@danbst
Last active June 17, 2019 12:30
Old Firefox with the latest Java plugin, for the Java plugin deprecation in Firefox coming in August

What is this for

Firefox and Oracle have deprecated the Java plugin, but some online banking systems still rely on it heavily. Soon the only solution will be to use an old browser version.

Here I try to solve the yet-to-come problem using Nix.

  1. I use an old firefox-esr from the 18.03 NixOS release (52.9.0esr as of writing).
  2. The Java plugin, however, comes from bleeding-edge nixpkgs-unstable.
  3. Oracle complicates automated JDK fetching, but we get around that with a hacky curl | sh of some random script from the Internet. By using Oracle JDK we accept the Oracle license.
  4. Thanks to the Nix build environment, that curl | sh can hardly harm our system, especially if the sandbox is enabled.
  5. And because we trust Nixpkgs, the fetched tar.gz won't contain backdoors: its SHA256 is checked against the known one for that JDK distribution.
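
The check that items 4 and 5 rely on, written out as an added shell example (not part of the gist or of Nix itself): the output of an untrusted fetch step is accepted only if it matches a pinned SHA-256, which is what Nix enforces for a fixed-output derivation through outputHash. The function names and sample data are constructed for illustration.

```bash
# Added example: gate an untrusted download on a pinned SHA-256, the same
# check Nix applies to a fixed-output derivation through outputHash.
# Function names and the sample data are constructed for illustration.

# Print the lowercase hex SHA-256 of a file.
sha256_of() {
  sha256sum "$1" | cut -d' ' -f1
}

# accept_pinned FILE EXPECTED_SHA256 DEST
# Copy FILE to DEST only if its digest equals the pin. On any failure DEST is
# left untouched and the function returns non-zero.
accept_pinned() {
  [ -f "$1" ] || { echo "missing artifact: $1" >&2; return 1; }
  # Reject a pin that is not exactly 64 lowercase hex characters.
  case "$2" in
    *[!0-9a-f]*) echo "malformed pin" >&2; return 1 ;;
  esac
  [ "${#2}" -eq 64 ] || { echo "malformed pin" >&2; return 1; }
  ap_actual=$(sha256_of "$1") || return 1
  if [ "$ap_actual" != "$2" ]; then
    echo "hash mismatch: expected $2, got $ap_actual" >&2
    return 1
  fi
  cp "$1" "$3"
}

# Constructed demo: "abc" stands in for the tarball the fetch script produced;
# the pin is the published SHA-256 test vector for that string.
demo() {
  demo_dir=$(mktemp -d) || return 1
  demo_pin=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
  printf 'abc' > "$demo_dir/fetched.tar.gz"
  printf 'abd' > "$demo_dir/tampered.tar.gz"
  accept_pinned "$demo_dir/fetched.tar.gz" "$demo_pin" "$demo_dir/out" \
    && echo "accepted: matches pin"
  accept_pinned "$demo_dir/tampered.tar.gz" "$demo_pin" "$demo_dir/out2" \
    || echo "rejected: does not match pin"
  rm -rf "$demo_dir"
}
```

The gate only constrains the bytes that come out of the fetch step; what the downloaded script can touch while it runs is limited by the build sandbox from item 4, not by the hash.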

How to use this

Something like this:

$ nix-env -i $(nix-build -E "$(curl -L https://gist.github.com/danbst/30165b59996fb403068c74a95b108d6f/raw/firefox-esr-java.nix)") \
   -p /nix/var/nix/profiles/per-user/$(whoami)/firefox-esr-java
$ /nix/var/nix/profiles/per-user/$(whoami)/firefox-esr-java/bin/firefox --no-remote -P some-profile

# firefox-esr-java.nix (the expression fetched by the command above)
let
  oldNixpkgs =
    # I had to refer to a specific commit here, because the 18.03 release has banned Firefox ESR 52.
    # This commit is the last one with Firefox 52 ESR updates. From now on you are in an insecure
    # world with firefox+jre.
    import (fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/0a70d65fd471e30fc1f300cc4eebaf18b56d90b8.tar.gz) {
      config = {
        allowUnfree = true;
        firefox.jre = true;
      };
    };

  freshNixpkgsDir = fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/nixpkgs-unstable.tar.gz;
  freshNixpkgs = import freshNixpkgsDir { config.oraclejdk.accept_license = true; };

  # Fixed-output derivation: the build may use the network, but its output
  # must match the hash nixpkgs records for the JDK tarball.
  fetchJDKScript = freshNixpkgs.runCommand "jdk.tar.gz" {
    buildInputs = with freshNixpkgs; [ curl wget ];
    outputHashAlgo = freshNixpkgs.jrePlugin.src.outputHashAlgo;
    outputHash = freshNixpkgs.jrePlugin.src.outputHash;
    preferLocalBuild = true;
  } ''
    set -e
    export CURL_CA_BUNDLE=${freshNixpkgs.cacert}/etc/ssl/certs/ca-bundle.crt
    # Take the JDK version from the plugin's package name.
    version=$(echo ${freshNixpkgs.jrePlugin.meta.name} | cut -d- -f 2)
    echo $version
    # Third-party download script, pinned to a specific gist revision.
    curl -LO https://gist.githubusercontent.com/n0ts/40dd9bd45578556f93e7/raw/0e9112d60fc0c9228a30e4c92d5e845df3bc1beb/get_oracle_jdk_linux_x64.sh
    sed -i \
      -e 's/wget --no-cookies/wget --no-cookies -nv/g' \
      -e "s/jdk-\''${jdk_version}/jdk-$version/g" \
      -e "s/curl -s/curl -Ls/g" \
      -e "s/http/https/g" \
      get_oracle_jdk_linux_x64.sh
    echo Downloading Oracle JDK....
    bash get_oracle_jdk_linux_x64.sh 8 tar.gz
    echo Downloaded
    cp $(ls -d *.tar.gz) $out
  '';

  # Old Firefox wrapper, with the fresh Java plugin built from the tarball fetched above.
  wrapper = oldNixpkgs.wrapFirefox.override {
    jrePlugin = freshNixpkgs.jrePlugin.overrideDerivation (sup: {
      src = fetchJDKScript;
    });
  };
in
  wrapper oldNixpkgs.firefox-esr-52-unwrapped { }

@oneingan

Yep, I saw it on N0ts' repo. So maybe it makes sense in the Nix ecosystem to point to a local tar.gz?