build: hardened GCP Linux build lane (full Gecko + engine patches + scorecard) #42
Merged
Adds a two-part lane to compile BearBrowser from source on a GCP VM — the
machine the 8GB Mac can't be (Gecko link needs 16GB+ RAM). Produces Linux
binaries + the real fingerprint scorecard (the first actual compile-verification
of the canvas/audio farble + OS-spoof patches).
gcp-remote-build.sh: runs on the VM. apt deps + npm ci, then per profile:
apply-sourceos-overlays -> make bootstrap (Mozilla toolchain) -> make build
-> measure-fingerprint --bin. tor-mode asserts the Windows identity actually
compiled in (the OS-spoof verification). Packages each dist; never aborts the
other profile on a single failure.
gcp-build-linux.sh: orchestrator. Hardened for first-time success:
- teardown trap (a hung/failed build can never keep billing)
- free --dry-run (validates auth + machine type + image, no VM)
- auth preflight with exact 'gcloud auth login' instructions
- auto-detects external-IP SSH vs --tunnel-through-iap (org-policy safe)
- build runs DETACHED + polled via a status file, so a dropped SSH never
kills the build or triggers an early teardown; 5h safety cap
- 150GB SSD (two full obj trees fit), live progress, artifact pull
Tested offline: both pass bash -n; repo tarball is 11M with all key paths and
zero leaked build/node_modules/.git; --dry-run fails gracefully on expired auth.
Actual run needs 'gcloud auth login' first (token expired).
socioprophet-platform is locked down: outbound :22 blocked, OS Login org-enforced, Workspace disables SSH-key registration, default compute SA missing. SSH to build VMs is impossible. Rework the lane to use GCS + a startup script instead — the VM builds autonomously and pushes results to a bucket; we poll.
- gcp-build-linux.sh: upload repo -> GCS, create VM with startup-script metadata + synapseiq-build SA (storage.admin), poll gs://.../DONE, download artifacts, teardown trap + --max-run-duration=DELETE cost cap. Free --dry-run validates auth/machine/image/bucket.
- gcp-vm-startup.sh: on the VM, install gcloud, pull repo, build as non-root 'builder', push artifacts + DONE marker to GCS.
- gcp-remote-build.sh: per-profile overlay->bootstrap->build->measure (unchanged).
Verified: dry-run clean; first real launch compiles (serial console shows overlay prep -> bootstrap in progress).
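The GCS-driven orchestrator pattern from the commit above, as an added example that is not the PR's own gcp-build-linux.sh: an idempotent teardown trap so an abandoned VM never keeps billing, a free preflight standing in for the --dry-run (auth, bucket, tarball), and a bounded poll on the DONE marker that does not depend on any SSH session. The VM name, zone, bucket, service account, machine type and the 5h cap are placeholder assumptions; the gcloud/gsutil flags come from my own knowledge of those CLIs, not from the PR.

```shell
#!/usr/bin/env bash
# Added example, not the PR's gcp-build-linux.sh. Placeholder values below
# (VM name, zone, bucket, service account, machine type) are assumptions.
set -eu

VM_NAME="${VM_NAME:-bearbrowser-build}"
ZONE="${ZONE:-us-central1-a}"
BUCKET="${BUCKET:-gs://example-bearbrowser-build}"                        # hypothetical bucket
BUILD_SA="${BUILD_SA:-synapseiq-build@example.iam.gserviceaccount.com}"  # hypothetical SA
REPO_TARBALL="${REPO_TARBALL:-repo.tar.gz}"
MAX_WAIT_SEC="${MAX_WAIT_SEC:-18000}"   # 5h local safety cap on the poll
POLL_SEC="${POLL_SEC:-60}"

# Idempotent teardown: describe first, so a trap firing after a normal delete
# (or after a create that never succeeded) is a no-op rather than an error.
teardown() {
  if gcloud compute instances describe "$VM_NAME" --zone "$ZONE" >/dev/null 2>&1; then
    gcloud compute instances delete "$VM_NAME" --zone "$ZONE" --quiet
  fi
}

# Free preflight: everything a launch needs, with no VM created.
preflight() {
  if ! gcloud auth print-access-token >/dev/null 2>&1; then
    echo "no valid credentials; run: gcloud auth login" >&2
    return 1
  fi
  gsutil -q ls -b "$BUCKET" >/dev/null 2>&1 || { echo "bucket $BUCKET not accessible" >&2; return 1; }
  [ -f "$REPO_TARBALL" ] || { echo "missing $REPO_TARBALL" >&2; return 1; }
}

# poll_done MARKER_URI MAX_SEC EVERY_SEC
# Returns 0 when the marker object exists, 1 once MAX_SEC has elapsed.
# One object stat per tick keeps this cheap and independent of SSH.
poll_done() {
  local marker="$1" max="$2" every="$3" waited=0
  while [ "$waited" -lt "$max" ]; do
    if gsutil -q stat "$marker" >/dev/null 2>&1; then
      return 0
    fi
    sleep "$every"
    waited=$((waited + every))
  done
  return 1
}

launch_and_wait() {
  trap teardown EXIT          # a hung or failed build can never keep billing
  preflight
  gsutil -q cp "$REPO_TARBALL" "$BUCKET/src.tar.gz"
  # Instance-side cap as a second line of defence if this process dies.
  gcloud compute instances create "$VM_NAME" --zone "$ZONE" \
    --machine-type=n2-standard-8 --boot-disk-size=150GB \
    --service-account="$BUILD_SA" --scopes=cloud-platform \
    --metadata-from-file=startup-script=gcp-vm-startup.sh \
    --metadata=build-bucket="$BUCKET" \
    --max-run-duration=5h --instance-termination-action=DELETE
  if poll_done "$BUCKET/DONE" "$MAX_WAIT_SEC" "$POLL_SEC"; then
    gsutil -q -m cp -r "$BUCKET/artifacts" ./dist-out
  else
    echo "build did not finish within ${MAX_WAIT_SEC}s; tearing down" >&2
    return 1
  fi
}

if [ "${1:-}" = "--launch" ]; then launch_and_wait; fi
```

The trap is installed only inside launch_and_wait, so sourcing the file or running the preflight alone never deletes anything; the instance-side --max-run-duration cap covers the case where the orchestrator itself is killed before its trap can run.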
The msix.patch filter block was written but never committed — GCP builds tar the git-tracked state so the fix was absent. Closes the tor-mode build failure on FF140 ESR where msix.patch drifts and aborts make.
…o patch mozilla::RandomUint64OrZero() was removed in Firefox 150 — only RandomUint64OrDie() and RandomUint64() remain. The audio farble patch adds code to nsRFPService.cpp that called the removed overload, causing the human-secure build to fail at compile. Switch to RandomUint64() with .valueOr(0) fallback (same behavior, correct API).
…efox
The compile succeeds but the build names the binary 'bearbrowser' (branded),
so the firefox-only finder reported 'no binary' and failed an otherwise-good
build. Match bearbrowser/librewolf/firefox; on miss, list dist/bin to debug.
Note: human-secure full Gecko compile with our canvas+audio engine patches is
now PROVEN ('Your build was successful!') — the audio RandomUint64 fix compiles.
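The VM-side pieces described in the PR body and in the commit above, as an added example that is not the PR's gcp-remote-build.sh: a binary finder that matches bearbrowser/librewolf/firefox and lists dist/bin on a miss, plus the per-profile loop that fails one profile without aborting the others. The step commands are assumed from the PR text (apply-sourceos-overlays, make bootstrap, make build, measure-fingerprint --bin) and their exact argument shapes are my guesses; each step is a shell function so the loop can be exercised without a Gecko checkout.

```shell
#!/usr/bin/env bash
# Added example, not the PR's gcp-remote-build.sh. Step command shapes are
# assumed from the PR text; paths are placeholders.
set -u

# find_built_binary DIST_BIN_DIR
# Prints the first executable matching a known brand name. On a miss it
# lists the directory on stderr so the log is debuggable, instead of the
# bare "no binary" a firefox-only finder gives for a branded build.
find_built_binary() {
  local bindir="$1" name
  for name in bearbrowser librewolf firefox; do
    if [ -x "$bindir/$name" ]; then
      printf '%s\n' "$bindir/$name"
      return 0
    fi
  done
  echo "no browser binary under $bindir; contents:" >&2
  ls -la "$bindir" >&2 2>/dev/null || echo "(missing directory)" >&2
  return 1
}

# Per-profile steps (assumed CLI shapes). The real lane runs the equivalent
# commands inside the Mozilla toolchain.
step_overlay()   { ./apply-sourceos-overlays "$1"; }
step_bootstrap() { make bootstrap; }
step_build()     { make build; }
step_measure()   { ./measure-fingerprint --bin "$(find_built_binary dist/bin)"; }

# build_profile PROFILE: stop at the first failed step for THIS profile only.
build_profile() {
  local profile="$1" step
  for step in step_overlay step_bootstrap step_build step_measure; do
    if ! "$step" "$profile"; then
      echo "$profile: $step failed" >&2
      return 1
    fi
  done
  return 0
}

# build_all PROFILE...: builds every profile even when one fails, so a
# tor-mode patch drift never costs the human-secure build. Exit status is
# the number of failed profiles, so 0 still means everything built.
build_all() {
  local failed=0 p
  for p in "$@"; do
    if build_profile "$p"; then
      echo "$p: built"
    else
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

if [ $# -gt 0 ]; then build_all "$@"; fi
```

Run it as `./script.sh human-secure tor-mode`; a non-zero exit tells the orchestrator how many profiles failed while the packaged artifacts of the ones that succeeded are still there to pull.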
Two-part lane to compile BearBrowser from source on a GCP VM (the 8GB Mac can't — Gecko link needs 16GB+). Produces Linux binaries + the real fingerprint scorecard: the first actual compile-verification of the farble + OS-spoof patches.
gcp-remote-build.sh (on VM): apt deps + npm ci, then per profile apply-sourceos-overlays → make bootstrap → make build → measure-fingerprint. tor-mode asserts the compiled-in Windows identity.
gcp-build-linux.sh (orchestrator): teardown trap, free --dry-run, auth preflight, external-IP/IAP auto-detect, detached+polled build (SSH-drop safe), 150GB disk, artifact pull.
Tested offline (bash -n, 11M tarball with all key paths, graceful auth failure). Real run needs gcloud auth login first.
🤖 Generated with Claude Code