CONTRIBUTING.md

-# Contributing 
+# Contributing
 
 Whether you've got a bugfix, documentation update, or new feature for us, these are the steps to follow to contribute code back into the main trisquel repo.
 
@@ -6,34 +6,27 @@ Whether you've got a bugfix, documentation update, or new feature for us, these
 
 
 
- 1. Install needed packages for both, sources and binary builds
+ 1. Install needed packages for running the helpers
 ```
-sudo apt-get install  dpkg-dev devscripts git pbuilder quilt patch sed rpl parsewiki
+sudo apt-get install cdbs devscripts dpkg-dev git gnupg patch quilt rpl sed
 ```
 
- 1. Configure build environment for binary packages
+ 1. Get the Trisquel build environment and follow the [README](https://gitlab.trisquel.org/trisquel/trisquel-builder/-/blob/master/README.md) to setup your system for building
 ```
-git clone https://devel.trisquel.info/trisquel/trisquel-builder.git
-ln -s $(readlink -f trisquel-builder/pbuilderrc) ~/.pbuilderrc
-sudo ln -s $(readlink -f trisquel-builder/hooks) /var/cache/pbuilder/hooks.d
-```
-
- 1. Create the build environment for each distribution/architecture you want to work with
-```
-sudo BUILDDIST=belenos BUILDARCH=amd64 pbuilder create 
+git clone https://gitlab.trisquel.org/trisquel/trisquel-builder.git
 ```
 
 
 ## 2. Get the latest code from gitlab
 
-You'll need to understand a little bit about how git and gitlab work before this step (GitHub works the same way, but we like free software). In simple terms, log in [here](https://devel.trisquel.info/users/sign_in?redirect_to_referer=yes), visit the [trisquel/package-helpers project page](https://devel.trisquel.info/trisquel/package-helpers), and click the "fork" button to create your own copy of the repo.  You will push your changes to this new repo under your own git account, and we will pull changes into the main repo from there.
+You'll need to understand a little bit about how git and gitlab work before this step (GitHub works the same way, but we like free software). In simple terms, log in [here](https://gitlab.trisquel.org/users/sign_in?redirect_to_referer=yes), visit the [trisquel/package-helpers project page](https://gitlab.trisquel.org/trisquel/package-helpers), and click the "fork" button to create your own copy of the repo.  You will push your changes to this new repo under your own git account, and we will pull changes into the main repo from there.
 
 For the sake of the rest of the examples in this guide, we're going to assume your gitlab username is "**richardtorvalds**" and you will be working with the  "**hello**" package, and use those in our examples.
 
 Now, we want to grab the latest from this newly created repository and pull it down to your local machine. Getting the latest code from your repo is simple, just clone it:
 
 ```bash
-git clone https://devel.trisquel.info/richardtorvalds/package-helpers.git
+git clone https://gitlab.trisquel.org/richardtorvalds/package-helpers.git
 cd package-helpers
 ```
 
@@ -44,7 +37,7 @@ This will give you a directory called "package-helpers" on your local machine wi
 One thing you'll need to do to make things easier to integrate and keep up to date in your fork is to add the main repo as a remote reference. This way you can fetch the latest code from the production version and integrate it. So, here's how to set that up:
 
 ```bash
-git remote add upstream https://devel.trisquel.info/trisquel/package-helpers.git
+git remote add upstream https://gitlab.trisquel.org/trisquel/package-helpers.git
 git remote   (this will list out your remotes, showing the new one we added)
 ```
 
@@ -52,14 +45,14 @@ Then, when you need to pull the latest from the main trisquel repo, you just fet
 
 ```bash
 git fetch upstream
-git merge upstream/belenos
+git merge upstream/nabia
 ```
 
-You can also use *git pull upstream belenos* if you want it all in one step.
+You can also use *git pull upstream nabia* if you want it all in one step.
 
 ## 4. Making a branch for your changes
 
-When adding features or bug fixes, please create a separate branch for each changeset you want us to pull in, either with the issue number in the branch name or with an indication of what the feature is (feature, bugfix...). 
+When adding features or bug fixes, please create a separate branch for each changeset you want us to pull in, either with the issue number in the branch name or with an indication of what the feature is (feature, bugfix...).
 
 ```bash
 git branch   (lists your current branches)
@@ -75,7 +68,7 @@ cd helpers
 cp make-apache2 make-hello
 ```
 
-For importing free packages from ppa's or other sources, check [make-toxcore](https://devel.trisquel.info/trisquel/package-helpers/blob/belenos/helpers/make-toxcore) and update the _EXTERNAL_ , _SIGNKEY_ and _changelog_ lines  with your own values.
+For importing free packages from ppa's or other sources, check [make-tor](https://gitlab.trisquel.org/trisquel/package-helpers/blob/nabia/helpers/make-tor) and update the _EXTERNAL_ , _SIGNKEY_ and _changelog_ lines  with your own values.
 
 Then, run the helper with
 ```
@@ -86,12 +79,12 @@ If everything goes fine, you will have your new source package ready at _PACKAGE
 
 ## 6. Build and test the binary package
 
-The last step generated a source package file, so we need to build the binary one:
+The last step generated a source package file, so we need to build the binary one. Please make sure that you set or replace `CODENAME` and `ARCH` variables:
 ```
-sudo BUILDDIST=belenos BUILDARCH=amd64 pbuilder build PACKAGES/hello/*.dsc
+sbuild -v -A --dist $CODENAME --arch $ARCH PACKAGES/hello/*.dsc
 ```
 
-The binary packages will be avaliable at _/var/cache/pbuilder/jenkins-repos/$BUILDDIST/_
+The binary packages will be avaliable in the directory from which you ran the previous command.
 
 
 ## 7. Push your code and make a pull request
@@ -107,6 +100,4 @@ This pushes everything in that branch up. Then you can go back to your forked pa
 That lets us know that there's something new from you that needs to be pulled in. We'll review it and get back to you about it if we have any questions. Otherwise, we'll integrate it and let you know when it's in!
 
 
-Hope this guide helps you get started in contributing to the trisquel project! If you still have questions, don't hesitate to join us on IRC - we're in #trisquel-dev on freenode -, or send a mail to the development mailing list trisquel-devel at listas.trisquel.info.
-
-   
+Hope this guide helps you get started in contributing to the trisquel project! If you still have questions, don't hesitate to join us on IRC - we're in #trisquel-dev on libera.chat -, or send a mail to the development mailing list trisquel-devel at listas.trisquel.info.

README.md

@@ -11,9 +11,9 @@ derivative of your own, we suggest you to use Builder instead of this helpers.
 
 Once a new package is added, it takes priority over the original one from Ubuntu,
 so they never enter into the repo from upstream and need to be
-compiled with this helpers and pushed into reprepro. 
+compiled with this helpers and pushed into reprepro.
 
-To add a package to the list, follow the [CONTRIBUTING](https://devel.trisquel.info/trisquel/package-helpers/blob/belenos/CONTRIBUTING.md) guidelines.
+To add a package to the list, follow the [CONTRIBUTING](https://gitlab.trisquel.org/trisquel/package-helpers/blob/nabia/CONTRIBUTING.md) guidelines.
 
 ## Steps
 
@@ -26,11 +26,20 @@ Those are the steps done by the helpers:
 5. Apply the changes described in the helper
 6. Re-package it, adding "triquel$VERSION" version string
 
+## Variables in helper scripts
+
+* `VERSION` (required): The trisquel version for the helper.
+* `EXTERNAL`: When building packages not coming from the upstream Ubuntu, the external `deb-src` in the same format as in `apt.sources.list`.
+* `REPOKEY`: An additional GPG key to import for the helper. Mostly only used in conjunction with `EXTERNAL`.
+* `BACKPORT(S)`: Must be set to `true` if the package is a backport.
+* `QUILT`: If `skip`, avoids patches to be automatically applied. Only set this variables if you know what you are doing.
+* `BUILD_UNTIL`: build this helper if the Trisquel REVISION number (e.g. Trisquel 10.0) is <= this number. To be used when we know that the helper will not be needed at a certain future release.
+
 ## Recommendations
 
 * You don't need to use sudo in order to run those scripts, but some extra packages are needed:
 
-     `sudo apt-get install dpkg-dev sed git rpl devscripts quilt patch cdbs`
+     `sudo apt-get install cdbs devscripts dpkg-dev git gnupg gnupg2 patch python2 quilt rename rpl sed python3-jsonschema`
 
 * Take care to use the right sourcePackageName, many source packages produce
 several binary packages. `apt-cache showsrc binary-package` can help you.
@@ -41,8 +50,26 @@ it at the `DATA/sourcePackageName` directory
 would actually be shown to the user. Avoid replacing copyright statements!
 * Try to write your replacements in a way they might work in future versions
 of the upstream package. Well written regexps and sed will help with that.
-* You can test your changes by doing them inside the _PACKAGES/sourcePackageName/source/_ directory, 
+* You can test your changes by doing them inside the _PACKAGES/sourcePackageName/source/_ directory,
 and running `dpkg-source -b .`, before being added to the helper script
+* You can check the status of failed build at https://jenkins.trisquel.org/job/build-watchdog/lastBuild/consoleText
+
+## Debootstrap
+On every new release we need to get compiled the very basic packages in order
+to create a trisquel base builder.
+Before that we currently relay on a upstream debootstrap image, so creating a
+trisquel debootstrap is the starting point.
+
+Every new release need the following packages taken care of first,
+
+* `make-apt`
+* `make-base-files`
+* `make-bash`
+* `make-debootstrap`
+* `make-dpkg`
+* `make-cdebconf`
+* `trisquel-keyring` (not as helper)
+* `trisquel-meta` (not as helper)
 
 ## Netinstall
 
@@ -62,4 +89,3 @@ To generate the images, we run the following scripts:
 
 Then we push the results into the Trisquel repository and run the script
 `make-debian-installer` to build the final images.
-

helpers/DATA/akregator/trisquel_feeds.patch

+--- src/akregator_part.cpp	2020-06-05 11:41:23.000000000 -0500
++++ src/akregator_part_trisquel.cpp	2020-06-05 12:46:05.914051386 -0500
+@@ -189,6 +189,61 @@
+     wire.setAttribute(QStringLiteral("xmlUrl"), QStringLiteral("http://wire.kubuntu.org/?feed=rss2"));
+     kubuntuFolder.appendChild(wire);
+ 
++// Trisquel feeds
++    QDomElement trisquelFolder = doc.createElement(QStringLiteral("outline"));
++    trisquelFolder.setAttribute(QStringLiteral("text"), QStringLiteral("Trisquel GNU/Linux"));
++    body.appendChild(trisquelFolder);
++
++    QDomElement tnews = doc.createElement(QStringLiteral("outline"));
++    tnews.setAttribute(QStringLiteral("text"), i18n("News"));
++    tnews.setAttribute(QStringLiteral("xmlUrl"), QStringLiteral("https://trisquel.info/en/node/feed"));
++    trisquelFolder.appendChild(tnews);
++
++    QDomElement relAnnounce = doc.createElement(QStringLiteral("outline"));
++    relAnnounce.setAttribute(QStringLiteral("text"), i18n("Release announcements"));
++    relAnnounce.setAttribute(QStringLiteral("xmlUrl"), QStringLiteral("https://trisquel.info/en/taxonomy/term/700/0/feed"));
++    trisquelFolder.appendChild(relAnnounce);
++
++    QDomElement enForum = doc.createElement(QStringLiteral("outline"));
++    enForum.setAttribute(QStringLiteral("text"), i18n("Forum"));
++    enForum.setAttribute(QStringLiteral("xmlUrl"), QStringLiteral("https://trisquel.info/en/taxonomy/term/50/0/feed"));
++    trisquelFolder.appendChild(enForum);
++
++    QDomElement tReddit = doc.createElement(QStringLiteral("outline"));
++    tReddit.setAttribute(QStringLiteral("text"), i18n("Trisquel at Reddit"));
++    tReddit.setAttribute(QStringLiteral("xmlUrl"), QStringLiteral("https://www.reddit.com/r/trisquel/.rss"));
++    trisquelFolder.appendChild(tReddit);
++
++// Free Software feeds
++    QDomElement fsFolder = doc.createElement(QStringLiteral("outline"));
++    fsFolder.setAttribute(QStringLiteral("text"), QStringLiteral("Free Software"));
++    body.appendChild(fsFolder);
++
++    QDomElement newGNU = doc.createElement(QStringLiteral("outline"));
++    newGNU.setAttribute(QStringLiteral("text"), i18n("What's New at GNU"));
++    newGNU.setAttribute(QStringLiteral("xmlUrl"), QStringLiteral("https://www.reddit.com/r/trisquel/.rss"));
++    fsFolder.appendChild(newGNU);
++
++    QDomElement fsfNews = doc.createElement(QStringLiteral("outline"));
++    fsfNews.setAttribute(QStringLiteral("text"), i18n("FSF News"));
++    fsfNews.setAttribute(QStringLiteral("xmlUrl"), QStringLiteral("https://static.fsf.org/fsforg/rss/news.xml"));
++    fsFolder.appendChild(fsfNews);
++
++    QDomElement fsfEvents = doc.createElement(QStringLiteral("outline"));
++    fsfEvents.setAttribute(QStringLiteral("text"), i18n("FSF Events"));
++    fsfEvents.setAttribute(QStringLiteral("xmlUrl"), QStringLiteral("https://static.fsf.org/fsforg/rss/events.xml"));
++    fsFolder.appendChild(fsfEvents);
++
++    QDomElement fsfBlog = doc.createElement(QStringLiteral("outline"));
++    fsfBlog.setAttribute(QStringLiteral("text"), i18n("FSF Blogs"));
++    fsfBlog.setAttribute(QStringLiteral("xmlUrl"), QStringLiteral("https://static.fsf.org/fsforg/rss/blogs.xml"));
++    fsFolder.appendChild(fsfBlog);
++
++    QDomElement gnuReddit = doc.createElement(QStringLiteral("outline"));
++    gnuReddit.setAttribute(QStringLiteral("text"), i18n("GNU at Reddit"));
++    gnuReddit.setAttribute(QStringLiteral("xmlUrl"), QStringLiteral("https://www.reddit.com/r/gnu/.rss"));
++    fsFolder.appendChild(gnuReddit);
++
+     return doc;
+ }
+ }

helpers/DATA/apache2/001_branding

-#!/bin/sh -e
-## 02_branding.dpatch by Adam Conrad <adconrad@0c3.net>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Changes apache's PLATFORM based on lsb_release output
-
-BUILD_DIST="($(lsb_release -i -s) GNU/Linux)"
-
-if [ $# -ne 1 ]; then
-    echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
-    exit 1
-fi
-
-case "$1" in
-  -patch)
-    if grep -q "${BUILD_DIST}" server/core.c 2>/dev/null; then
-      echo >&2 "`basename $0`: patch already applied"
-      exit 1
-    else
-      # This is where we get our distribution-specific server signature from:
-      sed -i -e "s:(\" PLATFORM \"):${BUILD_DIST}:" server/core.c
-    fi
-  ;;
-  -unpatch)
-    if grep -q "${BUILD_DIST}" server/core.c 2>/dev/null; then
-      sed -i -e "s:${BUILD_DIST}:(\" PLATFORM \"):" server/core.c
-    else
-      echo >&2 "`basename $0`: patch not yet applied, cannot unpatch"
-      exit 1
-    fi
-  ;;
-  *)
-    echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
-    exit 1
-  ;;
-esac
-

helpers/DATA/app-install-data-ubuntu/09_app_install_entry.patch

-Index: gnome-menus-2.28.0/layout/applications.menu
-===================================================================
---- gnome-menus-2.28.0.orig/layout/applications.menu	2009-09-24 11:34:44.000000000 +0200
-+++ gnome-menus-2.28.0/layout/applications.menu	2009-09-24 11:34:44.000000000 +0200
-@@ -157,4 +157,29 @@
-     <Directory>Debian.directory</Directory>
-   </Menu>
- 
-+<Include>
-+  <Filename>gnome-app-install.desktop</Filename>
-+</Include>
-+
-+<!-- Separator between menus and gnome-app-install -->
-+<Layout>
-+  <Merge type="menus"/>
-+  <Menuname>Internet</Menuname>
-+  <Menuname>Office</Menuname>
-+  <Menuname>Education</Menuname>
-+  <Menuname>Development</Menuname>
-+  <Menuname>Graphics</Menuname>
-+  <Menuname>Multimedia</Menuname>
-+  <Menuname>Games</Menuname>
-+  <Menuname>Accessories</Menuname>
-+  <Menuname>System</Menuname>
-+  <Menuname>Universal Access</Menuname>
-+  <Menuname>Debian</Menuname>
-+  <Menuname>Other</Menuname>
-+  <Menuname>wine-wine</Menuname>
-+  <Merge type="files"/>
-+  <Separator/>
-+  <Filename>gnome-app-install.desktop</Filename>
-+</Layout>
-+
- </Menu> <!-- End Applications -->
-Index: gnome-menus-2.28.0/layout/settings.menu
-===================================================================
---- gnome-menus-2.28.0.orig/layout/settings.menu	2009-09-24 11:34:47.000000000 +0200
-+++ gnome-menus-2.28.0/layout/settings.menu	2009-09-24 11:35:22.000000000 +0200
-@@ -43,6 +43,7 @@
-       <And>
-         <Category>Settings</Category>
-         <Category>System</Category>
-+        <Not><Filename>gnome-app-install.desktop</Filename></Not>
-       </And>
-     </Include>
-   </Menu>     <!-- End System Settings -->

helpers/DATA/apparmor-profiles-extra/70aed868a4ed76d74eecf3b210ce7bf3098ffab4.patch

+From 70aed868a4ed76d74eecf3b210ce7bf3098ffab4 Mon Sep 17 00:00:00 2001
+From: Jacob K <jacobk@disroot.org>
+Date: Wed, 12 Feb 2025 12:19:24 -0600
+Subject: [PATCH] Add some lines from Atril's profile to fix the screen reader
+
+---
+ profiles/usr.bin.pidgin | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/profiles/usr.bin.pidgin b/profiles/usr.bin.pidgin
+index 5e18702..085301c 100644
+--- a/profiles/usr.bin.pidgin
++++ b/profiles/usr.bin.pidgin
+@@ -8,6 +8,7 @@
+   #include <abstractions/bash>
+   #include <abstractions/dbus-session>
+   #include <abstractions/dbus-strict>
++  #include <abstractions/dbus-accessibility>
+   #include <abstractions/dconf>
+   #include <abstractions/enchant>
+   #include <abstractions/gnome>
+@@ -82,6 +83,13 @@
+   owner @{PROC}/@{pid}/auxv r,
+   owner @{PROC}/@{pid}/fd/ r,
+ 
++  # These lines were copied from Atril's profile to make the screen reader functional
++  owner /{,var/}run/user/*/at-spi2-*/   rw,
++  owner /{,var/}run/user/*/at-spi2-*/** rw,
++  # Allow access to the non-abstract D-Bus socket used by at-spi > 2.42.0
++  #   https://gitlab.gnome.org/GNOME/at-spi2-core/-/issues/43
++  owner /{,var/}run/user/*/at-spi/bus* rw,
++
+   # Site-specific additions and overrides. See local/README for details.
+   #include <local/usr.bin.pidgin>
+ }
+-- 
+2.25.1
+

helpers/DATA/apparmor/b5a7641dd3502fcfb897d3b96e197628b674ce3c.patch

+From b5a7641dd3502fcfb897d3b96e197628b674ce3c Mon Sep 17 00:00:00 2001
+From: Adrian Heine <mail@adrianheine.de>
+Date: Mon, 23 Jan 2023 20:35:29 +0100
+Subject: [PATCH] Add pipewire client.conf to audio abstractions
+
+Fixes: https://bugs.launchpad.net/bugs/2003702
+---
+ profiles/apparmor.d/abstractions/audio | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/profiles/apparmor.d/abstractions/audio b/profiles/apparmor.d/abstractions/audio
+index 01493260d..dd783992d 100644
+--- a/profiles/apparmor.d/abstractions/audio
++++ b/profiles/apparmor.d/abstractions/audio
+@@ -85,5 +85,8 @@ owner @{HOME}/.local/share/openal/hrtf/{,**} r,
+ # wildmidi
+ /etc/wildmidi/wildmidi.cfg r,
+ 
++# pipewire
++/usr/share/pipewire/client.conf r,
++
+   # Include additions to the abstraction
+   include if exists <abstractions/audio.d>
+-- 
+GitLab
+

helpers/DATA/apt-mirror/Trisquel-mirror.list

@@ -14,14 +14,14 @@ set _tilde 0
 #
 ############# end config ##############
 
-deb http://archive.trisquel.info/trisquel @CODENAME@ main
-deb http://archive.trisquel.info/trisquel @CODENAME@-security main 
-deb http://archive.trisquel.info/trisquel @CODENAME@-updates main 
-deb http://archive.trisquel.info/trisquel @CODENAME@-backports main 
+deb http://archive.trisquel.org/trisquel @CODENAME@ main
+deb http://archive.trisquel.org/trisquel @CODENAME@-security main 
+deb http://archive.trisquel.org/trisquel @CODENAME@-updates main 
+deb http://archive.trisquel.org/trisquel @CODENAME@-backports main 
 
-deb-src http://archive.trisquel.info/trisquel @CODENAME@ main 
-deb-src http://archive.trisquel.info/trisquel @CODENAME@-security main 
-deb-src http://archive.trisquel.info/trisquel @CODENAME@-updates main 
-deb-src http://archive.trisquel.info/trisquel @CODENAME@-backports main 
+deb-src http://archive.trisquel.org/trisquel @CODENAME@ main 
+deb-src http://archive.trisquel.org/trisquel @CODENAME@-security main 
+deb-src http://archive.trisquel.org/trisquel @CODENAME@-updates main 
+deb-src http://archive.trisquel.org/trisquel @CODENAME@-backports main 
 
-clean http://archive.trisquel.info/trisquel
+clean http://archive.trisquel.org/trisquel

helpers/DATA/apt/trisquel/apt-vendor.ent

@@ -4,17 +4,17 @@
 <!ENTITY keyring-filename "<filename>/usr/share/keyrings/trisquel-archive-keyring.gpg</filename>">
 <!ENTITY keyring-removed-filename "<filename>/usr/share/keyrings/trisquel-archive-removed-keys.gpg</filename>">
 <!ENTITY keyring-master-filename "/usr/share/keyrings/trisquel-master-keyring.gpg">
-<!ENTITY keyring-uri "http://archive.trisquel.info/trisquel/trisquel-archive-signkey.gpg">
+<!ENTITY keyring-uri "http://archive.trisquel.org/trisquel/trisquel-archive-signkey.gpg">
 
-<!ENTITY sourceslist-list-format "deb http://es.archive.trisquel.info/trisquel &trisquel-codename; main
-deb http://es.archive.trisquel.info/trisquel &trisquel-codename;-security main
-deb http://es.archive.trisquel.info/trisquel &trisquel-codename;-updates main">
+<!ENTITY sourceslist-list-format "deb http://archive.trisquel.org/trisquel &trisquel-codename; main
+deb http://archive.trisquel.org/trisquel &trisquel-codename;-security main
+deb http://archive.trisquel.org/trisquel &trisquel-codename;-updates main">
 <!ENTITY sourceslist-sources-format "Types: deb
-URIs: http://es.archive.trisquel.info/trisquel
+URIs: http://archive.trisquel.org/trisquel
 Suites: &trisquel-codename; &trisquel-codename;-updates
 Components: main
 
 Types: deb
-URIs: http://es.archive.trisquel.info/trisquel
+URIs: http://archive.trisquel.org/trisquel
 Suites: &trisquel-codename;-security
 Components: main">

helpers/DATA/apt/trisquel/sources.list.in

 # See sources.list(5) manpage for more information
 # Remember that CD-ROMs, DVDs and such are managed through the apt-cdrom tool.
-deb http://es.archive.trisquel.info/trisquel &trisquel-codename; main
-deb-src http://es.archive.trisquel.info/trisquel &trisquel-codename; main
+deb http://archive.trisquel.org/trisquel &trisquel-codename; main
+deb-src http://archive.trisquel.org/trisquel &trisquel-codename; main
 
-deb http://es.archive.trisquel.info/trisquel &trisquel-codename;-security main
-deb-src http://es.archive.trisquel.info/trisquel &trisquel-codename;-security main
+deb http://archive.trisquel.org/trisquel &trisquel-codename;-security main
+deb-src http://archive.trisquel.org/trisquel &trisquel-codename;-security main
 
-deb http://es.archive.trisquel.info/trisquel &trisquel-codename;-updates main
-deb-src http://es.archive.trisquel.info/trisquel &trisquel-codename;-updates main
+deb http://archive.trisquel.org/trisquel &trisquel-codename;-updates main
+deb-src http://archive.trisquel.org/trisquel &trisquel-codename;-updates main

helpers/DATA/arctica-greeter/org.ArcticaProject.arctica-greeter.gschema.xml

+<?xml version="1.0" encoding="UTF-8"?>
+<schemalist gettext-domain="arctica-greeter">
+  <schema id="org.ArcticaProject.arctica-greeter" path="/org/ArcticaProject/arctica-greeter/">
+    <key name="background" type="s">
+      <default>'/usr/share/backgrounds/aramo.jpg'</default>
+      <summary>Background file to use, either an image path or a color (e.g. #772953)</summary>
+    </key>
+    <key name="background-color" type="s">
+      <default>'#000000'</default>
+      <summary>Background color (e.g. #772953), set before wallpaper is seen</summary>
+    </key>
+    <key name="togglebox-font-fgcolor" type="s">
+      <default>'#A0A0A0'</default>
+      <summary>Font foreground color (e.g. #A0A0A0) for selected session names in session list</summary>
+    </key>
+    <key name="togglebox-button-bgcolor" type="s">
+      <default>'#2F70C6'</default>
+      <summary>Font foreground color (e.g. #202020) for selected session names in session list</summary>
+    </key>
+    <key name="draw-user-backgrounds" type="b">
+      <default>true</default>
+      <summary>Whether to draw user backgrounds</summary>
+    </key>
+    <key name="draw-grid" type="b">
+      <default>false</default>
+      <summary>Whether to draw an overlay grid</summary>
+    </key>
+    <key name="show-hostname" type="b">
+      <default>true</default>
+      <summary>Whether to show the hostname in the menubar</summary>
+    </key>
+    <key name="logo" type="s">
+      <default>'/usr/share/arctica-greeter/logo.png'</default>
+      <summary>Logo file to use</summary>
+    </key>
+    <key name="theme-name" type="s">
+      <default>'Trisquel-dark'</default>
+      <summary>GTK+ theme to use</summary>
+    </key>
+    <key name="icon-theme-name" type="s">
+      <default>'trisquel'</default>
+      <summary>Icon theme to use</summary>
+    </key>
+    <key name="font-name" type="s">
+      <default>'Sans 11'</default>
+      <summary>Font to use</summary>
+    </key>
+    <key name="xft-antialias" type="b">
+      <default>true</default>
+      <summary>Whether to antialias Xft fonts</summary>
+    </key>
+    <key name="xft-dpi" type="d">
+      <default>96</default>
+      <summary>Resolution for Xft in dots per inch</summary>
+    </key>
+    <key name="xft-hintstyle" type="s">
+      <choices>
+        <choice value='hintnone'/>
+        <choice value='hintslight'/>
+        <choice value='hintmedium'/>
+        <choice value='hintfull'/>
+      </choices>
+      <default>'hintslight'</default>
+      <summary>What degree of hinting to use</summary>
+    </key>
+    <key name="xft-rgba" type="s">
+      <choices>
+        <choice value='none'/>
+        <choice value='rgb'/>
+        <choice value='bgr'/>
+        <choice value='vrgb'/>
+        <choice value='vbgr'/>
+      </choices>
+      <default>'rgb'</default>
+      <summary>Type of subpixel antialiasing</summary>
+    </key>
+    <key name="onscreen-keyboard" type="b">
+      <default>false</default>
+      <summary>Whether to enable the onscreen keyboard</summary>
+    </key>
+    <key name="high-contrast" type="b">
+      <default>false</default>
+      <summary>Whether to use a high contrast theme</summary>
+    </key>
+    <key name="screen-reader" type="b">
+      <default>false</default>
+      <summary>Whether to enable the screen reader</summary>
+    </key>
+    <key name="play-ready-sound" type="b">
+      <default>true</default>
+      <summary>Whether to play sound when greeter is ready</summary>
+    </key>
+    <key name="indicators" type="as">
+      <default>['ug-accessibility', 'org.ayatana.indicator.keyboard', 'org.ayatana.indicator.session', 'org.ayatana.indicator.datetime', 'org.ayatana.indicator.power', 'org.ayatana.indicator.sound', 'ayatana-application']</default>
+      <summary>Which indicators to load</summary>
+    </key>
+    <key name="hidden-users" type="as">
+      <default>[]</default>
+      <summary>List of usernames that are hidden until a special key combination is hit</summary>
+    </key>
+    <key name="group-filter" type="as">
+      <default>[]</default>
+      <summary>List of groups that users must be part of to be shown (empty list shows all users)</summary>
+    </key>
+    <key name="idle-timeout" type="i">
+      <default>300</default>
+      <summary>Number of seconds of inactivity before blanking the screen. Set to 0 to never timeout.</summary>
+    </key>
+    <key name="enable-hidpi" type="s">
+      <choices>
+        <choice value='on'/>
+        <choice value='off'/>
+        <choice value='auto'/>
+      </choices>
+      <default>'auto'</default>
+      <summary>Whether to enable HiDPI support</summary>
+    </key>
+    <key name="remote-service-configure-uri" type="s">
+      <default>''</default>
+      <summary>Default FQDN for host offering Remote Logon Service</summary>
+    </key>
+    <key name="activate-numlock" type="b">
+      <default>false</default>
+      <summary>Whether to activate numlock. This features requires the installation of numlockx.</summary>
+    </key>
+    <key name="only-on-monitor" type="s">
+      <default>'auto'</default>
+      <summary>Monitor on which to show the Login GUI</summary>
+    </key>
+  </schema>
+</schemalist>

helpers/DATA/atril/apparmor-profile

+# vim:syntax=apparmor
+
+# evince is not written with application confinement in mind and is designed to
+# operate within a trusted desktop session where anything running within the
+# user's session is trusted. That said, evince will often process untrusted
+# input (PDFs, images, etc). Ideally evince would be written in such a way that
+# image processing is separate from the main process and that processing
+# happens in a restrictive sandbox, but unfortunately that is not currently the
+# case. Because evince will process untrusted input, this profile aims to
+# provide some hardening, but considering evince's design and other factors such
+# as X, gsettings, accessibility, translations, DBus session and system
+# services, etc, complete confinement is not possible.
+
+#include <tunables/global>
+
+/usr/bin/atril {
+  #include <abstractions/audio>
+  #include <abstractions/bash>
+  #include <abstractions/cups-client>
+  #include <abstractions/dbus-accessibility>
+  #include <abstractions/atril>
+  #include <abstractions/ibus>
+  #include <abstractions/nameservice>
+
+  #include <abstractions/ubuntu-browsers>
+  #include <abstractions/ubuntu-console-browsers>
+  #include <abstractions/ubuntu-email>
+  #include <abstractions/ubuntu-console-email>
+  #include <abstractions/ubuntu-media-players>
+
+  # allow atril to spawn browsers distributed as snaps (LP: #1794064)
+  #include <abstractions/snap_browsers>
+
+  # For now, let atril talk to any session services over dbus. We can
+  # blacklist any problematic ones (but note, evince uses libsecret :\)
+  #include <abstractions/dbus-session>
+
+  #include <abstractions/dbus-strict>
+  dbus (receive) bus=system,
+  # Allow getting information from various system services
+  dbus (send)
+      bus=system
+      member="Get*"
+      peer=(label=unconfined),
+  # Allow talking to avahi with whatever polkit allows
+  dbus (send)
+      bus=system
+      interface="org.freedesktop.Avahi{,.*}",
+  # Allow talking to colord with whatever polkit allows
+  dbus (send)
+      bus=system
+      interface="org.freedesktop.ColorManager{,.*}",
+
+  # Terminals for using console applications. These abstractions should ideally
+  # have 'ix' to restrict access to what only atril is allowed to do
+  #include <abstractions/ubuntu-gnome-terminal>
+
+  # By default, we won't support launching a terminal program in Xterm or
+  # KDE's konsole. It opens up too many unnecessary files for most users.
+  # People who need this functionality can uncomment the following:
+  ##include <abstractions/ubuntu-xterm>
+  ##include <abstractions/ubuntu-konsole>
+
+  /usr/bin/atril rmPx,
+  /usr/bin/atril-previewer Px,
+  /usr/bin/yelp Cx -> sanitized_helper,
+  /usr/bin/bug-buddy px,
+  # 'Show Containing Folder' (LP: #1022962)
+  /usr/bin/nautilus Cx -> sanitized_helper, # Gnome
+  /usr/bin/pcmanfm Cx -> sanitized_helper,  # LXDE
+  /usr/bin/krusader Cx -> sanitized_helper, # KDE
+  /usr/bin/thunar Cx -> sanitized_helper,   # XFCE
+
+  # Print Dialog
+  /usr/lib/@{multiarch}/libproxy/*/pxgsettings Cx -> sanitized_helper,
+
+  # For Xubuntu to launch the browser
+  #include <abstractions/exo-open>
+
+  # For text attachments
+  /usr/bin/gedit ixr,
+
+  # For Send to
+  /usr/bin/nautilus-sendto Cx -> sanitized_helper,
+
+  # GLib desktop launch helper (used under the hood by g_app_info_launch)
+  /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rmix,
+  /usr/bin/env ixr,
+
+  # allow directory listings (ie 'r' on directories) so browsing via the file
+  # dialog works
+  / r,
+  /**/ r,
+
+  # This is need for saving files in your home directory without an extension.
+  # Changing this to '@{HOME}/** r' makes it require an extension and more
+  # secure (but with 'rw', we still have abstractions/private-files-strict in
+  # effect).
+  owner @{HOME}/** rw,
+  owner /media/**  rw,
+  owner @{HOME}/.local/share/gvfs-metadata/** l,
+  owner /{,var/}run/user/*/gvfs-metadata/** l,
+
+  # Maybe add to an abstraction?
+  /etc/dconf/**                                       r,
+  owner @{HOME}/.cache/dconf/user                     rw,
+  owner @{HOME}/.config/dconf/user                    r,
+  owner @{HOME}/.config/enchant/*                     rk,
+  owner /{,var/}run/user/*/dconf/                     w,
+  owner /{,var/}run/user/*/dconf/user                 rw,
+  owner /{,var/}run/user/*/dconf-service/keyfile/     w,
+  owner /{,var/}run/user/*/dconf-service/keyfile/user rw,
+
+  owner /{,var/}run/user/*/at-spi2-*/   rw,
+  owner /{,var/}run/user/*/at-spi2-*/** rw,
+
+  # Allow access to the non-abstract D-Bus socket used by at-spi > 2.42.0
+  #   https://gitlab.gnome.org/GNOME/at-spi2-core/-/issues/43
+  owner /{,var/}run/user/*/at-spi/bus* rw,
+
+  # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
+  # read and write for all supported file formats
+  /**.[aA][iI]         rw,
+  /**.[bB][mM][pP]     rw,
+  /**.[dD][jJ][vV][uU] rw,
+  /**.[dD][vV][iI]     rw,
+  /**.[gG][iI][fF]     rw,
+  /**.[jJ][pP][gG]     rw,
+  /**.[jJ][pP][eE][gG] rw,
+  /**.[oO][dD][pP]     rw,
+  /**.[fFpP][dD][fF]   rw,
+  /**.[pP][nN][mM]     rw,
+  /**.[pP][nN][gG]     rw,
+  /**.[pP][sS]         rw,
+  /**.[eE][pP][sS]     rw,
+  /**.[tT][iI][fF]     rw,
+  /**.[tT][iI][fF][fF] rw,
+  /**.[xX][pP][mM]     rw,
+  /**.[gG][zZ]         rw,
+  /**.[bB][zZ]2        rw,
+  /**.[cC][bB][rRzZ7]  rw,
+  /**.[xX][zZ]         rw,
+
+  # atril creates a temporary stream file like '.goutputstream-XXXXXX' in the
+  # directory a file is saved. This allows that behavior.
+  owner /**/.goutputstream-* w,
+
+  # allow atril to spawn browsers distributed as snaps (LP: #1794064)
+  /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrCx -> snap_browsers,
+}
+
+/usr/bin/atril-previewer {
+  #include <abstractions/audio>
+  #include <abstractions/bash>
+  #include <abstractions/cups-client>
+  #include <abstractions/dbus-accessibility>
+  #include <abstractions/atril>
+  #include <abstractions/ibus>
+  #include <abstractions/nameservice>
+
+  #include <abstractions/ubuntu-browsers>
+  #include <abstractions/ubuntu-console-browsers>
+  #include <abstractions/ubuntu-email>
+  #include <abstractions/ubuntu-console-email>
+  #include <abstractions/ubuntu-media-players>
+
+  # For now, let atril talk to any session services over dbus. We can
+  # blacklist any problematic ones (but note, evince uses libsecret :\)
+  #include <abstractions/dbus-session>
+
+  #include <abstractions/dbus-strict>
+  dbus (receive) bus=system,
+  # Allow getting information from various system services
+  dbus (send)
+      bus=system
+      member="Get*"
+      peer=(label=unconfined),
+  # Allow talking to avahi with whatever polkit allows
+  dbus (send)
+      bus=system
+      interface="org.freedesktop.Avahi{,.*}",
+  # Allow talking to colord with whatever polkit allows
+  dbus (send)
+      bus=system
+      interface="org.freedesktop.ColorManager{,.*}",
+
+
+  # Terminals for using console applications. These abstractions should ideally
+  # have 'ix' to restrict access to what only atril is allowed to do
+  #include <abstractions/ubuntu-gnome-terminal>
+
+  # By default, we won't support launching a terminal program in Xterm or
+  # KDE's konsole. It opens up too many unnecessary files for most users.
+  # People who need this functionality can uncomment the following:
+  ##include <abstractions/ubuntu-xterm>
+
+  /usr/bin/atril-previewer mr,
+  /usr/bin/yelp Cx -> sanitized_helper,
+  /usr/bin/bug-buddy px,
+
+  # Lenient, but remember we still have abstractions/private-files-strict in
+  # effect). Write is needed for 'print to file' from the previewer.
+  @{HOME}/ r,
+  @{HOME}/** rw,
+
+  # Maybe add to an abstraction?
+  owner /{,var/}run/user/*/dconf/          w,
+  owner /{,var/}run/user/*/dconf/user      rw,
+}
+
+/usr/bin/atril-thumbnailer {
+  #include <abstractions/base>
+  #include <abstractions/private-files-strict>
+
+  #include <abstractions/fonts>
+  deny @{HOME}/.{,cache/}fontconfig/** wl,
+  deny @{HOME}/missfont.log wl,
+
+  #include <abstractions/dbus-session-strict>
+  dbus (receive) bus=session,
+  dbus (send)
+    bus=session
+    path="/org/gtk/vfs/mounttracker"
+    interface="org.gtk.vfs.MountTracker"
+    member="ListMountableInfo"
+    peer=(label=unconfined),
+
+  # updating gvfs-metadata for thumbnails is unneeded, so explicitly deny it
+  deny dbus (send)
+    bus=session
+    path="/org/gtk/vfs/metadata"
+    interface="org.gtk.vfs.Metadata"
+    member="GetTreeFromDevice"
+    peer=(label=unconfined),
+  deny @{HOME}/.local/share/gvfs-metadata/* r,
+
+  dbus (send)
+    bus=session
+    path="/org/gtk/vfs/Daemon"
+    interface="org.gtk.vfs.Daemon"
+    member="List*"
+    peer=(label=unconfined),
+
+  # The thumbnailer doesn't need access to everything in the nameservice
+  # abstraction. Allow reading of /etc/passwd and /etc/group, but suppress
+  # logging denial of nsswitch.conf.
+  /etc/passwd r,
+  /etc/group r,
+  deny /etc/nsswitch.conf r,
+
+  # TCP/UDP network access for NFS
+  network inet  stream,
+  network inet6 stream,
+  network inet  dgram,
+  network inet6 dgram,
+
+  /etc/papersize r,
+
+  /usr/bin/atril-thumbnailer mr,
+
+  /etc/texmf/ r,
+  /etc/texmf/** r,
+  /etc/xpdf/* r,
+
+  /usr/bin/gs-esp ixr,
+  # Silence these denials since 'no new privs' drops transitions to
+  # sanitized_helper, we don't want all those perms in the thumbnailer
+  # and the thumbnailer generates thumbnails without these just fine.
+  deny /usr/bin/mktexpk x,
+  deny /usr/bin/mktextfm x,
+  deny /usr/bin/dvipdfm x,
+  deny /usr/bin/dvipdfmx x,
+  deny /usr/bin/mkofm x,
+
+  # supported archivers
+  /{usr/,}bin/gzip ixr,
+  /{usr/,}bin/bzip2 ixr,
+  /usr/bin/unrar* ixr,
+  /usr/bin/unzip ixr,
+  /usr/bin/7zr ixr,
+  /usr/lib/p7zip/7zr ixr,
+  /usr/bin/7za ixr,
+  /usr/lib/p7zip/7za ixr,
+  /usr/bin/zipnote ixr,
+  /{usr/,}bin/tar ixr,
+  /usr/bin/xz ixr,
+
+  # miscellaneous access for the above
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mountinfo r,
+  /sys/devices/system/cpu/ r,
+
+  # allow read access to anything in /usr/share, for plugins and input methods
+  /usr/local/share/** r,
+  /usr/share/** r,
+  /usr/lib/ghostscript/** mr,
+  /var/lib/ghostscript/** r,
+  /var/lib/texmf/** r,
+
+  # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
+  # read for all supported file formats
+  /**.[bB][mM][pP]     r,
+  /**.[dD][jJ][vV][uU] r,
+  /**.[dD][vV][iI]     r,
+  /**.[gG][iI][fF]     r,
+  /**.[jJ][pP][gG]     r,
+  /**.[jJ][pP][eE][gG] r,
+  /**.[oO][dD][pP]     r,
+  /**.[fFpP][dD][fF]   r,
+  /**.[pP][nN][mM]     r,
+  /**.[pP][nN][gG]     r,
+  /**.[pP][sS]         r,
+  /**.[eE][pP][sS]     r,
+  /**.[eE][pP][sS][fFiI23] r,
+  /**.[tT][iI][fF]     r,
+  /**.[tT][iI][fF][fF] r,
+  /**.[xX][pP][mM]     r,
+  /**.[gG][zZ]         r,
+  /**.[bB][zZ]2        r,
+  /**.[cC][bB][rRzZ7]  r,
+  /**.[xX][zZ]         r,
+
+  owner @{HOME}/.texlive*/** r,
+  owner @{HOME}/.texmf*/** r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,
+
+  # With the network rules above, this allows data exfiltration for files
+  # not covered by private-files-strict.
+  @{HOME}/ r,
+  owner @{HOME}/[^.]** r,
+  owner /media/**  r,
+
+  owner /tmp/.gnome_desktop_thumbnail* w,
+  owner /tmp/gnome-desktop-* rw,
+  owner /tmp/atril-thumbnailer*/{,**} rw,
+  
+  # these happen post pivot_root
+  / r,
+  deny /missfont.log w,
+
+  # Add apparmor rule for mate's caja - LP#1798091
+  owner /tmp/.mate_desktop_thumbnail* w,
+  owner /tmp/mate-desktop-thumbnailer* w,
+
+  # Fix thumbnail issue #915024
+  owner @{HOME}/.cache/thumbnails/** rw,
+  owner /tmp/atril-thumbnailer* rw,
+
+}

helpers/DATA/atril/apparmor-profile.abstraction

+# vim:syntax=apparmor
+#
+# abstraction used by atril binaries
+#
+
+  #include <abstractions/gnome>
+  #include <abstractions/p11-kit>
+  #include <abstractions/ubuntu-helpers>
+
+  @{PROC}/[0-9]*/fd/ r,
+  @{PROC}/[0-9]*/mountinfo r,
+  owner @{PROC}/[0-9]*/auxv r,
+  owner @{PROC}/[0-9]*/status r,
+
+  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
+  # Possibly move to an abstraction if anything else needs it.
+  deny /run/udev/data/** r,
+
+  # move out to the gnome abstraction if anyone else needs these
+  /etc/udev/udev.conf r,
+  /sys/devices/**/block/**/uevent r,
+
+  # apport
+  /etc/default/apport r,
+
+  # XFCE
+  /etc/xfce4/defaults.list r,
+
+  # Lubuntu
+  /etc/xdg/lubuntu/applications/defaults.list r,
+
+  # atril specific
+  /etc/ r,
+  /etc/fstab r,
+  /etc/texmf/ r,
+  /etc/texmf/** r,
+  /etc/xpdf/* r,
+  owner @{HOME}/.config/atril/   rw,
+  owner @{HOME}/.config/atril/** rwkl,
+
+  /usr/bin/gs-esp ixr,
+  /usr/bin/mktexpk Cx -> sanitized_helper,
+  /usr/bin/mktextfm Cx -> sanitized_helper,
+  /usr/bin/dvipdfm Cx -> sanitized_helper,
+  /usr/bin/dvipdfmx Cx -> sanitized_helper,
+
+  # gio-launch-desktop was replaced by a very small shell script
+  /{usr/,}bin/{dash,bash} ixr,
+ 
+  # supported archivers
+  /{usr/,}bin/gzip ixr,
+  /{usr/,}bin/bzip2 ixr,
+  /usr/bin/unrar* ixr,
+  /usr/bin/unzip ixr,
+  /usr/bin/7zr ixr,
+  /usr/lib/p7zip/7zr ixr,
+  /usr/bin/7za ixr,
+  /usr/lib/p7zip/7za ixr,
+  /usr/bin/zipnote ixr,
+  /{usr/,}bin/tar ixr,
+  /usr/bin/xz ixr,
+
+  # allow read access to anything in /usr/share, for plugins and input methods
+  /usr/local/share/** r,
+  /usr/share/** r,
+  /usr/lib/ghostscript/** mr,
+  /var/lib/ghostscript/** r,
+  /var/lib/texmf/{,**} r,
+
+  # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
+  # read for all supported file formats
+  /**.[aA][iI]         r,
+  /**.[bB][mM][pP]     r,
+  /**.[dD][jJ][vV][uU] r,
+  /**.[dD][vV][iI]     r,
+  /**.[gG][iI][fF]     r,
+  /**.[jJ][pP][gG]     r,
+  /**.[jJ][pP][eE][gG] r,
+  /**.[oO][dD][pP]     r,
+  /**.[fFpP][dD][fF]   r,
+  /**.[pP][nN][mM]     r,
+  /**.[pP][nN][gG]     r,
+  /**.[pP][sS]         r,
+  /**.[eE][pP][sS]     r,
+  /**.[eE][pP][sS][fFiI23] r,
+  /**.[tT][iI][fF]     r,
+  /**.[tT][iI][fF][fF] r,
+  /**.[xX][pP][mM]     r,
+  /**.[gG][zZ]         r,
+  /**.[bB][zZ]2        r,
+  /**.[cC][bB][rRzZ7]  r,
+  /**.[xX][zZ]         r,
+
+  # Use abstractions/private-files instead of abstractions/private-files-strict
+  # and add the sensitive files manually to work around LP: #451422. The goal
+  # is to disallow access to the .mozilla folder in general, but to allow
+  # access to the Cache directory, which the browser may tell atril to open
+  # from directly.
+
+  #include <abstractions/private-files>
+  audit deny @{HOME}/.gnupg/{,**} mrwkl,
+  audit deny @{HOME}/.ssh/{,**} mrwkl,
+  audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
+  audit deny @{HOME}/.gnome2/ w,
+  audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
+  audit deny @{HOME}/.kde/{,share/,share/apps/} w,
+  audit deny @{HOME}/.kde/share/apps/kwallet/{,**} mrwkl,
+  audit deny @{HOME}/.pki/{,nssdb/} w,
+  audit deny @{HOME}/.pki/nssdb/{,**} wl,
+
+  audit deny @{HOME}/.mozilla/{,**/} w,
+  audit deny @{HOME}/.mozilla/*/*/* mrwkl,
+  audit deny @{HOME}/.mozilla/**/bookmarkbackups/{,**} mrwkl,
+  audit deny @{HOME}/.mozilla/**/chrome/{,**} mrwkl,
+  audit deny @{HOME}/.mozilla/**/extensions/{,**} mrwkl,
+  audit deny @{HOME}/.mozilla/**/gm_scripts/{,**} mrwkl,
+
+  audit deny @{HOME}/.config/ w,
+  audit deny @{HOME}/.config/chromium/{,**} mrwkl,
+  audit deny @{HOME}/.config/evolution/{,**} mrwkl,
+  audit deny @{HOME}/.evolution/{,**} mrwkl,
+  audit deny @{HOME}/.kde/{,share/,share/apps/} w,
+  audit deny @{HOME}/.kde/share/config/{,**} mrwkl,
+  audit deny @{HOME}/.kde/share/apps/kmail/{,**} mrwkl,
+  audit deny @{HOME}/.{,mozilla-}thunderbird/{,**/} w,
+  audit deny @{HOME}/.{,mozilla-}thunderbird/*/* mrwkl,
+  audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/{,**} mrwkl,