Tor Browser: update to 12.0a3

Yes, that's an alpha release, which is not ideal. Unfortunately however,
Tor Browser's last stable release is based on an unsupported version of
Firefox ESR which does not build with the newest version of Rust (which
we already have).

If you don't want to use an alpha release of Tor Browser, it's probably
best to run OpenBSD 7.2 for another month until Tor Browser 12.0
is released.

Encouraged by landry@ tb@ george@
OK landry@

meta/tor-browser/Makefile

@@ -2,12 +2,11 @@ COMMENT=	Tor Browser meta package
 
 MAINTAINER=	Caspar Schutijser <caspar@schutijser.com>
 
-PKGNAME=	tor-browser-11.5.2
+PKGNAME=	tor-browser-12.0alpha3
 ONLY_FOR_ARCHS =	amd64
-REVISION=	0
 
-RUN_DEPENDS=	www/tor-browser/browser>=11.5.2 \
-		www/tor-browser/noscript>=11.4.6 \
+RUN_DEPENDS=	www/tor-browser/browser>=12.0alpha3 \
+		www/tor-browser/noscript>=11.4.11 \
 		net/tor>=0.4.7.10
 
 .include <bsd.port.mk>

www/tor-browser/Makefile.inc

@@ -3,7 +3,7 @@ HOMEPAGE ?=		https://www.torproject.org
 PERMIT_PACKAGE ?=	Yes
 CATEGORIES =		www
 BROWSER_NAME =		tor-browser
-TB_VERSION =		11.5.2
+TB_VERSION =		12.0a3
 TB_PREFIX =		tb
 
 SUBST_VARS +=		BROWSER_NAME TB_VERSION

www/tor-browser/browser/Makefile

@@ -5,30 +5,29 @@
 COMMENT =		modified version of Firefox ESR for browsing over Tor
 ONLY_FOR_ARCHS =	amd64
 
-BROKEN=			fail to build with lang/rust 1.64.0
-
 MOZILLA_VERSION =	${TB_VERSION}
 MOZILLA_PROJECT =	${BROWSER_NAME}
 MOZILLA_CODENAME =	browser
-TL_VERSION =		0.2.37
-REVISION =		1
+TL_VERSION =		0.2.39
 
 EXTRACT_SUFX =		.tar.xz
 PATCHORIG =		.pat.orig
 
-PKGNAME =		${TB_PREFIX}-browser-${TB_VERSION}
-DISTNAME =		src-firefox-tor-browser-91.13.0esr-11.5-1-build2
+# XXX
+#PKGNAME =		${TB_PREFIX}-browser-${TB_VERSION}
+PKGNAME =		${TB_PREFIX}-browser-12.0alpha3
+DISTNAME =		src-firefox-tor-browser-102.3.0esr-12.0-1-build2
 
 FIX_EXTRACT_PERMISSIONS	= Yes
 DISTFILES +=		${DISTNAME}.tar.xz \
 			src-tor-launcher-${TL_VERSION}.tar.xz \
 			tor-browser-linux64-${TB_VERSION}_en-US.tar.xz
 
-SO_VERSION =		7.0
+SO_VERSION =		8.0
 MOZILLA_LIBS =		xul clearkey lgpllibs mozavcodec mozavutil mozgtk
 MOZILLA_LIBS +=		freebl3 nss3 nssckbi
 MOZILLA_LIBS +=		nssutil3 smime3 softokn3 ssl3
-MOZILLA_LIBS +=		nspr4 mozsqlite3 plc4 plds4
+MOZILLA_LIBS +=		nspr4 mozsqlite3 plc4 plds4 ipcclientcerts
 
 # mozilla public license for the browser
 PERMIT_PACKAGE=	Yes
@@ -41,7 +40,6 @@ MODULES =		www/mozilla lang/python
 MODPY_RUNDEP =		No
 
 COMPILER =		ports-clang
-MODCLANG_ARCHS =	amd64 i386
 
 # tor-browser needs built-in nss, sqlite
 MOZILLA_USE_BUNDLED_NSPR =	Yes
@@ -49,7 +47,12 @@ MOZILLA_USE_BUNDLED_NSS =	Yes
 # 63 requires node because why not #1483595
 BUILD_DEPENDS +=	lang/node
 # 63 requires cbindgen #1478813
-BUILD_DEPENDS +=	devel/cbindgen>=0.19.0
+BUILD_DEPENDS +=	devel/cbindgen>=0.23.0
+# wasi
+BUILD_DEPENDS +=	lang/wasi-sdk/compiler-rt \
+			lang/wasi-sdk/libcxxabi \
+			lang/wasi-sdk/libcxx \
+			lang/wasi-libc
 
 # uses pledge()
 # Extra:  Xcomposite.4 Xdamage.4 Xfixes.6 gdk-x11-2.0.2400 gtk-x11-2.0.2400
@@ -81,12 +84,11 @@ RUN_DEPENDS +=		net/tor>=0.4.7.10
 CONFIGURE_ARGS +=	--enable-release #1386371
 CONFIGURE_ARGS +=	--enable-sandbox
 CONFIGURE_ARGS +=	--enable-forkserver
+CONFIGURE_ARGS +=	--with-wasi-sysroot=${LOCALBASE}/share/wasi-sysroot
 CONFIGURE_ARGS +=	--enable-lto=thin
 CONFIGURE_ARGS +=	--with-libclang-path=${LOCALBASE}/lib
-# remove post 96
-CONFIGURE_ARGS +=	--disable-necko-wifi
 
-# XXX badly formed debug in libxul ?
+# XXX badly formed debug
 DWZ = :
 #DEBUG_PACKAGES =	${BUILD_PACKAGES}
 DEBUG_CONFIGURE_ARGS +=	--enable-debug-symbols \
@@ -110,6 +112,8 @@ post-patch:
 	    ${WRKSRC}/browser/app/profile/000-tor-browser.js
 	ln -s ${WRKSRC}/mozconfig-linux-x86_64 ${WRKSRC}/.mozconfig
 
+	${SUBST_CMD} ${WRKSRC}/xpcom/build/BinaryPath.h
+
 BROWSER_DIR = ${PREFIX}/lib/${BROWSER_NAME}
 TRUEBROWSER_DIR = ${TRUEPREFIX}/lib/${BROWSER_NAME}
 BROWSER_CFG = ${BROWSER_DIR}/${BROWSER_NAME}.cfg
@@ -164,8 +168,10 @@ post-install:
 	${SUBST_PROGRAM} ${FILESDIR}/${BROWSER_NAME} \
 	    ${PREFIX}/bin/${BROWSER_NAME}
 
-.for f in unveil.content unveil.gpu unveil.main unveil.rdd unveil.socket pledge.content pledge.gpu pledge.main pledge.rdd pledge.socket
-	${INSTALL_DATA} ${FILESDIR}/${f} ${BROWSER_DIR}/browser/defaults/preferences/
+.for f in unveil pledge
+.for t in content gpu main rdd socket utility utility-audioDecoder
+	${INSTALL_DATA} ${FILESDIR}/${f}.${t} ${BROWSER_DIR}/browser/defaults/preferences/
+.endfor
 .endfor
 
 .include <bsd.port.mk>

www/tor-browser/browser/distinfo

@@ -1,6 +1,6 @@
-SHA256 (mozilla/src-firefox-tor-browser-91.13.0esr-11.5-1-build2.tar.xz) = fDppZPkr7ZYd+PpLWvOaTInCajbdnwbAM410NRfeuOQ=
-SHA256 (mozilla/src-tor-launcher-0.2.37.tar.xz) = 91AWkxTFbRS5HFXz2pon3l0hHAYusYX559AIr1i2MTw=
-SHA256 (mozilla/tor-browser-linux64-11.5.2_en-US.tar.xz) = kM3OOFTpEU7nIyqqdGcqLZ86QLb6isM5cfWG7jo891o=
-SIZE (mozilla/src-firefox-tor-browser-91.13.0esr-11.5-1-build2.tar.xz) = 413531784
-SIZE (mozilla/src-tor-launcher-0.2.37.tar.xz) = 261128
-SIZE (mozilla/tor-browser-linux64-11.5.2_en-US.tar.xz) = 112222220
+SHA256 (mozilla/src-firefox-tor-browser-102.3.0esr-12.0-1-build2.tar.xz) = DKDsS/d5QHBPrM35Pofmpr2A5rK0KYV2XgNBObB3Qcg=
+SHA256 (mozilla/src-tor-launcher-0.2.39.tar.xz) = w9zcO9aM433DWvGQeHuR3ea9yEqsxG3ttzjqIcxME68=
+SHA256 (mozilla/tor-browser-linux64-12.0a3_en-US.tar.xz) = qEHwPxZouA6Of6c0zWUWHKbNLHpibI+TuOZe9wijwa0=
+SIZE (mozilla/src-firefox-tor-browser-102.3.0esr-12.0-1-build2.tar.xz) = 511983476
+SIZE (mozilla/src-tor-launcher-0.2.39.tar.xz) = 262744
+SIZE (mozilla/tor-browser-linux64-12.0a3_en-US.tar.xz) = 113342676

www/tor-browser/browser/files/pledge.content

@@ -9,5 +9,6 @@ unix
 drm
 ps
 inet #dns.google does socket()
+dns #allows sndio forwarding on a fqdn
 # only needed if using NIS of the profile is located on a NFS share
 getpw

www/tor-browser/browser/files/pledge.utility

@@ -0,0 +1,4 @@
+stdio
+recvfd
+sendfd
+unix

www/tor-browser/browser/files/pledge.utility-audioDecoder

@@ -0,0 +1,7 @@
+stdio
+tmppath
+rpath # gtk tries to access /usr/local/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache
+recvfd
+sendfd
+prot_exec
+unix # getsockopt

www/tor-browser/browser/files/unveil.content

@@ -1,4 +1,4 @@
-/dev/dri rw
+/dev/dri/card0 rw
 
 /etc/fonts r
 /etc/machine-id r

www/tor-browser/browser/files/unveil.main

@@ -54,6 +54,7 @@
 $XDG_RUNTIME_DIR/dconf rwc
 $XDG_CACHE_HOME/thumbnails rwc
 $XDG_CONFIG_HOME/dconf rw
+$XDG_CONFIG_HOME/fcitx r
 $XDG_CONFIG_HOME/fontconfig r
 $XDG_CONFIG_HOME/gtk-3.0 r
 $XDG_CONFIG_HOME/mimeapps.list r

www/tor-browser/browser/files/unveil.utility

@@ -0,0 +1 @@
+# nothing

www/tor-browser/browser/files/unveil.utility-audioDecoder

@@ -0,0 +1,3 @@
+/usr/lib r
+/usr/local/lib r
+/tmp rwc

www/tor-browser/browser/patches/patch-browser_extensions_tor-launcher_src_components_tl-process_js

@@ -4,7 +4,7 @@ the new getTorFile() deal with it.
 Index: browser/extensions/tor-launcher/src/components/tl-process.js
 --- browser/extensions/tor-launcher/src/components/tl-process.js.orig
 +++ browser/extensions/tor-launcher/src/components/tl-process.js
-@@ -386,6 +386,8 @@ TorProcessService.prototype =
+@@ -388,6 +388,8 @@ TorProcessService.prototype =
        var torrcFile = TorLauncherUtil.getTorFile("torrc", true);
        var torrcDefaultsFile =
                      TorLauncherUtil.getTorFile("torrc-defaults", false);
@@ -13,7 +13,7 @@ Index: browser/extensions/tor-launcher/src/components/tl-process.js
        var hashedPassword = this.mProtocolSvc.TorGetPassword(true);
        var controlIPCFile = this.mProtocolSvc.TorGetControlIPCFile();
        var controlPort = this.mProtocolSvc.TorGetControlPort();
-@@ -413,19 +415,14 @@ TorProcessService.prototype =
+@@ -415,19 +417,14 @@ TorProcessService.prototype =
          return;
        }
  

www/tor-browser/browser/patches/patch-config_makefiles_rust_mk

@@ -1,15 +1,17 @@
 use lto=thin to reduce memory pressure when building gkrust
 https://bugzilla.mozilla.org/show_bug.cgi?id=1644409
+https://bugzilla.mozilla.org/show_bug.cgi?id=1640982
 
 Index: config/makefiles/rust.mk
 --- config/makefiles/rust.mk.orig
 +++ config/makefiles/rust.mk
-@@ -70,7 +70,7 @@ ifndef MOZ_DEBUG_RUST
- # gkrust_gtest. And not when doing cross-language LTO.
- ifndef MOZ_LTO_RUST_CROSS
+@@ -90,7 +90,8 @@ ifndef rustflags_sancov
+ # Never enable when coverage is enabled to work around https://github.com/rust-lang/rust/issues/90045.
+ ifndef MOZ_CODE_COVERAGE
  ifeq (,$(findstring gkrust_gtest,$(RUST_LIBRARY_FILE)))
 -cargo_rustc_flags += -Clto
 +cargo_rustc_flags += -Clto=thin
++export CARGO_PROFILE_RELEASE_LTO=thin
  endif
  # We need -Cembed-bitcode=yes for all crates when using -Clto.
  RUSTFLAGS += -Cembed-bitcode=yes

www/tor-browser/browser/patches/patch-gfx_webrender_bindings_webrender_ffi_h

@@ -7,7 +7,7 @@ https://github.com/eqrion/cbindgen/issues/767#issuecomment-1153125949
 Index: gfx/webrender_bindings/webrender_ffi.h
 --- gfx/webrender_bindings/webrender_ffi.h.orig
 +++ gfx/webrender_bindings/webrender_ffi.h
-@@ -77,8 +77,6 @@ struct WrPipelineInfo;
+@@ -73,8 +73,6 @@ struct WrPipelineInfo;
  struct WrPipelineIdAndEpoch;
  using WrPipelineIdEpochs = nsTArray<WrPipelineIdAndEpoch>;
  

www/tor-browser/browser/patches/patch-js_src_jit_ProcessExecutableMemory_h

@@ -1,11 +1,16 @@
+https://bugzilla.mozilla.org/show_bug.cgi?id=1347139
+
 Index: js/src/jit/ProcessExecutableMemory.h
 --- js/src/jit/ProcessExecutableMemory.h.orig
 +++ js/src/jit/ProcessExecutableMemory.h
-@@ -14,7 +14,7 @@ namespace jit {
+@@ -13,8 +13,9 @@ namespace js {
+ namespace jit {
  
  // Limit on the number of bytes of executable memory to prevent JIT spraying
- // attacks.
+-// attacks.
 -#if JS_BITS_PER_WORD == 32
++// attacks. Default datasize is 768Mb on OpenBSD, keep MaxCodeBytesPerProcess
++// low there otherwise the js engine hits ulimit quickly.
 +#if JS_BITS_PER_WORD == 32 || defined(__OpenBSD__)
  static const size_t MaxCodeBytesPerProcess = 140 * 1024 * 1024;
  #else

www/tor-browser/browser/patches/patch-toolkit_components_downloads_DownloadIntegration_jsm

@@ -4,15 +4,15 @@ revert parts of https://hg.mozilla.org/mozilla-central/rev/aadba76932ea
 Index: toolkit/components/downloads/DownloadIntegration.jsm
 --- toolkit/components/downloads/DownloadIntegration.jsm.orig
 +++ toolkit/components/downloads/DownloadIntegration.jsm
-@@ -68,6 +68,7 @@ ChromeUtils.defineModuleGetter(
+@@ -58,6 +58,7 @@ ChromeUtils.defineModuleGetter(
    "NetUtil",
    "resource://gre/modules/NetUtil.jsm"
  );
 +ChromeUtils.defineModuleGetter(this, "OS", "resource://gre/modules/osfile.jsm");
  ChromeUtils.defineModuleGetter(
    this,
-   "CloudStorage",
-@@ -365,9 +366,7 @@ var DownloadIntegration = {
+   "Services",
+@@ -367,9 +368,7 @@ var DownloadIntegration = {
              Ci.nsIFile
            );
            directoryPath = directory.path;
@@ -21,9 +21,9 @@ Index: toolkit/components/downloads/DownloadIntegration.jsm
 -          });
 +          await OS.File.makeDir(directoryPath, { ignoreExisting: true });
          } catch (ex) {
+           Cu.reportError(ex);
            // Either the preference isn't set or the directory cannot be created.
-           directoryPath = await this.getSystemDownloadsDirectory();
-@@ -943,8 +942,8 @@ var DownloadIntegration = {
+@@ -958,8 +957,8 @@ var DownloadIntegration = {
      );
  
      // Create the Downloads folder and ignore if it already exists.

www/tor-browser/browser/patches/patch-toolkit_components_processtools_ProcInfo_linux_cpp

@@ -0,0 +1,122 @@
+about:processes for OpenBSD
+
+https://bugzilla.mozilla.org/show_bug.cgi?id=1772090
+
+Index: toolkit/components/processtools/ProcInfo_linux.cpp
+--- toolkit/components/processtools/ProcInfo_linux.cpp.orig
++++ toolkit/components/processtools/ProcInfo_linux.cpp
+@@ -13,6 +13,11 @@
+ #include "nsMemoryReporterManager.h"
+ #include "nsWhitespaceTokenizer.h"
+ 
++#ifdef __OpenBSD__
++#include <sys/types.h>
++#include <sys/sysctl.h>
++#include <cerrno>
++#endif
+ #include <cstdio>
+ #include <cstring>
+ #include <unistd.h>
+@@ -24,6 +29,95 @@ namespace mozilla {
+ 
+ int GetCycleTimeFrequencyMHz() { return 0; }
+ 
++#ifdef __OpenBSD__
++nsresult GetCpuTimeSinceProcessStartInMs(uint64_t* aResult) {
++  timespec t;
++  if (clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &t) == 0) {
++    uint64_t cpuTime =
++        uint64_t(t.tv_sec) * 1'000'000'000u + uint64_t(t.tv_nsec);
++    *aResult = cpuTime / PR_NSEC_PER_MSEC;
++    return NS_OK;
++  }
++
++  return NS_ERROR_FAILURE;
++}
++
++nsresult GetGpuTimeSinceProcessStartInMs(uint64_t* aResult) {
++  return NS_ERROR_NOT_IMPLEMENTED;
++}
++
++ProcInfoPromise::ResolveOrRejectValue GetProcInfoSync(
++    nsTArray<ProcInfoRequest>&& aRequests) {
++  ProcInfoPromise::ResolveOrRejectValue result;
++
++  HashMap<base::ProcessId, ProcInfo> gathered;
++  if (!gathered.reserve(aRequests.Length())) {
++    result.SetReject(NS_ERROR_OUT_OF_MEMORY);
++    return result;
++  }
++  for (const auto& request : aRequests) {
++    size_t size;
++    int mib[6];
++    mib[0] = CTL_KERN;
++    mib[1] = KERN_PROC;
++    mib[2] = KERN_PROC_PID | KERN_PROC_SHOW_THREADS;
++    mib[3] = request.pid;
++    mib[4] = sizeof(kinfo_proc);
++    mib[5] = 0;
++    if (sysctl(mib, 6, nullptr, &size, nullptr, 0) == -1) {
++      // Can't get info for this process. Skip it.
++      continue;
++    }
++
++    mib[5] = size / sizeof(kinfo_proc);
++    auto procs = MakeUniqueFallible<kinfo_proc[]>(mib[5]);
++    if (!procs) {
++      result.SetReject(NS_ERROR_OUT_OF_MEMORY);
++      return result;
++    }
++    if (sysctl(mib, 6, procs.get(), &size, nullptr, 0) == -1 &&
++        errno != ENOMEM) {
++      continue;
++    }
++
++    ProcInfo info;
++    info.pid = request.pid;
++    info.childId = request.childId;
++    info.type = request.processType;
++    info.origin = request.origin;
++    info.windows = std::move(request.windowInfo);
++
++    bool found = false;
++    for (size_t i = 0; i < size / sizeof(kinfo_proc); i++) {
++      const auto& p = procs[i];
++      if (p.p_tid == -1) {
++        // This is the process.
++        found = true;
++        info.cpuTime = p.p_rtime_sec * 1'000'000'000u +
++            p.p_uutime_usec * 1'000u;
++        info.memory = (p.p_vm_tsize + p.p_vm_dsize + p.p_vm_ssize) *
++            getpagesize();
++      } else {
++        // This is one of its threads.
++        ThreadInfo threadInfo;
++        threadInfo.tid = p.p_tid;
++        threadInfo.cpuTime = p.p_rtime_sec * 1'000'000'000u +
++            p.p_uutime_usec * 1'000u;
++        info.threads.AppendElement(threadInfo);
++      }
++    }
++
++    if (found && !gathered.put(request.pid, std::move(info))) {
++      result.SetReject(NS_ERROR_OUT_OF_MEMORY);
++      return result;
++    }
++  }
++
++  // ... and we're done!
++  result.SetResolve(std::move(gathered));
++  return result;
++}
++#else
+ // StatReader can parse and tokenize a POSIX stat file.
+ // see http://man7.org/linux/man-pages/man5/proc.5.html
+ //
+@@ -340,5 +434,6 @@ ProcInfoPromise::ResolveOrRejectValue GetProcInfoSync(
+   result.SetResolve(std::move(gathered));
+   return result;
+ }
++#endif
+ 
+ }  // namespace mozilla

www/tor-browser/browser/patches/patch-toolkit_moz_configure

@@ -3,7 +3,7 @@ Required to make font fingerprinting defenses work.
 Index: toolkit/moz.configure
 --- toolkit/moz.configure.orig
 +++ toolkit/moz.configure
-@@ -1581,7 +1581,7 @@ set_config(
+@@ -1770,7 +1770,7 @@ set_config(
  
  @depends(target)
  def bundled_fonts_default(target):

www/tor-browser/browser/patches/patch-toolkit_system_gnome_nsGIOService_cpp

@@ -1,3 +1,5 @@
+https://bugzilla.mozilla.org/show_bug.cgi?id=1714919
+
 Try to fix opening downloaded files with registered external mimetype handlers
 after gio-launch-desktop removal in glib 2.64.
 
@@ -8,31 +10,36 @@ unveiled.
 Index: toolkit/system/gnome/nsGIOService.cpp
 --- toolkit/system/gnome/nsGIOService.cpp.orig
 +++ toolkit/system/gnome/nsGIOService.cpp
-@@ -240,10 +240,21 @@ nsGIOMimeApp::LaunchWithURI(nsIURI* aUri,
+@@ -234,13 +234,24 @@ nsGIOMimeApp::LaunchWithURI(nsIURI* aUri,
    uris.data = const_cast<char*>(spec.get());
  
-   GError* error = nullptr;
--  gboolean result = g_app_info_launch_uris(mApp, &uris, nullptr, &error);
+   GUniquePtr<GError> error;
+-  gboolean result = g_app_info_launch_uris(
+-      mApp, &uris, GetLaunchContext().get(), getter_Transfers(error));
+-  if (!result) {
+-    g_warning("Cannot launch application: %s", error->message);
 +  gchar *path = g_filename_from_uri(spec.get(), NULL, NULL);
 +  const gchar *bin = g_app_info_get_executable(mApp);
 +  if (!bin) {
 +    g_warning("no executable found for %s, maybe not unveiled ?", g_app_info_get_name(mApp));
-+    return NS_ERROR_FAILURE;
-+  }
+     return NS_ERROR_FAILURE;
+   }
 +  g_message("LaunchWithURI: spawning %s %s for %s", bin, path, spec.get());
 +  const gchar * const argv[] = { bin, path, NULL };
  
 +  GSpawnFlags flags = static_cast<GSpawnFlags>(G_SPAWN_SEARCH_PATH |
 +                                               G_SPAWN_DO_NOT_REAP_CHILD);
-+  gboolean result = g_spawn_async( NULL, (char**) argv, NULL, flags, NULL, NULL, NULL, &error);
++  gboolean result = g_spawn_async( NULL, (char**) argv, NULL, flags, NULL, NULL, NULL, getter_Transfers(error));
 +
-   if (!result) {
--    g_warning("Cannot launch application: %s", error->message);
++   if (!result) {
 +    g_warning("Cannot launch application %s with arg %s: %s", bin, path, error->message);
-     g_error_free(error);
-     return NS_ERROR_FAILURE;
-   }
-@@ -497,20 +508,15 @@ nsGIOService::GetAppForMimeType(const nsACString& aMim
++    return NS_ERROR_FAILURE;
++  }
++
+   return NS_OK;
+ }
+ 
+@@ -491,23 +502,18 @@ nsGIOService::GetAppForMimeType(const nsACString& aMim
      return NS_ERROR_NOT_AVAILABLE;
    }
  
@@ -42,29 +49,33 @@ Index: toolkit/system/gnome/nsGIOService.cpp
 -  // registered as defaults for this type.  Fake it up by just executing
 -  // xdg-open via gio-launch-desktop (which we do have access to) and letting
 -  // it figure out which program to execute for this MIME type
--  GAppInfo* app_info = g_app_info_create_from_commandline(
+-  RefPtr<GAppInfo> app_info = dont_AddRef(g_app_info_create_from_commandline(
 -      "/usr/local/bin/xdg-open",
--      nsPrintfCString("System default for %s", content_type).get(),
--      G_APP_INFO_CREATE_NONE, NULL);
+-      nsPrintfCString("System default for %s", content_type.get()).get(),
+-      G_APP_INFO_CREATE_NONE, NULL));
 -#else
-   GAppInfo* app_info = g_app_info_get_default_for_type(content_type, false);
+   RefPtr<GAppInfo> app_info =
+       dont_AddRef(g_app_info_get_default_for_type(content_type.get(), false));
 -#endif
-   if (app_info) {
-+    char *t;
-+    t = g_find_program_in_path(g_app_info_get_executable(app_info));
-+    if (t != NULL) {
-+      g_debug("%s is registered as handler for %s, binary available as %s", g_app_info_get_executable(app_info), content_type, t);
-+    } else {
-+      g_warning("%s is registered as handler for %s but not available in PATH (missing unveil ?)", g_app_info_get_executable(app_info), content_type);
-+    }
-     nsGIOMimeApp* mozApp = new nsGIOMimeApp(app_info);
-     NS_ADDREF(*aApp = mozApp);
-   } else {
-@@ -546,7 +552,24 @@ nsGIOService::ShowURI(nsIURI* aURI) {
-   nsresult rv = aURI->GetSpec(spec);
-   NS_ENSURE_SUCCESS(rv, rv);
-   GError* error = nullptr;
--  if (!g_app_info_launch_default_for_uri(spec.get(), nullptr, &error)) {
+   if (!app_info) {
+     return NS_ERROR_FAILURE;
+   }
++  char *t;
++  t = g_find_program_in_path(g_app_info_get_executable(app_info));
++  if (t != NULL) {
++    g_debug("%s is registered as handler for %s, binary available as %s", g_app_info_get_executable(app_info), content_type.get(), t);
++  } else {
++    g_warning("%s is registered as handler for %s but not available in PATH (missing unveil ?)", g_app_info_get_executable(app_info), content_type.get());
++  }
+   RefPtr<nsGIOMimeApp> mozApp = new nsGIOMimeApp(app_info.forget());
+   mozApp.forget(aApp);
+   return NS_OK;
+@@ -535,8 +541,24 @@ nsresult nsGIOService::ShowURI(nsIURI* aURI) {
+   nsAutoCString spec;
+   MOZ_TRY(aURI->GetSpec(spec));
+   GUniquePtr<GError> error;
+-  if (!g_app_info_launch_default_for_uri(spec.get(), GetLaunchContext().get(),
+-                                         getter_Transfers(error))) {
 +  gboolean result_uncertain;
 +  gchar *path = g_filename_from_uri(spec.get(), NULL, NULL);
 +  gchar *content_type = g_content_type_guess(path, NULL, 0, &result_uncertain);
@@ -79,20 +90,21 @@ Index: toolkit/system/gnome/nsGIOService.cpp
 +    const gchar * const argv[] = { bin, path, NULL };
 +    GSpawnFlags flags = static_cast<GSpawnFlags>(G_SPAWN_SEARCH_PATH |
 +                                                 G_SPAWN_DO_NOT_REAP_CHILD);
-+    g_spawn_async( NULL, (char**) argv, NULL, flags, NULL, NULL, NULL, &error);
++    g_spawn_async( NULL, (char**) argv, NULL, flags, NULL, NULL, NULL, getter_Transfers(error));
 +  }
 +  g_free(content_type);
 +  if (error) {
      g_warning("Could not launch default application for URI: %s",
                error->message);
-     g_error_free(error);
-@@ -562,7 +585,22 @@ nsGIOService::ShowURIForInput(const nsACString& aUri) 
-   nsresult rv = NS_ERROR_FAILURE;
-   GError* error = nullptr;
- 
--  g_app_info_launch_default_for_uri(spec, nullptr, &error);
+     return NS_ERROR_FAILURE;
+@@ -549,8 +571,23 @@ static nsresult LaunchPath(const nsACString& aPath) {
+       g_file_new_for_commandline_arg(PromiseFlatCString(aPath).get()));
+   GUniquePtr<char> spec(g_file_get_uri(file));
+   GUniquePtr<GError> error;
+-  g_app_info_launch_default_for_uri(spec.get(), GetLaunchContext().get(),
+-                                    getter_Transfers(error));
 +  gboolean result_uncertain;
-+  gchar *path = g_filename_from_uri(spec, NULL, NULL);
++  gchar *path = g_filename_from_uri(spec.get(), NULL, NULL);
 +  gchar *content_type = g_content_type_guess(path, NULL, 0, &result_uncertain);
 +  if (content_type != NULL && !result_uncertain) {
 +    GAppInfo* app_info = g_app_info_get_default_for_type(content_type, false);
@@ -101,20 +113,13 @@ Index: toolkit/system/gnome/nsGIOService.cpp
 +      g_warning("no executable found for %s, maybe not unveiled ?", g_app_info_get_name(app_info));
 +      return NS_ERROR_FAILURE;
 +    }
-+    g_message("ShowURIForInput: spawning %s %s for %s (content type %s)", bin, path, spec, content_type);
++    g_message("ShowURIForInput: spawning %s %s for %s (content type %s)", bin, path, spec.get(), content_type);
 +    const gchar * const argv[] = { bin, path, NULL };
 +    GSpawnFlags flags = static_cast<GSpawnFlags>(G_SPAWN_SEARCH_PATH |
 +                                                 G_SPAWN_DO_NOT_REAP_CHILD);
-+    g_spawn_async( NULL, (char**) argv, NULL, flags, NULL, NULL, NULL, &error);
++    g_spawn_async( NULL, (char**) argv, NULL, flags, NULL, NULL, NULL, getter_Transfers(error));
 +  }
++  g_free(content_type);
    if (error) {
      g_warning("Cannot launch default application: %s", error->message);
-     g_error_free(error);
-@@ -571,6 +609,7 @@ nsGIOService::ShowURIForInput(const nsACString& aUri) 
-   }
-   g_object_unref(file);
-   g_free(spec);
-+  g_free(content_type);
- 
-   return rv;
- }
+     return NS_ERROR_FAILURE;

www/tor-browser/browser/patches/patch-toolkit_xre_glxtest_cpp

@@ -0,0 +1,15 @@
+https://bugzilla.mozilla.org/show_bug.cgi?id=1776713
+
+Index: toolkit/xre/glxtest.cpp
+--- toolkit/xre/glxtest.cpp.orig
++++ toolkit/xre/glxtest.cpp
+@@ -258,6 +258,9 @@ static void close_logging() {
+ #define PCI_BASE_CLASS_DISPLAY 0x03
+ 
+ static int get_pci_status() {
++#ifdef __OpenBSD__
++  return 1;
++#endif
+   void* libpci = dlopen("libpci.so.3", RTLD_LAZY);
+   if (!libpci) {
+     libpci = dlopen("libpci.so", RTLD_LAZY);

www/tor-browser/browser/patches/patch-tor-browser_en-US_Browser_TorBrowser_Data_fontconfig_fonts_conf

@@ -3,7 +3,7 @@ Set path to bundled fonts.
 Index: tor-browser_en-US/Browser/TorBrowser/Data/fontconfig/fonts.conf
 --- tor-browser_en-US/Browser/TorBrowser/Data/fontconfig/fonts.conf.orig
 +++ tor-browser_en-US/Browser/TorBrowser/Data/fontconfig/fonts.conf
-@@ -34,7 +34,7 @@ PERFORMANCE OF THIS SOFTWARE.
+@@ -39,7 +39,7 @@ PERFORMANCE OF THIS SOFTWARE.
  
  <!-- Font directory list -->
  

www/tor-browser/browser/patches/patch-xpcom_build_BinaryPath_h

@@ -0,0 +1,13 @@
+avoid pledge sysctl 4: 1 55 29028 1 ?
+
+Index: xpcom/build/BinaryPath.h
+--- xpcom/build/BinaryPath.h.orig
++++ xpcom/build/BinaryPath.h
+@@ -204,6 +204,7 @@ class BinaryPath {
+     mib[1] = KERN_PROC_ARGS;
+     mib[2] = getpid();
+     mib[3] = KERN_PROC_ARGV;
++    return GetFromArgv0("${TRUEPREFIX}/lib/${MOZILLA_PROJECT}/${MOZILLA_PROJECT}", aResult);
+ 
+     size_t len = 0;
+     if (sysctl(mib, 4, nullptr, &len, nullptr, 0) < 0) {

www/tor-browser/browser/pkg/PLIST

@@ -28,6 +28,8 @@ lib/${BROWSER_NAME}/browser/defaults/preferences/pledge.main
 @sample ${SYSCONFDIR}/${MOZILLA_PROJECT}/pledge.main
 lib/${BROWSER_NAME}/browser/defaults/preferences/pledge.rdd
 lib/${BROWSER_NAME}/browser/defaults/preferences/pledge.socket
+lib/${BROWSER_NAME}/browser/defaults/preferences/pledge.utility
+lib/${BROWSER_NAME}/browser/defaults/preferences/pledge.utility-audioDecoder
 lib/${BROWSER_NAME}/browser/defaults/preferences/unveil.content
 @sample ${SYSCONFDIR}/${MOZILLA_PROJECT}/unveil.content
 lib/${BROWSER_NAME}/browser/defaults/preferences/unveil.gpu
@@ -36,6 +38,8 @@ lib/${BROWSER_NAME}/browser/defaults/preferences/unveil.main
 @sample ${SYSCONFDIR}/${MOZILLA_PROJECT}/unveil.main
 lib/${BROWSER_NAME}/browser/defaults/preferences/unveil.rdd
 lib/${BROWSER_NAME}/browser/defaults/preferences/unveil.socket
+lib/${BROWSER_NAME}/browser/defaults/preferences/unveil.utility
+lib/${BROWSER_NAME}/browser/defaults/preferences/unveil.utility-audioDecoder
 lib/${BROWSER_NAME}/browser/defaults/profile/
 lib/${BROWSER_NAME}/browser/defaults/profile/bookmarks.html
 lib/${BROWSER_NAME}/browser/features/
@@ -193,6 +197,7 @@ lib/${BROWSER_NAME}/distribution/distribution.ini
 lib/${BROWSER_NAME}/fonts/
 lib/${BROWSER_NAME}/fonts/TwemojiMozilla.ttf
 @lib lib/${BROWSER_NAME}/libfreebl3.so.${LIBfreebl3_VERSION}
+@lib lib/${BROWSER_NAME}/libipcclientcerts.so.${LIBipcclientcerts_VERSION}
 @lib lib/${BROWSER_NAME}/liblgpllibs.so.${LIBlgpllibs_VERSION}
 @lib lib/${BROWSER_NAME}/libmozavcodec.so.${LIBmozavcodec_VERSION}
 @lib lib/${BROWSER_NAME}/libmozavutil.so.${LIBmozavutil_VERSION}

www/tor-browser/noscript/Makefile

@@ -1,6 +1,5 @@
 ADDON_NAME =		noscript
-V =			11.4.9
-REVISION =		0
+V =			11.4.11
 COMMENT =		Tor Browser add-on: flexible JS blocker
 HOMEPAGE =		https://noscript.net
 MASTER_SITES =		https://secure.informaction.com/download/releases/

www/tor-browser/noscript/distinfo

@@ -1,2 +1,2 @@
-SHA256 (noscript-11.4.9.xpi) = R6dA+QJY3nVbcJFoxJhdn8ZyH/fzL5z8THCUMWzF+WA=
-SIZE (noscript-11.4.9.xpi) = 922472
+SHA256 (noscript-11.4.11.xpi) = 0UMN3D87w6XEA9vzn/jIJ1oufs1KLweb45wZPUYqKgs=
+SIZE (noscript-11.4.11.xpi) = 922584