# firefox-fourier PKGBUILD overlay

Verified working sequence on `boltzmann` LXD container `firefox-fourier`, 2026-05-05.

## Strategy

We do NOT fork mozilla-central. We layer a single-file patch on top of the upstream Arch Linux `firefox` PKGBUILD using AUR-style `source=()` + `prepare()` injection. This gives:

- All build deps managed by pacman/makepkg
- Arch's already-validated mozconfig
- A `pacman -U` installable result on ohm
- `makepkg -e` semantics for fast iteration

**`pkgname` stays `firefox`.** We bump `pkgrel=1` → `pkgrel=1.1` to mark our build, which lets pacman vercmp distinguish it from stock. Renaming `pkgname` would have rippled through ~30 `$pkgname` references in package() (companion files, branding paths, gnome-shell search provider) — the rel-bump approach is far cleaner and pacman -U replaces stock firefox naturally.

## Source of upstream PKGBUILD

`https://gitlab.archlinux.org/archlinux/packaging/packages/firefox/-/raw/main/PKGBUILD`

Verified 2026-05-04: returns firefox 150.0.1-1 PKGBUILD with `arch=(x86_64)`. ALARM does not fork it; ALARM's build farm builds straight from upstream Arch with `arch=` widened to include aarch64.

## Bootstrap

The reproducible bootstrap script is `bootstrap.sh` in this directory. It:

1. Installs `pacman-contrib` if missing (for `updpkgsums`)
2. Fetches upstream PKGBUILD + companion source files into `/build/aur/firefox-fourier/`
3. Copies our patch in as `0005-rdd-allow-stateless-v4l2-request-api.patch`
4. Applies five overlay edits in place:
   - `pkgrel=1` → `pkgrel=1.1`
   - `arch=(x86_64)` → `arch=(x86_64 aarch64)`
   - Our patch added to `source=()` after the existing 0004 entry
   - Our patch added to `prepare()` after the 0004 patch application
   - `onnxruntime` removed from `makedepends` and `optdepends`, plus the `ln -srv libonnxruntime.so` line removed from `package()` — onnxruntime is not in ALARM aarch64; it's only used by Firefox's optional ML smart-tab-groups feature, not on the V4L2 path.
5. Runs `updpkgsums` to regenerate sha256/b2 sums for our new patch
6. Validates with `bash -n PKGBUILD`

Run inside the container as `builder`:

```bash
ssh -J boltzmann builder@firefox-fourier
chmod +x ~/firefox-fourier/bootstrap.sh
~/firefox-fourier/bootstrap.sh
```

## Prerequisite gap (ALARM-stale wasi packages)

ALARM extra ships wasi packages from 2021 (sdk-13 era, `wasm32-wasi` triple). Mozilla 150 + clang 22 use the `wasm32-wasip1` triple. Before our build can configure, install upstream Arch x86_64 wasi packages — they're `arch=any` so the `.pkg.tar.zst` is identical across architectures:

```bash
sudo pacman -U \
  https://geo.mirror.pkgbuild.com/extra/os/x86_64/wasi-libc-1:0+592+161b3195-1-any.pkg.tar.zst \
  https://geo.mirror.pkgbuild.com/extra/os/x86_64/wasi-compiler-rt-22.1.0-2-any.pkg.tar.zst \
  https://geo.mirror.pkgbuild.com/extra/os/x86_64/wasi-libc++-22.1.0-1-any.pkg.tar.zst \
  https://geo.mirror.pkgbuild.com/extra/os/x86_64/wasi-libc++abi-22.1.0-1-any.pkg.tar.zst
```

(The container had this done by his subagent on 2026-05-05; the four packages are cached at `/build/aur/wasi/upstream-any/`.)

Verify:

```bash
ls /usr/lib/clang/22/lib/wasm32-unknown-wasip1/libclang_rt.builtins.a \
   /usr/share/wasi-sysroot/lib/wasm32-wasip1/crt1.o
```

Both must exist before the firefox build can pass configure.

## Build

```bash
cd /build/aur/firefox-fourier
nohup makepkg --syncdeps --skippgpcheck --noconfirm --nocheck \
  > build.log 2>&1 < /dev/null &
disown
```

Why `--skippgpcheck`: Mozilla rotated their release-signing key in 2025 (5ECB6497C1A20256). The upstream Arch PKGBUILD's `validpgpkeys=()` array still has the old key. Skipping PGP does NOT weaken the build — sha256+blake2b sums on the source tarball are still verified, and the tarball is fetched over HTTPS from archive.mozilla.org.

The `--enable-v4l2` mozconfig flag does NOT exist in Mozilla 150. `MOZ_ENABLE_V4L2` is auto-set in `toolkit/moz.configure:643` when target.cpu is arm/aarch64/riscv64 and toolkit is GTK. Adding `ac_add_options --enable-v4l2` causes `mozbuild.configure.options.InvalidOptionError`. Don't add it.

Build time on boltzmann RK3588: 1.5–2.5 hours (8 cores, parallel C++ + one big rustc).

## Resulting package

```
firefox-150.0.1-1.1-aarch64.pkg.tar.zst   (~80 MB)
```

(pkgname stayed `firefox`, the 1.1 in the filename is our pkgrel bump.)

## What `makepkg -e` skips

From `man makepkg`:

> -e, --noextract: Do not extract source files; use whatever source already exists in the src/ directory.

For our flow:
- First build: `makepkg --skippgpcheck` (extract → patch → configure → compile → package)
- After tweaking source under `src/firefox-150.0.1/...`: `makepkg -e --skippgpcheck` (skips extract AND prepare)
- For .patch text changes: `makepkg -C --skippgpcheck` (full cleanbuild)

This squares with the user guidance: "if an aur package is the basis, remember to skip re-extraction and patching (makepkg -e) on rebuilds".

## Validation gates

Pre-build:
- `bash -n PKGBUILD` — syntax check
- `patch -Np1 --dry-run -i 0005-rdd-allow-stateless-v4l2-request-api.patch` from inside `src/firefox-150.0.1/` — confirm patch applies cleanly. The patch uses proper `@@ -line,count +line,count @@` headers, regenerated against firefox-150.0.1's actual SandboxBrokerPolicyFactory.cpp.

Post-configure (~0:30 elapsed in build.log):
- `0:28.86 checking the wasm C linker can find wasi libraries... yes`
- `0:29.19 checking the wasm C++ linker can find wasi libraries... yes`

If either says `no`, the wasi sysroot install above didn't take.

## Deployment to ohm

After successful build in the container:

```bash
# Pull package out of container onto boltzmann host:
ssh boltzmann lxc file pull \
  firefox-fourier/build/aur/firefox-fourier/firefox-150.0.1-1.1-aarch64.pkg.tar.zst /tmp/

# scp to ohm (operator powers ohm on first):
scp /tmp/firefox-150.0.1-1.1-aarch64.pkg.tar.zst mfritsche@ohm.fritz.box:/tmp/

# Install on ohm — replaces stock firefox 150.0.1-1 with our 150.0.1-1.1:
ssh mfritsche@ohm.fritz.box "sudo pacman -U /tmp/firefox-150.0.1-1.1-aarch64.pkg.tar.zst"

# Verify:
ssh mfritsche@ohm.fritz.box "firefox --version && pacman -Q firefox"
# Expect: Mozilla Firefox 150.0.1
#         firefox 150.0.1-1.1
```

Post-install on ohm, optionally pin against accidental upgrade:
```bash
echo "IgnorePkg = firefox" | sudo tee -a /etc/pacman.conf
```

## File inventory

| File | Purpose |
|---|---|
| `PKGBUILD-overlay.md` | This document |
| `bootstrap.sh` | Reproducible PKGBUILD overlay script (run inside container) |
| `0001-rdd-allow-stateless-v4l2-request-api.patch` | The patch (campaign-side filename; renamed to `0005-...` when staged in container alongside upstream's 0001-0004) |