Firefox with uBlock Origin and arkenfox user.js is a setup recommended by many privacy advocates. I created an overlay for Portage (Gentoo’s package manager) to install and update them like system packages.

Why

Recently, I found my Firefox addons were terribly outdated. I brought this on myself - I avoid automatic updates (why#1 why#2), whereas user.js requires a manual update. However, I manage to update the system regularly somehow.

Idea: update Firefox addons alongside my system packages. This is not new: in Arch Linux there are AUR packages that allow this. This inspired me to try the same in Portage.

Result

There are two packages of interest:

  • www-misc/firefox-policy blocks browser and addon updates system-wide and installs addons from packages in www-plugins (see USE flags)
  • www-misc/arkenfox installs user.js system-wide. WARNING: by default this config clears your history on exit, among other potentially destructive things. You can apply user-overrides.js with savedconfig.

    USE="redirect nocookiespopup" emerge firefox-policy arkenfox
    [ebuild  N     ] www-plugins/ublock-origin-bin-1.57.2
    [ebuild  N     ] www-plugins/libredirect-bin-2.8.4
    [ebuild  N     ] www-plugins/istilldontcareaboutcookies-bin-1.1.4
    [ebuild  N     ] dev-libs/oniguruma-6.9.8  USE="-crnl-as-line-terminator -static-libs" ABI_X86="(64) -32 (-x32)"
    [ebuild  N     ] www-misc/arkenfox-122  USE="savedconfig"
    [ebuild  N     ] app-misc/jq-1.7.1  USE="oniguruma -static-libs -test"
    [ebuild  N     ] www-misc/firefox-policy-1.0  USE="nocookiespopup noupdate redirect ublock"

Conclusion

Did I solve my problem? Not really - I have to update the overlay now… but it’s easier to remember and can help others.

Remarks and plans

Apparently, you could once semi-automatically sideload addons by dropping them in a directory. However, this has not been supported since 2020, allegedly for security reasons. The ESR, Developer, Nightly and unbranded editions were spared, but few people use them.

I don’t know the full story, but in my opinion this justification is weird. The sideloading directory should be owned by root, and if a malicious actor has root permissions, you have more serious problems than a weird browser addon.

Anyway, sideloading of signed addons (among other things) is still kept for enterprise users. By installing a policy one can still (force-)install addons for all users on a computer. But, again, the addons must be signed. For that reason, the overlay has -bin packages that pull addons from Mozilla servers. I still prepared a source-based package for uBlock Origin in case I move to self-compiled Firefox.
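
As an added example (not the overlay's own code), this Python script generates a policies.json of the kind described above: it force-installs every XPI found in a directory through the ExtensionSettings policy and, matching the noupdate flag, disables browser and addon updates. The directory argument and the output path in the usage comment are assumptions; the addon ID is read from each XPI's manifest, and an XPI that declares none or that is writable by group or others is rejected.

```python
import json
import stat
import zipfile
from pathlib import Path


def addon_id(xpi: Path) -> str:
    """Return the add-on ID declared in manifest.json inside an XPI (a zip file)."""
    with zipfile.ZipFile(xpi) as z:
        manifest = json.loads(z.read("manifest.json"))
    # Current key first, then the legacy "applications" spelling.
    for key in ("browser_specific_settings", "applications"):
        gecko_id = manifest.get(key, {}).get("gecko", {}).get("id")
        if gecko_id:
            return gecko_id
    raise ValueError(f"{xpi.name}: manifest.json declares no gecko id")


def build_policy(xpi_dir: Path, no_update: bool = True) -> dict:
    """Build a policies.json document force-installing every XPI in xpi_dir."""
    settings = {}
    for xpi in sorted(xpi_dir.glob("*.xpi")):
        # A policy applies to all users, so the file it points at must not be
        # writable by anyone but its owner (expected to be root).
        if xpi.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{xpi.name}: group/world-writable")
        settings[addon_id(xpi)] = {
            "installation_mode": "force_installed",
            "install_url": xpi.resolve().as_uri(),  # file:// URL of local copy
            "updates_disabled": no_update,
        }
    policies = {"ExtensionSettings": settings}
    if no_update:
        policies["DisableAppUpdate"] = True  # browser is updated by the package manager
        policies["ExtensionUpdate"] = False  # so are the add-ons
    return {"policies": policies}


if __name__ == "__main__":
    import sys
    # Assumed usage: mkpolicy.py <xpi-dir> > /etc/firefox/policies/policies.json
    print(json.dumps(build_policy(Path(sys.argv[1])), indent=2))
```

Firefox still verifies the signature of every XPI installed this way, so the files have to be the signed builds from Mozilla's servers.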