardened Configuration
// ============================================================================
// This file locks all security-critical preferences to prevent 
// modification by users, extensions, or malicious code. 
// Place in /etc/firefox-dev/defaults/pref/
// ============================================================================

// -----------------------------------------------------------------------------
// Sandbox
// -----------------------------------------------------------------------------
// Linux Content Process Sandbox
// Level 6 = default-deny for ioctl (most restrictive)
pref("security.sandbox.content.level", 6, locked);
// Whitelist paths (empty string = no whitelist)
pref("security.sandbox.content.write_path_whitelist", "", locked);
pref("security.sandbox.content.read_path_whitelist", "", locked);
pref("security.sandbox.content.syscall_whitelist", "", locked);

// Socket Process Sandbox
// Level 2 = default-deny for ioctl
pref("security.sandbox.socket.process.level", 2, locked);

// Sandbox Logging (disable for security)
pref("security.sandbox.logging.enabled", false, locked);

// -----------------------------------------------------------------------------
// Remote Debugging and Developer Tools
// -----------------------------------------------------------------------------
// Disable remote debugging
pref("devtools.debugger.remote-enabled", false, locked);
// Port number for the debugging server (default: 6000)
pref("devtools.debugger.remote-port", 6000, locked);
// Restrict connections to localhost only (default: true)
pref("devtools.debugger.force-local", true, locked);
// Disable browser chrome debugging (debugging Firefox itself). Debian's default: false
pref("devtools.chrome.enabled", false, locked);
// Block access to all developer tools functionality
pref("devtools.policy.disabled", true, locked);

// -----------------------------------------------------------------------------
// Cookie and Privacy Settings
// -----------------------------------------------------------------------------
// Strongest cookie privacy setting (reject trackers, partition third-party cookies)
pref("network.cookie.cookieBehavior", 5, locked);
pref("network.cookie.cookieBehavior.pbmode", 5, locked);
// Block-by-default with opt-in partitioning (more restrictive than dFPI)
pref("network.cookie.cookieBehavior.optInPartitioning", true, locked);
pref("network.cookie.cookieBehavior.optInPartitioning.pbmode", true, locked);
// Block third-party cookies from tracking protection list
pref("network.cookie.cookieBehavior.trackerCookieBlocking", true, locked);
// Prevent sync from propagating weaker settings
pref("services.sync.prefs.sync.network.cookie.cookieBehavior", false, locked);

// Global Privacy Control
pref("privacy.globalprivacycontrol.enabled", true, locked);
pref("privacy.globalprivacycontrol.functionality.enabled", true, locked);
pref("privacy.globalprivacycontrol.pbmode.enabled", true, locked);

// Disable First Party Isolation (incompatible with behavior 5)
pref("privacy.firstparty.isolate", false, locked);
pref("privacy.firstparty.isolate.block_post_message", false, locked);
pref("privacy.firstparty.isolate.restrict_opener_access", true, locked);
pref("privacy.firstparty.isolate.use_site", false, locked);

// -----------------------------------------------------------------------------
// TLS/SSL Configuration
// -----------------------------------------------------------------------------
// Minimum TLS version (1=tls1, 2=tls1.1, 3=tls1.2, 4=tls1.3)
pref("security.tls.version.min", 3, locked);
// Maximum TLS version
pref("security.tls.version.max", 4, locked);
// Disable deprecated TLS versions
pref("security.tls.version.enable-deprecated", false, locked);

// TLS Security Features
pref("security.ssl.require_safe_negotiation", true, locked);
pref("security.tls.hello_downgrade_check", true, locked);
pref("security.ssl.enable_ocsp_stapling", true, locked);
pref("security.OCSP.require", true, locked);
pref("security.OCSP.enabled", 1, locked);

// TLS 1.3 Features
pref("security.tls.enable_0rtt_data", false, locked);
pref("security.tls.enable_post_handshake_auth", true, locked);
pref("security.tls.enable_delegated_credentials", true, locked);

// Encrypted Client Hello (ECH)
pref("network.dns.echconfig.enabled", true, locked);
pref("network.dns.http3_echconfig.enabled", true, locked);

// Disable weak cipher suites
pref("security.ssl3.rsa_aes_128_sha", false, locked);
pref("security.ssl3.rsa_aes_256_sha", false, locked);
pref("security.ssl3.rsa_aes_128_gcm_sha256", false, locked);
pref("security.ssl3.rsa_aes_256_gcm_sha384", false, locked);
pref("security.ssl3.deprecated.rsa_des_ede3_sha", false, locked);

// -----------------------------------------------------------------------------
// Content Security
// -----------------------------------------------------------------------------
pref("security.block_fileuri_script_with_wrong_mime", true, locked);
pref("security.mixed_content.block_active_content", true, locked);
pref("security.mixed_content.block_display_content", true, locked);
pref("security.mixed_content.upgrade_display_content", true, locked);
pref("security.insecure_connection_text.enabled", true, locked);
pref("security.insecure_connection_text.pbmode.enabled", true, locked);
pref("security.warn_submit_secure_to_insecure", true, locked);

// HTTPS-Only Mode
//pref("dom.security.https_only_mode", true, locked);
//pref("dom.security.https_only_mode_pbm", true, locked);
//pref("dom.security.https_first", true, locked);
//pref("dom.security.https_first_pbm", true, locked);

// HTTPS-First (less aggressive than HTTPS-Only)
pref("dom.security.https_first", true, locked);
pref("dom.security.https_first_pbm", true, locked);

// -----------------------------------------------------------------------------
// Certificate and PKI Settings
// -----------------------------------------------------------------------------
pref("security.default_personal_cert", "Ask Every Time", locked);
pref("security.pki.certificate_transparency.mode", 1, locked);
pref("security.ssl.errorReporting.enabled", true, locked);
pref("security.enterprise_roots.enabled", true, locked);

// -----------------------------------------------------------------------------
// Safe Browsing
// -----------------------------------------------------------------------------
pref("browser.safebrowsing.malware.enabled", true, locked);
pref("browser.safebrowsing.phishing.enabled", true, locked);
pref("browser.safebrowsing.downloads.enabled", true, locked);
pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", true, locked);
pref("browser.safebrowsing.downloads.remote.block_uncommon", true, locked);

// -----------------------------------------------------------------------------
// WebAuthn
// -----------------------------------------------------------------------------
pref("security.webauthn.always_allow_direct_attestation", false, locked);

// -----------------------------------------------------------------------------
// CSP Reporting
// -----------------------------------------------------------------------------
pref("security.csp.reporting.enabled", true, locked);

// -----------------------------------------------------------------------------
// Extension Security
// -----------------------------------------------------------------------------
//pref("xpinstall.whitelist.required", true, locked);
//pref("xpinstall.enabled", false, locked);
//pref("extensions.update.enabled", false, locked);

// -----------------------------------------------------------------------------
// Telemetry and Data Collection
// -----------------------------------------------------------------------------
pref("datareporting.healthreport.uploadEnabled", false, locked);
pref("toolkit.telemetry.enabled", false, locked);
pref("browser.newtabpage.activity-stream.feeds.telemetry", false, locked);
pref("browser.newtabpage.activity-stream.telemetry", false, locked);

// -----------------------------------------------------------------------------
// Network Security
// -----------------------------------------------------------------------------
pref("network.http.sendRefererHeader", 2, locked);
pref("privacy.resistFingerprinting", true, locked);
pref("privacy.trackingprotection.enabled", true, locked);
pref("privacy.trackingprotection.pbmode.enabled", true, locked);

// -----------------------------------------------------------------------------
// DNS over HTTPS
// -----------------------------------------------------------------------------
// pref("network.trr.mode", 3, locked);

// DoH with fallback (mode 2 instead of 3)
pref("network.trr.mode", 2, locked);

// -----------------------------------------------------------------------------
// Local Network Access
// -----------------------------------------------------------------------------
pref("network.lna.blocking", true, locked);

// -----------------------------------------------------------------------------
// Post-Quantum Cryptography
// -----------------------------------------------------------------------------
pref("security.tls.post_quantum_key_agreement.enabled", true, locked);

The officially official Devuan Forum!

#1 Yesterday 18:19:11