Bug 40855: Updates for Firefox 115 (Application Services)

Application services needs NSS and SQLCipher.
We had two projects for them, but they are used only by AS.
So, our build scripts were a copy of Mozilla's, and we applied the same
patches.
This meant we needed to keep the build scripts up to date, with all the
additional changes for RBM.
Since no other project depended on them, we can build these libraries
here with Mozilla's scripts, without the need to keep theirs and ours
in sync.

In addition to that, this commit updates the list of Java dependencies.

projects/application-services/apply-bug-13028.diff

+diff --git a/libs/build-all.sh b/libs/build-all.sh
+index 650c1299..6c4e5404 100755
+--- a/libs/build-all.sh
++++ b/libs/build-all.sh
+@@ -128,6 +128,15 @@ echo $'\
+      fi
+ ' | patch "${NSS_SRC_PATH}/nspr/configure"
+ 
++rm -f python
++ln -s /usr/bin/python3 python
++export PATH=$(pwd):$PATH
++patch_13028=$(realpath bug_13028.patch)
++pushd $NSS_SRC_PATH
++# Apply our proxy bypass defense-in-depth here as well to be on the safe side.
++patch -p2 < $patch_13028
++popd
++
+ if [[ "${PLATFORM}" == "ios" ]]
+ then
+   ./build-all-ios.sh "${SQLCIPHER_SRC_PATH}" "${NSS_SRC_PATH}"

projects/application-services/bug40485.patch → projects/application-services/bug40485.diff

 diff --git a/components/support/nimbus-fml/src/parser.rs b/components/support/nimbus-fml/src/parser.rs
-index 2498445c..dbc814a3 100644
+index bb676f827..d00b1b6ef 100644
 --- a/components/support/nimbus-fml/src/parser.rs
 +++ b/components/support/nimbus-fml/src/parser.rs
-@@ -2,7 +2,7 @@
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
- 
--use std::{collections::HashMap, path::Path};
-+use std::{collections::BTreeMap, collections::HashMap, path::Path};
- 
- use serde::{Deserialize, Serialize};
- use serde_json::json;
-@@ -24,7 +24,7 @@ pub(crate) struct EnumVariantBody {
+@@ -26,7 +26,7 @@ pub(crate) struct EnumVariantBody {
  #[serde(deny_unknown_fields)]
  pub(crate) struct EnumBody {
      description: String,
@@ -20,15 +11,7 @@ index 2498445c..dbc814a3 100644
  }
  
  #[derive(Debug, Deserialize, Serialize, Clone)]
-@@ -43,23 +43,23 @@ pub(crate) struct FieldBody {
- pub(crate) struct ObjectBody {
-     description: String,
-     failable: Option<bool>,
--    fields: HashMap<String, FieldBody>,
-+    fields: BTreeMap<String, FieldBody>,
- }
- 
- #[derive(Debug, Deserialize, Serialize, Clone, Default)]
+@@ -54,9 +54,9 @@ pub(crate) struct ObjectBody {
  #[serde(deny_unknown_fields)]
  pub(crate) struct Types {
      #[serde(default)]
@@ -39,21 +22,38 @@ index 2498445c..dbc814a3 100644
 +    objects: BTreeMap<String, ObjectBody>,
  }
  
- #[derive(Debug, Deserialize, Serialize, Clone)]
- #[serde(deny_unknown_fields)]
- pub(crate) struct FeatureBody {
-     description: String,
--    variables: HashMap<String, FieldBody>,
-+    variables: BTreeMap<String, FieldBody>,
-     #[serde(alias = "defaults")]
-     default: Option<serde_json::Value>,
- }
-@@ -71,7 +71,7 @@ pub(crate) struct ManifestFrontEnd {
+ #[derive(Debug, Deserialize, Serialize, Clone, Default, PartialEq, Eq)]
+@@ -105,7 +105,7 @@ pub(crate) struct ImportBlock {
+     pub(crate) path: String,
+     pub(crate) channel: String,
      #[serde(default)]
+-    pub(crate) features: HashMap<String, Vec<DefaultBlock>>,
++    pub(crate) features: BTreeMap<String, Vec<DefaultBlock>>,
+ }
+ 
+ #[derive(Debug, Deserialize, Serialize, Clone)]
+@@ -134,7 +134,7 @@ pub(crate) struct ManifestFrontEnd {
      #[serde(rename = "types")]
      legacy_types: Option<Types>,
+     #[serde(default)]
 -    features: HashMap<String, FeatureBody>,
 +    features: BTreeMap<String, FeatureBody>,
-     channels: Vec<String>,
  
-     // If a types attribute isn't explicitly expressed,
+     #[serde(default)]
+     #[serde(alias = "include")]
+@@ -1009,12 +1009,12 @@ impl Parser {
+ }
+ 
+ fn merge_map<T: Clone>(
+-    a: &HashMap<String, T>,
+-    b: &HashMap<String, T>,
++    a: &BTreeMap<String, T>,
++    b: &BTreeMap<String, T>,
+     display_key: &str,
+     key: &str,
+     child_path: &FilePath,
+-) -> Result<HashMap<String, T>> {
++) -> Result<BTreeMap<String, T>> {
+     let mut set = HashSet::new();
+ 
+     let (a, b) = if a.len() < b.len() { (a, b) } else { (b, a) };

projects/application-services/build

@@ -3,31 +3,37 @@
 [% pc(c('var/compiler'), 'var/setup', {
     compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')),
     gradle_tarfile => c("input_files_by_name/gradle"),
+    ndk_version => c("var/ndk_version"),
   }) %]
 distdir=/var/tmp/dist/[% project %]
 builddir=/var/tmp/build/[% project %]
 mkdir $distdir
 mkdir /var/tmp/build
 
-cd /var/tmp/dist
-[% FOREACH arch = ['armv7', 'aarch64', 'x86', 'x86_64', 'linux-x86_64'] -%]
-  tar -xf $rootdir/[% c('input_files_by_name/nss-' _ arch) %]
-  mv nss nss-[% arch %]
-  tar -xf $rootdir/[% c('input_files_by_name/sqlcipher-' _ arch) %]
-  mv sqlcipher sqlcipher-[% arch %]
+[% IF c("input_files_by_name/android_ndk") -%]
+  pushd $(dirname $ANDROID_NDK_HOME)
+  unzip -qq $rootdir/[% c("input_files_by_name/android_ndk") %]
+  # Without this link gradle will not find the NDK.
+  ln -s $(basename $ANDROID_NDK_HOME) [% c("var/ndk_version_build") %]
+  popd
 [% END -%]
+
+cd /var/tmp/dist
 tar -xf $rootdir/[% c('input_files_by_name/rust') %]
+tar -xf $rootdir/[% c('input_files_by_name/ninja') %]
 tar -xf $rootdir/[% c('input_files_by_name/uniffi-rs') %]
-export PATH=/var/tmp/dist/rust/bin:/var/tmp/dist/uniffi-rs:$PATH
+export PATH=/var/tmp/dist/rust/bin:/var/tmp/dist/ninja:/var/tmp/dist/uniffi-rs:$PATH
+export RUST_ANDROID_GRADLE_PYTHON_COMMAND=python3
 cd $rootdir
 
 export JAVA_HOME=/usr/lib/jvm/java-1.11.0-openjdk-amd64
 
 [% IF !c('var/fetch_gradle_dependencies') %]
-  gradle_repo=$rootdir/[% c('input_files_by_name/gradle-dependencies') %]
-  cp -r $gradle_repo/dl/android/maven2/* $gradle_repo
-  cp -r $gradle_repo/m2/* $gradle_repo
-  cp -r $gradle_repo/maven2/* $gradle_repo
+  gradle_repo=/var/tmp/dist/gradle-dependencies
+  mv $rootdir/[% c('input_files_by_name/gradle-dependencies') %] $gradle_repo
+  cp -rl $gradle_repo/dl/android/maven2/* $gradle_repo || true
+  cp -rl $gradle_repo/m2/* $gradle_repo || true
+  cp -rl $gradle_repo/maven2/* $gradle_repo || true
 [% END %]
 
 tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.[% c('compress_tar') %]
@@ -36,6 +42,15 @@ tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.[% c('compress_ta
 # Move the directory for hardcoding the path in .cargo/config.
 mv /var/tmp/build/[% project %]-[% c('version') %] $builddir
 tar -C $builddir -xf $rootdir/[% c('input_files_by_name/cargo_vendor') %]
+
+cat > pip.conf << 'EOF'
+[global]
+find-links = /var/tmp/build/application-services/glean-wheels
+index-url =
+no-index = yes
+EOF
+export PIP_CONFIG_FILE=$rootdir/pip.conf
+
 cd $builddir
 # Make sure our vendored crates are used for offline builds.
 cat >> .cargo/config << 'EOF'
@@ -50,36 +65,19 @@ directory = "/var/tmp/build/application-services/vendor"
 offline=true
 EOF
 
-# Move NSS and SQLCipher to the right place
-# XXX: Maybe merge with the loop above.
-archs="armv7 aarch64 x86 x86_64 linux-x86_64"
-for a in $archs
-do
-  if [ "$a" == "armv7" ]
-  then
-    mkdir -p libs/android/armeabi-v7a
-    mv /var/tmp/dist/nss-$a libs/android/armeabi-v7a/nss
-    mv /var/tmp/dist/sqlcipher-$a libs/android/armeabi-v7a/sqlcipher
-  elif [ "$a" == "aarch64" ]
-  then
-    mkdir -p libs/android/arm64-v8a
-    mv /var/tmp/dist/nss-$a libs/android/arm64-v8a/nss
-    mv /var/tmp/dist/sqlcipher-$a libs/android/arm64-v8a/sqlcipher
-  elif [ "$a" == "linux-x86_64" ]
-  then
-    mkdir -p libs/desktop/linux-x86-64
-    mv /var/tmp/dist/nss-$a libs/desktop/linux-x86-64/nss
-    mv /var/tmp/dist/sqlcipher-$a libs/desktop/linux-x86-64/sqlcipher
-  else
-    mkdir -p libs/android/$a
-    mv /var/tmp/dist/nss-$a libs/android/$a/nss
-    mv /var/tmp/dist/sqlcipher-$a libs/android/$a/sqlcipher
-  fi
-done
-
 patch -p1 < $rootdir/no-git.patch
-patch -p1 < $rootdir/bug40485.patch
-export RUST_ANDROID_GRADLE_PYTHON_COMMAND=python3
+patch -p1 < $rootdir/bug40485.diff
+
+pushd libs
+mv $rootdir/[% c("input_files_by_name/nss") %] ./
+mv $rootdir/[% c("input_files_by_name/sqlcipher") %] ./
+mv $rootdir/bug_13028.patch ./
+patch -p2 < $rootdir/apply-bug-13028.diff
+sed -i 's/NDK_VERSION=.*/NDK_VERSION=[% c("var/ndk_version_build") %]/g' android_defaults.sh
+./build-all.sh desktop
+./build-all.sh android
+popd
+
 [% IF c('var/fetch_gradle_dependencies') %]
   # XXX: `assemble` is still not enough to see all fetched dependencies via
   # Gradle's --debug. See: tor-browser-build#40056.
@@ -93,19 +91,15 @@ export RUST_ANDROID_GRADLE_PYTHON_COMMAND=python3
   # otherwise `click` barfs. See: https://click.palletsprojects.com/python3/
   export LC_ALL=C.UTF-8
   export LANG=C.UTF-8
-  patch -p1 < $rootdir/mavenLocal.patch
-  gradle_flags="--offline --no-daemon -Dmaven.repo.local=$gradle_repo"
+  patch -p1 < $rootdir/local-repository.diff
+  gradle_flags="--offline --no-daemon"
   gradle $gradle_flags assembleRelease
   gradle $gradle_flags publish
+  mv build/maven $distdir
 
   pushd components/support/nimbus-fml
   cargo build --release
   popd
-
-  pushd build
-  find maven -regex '.*[0-9].\(aar\|pom\)' -exec cp --parents {} $distdir \;
-  popd
-
   cp target/release/nimbus-fml $distdir
 
   cd /var/tmp/dist

projects/application-services/config

 # vim: filetype=yaml sw=2
-filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.[% c("compress_tar") %]'
-# Remember to update the Cargo vendor archive, when updating
-version: 93.1.0
-git_hash: ae2bb5ae89f9818230bbc003819fc7b9775aae26
+version: 115.0
+git_hash: 78ab4ce85120f45a4b67b055936e401193eabd68
 git_url: https://github.com/mozilla/application-services
 git_submodule: 1
 container:
@@ -10,76 +8,56 @@ container:
 
 var:
   # This should be updated when the list of gradle dependencies is changed.
-  gradle_dependencies_version: 9
-  gradle_version: 6.7.1
-  glean_parser: 4.0.0
+  gradle_dependencies_version: 10
+  gradle_version: 7.6.1
+  glean_parser: 7.1.0
+  ndk_version: 25c
+  ndk_version_build: 25.2.9519653
+  nss_version: 3.88.1
+  nspr_version: '4.35'
+  sqlcipher_version: 4.5.4
 
+steps:
+  build:
+    filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.[% c("compress_tar") %]'
+    var:
+      arch_deps:
+        # Needed to build nss and sqlcipher
+        - gyp
+        - tcl
     input_files:
       - project: container-image
         pkg_type: build
       - project: '[% c("var/compiler") %]'
         name: '[% c("var/compiler") %]'
         pkg_type: build
+      # application-services is the only project for which we use a more recent
+      # NDK than GeckoView. So, download it here, rather than adding 1.5-2GB to
+      # each other Android project.
+      - URL: 'https://dl.google.com/android/repository/android-ndk-r[% c("var/ndk_version") %]-linux.zip'
+        name: android_ndk
+        sha256sum: 769ee342ea75f80619d985c2da990c48b3d8eaf45f48783a2d48870d04b46108
       - project: gradle
         name: gradle
         pkg_type: build
       - project: rust
         name: rust
         pkg_type: build
+      - project: ninja
+        name: ninja
+        pkg_type: build
       - project: uniffi-rs
         name: uniffi-rs
         pkg_type: build
-  - project: nss
-    name: nss-armv7
-    pkg_type: build
-    target_prepend:
-      - android-armv7
-  - project: nss
-    name: nss-aarch64
-    pkg_type: build
-    target_prepend:
-      - android-aarch64
-  - project: nss
-    name: nss-x86
-    pkg_type: build
-    target_prepend:
-      - android-x86
-  - project: nss
-    name: nss-x86_64
-    pkg_type: build
-    target_prepend:
-      - android-x86_64
-  - project: nss
-    name: nss-linux-x86_64
-    pkg_type: build
-    target_prepend:
-      - nss-linux-x86_64
-  - project: sqlcipher
-    name: sqlcipher-armv7
-    pkg_type: build
-    target_prepend:
-      - android-armv7
-  - project: sqlcipher
-    name: sqlcipher-aarch64
-    pkg_type: build
-    target_prepend:
-      - android-aarch64
-  - project: sqlcipher
-    name: sqlcipher-x86
-    pkg_type: build
-    target_prepend:
-      - android-x86
-  - project: sqlcipher
-    name: sqlcipher-x86_64
-    pkg_type: build
-    target_prepend:
-      - android-x86_64
-  - project: sqlcipher
-    name: sqlcipher-linux-x86_64
-    pkg_type: build
-    target_prepend:
-      - sqlcipher-linux-x86_64
-      - nss-linux-x86_64
+      # See libs/build-all.sh to update these!
+      # Also, build them with application-services, since they need the NDK and
+      # we are using a different one from the other projects.
+      - URL: 'https://ftp.mozilla.org/pub/security/nss/releases/NSS_[% c("var/nss_version") | replace("\\.", "_") %]_RTM/src/nss-[% c("var/nss_version") %]-with-nspr-[% c("var/nspr_version") %].tar.gz'
+        name: nss
+        sha256sum: fcfa26d2738ec5b0cf72ab4be784eac832a75132cda2e295799c04d62a93607a
+      - URL: 'https://www.zetetic.net/sqlcipher/verify/[% c("var/sqlcipher_version") %]/sqlcipher-[% c("var/sqlcipher_version") %].zip'
+        name: sqlcipher
+        sha256sum: bb333b1dfa58d66634f263328a81d07d96395ca17f4e147ede4b723ea83ce5f8
       - filename: 'gradle-dependencies-[% c("var/gradle_dependencies_version") %]'
         name: gradle-dependencies
         exec: '[% INCLUDE "fetch-gradle-dependencies" %]'
@@ -88,52 +66,29 @@ input_files:
         name: glean-wheels
         sha256sum: '[% pc("glean", "var/glean_wheels_sha256sum/" _ c("var/glean_parser"), { error_if_undef => 1 }) %]'
         enable: '[% !c("var/fetch_gradle_dependencies") %]'
-  # Use `make cargo_vendor-application-services` to re-generate the vendor tarball
       - name: cargo_vendor
-    URL: https://people.torproject.org/~pierov/mirrors/sources/application-services-vendor-[% c('version') %].tar.xz
-    sha256sum: cc426afe8cc3602f223213a93d3c1dffc156793b68b9c8a89f41715068d533fb
+        project: application-services
+        pkg_type: cargo_vendor
+        norec:
+          sha256sum: 391e5ca72bfd0a66b0e821fe7c264567602853d4293cd3db39932184002419f2
       - filename: no-git.patch
-  - filename: mavenLocal.patch
+      - filename: local-repository.diff
         enable: '[% !c("var/fetch_gradle_dependencies") %]'
       - filename: gen_gradle_deps_file.sh
         enable: '[% c("var/fetch_gradle_dependencies") %]'
+      - filename: bug_13028.patch
+      - filename: apply-bug-13028.diff
       # Delete when this patch is included upstream
-  - filename: bug40485.patch
+      - filename: bug40485.diff
 
-steps:
   list_toolchain_updates:
     git_hash: 'v[% c("version") %]'
     input_files: []
     container:
       use_container: 0
-    var:
-      get_android_components_version: |
-        #!/bin/bash
-        read -d '' p << 'EOF' || true
-        if (m/^\\s*android_components_version\\s=\\s'([^']*)'/) {
-          print $1;
-          exit;
-        }
-        EOF
-        perl -ne "$p" < build.gradle
-      android_components_version: '[% exec(c("var/get_android_components_version")) %]'
-      glean_version: '[% pc("android-components", "var/glean_version", { git_hash => "v" _ c("var/android_components_version") }) %]'
-    input_files:
-      - name: glean
-        project: glean
-        pkg_type: src
 
   get_gradle_dependencies_list:
     filename: 'gradle-dependencies-list-[% c("version") %].txt'
     get_gradle_dependencies_list: '[% INCLUDE build %]'
     var:
       fetch_gradle_dependencies: 1
-
-  cargo_vendor:
-    filename: '[% project %]-vendor-[% c("version") %].tar.xz'
-    input_files:
-      - project: container-image
-        pkg_type: build
-      - project: rust
-        name: rust
-        pkg_type: build

projects/application-services/list_toolchain_updates_checks

@@ -8,7 +8,7 @@ if (m/^\\s*ndkVersion:\\s"([^"]*)",/) {
 }
 EOF
 needed=$(cat build.gradle | perl -ne "$p")
-current='[% pc("android-toolchain", "var/android_ndk_version_build") %]'
+current='[% c("var/ndk_version_build") %]'
 check_update_needed ndkVersion "$needed" "$current"
 
 
@@ -20,7 +20,7 @@ if (m/^\\s*compileSdkVersion:\\s([^"]*),/) {
 }
 EOF
 needed=$(cat build.gradle | perl -ne "$p")
-current=29
+current=33
 check_update_needed compileSdkVersion "$needed" "$current"
 
 
@@ -36,19 +36,6 @@ current=21
 check_update_needed minSdkVersion "$needed" "$current"
 
 
-# glean_parser
-read -d '' p << 'EOF' || true
-if (m/^\\s*"glean_parser==([^"]+)",/) {
-  print $1;
-  exit;
-}
-EOF
-tar xf $rootdir/[% c('input_files_by_name/glean') %]
-needed=$(cat glean-[% c("var/glean_version") %]/glean-core/python/setup.py | perl -ne "$p")
-current='[% c("var/glean_parser") %]'
-check_update_needed glean_parser "$needed" "$current"
-
-
 # gradle
 read -d '' p << 'EOF' || true
 if (m|distributionUrl=https\\\\://services.gradle.org/distributions/gradle-(.*)-.*.zip|) {
@@ -69,7 +56,7 @@ if (m/NSS_ARCHIVE="nss-(.*-with-nspr-.*)\\.tar\\.gz"/) {
 }
 EOF
 needed=$(cat libs/build-all.sh | perl -ne "$p")
-current='[% pc("nss", "version") %]-with-nspr-[% pc("nss", "nspr_version") %]'
+current='[% c("var/nss_version") %]-with-nspr-[% c("var/nspr_version") %]'
 check_update_needed nss-nspr "$needed" "$current"
 
 
@@ -81,18 +68,5 @@ if (m/SQLCIPHER_VERSION="([^"]+)"/) {
 }
 EOF
 needed=$(cat libs/build-all.sh | perl -ne "$p")
-current='[% pc("sqlcipher", "version") %]'
+current='[% c("var/sqlcipher_version") %]'
 check_update_needed sqlcipher "$needed" "$current"
-
-
-# android-gradle-plugin
-read -d '' p << 'EOF' || true
-if (m/^\\s*android_gradle_plugin_version\\s=\\s'([^']*)'/) {
-  print $1;
-  exit;
-}
-EOF
-needed=$(cat build.gradle | perl -ne "$p")
-current='4.2.2'
-check_update_needed android-gradle-plugin "$needed" "$current"
-

projects/application-services/local-repository.diff

+diff --git a/build.gradle b/build.gradle
+index b22a0737..d335aa5b 100644
+--- a/build.gradle
++++ b/build.gradle
+@@ -39,6 +39,13 @@ buildscript {
+     ]
+ 
+     repositories {
++        maven {
++            url "file:///var/tmp/dist/gradle-dependencies"
++            metadataSources {
++                gradleMetadata()
++                mavenPom()
++            }
++        }
+         mavenCentral()
+         google()
+         jcenter()
+@@ -88,6 +95,13 @@ apply plugin: 'de.undercouch.download'
+ 
+ allprojects {
+     repositories {
++        maven {
++            url "file:///var/tmp/dist/gradle-dependencies"
++            metadataSources {
++                gradleMetadata()
++                mavenPom()
++            }
++        }
+         google()
+         jcenter()
+         maven {
+diff --git a/settings.gradle b/settings.gradle
+index f652bd02..8c30a368 100644
+--- a/settings.gradle
++++ b/settings.gradle
+@@ -1,6 +1,19 @@
+ /* This Source Code Form is subject to the terms of the Mozilla Public
+  * License, v. 2.0. If a copy of the MPL was not distributed with this
+  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++pluginManagement {
++    repositories {
++        maven {
++            url "file:///var/tmp/dist/gradle-dependencies"
++            metadataSources {
++                gradleMetadata()
++                mavenPom()
++            }
++        }
++    }
++}
++
+ import org.yaml.snakeyaml.Yaml
+ 
+ includeBuild('tools/nimbus-gradle-plugin') {
+@@ -14,6 +27,13 @@ buildscript {
+         classpath 'org.yaml:snakeyaml:2.0'
+     }
+     repositories {
++        maven {
++            url "file:///var/tmp/dist/gradle-dependencies"
++            metadataSources {
++                gradleMetadata()
++                mavenPom()
++            }
++        }
+         jcenter()
+     }
+ }
+diff --git a/tools/nimbus-gradle-plugin/settings.gradle b/tools/nimbus-gradle-plugin/settings.gradle
+index 7db19be0..1f36b991 100644
+--- a/tools/nimbus-gradle-plugin/settings.gradle
++++ b/tools/nimbus-gradle-plugin/settings.gradle
+@@ -8,6 +8,13 @@ buildscript {
+         classpath 'org.yaml:snakeyaml:2.0'
+     }
+     repositories {
++        maven {
++            url "file:///var/tmp/dist/gradle-dependencies"
++            metadataSources {
++                gradleMetadata()
++                mavenPom()
++            }
++        }
+         jcenter()
+     }
+ }

projects/application-services/mavenLocal.patch

-From 9f848d22882e49d38ff494e684dc54661ec9b714 Mon Sep 17 00:00:00 2001
-From: aguestuser <aguestuser@torproject.org>
-Date: Mon, 28 Mar 2022 10:43:02 -0400
-Subject: [PATCH] Use local maven repository for gradle dependencies
-
----
- build.gradle    | 2 ++
- settings.gradle | 7 +++++++
- 2 files changed, 9 insertions(+)
-
-diff --git a/build.gradle b/build.gradle
-index 8e78d9af..635f0740 100644
---- a/build.gradle
-+++ b/build.gradle
-@@ -38,6 +38,7 @@ buildscript {
-     ]
- 
-     repositories {
-+        mavenLocal()
-         mavenCentral()
-         google()
-         jcenter()
-@@ -90,6 +91,7 @@ apply plugin: 'de.undercouch.download'
- 
- allprojects {
-     repositories {
-+        mavenLocal()
-         google()
-         jcenter()
-         maven {
-diff --git a/settings.gradle b/settings.gradle
-index 2349f829..5d9ceb85 100644
---- a/settings.gradle
-+++ b/settings.gradle
-@@ -2,12 +2,19 @@
-  * License, v. 2.0. If a copy of the MPL was not distributed with this
-  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
- 
-+pluginManagement {
-+  repositories {
-+    mavenLocal()
-+  }
-+}
-+
- import org.yaml.snakeyaml.Yaml
- buildscript {
-     dependencies {
-         classpath 'org.yaml:snakeyaml:1.23'
-     }
-     repositories {
-+        mavenLocal()
-         jcenter()
-     }
- }
--- 
-2.32.0
-

projects/nss/build

-#!/bin/bash
-[% c("var/set_default_env") -%]
-[% IF ! c("var/nss-linux-x86_64") -%]
-  [% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %]
-[% END -%]
-distdir=/var/tmp/dist/nss
-builddir=/var/tmp/build/[% project %]
-mkdir -p /var/tmp/build /var/tmp/dist
-
-tar -C /var/tmp/dist -xf [% c('input_files_by_name/ninja') %]
-export PATH=/var/tmp/dist/ninja:$PATH
-
-[% IF ! c("var/nss-linux-x86_64") -%]
-  nspr_64=""
-  [% IF c("var/cross_prefix") == "armv7a-linux-androideabi" -%]
-    gyp_arch="arm"
-  [% ELSIF c("var/cross_prefix") == "i686-linux-android" -%]
-    gyp_arch="ia32"
-  [% ELSIF c("var/cross_prefix") == "x86_64-linux-android" -%]
-    gyp_arch="x64"
-    nspr_64="--enable-64bit"
-  [% ELSIF c("var/cross_prefix") == "aarch64-linux-android" -%]
-    gyp_arch="arm64"
-    nspr_64="--enable-64bit"
-  [% END -%]
-
-  export AR="[% c('var/cross_prefix') %]-ar"
-  # XXX: Mozilla really uses the NDK_API_VERSION here, which is weird.
-  export CC="[% c('var/cross_prefix') %][% pc('android-toolchain', 'var/android_ndk_version') %]-clang"
-  export CXX="[% c('var/cross_prefix') %][% pc('android-toolchain', 'var/android_ndk_version') %]-clang++"
-  export LD="[% c('var/cross_prefix') %]-ld"
-  export NM="[% c('var/cross_prefix') %]-nm"
-  export RANLIB="[% c('var/cross_prefix') %]-ranlib"
-  export READELF="[% c('var/cross_prefix') %]-readelf"
-[% END -%]
-
-tar -C /var/tmp/build -xf [% c('input_files_by_name/nss') %]
-mv /var/tmp/build/[% project %]-[% c('version') %] $builddir
-cd $builddir
-# Early return hack to prevent NSPR Android setup
-# which does not work with ndk unified headers and clang. See:
-# application-services/libs/build-all.sh
-cat $rootdir/configure.patch | patch nspr/configure
-# Some NSS symbols clash with OpenSSL symbols, rename them using
-# C preprocessor define macros. See:
-# application-services/libs/build-all.sh
-patch -p2 < $rootdir/config.patch
-# Let's apply our proxy bypass defense-in-depth here as well to be on the safe
-# side.
-patch -p2 < $rootdir/bug_13028.patch
-
-patch -p1 < $rootdir/use-python3.patch
-
-[% IF c("var/nss-linux-x86_64") -%]
-  patch -p1 < $rootdir/use-python3-build-sh.patch
-  $builddir/nss/build.sh \
-    -v \
-    --opt \
-    --static \
-    --disable-tests \
-    -Ddisable_dbm=1 \
-    -Dsign_libs=0 \
-    -Ddisable_libpkix=1 \
-    -Dpython=python3
-  mv $builddir/dist/Release "$builddir/nss_build"
-[% ELSE -%]
-  # Building NSPR
-  mkdir $builddir/nspr_build
-  cd $builddir/nspr_build
-  ../nspr/configure \
-    $nspr_64 \
-    --target=[% IF c("arch") == "armv7" %]arm-linux-androideabi[% ELSE %][% c("var/cross_prefix") %][% END %] \
-    --disable-debug \
-    --enable-optimize
-  make
-  cd ..
-
-  # Building NSS
-  mkdir $builddir/nss_build
-  gyp -f ninja-android "$builddir/nss/nss.gyp" \
-    --depth "$builddir/nss/" \
-    --generator-output=. \
-    -DOS=android \
-    -Dnspr_lib_dir="$builddir/nspr_build/dist/lib" \
-    -Dnspr_include_dir="$builddir/nspr_build/dist/include/nspr" \
-    -Dnss_dist_dir="$builddir/nss_build" \
-    -Dnss_dist_obj_dir="$builddir/nss_build" \
-    -Dhost_arch="$gyp_arch" \
-    -Dtarget_arch="$gyp_arch" \
-    -Dstatic_libs=1 \
-    -Ddisable_dbm=1 \
-    -Dsign_libs=0 \
-    -Denable_sslkeylogfile=0 \
-    -Ddisable_tests=1 \
-    -Ddisable_libpkix=1 \
-    -Dpython=python3
-
-  gendir="$builddir/nss/out/Release"
-  ninja -C "$gendir"
-[% END -%]
-
-mkdir -p $distdir/include/nss
-mkdir -p $distdir/lib
-cp -p -L "$builddir/nss_build/lib/libcertdb.a" "$distdir/lib"
-cp -p -L "$builddir/nss_build/lib/libcerthi.a" "$distdir/lib"
-cp -p -L "$builddir/nss_build/lib/libcryptohi.a" "$distdir/lib"
-cp -p -L "$builddir/nss_build/lib/libfreebl_static.a" "$distdir/lib"
-cp -p -L "$builddir/nss_build/lib/libnss_static.a" "$distdir/lib"
-cp -p -L "$builddir/nss_build/lib/libmozpkix.a" "$distdir/lib"
-cp -p -L "$builddir/nss_build/lib/libnssb.a" "$distdir/lib"
-cp -p -L "$builddir/nss_build/lib/libnssdev.a" "$distdir/lib"
-cp -p -L "$builddir/nss_build/lib/libnsspki.a" "$distdir/lib"
-cp -p -L "$builddir/nss_build/lib/libnssutil.a" "$distdir/lib"
-cp -p -L "$builddir/nss_build/lib/libpk11wrap_static.a" "$distdir/lib"
-cp -p -L "$builddir/nss_build/lib/libpkcs12.a" "$distdir/lib"
-cp -p -L "$builddir/nss_build/lib/libpkcs7.a" "$distdir/lib"
-cp -p -L "$builddir/nss_build/lib/libsmime.a" "$distdir/lib"
-cp -p -L "$builddir/nss_build/lib/libsoftokn_static.a" "$distdir/lib"
-cp -p -L "$builddir/nss_build/lib/libssl.a" "$distdir/lib"
-
-[% IF c("var/nss-linux-x86_64") -%]
-  cp -p -L "$builddir/nss_build/lib/libintel-gcm-wrap_c_lib.a" "$distdir/lib"
-  cp -p -L "$builddir/nss_build/lib/libintel-gcm-s_lib.a" "$distdir/lib"
-  cp -p -L "$builddir/nss_build/lib/libhw-acc-crypto-avx.a" "$distdir/lib"
-  cp -p -L "$builddir/nss_build/lib/libhw-acc-crypto-avx2.a" "$distdir/lib"
-  cp -p -L "$builddir/nss_build/lib/libgcm-aes-x86_c_lib.a" "$distdir/lib"
-[% ELSE -%]
-  # HW specific.
-  # https://searchfox.org/nss/rev/08c4d05078d00089f8d7540651b0717a9d66f87e/lib/freebl/freebl.gyp#278-296
-  [% IF c("var/cross_prefix") == "i686-linux-android" || c("var/cross_prefix") == "x86_64-linux-android"-%]
-    cp -p -L "$builddir/nss_build/lib/libgcm-aes-x86_c_lib.a" "$distdir/lib"
-  [% END %]
-  [% IF c("var/cross_prefix") == "armv7a-linux-androideabi" || c("var/cross_prefix") == "aarch64-linux-android"-%]
-    cp -p -L "$builddir/nss_build/lib/libarmv8_c_lib.a" "$distdir/lib"
-  [% END %]
-  [% IF c("var/cross_prefix") == "aarch64-linux-android" -%]
-    cp -p -L "$builddir/nss_build/lib/libgcm-aes-aarch64_c_lib.a" "$distdir/lib"
-  [% END %]
-  [% IF c("var/cross_prefix") == "armv7a-linux-androideabi" -%]
-    cp -p -L "$builddir/nss_build/lib/libgcm-aes-arm32-neon_c_lib.a" "$distdir/lib"
-  [% END %]
-  # https://searchfox.org/nss/rev/08c4d05078d00089f8d7540651b0717a9d66f87e/lib/freebl/freebl.gyp#315-324
-  # https://searchfox.org/nss/rev/08c4d05078d00089f8d7540651b0717a9d66f87e/lib/freebl/freebl.gyp#43-47
-  [% IF c("var/cross_prefix") == "x86_64-linux-android"-%]
-    cp -p -L "$builddir/nss_build/lib/libintel-gcm-wrap_c_lib.a" "$distdir/lib"
-    cp -p -L "$builddir/nss_build/lib/libintel-gcm-s_lib.a" "$distdir/lib"
-    cp -p -L "$builddir/nss_build/lib/libhw-acc-crypto-avx.a" "$distdir/lib"
-    cp -p -L "$builddir/nss_build/lib/libhw-acc-crypto-avx2.a" "$distdir/lib"
-  [% END %]
-[% END -%]
-
-[% IF c("var/nss-linux-x86_64") -%]
-  nspr_libdir="$builddir/nss_build/lib"
-  nss_include_dir="$builddir/dist/public/nss/"
-  nspr_include_dir="$builddir/nss_build/include/nspr/"
-[% ELSE -%]
-  nspr_libdir="$builddir/nspr_build/dist/lib"
-  nss_include_dir="$builddir/nss_build/public/nss/"
-  nspr_include_dir="$builddir/nspr_build/dist/include/nspr/"
-[% END -%]
-
-cp -p -L "$nspr_libdir/libplc4.a" "$distdir/lib"
-cp -p -L "$nspr_libdir/libplds4.a" "$distdir/lib"
-cp -p -L "$nspr_libdir/libnspr4.a" "$distdir/lib"
-
-cp -p -L -R "$nss_include_dir/"* "$distdir/include/nss"
-cp -p -L -R "$nspr_include_dir/"* "$distdir/include/nss"
-
-cd /var/tmp/dist
-[% c('tar', {
-        tar_src => [ project ],
-        tar_args => '-caf ' _ dest_dir _ '/' _ c('filename'),
-    }) %]

projects/nss/config

-# vim: filetype=yaml sw=2
-filename: '[% project %]-[% c("version") %]-with-nspr-[% c("nspr_version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.[% c("compress_tar") %]'
-# The required versions for application-services can be found at the respective
-# commit in libs/build-all.sh
-version: 3.66
-nspr_version: 4.30
-container:
-  use_container: 1
-var:
-  deps:
-    - build-essential
-    - gyp
-    - zlib1g-dev
-
-targets:
-  nss-linux-x86_64:
-    var:
-      osname: linux-x86_64
-      nss-linux-x86_64: 1
-
-input_files:
-  - project: container-image
-  - name: '[% c("var/compiler") %]'
-    project: '[% c("var/compiler") %]'
-    enable: '[% ! c("var/nss-linux-x86_64") %]'
-  - name: ninja
-    project: ninja
-  - URL: 'https://ftp.mozilla.org/pub/security/nss/releases/NSS_[% c("version") | replace("\\.", "_") %]_RTM/src/nss-[% c("version") %]-with-nspr-[% c("nspr_version") %].tar.gz'
-    name: nss
-    sha256sum: 4eb72ca78b497a2a425139fdcfb9068cbd318dd51542baaa5365fcfbcb165009
-  - filename: configure.patch
-  - filename: config.patch
-  - filename: bug_13028.patch
-  - filename: use-python3.patch
-  - filename: use-python3-build-sh.patch
-    enable: '[% c("var/nss-linux-x86_64") %]'

projects/nss/config.patch

-From c11dc3a73349fc7d8fa451f9e3a4e3952aa54fd2 Mon Sep 17 00:00:00 2001
-From: Georg Koppen <gk@torproject.org>
-Date: Wed, 1 Jul 2020 09:57:01 +0000
-Subject: [PATCH] Patch for building NSS for application-services
-
-See: application-services/libs/build-all.sh
-
-diff --git a/security/nss/coreconf/config.gypi b/security/nss/coreconf/config.gypi
-index 62d3cc71ecaf..dd30de079081 100644
---- a/security/nss/coreconf/config.gypi
-+++ b/security/nss/coreconf/config.gypi
-@@ -144,6 +144,23 @@
-       '<(nspr_include_dir)',
-       '<(nss_dist_dir)/private/<(module)',
-     ],
-+    'defines': [
-+      'HMAC_Update=NSS_HMAC_Update',
-+      'HMAC_Init=NSS_HMAC_Init',
-+      'CMAC_Update=NSS_CMAC_Update',
-+      'CMAC_Init=NSS_CMAC_Init',
-+      'MD5_Update=NSS_MD5_Update',
-+      'SHA1_Update=NSS_SHA1_Update',
-+      'SHA256_Update=NSS_SHA256_Update',
-+      'SHA224_Update=NSS_SHA224_Update',
-+      'SHA512_Update=NSS_SHA512_Update',
-+      'SHA384_Update=NSS_SHA384_Update',
-+      'SEED_set_key=NSS_SEED_set_key',
-+      'SEED_encrypt=NSS_SEED_encrypt',
-+      'SEED_decrypt=NSS_SEED_decrypt',
-+      'SEED_ecb_encrypt=NSS_SEED_ecb_encrypt',
-+      'SEED_cbc_encrypt=NSS_SEED_cbc_encrypt',
-+    ],
-     'conditions': [
-       [ 'mozpkix_only==1 and OS=="linux"', {
-         'include_dirs': [
---
-2.27.0

projects/nss/configure.patch

-@@ -2662,6 +2662,9 @@
-
- case "$target" in
- *-android*|*-linuxandroid*)
-+    $as_echo "#define ANDROID 1" >>confdefs.h
-+    ;;
-+    unreachable)
-     if test -z "$android_ndk" ; then
-        as_fn_error $? "You must specify --with-android-ndk=/path/to/ndk when targeting Android." "$LINENO" 5
-     fi
-

projects/nss/use-python3-build-sh.patch

-diff -ru nss-3.66/nss/build.sh nss-3.66.n/nss/build.sh
---- nss-3.66/nss/build.sh	2021-05-28 09:50:43.000000000 +0000
-+++ nss-3.66.n/nss/build.sh	2021-10-15 15:20:52.027557223 +0000
-@@ -69,7 +69,7 @@
- ninja_params=()
- 
- # Assume that the target architecture is the same as the host by default.
--host_arch=$(python "$cwd/coreconf/detect_host_arch.py")
-+host_arch=$(python3 "$cwd/coreconf/detect_host_arch.py")
- target_arch=$host_arch
- 
- # Assume that MSVC is wanted if this is running on windows.

projects/nss/use-python3.patch

-diff -ru nss-3.65/nss/lib/ckfw/builtins/builtins.gyp nss-3.65.n/nss/lib/ckfw/builtins/builtins.gyp
---- nss-3.65/nss/lib/ckfw/builtins/builtins.gyp	2021-09-29 12:48:34.982000000 +0200
-+++ nss-3.65.n/nss/lib/ckfw/builtins/builtins.gyp	2021-09-29 12:48:43.152000000 +0200
-@@ -30,7 +30,7 @@
-         {
-           'msvs_cygwin_shell': 0,
-           'action': [
--            'python',
-+            'python3',
-             'certdata.py',
-             'certdata.txt',
-             '<@(_outputs)',

projects/sqlcipher/build

-#!/bin/bash
-[% c("var/set_default_env") -%]
-[% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %]
-distdir=/var/tmp/dist/sqlcipher
-builddir=/var/tmp/build/[% project %]
-mkdir -p /var/tmp/build
-tar -C /var/tmp/dist -xf [% c('input_files_by_name/nss') %]
-
-[% IF ! c("var/sqlcipher-linux-x86_64") -%]
-  export AR="[% c('var/cross_prefix') %]-ar"
-  # XXX: Mozilla really uses the NDK_API_VERSION here, which is weird.
-  export CC="[% c('var/cross_prefix') %][% pc('android-toolchain', 'var/android_ndk_version') %]-clang"
-  export CXX="[% c('var/cross_prefix') %][% pc('android-toolchain', 'var/android_ndk_version') %]-clang++"
-  export LD="[% c('var/cross_prefix') %]-ld"
-  export RANLIB="[% c('var/cross_prefix') %]-ranlib"
-
-  host=""
-  [% IF c("var/cross_prefix") == "armv7a-linux-androideabi" -%]
-    host="arm-linux"
-  [% ELSIF c("var/cross_prefix") == "i686-linux-android" -%]
-    host="i686-linux"
-  [% ELSIF c("var/cross_prefix") == "x86_64-linux-android" -%]
-    host="x86_64-linux"
-  [% ELSIF c("var/cross_prefix") == "aarch64-linux-android" -%]
-    host="arm-linux"
-  [% END -%]
-[% END -%]
-
-SQLCIPHER_CFLAGS=" \
-  -DSQLITE_HAS_CODEC \
-  -DSQLITE_SOUNDEX \
-  -DHAVE_USLEEP=1 \
-  -DSQLITE_MAX_VARIABLE_NUMBER=99999 \
-  -DSQLITE_THREADSAFE=1 \
-  -DSQLITE_DEFAULT_JOURNAL_SIZE_LIMIT=1048576 \
-  -DNDEBUG=1 \
-  -DSQLITE_ENABLE_MEMORY_MANAGEMENT=1 \
-  -DSQLITE_ENABLE_LOAD_EXTENSION \
-  -DSQLITE_ENABLE_COLUMN_METADATA \
-  -DSQLITE_ENABLE_UNLOCK_NOTIFY \
-  -DSQLITE_ENABLE_RTREE \
-  -DSQLITE_ENABLE_STAT3 \
-  -DSQLITE_ENABLE_STAT4 \
-  -DSQLITE_ENABLE_JSON1 \
-  -DSQLITE_ENABLE_FTS3_PARENTHESIS \
-  -DSQLITE_ENABLE_FTS4 \
-  -DSQLITE_ENABLE_FTS5 \
-  -DSQLCIPHER_CRYPTO_NSS \
-  -DSQLITE_ENABLE_DBSTAT_VTAB \
-  -DSQLITE_SECURE_DELETE \
-  -DSQLITE_DEFAULT_PAGE_SIZE=32768 \
-  -DSQLITE_MAX_DEFAULT_PAGE_SIZE=32768 \
-  -I/var/tmp/dist/nss/include \
-"
-
-LIBS="\
-  -lcertdb \
-  -lcerthi \
-  -lcryptohi \
-  -lfreebl_static \
-  -lnspr4 \
-  -lnss_static \
-  -lnssb \
-  -lnssdev \
-  -lnsspki \
-  -lnssutil \
-  -lpk11wrap_static \
-  -lplc4 \
-  -lplds4 \
-  -lsoftokn_static \
-"
-
-[% IF c("var/sqlcipher-linux-x86_64") -%]
-  LIBS="${LIBS} -lintel-gcm-wrap_c_lib -lintel-gcm-s_lib"
-[% ELSE -%]
-  [% IF c("var/cross_prefix") == "i686-linux-android" || c("var/cross_prefix") == "x86_64-linux-android"-%]
-    LIBS="${LIBS} -lgcm-aes-x86_c_lib"
-  [% END %]
-  [% IF c("var/cross_prefix") == "armv7a-linux-android" || c("var/cross_prefix") == "aarch64-linux-android"-%]
-     LIBS="${LIBS} -larmv8_c_lib"
-  [% END %]
-  [% IF c("var/cross_prefix") == "aarch64-linux-android" -%]
-    LIBS="${LIBS} -lgcm-aes-aarch64_c_lib"
-  [% END %]
-  [% IF c("var/cross_prefix") == "armv7a-linux-androideabi" -%]
-    LIBS="${LIBS} -lgcm-aes-arm32-neon_c_lib"
-  [% END %]
-  [% IF c("var/cross_prefix") == "x86_64-linux-android"-%]
-    LIBS="${LIBS} -lintel-gcm-wrap_c_lib -lintel-gcm-s_lib -lhw-acc-crypto-avx -lhw-acc-crypto-avx2"
-  [% END %]
-[% END -%]
-
-tar -C /var/tmp/build -xf [% c('input_files_by_name/sqlcipher') %]
-mv /var/tmp/build/[% project %]-[% c('version') %] $builddir
-cd $builddir
-
-mkdir $builddir/build
-cd build
-../configure \
-[% IF ! c("var/sqlcipher-linux-x86_64") -%]
-  --host="$host" \
-[% END -%]
-  --with-pic \
-  --verbose \
-  --disable-shared \
-  --with-crypto-lib=none \
-  --disable-tcl \
-  --enable-tempstore=yes \
-  CFLAGS="${SQLCIPHER_CFLAGS}" \
-  LDFLAGS="-L/var/tmp/dist/nss/lib" \
-  LIBS="${LIBS}[% IF ! c("var/sqlcipher-linux-x86_64") %] -llog -lm[% END %]"
-
-make sqlite3.h
-make sqlite3ext.h
-make libsqlcipher.la
-
-mkdir -p $distdir/include/sqlcipher
-mkdir -p $distdir/lib
-
-cp -p "$builddir/build/sqlite3.h" "$distdir/include/sqlcipher"
-cp -p "$builddir/build/sqlite3ext.h" "$distdir/include/sqlcipher"
-cp -p "$builddir/build/.libs/libsqlcipher.a" "$distdir/lib"
-
-# Just in case, ensure that the created binaries are not -w.
-chmod +w "$distdir/lib/libsqlcipher.a"
-
-cd /var/tmp/dist
-[% c('tar', {
-        tar_src => [ project ],
-        tar_args => '-caf ' _ dest_dir _ '/' _ c('filename'),
-    }) %]

projects/sqlcipher/config

-# vim: filetype=yaml sw=2
-filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.[% c("compress_tar") %]'
-# The required versions for application-services can be found at the respective
-# commit in libs/build-all.sh
-version: 4.5.1
-container:
-  use_container: 1
-var:
-  deps:
-    - build-essential
-    - tcl
-
-targets:
-  sqlcipher-linux-x86_64:
-    var:
-      osname: linux-x86_64
-      sqlcipher-linux-x86_64: 1
-
-input_files:
-  - project: container-image
-  - name: '[% c("var/compiler") %]'
-    project: '[% c("var/compiler") %]'
-  - name: nss
-    project: nss
-  - URL: 'https://github.com/sqlcipher/sqlcipher/archive/v[% c("version") %].tar.gz'
-    name: sqlcipher
-    sha256sum: 023499516ef2ade14fbcdbe93fb81cc69458ae6cb3544614df8dbef34835b406