Merge branch 'master' of ssh://github.com/netblue30/firejail

43 files changed, 442 insertions, 125 deletions

diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index 8754e7eff..0a9628d31 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -54,7 +54,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845
+      uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -84,7 +84,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845
+      uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -110,7 +110,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845
+      uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -132,7 +132,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845
+      uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -150,7 +150,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845
+      uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
       with:
         egress-policy: block
         allowed-endpoints: >
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 32dbaf8cc..a53260e64 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -46,7 +46,7 @@ jobs:
       SHELL: /bin/bash
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845
+      uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
       with:
         egress-policy: block
         allowed-endpoints: >
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 34d5bcc27..4b9aaa7d6 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -75,7 +75,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845
+      uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
       with:
         disable-sudo: true
         egress-policy: block
@@ -93,7 +93,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8
+      uses: github/codeql-action/init@0ba4244466797eb048eb91a6cd43d5c03ca8bd05
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -104,7 +104,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8
+      uses: github/codeql-action/autobuild@0ba4244466797eb048eb91a6cd43d5c03ca8bd05
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -118,4 +118,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8
+      uses: github/codeql-action/analyze@0ba4244466797eb048eb91a6cd43d5c03ca8bd05
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml
index 0e7403508..8d4e5ba28 100644
--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845
+      uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
       with:
         disable-sudo: true
         egress-policy: block
diff --git a/Makefile b/Makefile
index 03ae71026..3055e226a 100644
--- a/Makefile
+++ b/Makefile
@@ -347,12 +347,12 @@ deb: dist config.sh
         ./mkdeb.sh
 
 .PHONY: test-compile
-test-compile: dist config.mk
-        cd test/compile; ./compile.sh $(TARNAME)-$(VERSION)
+test-compile: dist config.sh
+        cd test/compile; ./compile.sh
 
 .PHONY: rpms
-rpms: src/man config.mk
-        ./platform/rpm/mkrpm.sh $(TARNAME) $(VERSION)
+rpms: src/man config.sh
+        ./platform/rpm/mkrpm.sh
 
 .PHONY: extras
 extras: all
diff --git a/RELNOTES b/RELNOTES
index ac0136239..d6ffdc3b2 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -38,6 +38,8 @@ firejail (0.9.73) baseline; urgency=low
     make
   * build: simplify code related to man pages (#5898)
   * build: fix hardcoded make & remove unnecessary distclean targets (#5911)
+  * build: dist and asc improvements (#5916)
+  * build: fix some shellcheck issues & use config.sh in more scripts (#5927)
   * ci: always update the package db before installing packages (#5742)
   * ci: fix codeql unable to download its own bundle (#5783)
   * ci: split configure/build/install commands on gitlab (#5784)
diff --git a/ci/check/profiles/sort-firecfg.config.sh b/ci/check/profiles/sort-firecfg.config.sh
index 17a595350..dbfbf24f5 100755
--- a/ci/check/profiles/sort-firecfg.config.sh
+++ b/ci/check/profiles/sort-firecfg.config.sh
@@ -1,2 +1,5 @@
 #!/bin/sh
-tail -n +4 "$1" | sed 's/^# /#/' | LC_ALL=C sort -c -d
+# See ../../../src/firecfg/firecfg.config
+
+sed -E -e '/^#$/d' -e '/^# /d' -e 's/^#([^ ])/\1/' "$1" |
+LC_ALL=C sort -c -u
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index b0d1b7a66..38ab7221e 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -142,6 +142,7 @@ blacklist ${HOME}/.cache/inkscape
 blacklist ${HOME}/.cache/inox
 blacklist ${HOME}/.cache/io.github.lainsce.Notejot
 blacklist ${HOME}/.cache/iridium
+blacklist ${HOME}/.cache/journal-viewer
 blacklist ${HOME}/.cache/kcmshell5
 blacklist ${HOME}/.cache/kdenlive
 blacklist ${HOME}/.cache/keepassxc
@@ -171,6 +172,7 @@ blacklist ${HOME}/.cache/mirage
 blacklist ${HOME}/.cache/moonchild productions/basilisk
 blacklist ${HOME}/.cache/moonchild productions/pale moon
 blacklist ${HOME}/.cache/mozilla
+blacklist ${HOME}/.cache/mpv
 blacklist ${HOME}/.cache/ms-excel-online
 blacklist ${HOME}/.cache/ms-office-online
 blacklist ${HOME}/.cache/ms-onenote-online
@@ -472,6 +474,7 @@ blacklist ${HOME}/.config/google-chrome
 blacklist ${HOME}/.config/google-chrome-beta
 blacklist ${HOME}/.config/google-chrome-unstable
 blacklist ${HOME}/.config/gpicview
+blacklist ${HOME}/.config/gramps
 blacklist ${HOME}/.config/gthumb
 blacklist ${HOME}/.config/gummi
 blacklist ${HOME}/.config/guvcview2
@@ -899,6 +902,7 @@ blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/chatterino
 blacklist ${HOME}/.local/share/clipit
 blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
+blacklist ${HOME}/.local/share/com.vmingueza.journal-viewer
 blacklist ${HOME}/.local/share/contacts
 blacklist ${HOME}/.local/share/cor-games
 blacklist ${HOME}/.local/share/data/Mendeley Ltd.
@@ -1046,6 +1050,7 @@ blacklist ${HOME}/.local/share/xreader
 blacklist ${HOME}/.local/share/zathura
 blacklist ${HOME}/.local/state/ani-cli
 blacklist ${HOME}/.local/state/audacity
+blacklist ${HOME}/.local/state/mpv
 blacklist ${HOME}/.local/state/pipewire
 blacklist ${HOME}/.lv2
 blacklist ${HOME}/.lyx
diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile
index 48a2afdf2..9ec2f2ad1 100644
--- a/etc/profile-a-l/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@@ -10,6 +10,9 @@ noblacklist ${HOME}/.cache/0ad
 noblacklist ${HOME}/.config/0ad
 noblacklist ${HOME}/.local/share/0ad
 
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
 blacklist /usr/libexec
 
 include disable-common.inc
diff --git a/etc/profile-a-l/chatterino.profile b/etc/profile-a-l/chatterino.profile
index 2df03b10b..2a77b6fd6 100644
--- a/etc/profile-a-l/chatterino.profile
+++ b/etc/profile-a-l/chatterino.profile
@@ -12,11 +12,13 @@ include globals.local
 #whitelist ${MUSIC}
 
 # Also allow access to mpv/vlc, they're usable via streamlink.
+noblacklist ${HOME}/.cache/mpv
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/pulse
 noblacklist ${HOME}/.config/vlc
 noblacklist ${HOME}/.local/share/chatterino
 noblacklist ${HOME}/.local/share/vlc
+noblacklist ${HOME}/.local/state/mpv
 
 # Allow Lua for mpv (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
diff --git a/etc/profile-a-l/clac.profile b/etc/profile-a-l/clac.profile
new file mode 100644
index 000000000..b654b3890
--- /dev/null
+++ b/etc/profile-a-l/clac.profile
@@ -0,0 +1,63 @@
+# Firejail profile for clac
+# Description: Simple command-line calculator
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include clac.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+#include disable-X11.inc - x11 none
+include disable-xdg.inc
+
+#include whitelist-common.inc - see #903
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+# block socket syscall to simulate empty protocol option (see #639)
+seccomp socket
+seccomp.block-secondary
+tracelog
+x11 none
+
+disable-mnt
+private
+private-bin clac
+#private-cache
+private-dev
+private-etc
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/daisy.profile b/etc/profile-a-l/daisy.profile
new file mode 100644
index 000000000..40b29a1f5
--- /dev/null
+++ b/etc/profile-a-l/daisy.profile
@@ -0,0 +1,63 @@
+# Firejail profile for daisy
+# Description: TUI scientific calculator with support for units
+# This file is overwritten after every install/update
+# Persistent local customizations
+include daisy.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+#include disable-X11.inc # x11 none
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+# block socket syscall to simulate empty protocol option (see #639)
+seccomp socket
+seccomp.block-secondary
+tracelog
+x11 none
+
+disable-mnt
+private-bin daisy
+private-cache
+private-dev
+private-etc
+private-lib
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile
index 80790bb0c..70bd7370d 100644
--- a/etc/profile-a-l/dbus-send.profile
+++ b/etc/profile-a-l/dbus-send.profile
@@ -19,7 +19,7 @@ include disable-shell.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -28,8 +28,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
-# Breaks abstract sockets
-#net none
+#net none # breaks abstract sockets
 netfilter
 no3d
 nodvd
diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile
index bd6fb6dcc..bea114dd6 100644
--- a/etc/profile-a-l/drill.profile
+++ b/etc/profile-a-l/drill.profile
@@ -19,7 +19,7 @@ include disable-exec.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile
index f12750fda..566e88bf8 100644
--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -11,6 +11,7 @@ ignore include whitelist-runuser-common.inc
 
 ignore private-cache
 
+noblacklist ${HOME}/.cache/mpv
 noblacklist ${HOME}/.cache/youtube-dl
 noblacklist ${HOME}/.config/kgetrc
 noblacklist ${HOME}/.config/mpv
@@ -32,9 +33,11 @@ noblacklist ${HOME}/.local/share/kget
 noblacklist ${HOME}/.local/share/kxmlgui5/okular
 noblacklist ${HOME}/.local/share/okular
 noblacklist ${HOME}/.local/share/qpdfview
+noblacklist ${HOME}/.local/state/mpv
 noblacklist ${HOME}/.netrc
 
 whitelist ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.cache/mpv
 whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
 whitelist ${HOME}/.config/gnome-mplayer
 whitelist ${HOME}/.config/kgetrc
@@ -62,6 +65,7 @@ whitelist ${HOME}/.local/share/kxmlgui5/okular
 whitelist ${HOME}/.local/share/okular
 whitelist ${HOME}/.local/share/qpdfview
 whitelist ${HOME}/.local/share/tridactyl
+whitelist ${HOME}/.local/state/mpv
 whitelist ${HOME}/.netrc
 whitelist ${HOME}/.pentadactyl
 whitelist ${HOME}/.pentadactylrc
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index baf8f614e..2d0511cf6 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
index ddfe57879..e6fe27774 100644
--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -15,7 +15,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/libgweather
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile
index 025cb74b6..0c4ca35ac 100644
--- a/etc/profile-a-l/gnubik.profile
+++ b/etc/profile-a-l/gnubik.profile
@@ -15,7 +15,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/gnubik
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gramps.profile b/etc/profile-a-l/gramps.profile
index 5073e79c9..4b142e404 100644
--- a/etc/profile-a-l/gramps.profile
+++ b/etc/profile-a-l/gramps.profile
@@ -6,6 +6,7 @@ include gramps.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.config/gramps
 noblacklist ${HOME}/.gramps
 
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -19,7 +20,9 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.config/gramps
 mkdir ${HOME}/.gramps
+whitelist ${HOME}/.config/gramps
 whitelist ${HOME}/.gramps
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
index 19af7c0b9..5ccce8447 100644
--- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
+++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -15,7 +15,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/gravity-beams-and-evaporating-stars
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile
index 7eabbca84..e73ca44a8 100644
--- a/etc/profile-a-l/ipcalc.profile
+++ b/etc/profile-a-l/ipcalc.profile
@@ -18,7 +18,7 @@ include disable-programs.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
 
-# include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/journal-viewer.profile b/etc/profile-a-l/journal-viewer.profile
new file mode 100644
index 000000000..f73595fb1
--- /dev/null
+++ b/etc/profile-a-l/journal-viewer.profile
@@ -0,0 +1,68 @@
+# Firejail profile for journal-viewer
+# Description: Visualize systemd logs
+# This file is overwritten after every install/update
+# Persistent local customizations
+include journal-viewer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/journal-viewer
+noblacklist ${HOME}/.local/share/com.vmingueza.journal-viewer
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/journal-viewer
+mkdir ${HOME}/.local/share/com.vmingueza.journal-viewer
+whitelist ${HOME}/.cache/journal-viewer
+whitelist ${HOME}/.local/share/com.vmingueza.journal-viewer
+whitelist /run/log/journal
+whitelist /var/log/journal
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin journal-viewer
+private-cache
+private-dev
+private-etc machine-id
+private-lib webkit2gtk-*
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces
+read-only ${HOME}
+read-write ${HOME}/.cache/journal-viewer
+read-write ${HOME}/.local/share/com.vmingueza.journal-viewer
+writable-var-log
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile
index f8b5cec13..0e18b3cdf 100644
--- a/etc/profile-m-z/QMediathekView.profile
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.config/QMediathekView
 noblacklist ${HOME}/.local/share/QMediathekView
 
+noblacklist ${HOME}/.cache/mpv
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/smplayer
 noblacklist ${HOME}/.config/totem
@@ -16,6 +17,7 @@ noblacklist ${HOME}/.config/vlc
 noblacklist ${HOME}/.config/xplayer
 noblacklist ${HOME}/.local/share/totem
 noblacklist ${HOME}/.local/share/xplayer
+noblacklist ${HOME}/.local/state/mpv
 noblacklist ${HOME}/.mplayer
 noblacklist ${VIDEOS}
 
@@ -35,6 +37,7 @@ whitelist ${HOME}/.local/share/QMediathekView
 whitelist ${DOWNLOADS}
 whitelist ${VIDEOS}
 
+whitelist ${HOME}/.cache/mpv
 whitelist ${HOME}/.config/mpv
 whitelist ${HOME}/.config/smplayer
 whitelist ${HOME}/.config/totem
@@ -42,6 +45,7 @@ whitelist ${HOME}/.config/vlc
 whitelist ${HOME}/.config/xplayer
 whitelist ${HOME}/.local/share/totem
 whitelist ${HOME}/.local/share/xplayer
+whitelist ${HOME}/.local/state/mpv
 whitelist ${HOME}/.mplayer
 whitelist /usr/share/qtchooser
 include whitelist-common.inc
diff --git a/etc/profile-m-z/Xephyr.profile b/etc/profile-m-z/Xephyr.profile
index 2fc1d1b8a..0c3d4c1da 100644
--- a/etc/profile-m-z/Xephyr.profile
+++ b/etc/profile-m-z/Xephyr.profile
@@ -16,7 +16,7 @@ include globals.local
 #
 
 whitelist /var/lib/xkb
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 
 caps.drop all
 # Xephyr needs to be allowed access to the abstract Unix socket namespace.
diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile
index ee19fa3b0..2bb9f171a 100644
--- a/etc/profile-m-z/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
@@ -19,7 +19,7 @@ include globals.local
 #
 
 whitelist /var/lib/xkb
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 
 caps.drop all
 # Xvfb needs to be allowed access to the abstract Unix socket namespace.
diff --git a/etc/profile-m-z/mediathekview.profile b/etc/profile-m-z/mediathekview.profile
index 19ce6fcd1..ef0c8bcc9 100644
--- a/etc/profile-m-z/mediathekview.profile
+++ b/etc/profile-m-z/mediathekview.profile
@@ -6,6 +6,7 @@ include mediathekview.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.cache/mpv
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/smplayer
 noblacklist ${HOME}/.config/totem
@@ -13,6 +14,7 @@ noblacklist ${HOME}/.config/vlc
 noblacklist ${HOME}/.config/xplayer
 noblacklist ${HOME}/.local/share/totem
 noblacklist ${HOME}/.local/share/xplayer
+noblacklist ${HOME}/.local/state/mpv
 noblacklist ${HOME}/.mediathek3
 noblacklist ${HOME}/.mplayer
 noblacklist ${VIDEOS}
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile
index 4943a80af..a8c6e3533 100644
--- a/etc/profile-m-z/mirrormagic.profile
+++ b/etc/profile-m-z/mirrormagic.profile
@@ -39,7 +39,6 @@ seccomp
 tracelog
 
 disable-mnt
-private
 private-bin mirrormagic
 private-cache
 private-dev
diff --git a/etc/profile-m-z/mpsyt.profile b/etc/profile-m-z/mpsyt.profile
index e73e3142c..e4f76855e 100644
--- a/etc/profile-m-z/mpsyt.profile
+++ b/etc/profile-m-z/mpsyt.profile
@@ -6,9 +6,11 @@ include mpsyt.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.cache/mpv
 noblacklist ${HOME}/.config/mps-youtube
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.local/state/mpv
 noblacklist ${HOME}/.mplayer
 noblacklist ${HOME}/.netrc
 noblacklist ${HOME}/mps
@@ -32,13 +34,13 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/mps-youtube
-mkdir ${HOME}/.config/mpv
-mkdir ${HOME}/.config/youtube-dl
 mkdir ${HOME}/.mplayer
 mkdir ${HOME}/mps
+whitelist ${HOME}/.cache/mpv
 whitelist ${HOME}/.config/mps-youtube
 whitelist ${HOME}/.config/mpv
 whitelist ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.local/state/mpv
 whitelist ${HOME}/.mplayer
 whitelist ${HOME}/.netrc
 whitelist ${HOME}/mps
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index fd35483be..af8f00c0c 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -24,10 +24,12 @@ include globals.local
 #include allow-bin-sh.inc
 #private-bin sh
 
+noblacklist ${HOME}/.cache/mpv
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.config/yt-dlp
 noblacklist ${HOME}/.config/yt-dlp.conf
+noblacklist ${HOME}/.local/state/mpv
 noblacklist ${HOME}/.netrc
 noblacklist ${HOME}/yt-dlp.conf
 noblacklist ${HOME}/yt-dlp.conf.txt
@@ -49,12 +51,16 @@ include disable-programs.inc
 include disable-shell.inc
 
 read-only ${DESKTOP}
+mkdir ${HOME}/.cache/mpv
 mkdir ${HOME}/.config/mpv
+mkdir ${HOME}/.local/state/mpv
 mkfile ${HOME}/.netrc
+whitelist ${HOME}/.cache/mpv
 whitelist ${HOME}/.config/mpv
 whitelist ${HOME}/.config/youtube-dl
 whitelist ${HOME}/.config/yt-dlp
 whitelist ${HOME}/.config/yt-dlp.conf
+whitelist ${HOME}/.local/state/mpv
 whitelist ${HOME}/.netrc
 whitelist ${HOME}/yt-dlp.conf
 whitelist ${HOME}/yt-dlp.conf.txt
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile
index f0f2cca2e..5ec81c2ac 100644
--- a/etc/profile-m-z/notify-send.profile
+++ b/etc/profile-m-z/notify-send.profile
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile
index 4520ac2fa..d563064e1 100644
--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -18,7 +18,7 @@ include disable-programs.inc
 include disable-X11.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/reader.profile b/etc/profile-m-z/reader.profile
new file mode 100644
index 000000000..31c45fe84
--- /dev/null
+++ b/etc/profile-m-z/reader.profile
@@ -0,0 +1,63 @@
+# Firejail profile for reader
+# Description: Better readability of web pages on the CLI
+# This file is overwritten after every install/update
+# Persistent local customizations
+include reader.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+#include whitelist-common.inc # see #903
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet
+seccomp
+seccomp.block-secondary
+tracelog
+x11 none
+
+disable-mnt
+private
+private-bin reader
+private-cache
+private-dev
+private-etc @network,@tls-ca
+private-lib
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-m-z/rtv-addons.profile b/etc/profile-m-z/rtv-addons.profile
index cc6db5043..3098cf0a0 100644
--- a/etc/profile-m-z/rtv-addons.profile
+++ b/etc/profile-m-z/rtv-addons.profile
@@ -11,13 +11,17 @@ ignore nosound
 ignore private-bin
 ignore dbus-user none
 
+noblacklist ${HOME}/.cache/mpv
 noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.local/state/mpv
 noblacklist ${HOME}/.mailcap
 noblacklist ${HOME}/.netrc
 noblacklist ${HOME}/.w3m
 
+whitelist ${HOME}/.cache/mpv
 whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
 whitelist ${HOME}/.config/mpv
+whitelist ${HOME}/.local/state/mpv
 whitelist ${HOME}/.mailcap
 whitelist ${HOME}/.netrc
 whitelist ${HOME}/.w3m
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile
index 5985e0da3..49d98d9f5 100644
--- a/etc/profile-m-z/seahorse-adventures.profile
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -23,7 +23,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/seahorse-adventures
 whitelist /usr/share/games/seahorse-adventures
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/smtube.profile b/etc/profile-m-z/smtube.profile
index b617444af..7debd4057 100644
--- a/etc/profile-m-z/smtube.profile
+++ b/etc/profile-m-z/smtube.profile
@@ -6,12 +6,14 @@ include smtube.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.cache/mpv
+noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/smplayer
 noblacklist ${HOME}/.config/smtube
-noblacklist ${HOME}/.config/mpv
-noblacklist ${HOME}/.mplayer
 noblacklist ${HOME}/.config/vlc
 noblacklist ${HOME}/.local/share/vlc
+noblacklist ${HOME}/.local/state/mpv
+noblacklist ${HOME}/.mplayer
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index f2405a7d3..17e2f0856 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -8,9 +8,17 @@ include globals.local
 
 ignore include whitelist-runuser-common.inc
 
-# writable-run-user and dbus are needed by enigmail
+# TB stopped supporting enigmail in 2020 (v78) - let's harden D-Bus
+# https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq
 ignore dbus-user none
-ignore dbus-system none
+dbus-user filter
+dbus-user.own org.mozilla.thunderbird.*
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
+# e2ee email needs writable-run-user
+# https://support.mozilla.org/en-US/kb/introduction-to-e2e-encryption
 writable-run-user
 
 # If you want to read local mail stored in /var/mail edit /etc/apparmor.d/firejail-default accordingly
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile
index 310e8b470..970063f93 100644
--- a/etc/profile-m-z/wordwarvi.profile
+++ b/etc/profile-m-z/wordwarvi.profile
@@ -40,7 +40,6 @@ seccomp
 tracelog
 
 disable-mnt
-private
 private-bin wordwarvi
 private-cache
 private-dev
diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile
index e85bb9f18..46e3e81bc 100644
--- a/etc/profile-m-z/xbill.profile
+++ b/etc/profile-m-z/xbill.profile
@@ -16,7 +16,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/xbill
 whitelist /var/games/xbill/scores
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
index c9d2ea53b..5950c3639 100644
--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -7,8 +7,10 @@ include youtube-viewers-common.local
 # added by caller profile
 #include globals.local
 
+noblacklist ${HOME}/.cache/mpv
 noblacklist ${HOME}/.cache/youtube-dl
 noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.local/state/mpv
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
diff --git a/mkasc.sh b/mkasc.sh
index 62c1b1180..0314c20e5 100755
--- a/mkasc.sh
+++ b/mkasc.sh
@@ -3,7 +3,7 @@
 # Copyright (C) 2014-2023 Firejail Authors
 # License GPL v2
 
-. "$(dirname "$0")/config.sh"
+. "$(dirname "$0")/config.sh" || exit 1
 
 printf 'Calculating SHA256 for all files in /transfer - %s version %s' "$TARNAME" "$VERSION"
 
diff --git a/platform/rpm/mkrpm.sh b/platform/rpm/mkrpm.sh
index d32ccd360..0572480c6 100755
--- a/platform/rpm/mkrpm.sh
+++ b/platform/rpm/mkrpm.sh
@@ -3,23 +3,26 @@
 # Copyright (C) 2014-2023 Firejail Authors
 # License GPL v2
 #
-# Usage: ./platform/rpm/mkrpm.sh firejail <version> "<config options>"
+# Usage: ./platform/rpm/mkrpm.sh <config options>
 #
 # Builds rpms in a temporary directory then places the result in the
 # current working directory.
 
-name=$1
+# shellcheck source=config.sh
+. "$(dirname "$0")/../../config.sh" || exit 1
+
+name="$TARNAME"
 # Strip any trailing prefix from the version like -rc1 etc
-version=$(echo "$2" | sed 's/\-.*//g')
-config_opt=$3
+version="$(printf '%s\n' "$VERSION" | sed 's/\-.*//g')"
+config_opt="$*"
 
-if [[ ! -f platform/rpm/${name}.spec ]]; then
-    echo error: spec file not found for name \"${name}\"
+if [[ ! -f "platform/rpm/${name}.spec" ]]; then
+    printf 'error: spec file not found for name %s\n' "${name}" >&2
     exit 1
 fi
 
 if [[ -z "${version}" ]]; then
-    echo error: version must be given
+    printf 'error: version must be given\n' >&2
     exit 1
 fi
 
@@ -28,26 +31,27 @@ if [[ -z "${config_opt}" ]]; then
 fi
 
 # Make a temporary directory and arrange to clean up on exit
-tmpdir=$(mktemp -d)
-mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
+tmpdir="$(mktemp -d)"
+mkdir -p "${tmpdir}"/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
 function cleanup {
-    rm -rf ${tmpdir}
+    rm -rf "${tmpdir}"
 }
 trap cleanup EXIT
 
 # Create the spec file
-tmp_spec_file=${tmpdir}/SPECS/${name}.spec
+tmp_spec_file="${tmpdir}/SPECS/${name}.spec"
 sed -e "s/__NAME__/${name}/g" \
     -e "s/__VERSION__/${version}/g" \
     -e "s/__CONFIG_OPT__/${config_opt}/g" \
-    platform/rpm/${name}.spec >${tmp_spec_file}
+    "platform/rpm/${name}.spec" >"${tmp_spec_file}"
 # FIXME: We could parse RELNOTES and create a %changelog section here
 
 # Copy the source to build into a tarball
-tar --exclude='./.git*' --transform "s/^./${name}-${version}/" -czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz .
+tar --exclude='./.git*' --transform "s/^./${name}-${version}/" \
+    -czf "${tmpdir}/SOURCES/${name}-${version}.tar.gz" .
 
 # Build the files (rpm, debug rpm and source rpm)
-rpmbuild --quiet --define "_topdir ${tmpdir}" -ba ${tmp_spec_file}
+rpmbuild --quiet --define "_topdir ${tmpdir}" -ba "${tmp_spec_file}"
 
 # Copy the results to cwd
-mv ${tmpdir}/SRPMS/*.rpm ${tmpdir}/RPMS/*/*rpm .
+mv "${tmpdir}/SRPMS"/*.rpm "${tmpdir}/RPMS"/*/*rpm .
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index ce69738eb..7db4480b6 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -1,6 +1,8 @@
 # /etc/firejail/firecfg.config - firecfg utility configuration file
 # This is the list of programs in alphabetical order handled by firecfg utility
 #
+# Note: Normal comment lines should start with `# ` and commented code lines
+# should start with just `#` (no spaces).
 0ad
 1password
 2048-qt
@@ -51,7 +53,7 @@ ani-cli
 anydesk
 apktool
 apostrophe
-# ar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#ar # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 arch-audit
 archaudit-report
 ardour4
@@ -63,9 +65,9 @@ arm
 artha
 assogiate
 asunder
-# atom
-# atom-beta
-# atool - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#atom
+#atom-beta
+#atool # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 atril
 atril-previewer
 atril-thumbnailer
@@ -112,10 +114,10 @@ brave-browser-beta
 brave-browser-dev
 brave-browser-nightly
 brave-browser-stable
-# bunzip2 - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# bzcat - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#bunzip2 # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#bzcat # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 bzflag
-# bzip2 - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#bzip2 # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 cachy-browser
 calibre
 calligra
@@ -145,12 +147,13 @@ chromium-freeworld
 cin
 cinelerra
 cinelerra-gg
+clac
 clamdscan
 clamdtop
 clamscan
 clamtk
-clawsker
 claws-mail
+clawsker
 clementine
 clion
 clion-eap
@@ -182,6 +185,8 @@ crow
 cryptocat
 cvlc
 cyberfox
+d-feet
+daisy
 darktable
 dconf-editor
 ddgr
@@ -191,7 +196,6 @@ deluge
 desktopeditors
 devhelp
 dex2jar
-d-feet
 dia
 dig
 digikam
@@ -235,14 +239,14 @@ enpass
 eog
 eom
 ephemeral
-#epiphany - see #2995
+#epiphany # see #2995
 equalx
 et
 etr
 evince
 evince-previewer
 evince-thumbnailer
-#evolution - see #3647
+#evolution # see #3647
 exfalso
 exiftool
 falkon
@@ -270,8 +274,8 @@ flacsplt
 flameshot
 flashpeak-slimjet
 flowblade
-fontforge
 font-manager
+fontforge
 fossamail
 four-in-a-row
 fractal
@@ -318,7 +322,7 @@ git-cola
 gitg
 github-desktop
 gitter
-# gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102
+#gjs # https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102
 gl-117
 glaxium
 globaltime
@@ -383,12 +387,12 @@ gradio
 gramps
 gravity-beams-and-evaporating-stars
 gthumb
-gtk2-youtube-viewer
-gtk3-youtube-viewer
 gtk-lbry-viewer
 gtk-pipe-viewer
 gtk-straw-viewer
 gtk-youtube-viewer
+gtk2-youtube-viewer
+gtk3-youtube-viewer
 guayadeque
 gucharmap
 gummi
@@ -409,8 +413,8 @@ icecat
 icedove
 iceweasel
 idea
-ideaIC
 idea.sh
+ideaIC
 imagej
 img2txt
 impressive
@@ -429,6 +433,7 @@ jdownloader
 jerry
 jitsi
 jitsi-meet-desktop
+journal-viewer
 jumpnbump
 jumpnbump-menu
 k3b
@@ -439,7 +444,7 @@ karbon
 kate
 kazam
 kcalc
-# kdeinit4
+#kdeinit4
 kdenlive
 kdiff3
 keepass
@@ -449,7 +454,7 @@ keepassx2
 keepassxc
 keepassxc-cli
 keepassxc-proxy
-# kfind
+#kfind
 kget
 kid3
 kid3-cli
@@ -466,15 +471,15 @@ kodi
 konversation
 kopete
 krita
-# krunner
+#krunner
 ktorrent
 ktouch
 kube
-# kwin_x11
+#kwin_x11
 kwrite
 lbry-viewer
 leafpad
-# less - breaks man
+#less # breaks man
 librecad
 libreoffice
 librewolf
@@ -499,12 +504,12 @@ lollypop
 lomath
 loweb
 lowriter
-# lrunzip - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# lrz - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# lrzcat - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# lrzip - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# lrztar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# lrzuntar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#lrunzip # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#lrz # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#lrzcat # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#lrzip # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#lrztar # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#lrzuntar # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 luminance-hdr
 lximage-qt
 lxmusic
@@ -558,7 +563,6 @@ mp3wrap
 mpDris2
 mpg123
 mpg123-alsa
-mpg123.bin
 mpg123-id3dump
 mpg123-jack
 mpg123-nas
@@ -567,6 +571,7 @@ mpg123-oss
 mpg123-portaudio
 mpg123-pulse
 mpg123-strip
+mpg123.bin
 mplayer
 mpsyt
 mpv
@@ -635,11 +640,11 @@ onionshare-cli
 onionshare-gui
 ooffice
 ooviewdoc
+open-invaders
 openarena
 openarena_ded
 opencity
 openclonk
-open-invaders
 openmw
 openmw-launcher
 openoffice.org
@@ -696,9 +701,9 @@ profanity
 psi
 psi-plus
 pybitmessage
-# pycharm-community - FB note: may enable later
-# pycharm-professional
-# pzstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#pycharm-community # FB note: may enable later
+#pycharm-professional
+#pzstd # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 qbittorrent
 qcomicbook
 qemu-launcher
@@ -720,6 +725,7 @@ qupzilla
 qutebrowser
 raincat
 rambox
+reader
 redeclipse
 rednotebook
 redshift
@@ -778,22 +784,22 @@ sniffnet
 snox
 soffice
 sol
-soundconverter
 sound-juicer
+soundconverter
 spectacle
 spectral
 spotify
 sqlitebrowser
 ssh
-# ssh-agent - problems on Arch with Fish shell (#1568)
+#ssh-agent # problems on Arch with Fish shell (#1568)
 standardnotes-desktop
 start-tor-browser
 steam
 steam-native
 steam-runtime
 stellarium
-strawberry
 straw-viewer
+strawberry
 strings
 studio.sh
 subdownloader
@@ -824,7 +830,6 @@ thunderbird-beta
 thunderbird-wayland
 tilp
 tor-browser
-torbrowser
 tor-browser-ar
 tor-browser-ca
 tor-browser-cs
@@ -846,7 +851,6 @@ tor-browser-it
 tor-browser-ja
 tor-browser-ka
 tor-browser-ko
-torbrowser-launcher
 tor-browser-nb
 tor-browser-nl
 tor-browser-pl
@@ -857,6 +861,8 @@ tor-browser-tr
 tor-browser-vi
 tor-browser-zh-cn
 tor-browser-zh-tw
+torbrowser
+torbrowser-launcher
 torcs
 totem
 tracker
@@ -886,7 +892,7 @@ uget-gtk
 unbound
 unf
 unknown-horizons
-# unzstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#unzstd # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 url-eater
 utox
 uudeview
@@ -899,10 +905,10 @@ vivaldi-beta
 vivaldi-snapshot
 vivaldi-stable
 vlc
-#vmplayer - unable to install kernel modules (see #5861)
-#vmware - unable to install kernel modules (see #5861)
-#vmware-player - unable to install kernel modules (see #5861)
-#vmware-workstation - unable to install kernel modules (see #5861)
+#vmplayer # unable to install kernel modules (see #5861)
+#vmware # unable to install kernel modules (see #5861)
+#vmware-player # unable to install kernel modules (see #5861)
+#vmware-workstation # unable to install kernel modules (see #5861)
 vscodium
 vulturesclaw
 vultureseye
@@ -966,8 +972,8 @@ yelp
 youtube
 youtube-dl
 youtube-dl-gui
-youtubemusic-nativefier
 youtube-viewer
+youtubemusic-nativefier
 yt-dlp
 ytmdesktop
 zaproxy
@@ -977,10 +983,10 @@ zeal
 zim
 zlib-flate
 zoom
-# zpaq - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# zstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# zstdcat - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# zstdgrep - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# zstdless - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
-# zstdmt - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#zpaq # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#zstd # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#zstdcat # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#zstdgrep # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#zstdless # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+#zstdmt # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 zulip
diff --git a/test/compile/compile.sh b/test/compile/compile.sh
index da6e43a5a..0e3425f8d 100755
--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -11,7 +11,8 @@
 #                          install contrib scripts
 #  --enable-analyzer       enable GCC 10 static analyzer
 
-
+# shellcheck source=config.sh
+. "$(dirname "$0")/../../config.sh" || exit 1
 
 arr[1]="TEST 1: standard compilation"
 arr[2]="TEST 2: compile dbus proxy disabled"
@@ -51,7 +52,7 @@ print_title() {
         echo "**************************************************"
 }
 
-DIST="$1"
+DIST="$(TARNAME)-$(VERSION)"
 while [[ $# -gt 0 ]]; do    # Until you run out of parameters . . .
         case "$1" in
         --clean)
@@ -79,7 +80,7 @@ echo "$DIST"
 tar -xJvf ../../"$DIST.tar.xz"
 mv "$DIST" firejail
 
-cd firejail
+cd firejail || exit 1
 ./configure --prefix=/usr --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
 cd ..
@@ -95,7 +96,7 @@ rm output-configure output-make
 # - disable dbus proxy configuration
 #*****************************************************************
 print_title "${arr[2]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-dbusproxy --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -112,7 +113,7 @@ rm output-configure output-make
 # - disable chroot configuration
 #*****************************************************************
 print_title "${arr[3]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-chroot --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -129,7 +130,7 @@ rm output-configure output-make
 # - disable firetunnel configuration
 #*****************************************************************
 print_title "${arr[4]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-firetunnel --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -146,7 +147,7 @@ rm output-configure output-make
 # - disable user namespace configuration
 #*****************************************************************
 print_title "${arr[5]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-userns --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -164,7 +165,7 @@ rm output-configure output-make
 # - check compilation
 #*****************************************************************
 print_title "${arr[6]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-network --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -181,7 +182,7 @@ rm output-configure output-make
 # - disable X11 support
 #*****************************************************************
 print_title "${arr[7]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-x11 --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -198,7 +199,7 @@ rm output-configure output-make
 # - enable selinux
 #*****************************************************************
 print_title "${arr[8]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --enable-selinux --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -215,7 +216,7 @@ rm output-configure output-make
 # - disable file transfer
 #*****************************************************************
 print_title "${arr[9]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-file-transfer --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -232,7 +233,7 @@ rm output-configure output-make
 # - disable whitelist
 #*****************************************************************
 print_title "${arr[10]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-whitelist --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -249,7 +250,7 @@ rm output-configure output-make
 # - disable global config
 #*****************************************************************
 print_title "${arr[11]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-globalcfg --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -266,7 +267,7 @@ rm output-configure output-make
 # - enable apparmor
 #*****************************************************************
 print_title "${arr[12]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --enable-apparmor --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -283,7 +284,7 @@ rm output-configure output-make
 # - enable busybox workaround
 #*****************************************************************
 print_title "${arr[13]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --enable-busybox-workaround --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -300,7 +301,7 @@ rm output-configure output-make
 # - disable overlayfs
 #*****************************************************************
 print_title "${arr[14]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-overlayfs --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -317,7 +318,7 @@ rm output-configure output-make
 # - disable private home
 #*****************************************************************
 print_title "${arr[15]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-private-home --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -334,7 +335,7 @@ rm output-configure output-make
 # - disable manpages
 #*****************************************************************
 print_title "${arr[16]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-man --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -351,7 +352,7 @@ rm output-configure output-make
 # - disable tmpfs as regular user"
 #*****************************************************************
 print_title "${arr[17]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-usertmpfs --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -368,7 +369,7 @@ rm output-configure output-make
 # - disable private home feature
 #*****************************************************************
 print_title "${arr[18]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-private-home --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -385,7 +386,7 @@ rm output-configure output-make
 # - enable ids
 #*****************************************************************
 print_title "${arr[19]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --enable-ids --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make