The wrapper script in the AUR (Arch Linux) package is inconsistent with the upstream wrapper script #46151

Open
Stebalien opened this issue May 17, 2025 · 0 comments

Stebalien commented May 17, 2025

The AUR package (https://aur.archlinux.org/packages/brave-bin) uses a custom wrapper (https://aur.archlinux.org/cgit/aur.git/tree/brave-bin.sh?h=brave-bin) that's out-of-date with the upstream wrapper. E.g.:

  • It doesn't set CHROME_WRAPPER so PWAs installed through Brave don't use the correct wrapper. Instead, they use the upstream wrapper (installed in /opt/brave-bin/brave-browser).
  • It doesn't disable the gnome crash dialog as the upstream wrapper does.
  • It doesn't sanitize stdin/stdout/stderr as the upstream wrapper does (which is apparently a security issue? see http://crbug.com/376567).

On the other hand, the built-in wrapper (https://github.com/brave/chromium/blob/master/chrome/installer/linux/common/wrapper):

  1. Unnecessarily overrides the default xdg utilities (unnecessary on Arch Linux, at least).
  2. Doesn't load command-line flags from ~/.config/brave-flags.conf (whereas the wrapper script in the AUR package does).
  3. Adds /opt/brave-browser/lib to the LD_LIBRARY_PATH which doesn't even exist.

I'm not sure how you want to reconcile this but I'd recommend:

  1. Keeping the custom launcher script, removing the upstream launcher script when building the package.
  2. Modifying the script & PKGBUILD as follows (diff applies to https://aur.archlinux.org/packages/brave-bin).
diff --git a/PKGBUILD b/PKGBUILD
index 95a60db..e09de1a 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -33,7 +33,7 @@ source_x86_64=(${pkgname}-${pkgver}-x86_64.zip::https://github.com/brave/brave-b
 source_aarch64=(${pkgname}-${pkgver}-aarch64.zip::https://github.com/brave/brave-browser/releases/download/v${pkgver}/brave-browser-${pkgver}-linux-arm64.zip)
 
 noextract=(${pkgname}-${pkgver}-x86_64.zip ${pkgname}-${pkgver}-aarch64.zip)
-sha256sums=('75a87dd17b42fcc6f27adfd16c82bed1c08e9251b07d2012f8d49f7412fa1d00'
+sha256sums=('09687965472b4ed29c3fefcccca85012cd9544814b164e192f980472e360418b'
             'c07276b69c7304981525ecb022f92daf7ae125a4fb05ac3442157b50826e257a')
 sha256sums_x86_64=('f8acbb4bb65b35b695f74e8555c359102f38bd6151e0223f1036faf2448bc858')
 sha256sums_aarch64=('788ac784d5e0eb3acae320c2ec5b0da1b1880c235cf12b424f4aa6d15ddcda41')
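Review bot: Only the first entry of sha256sums changes in this hunk, and nothing visible in the diff shows which source file it belongs to or a pkgrel bump to accompany it. If that entry is the checksum of brave-bin.sh, regenerate it with updpkgsums after the last edit to the script rather than pasting a hash, and bump pkgrel so that existing installs of the same pkgver receive the new wrapper.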
@@ -48,8 +48,15 @@ package() {
        install -dm0755 "$pkgdir/opt"
        cp -a brave "$pkgdir/opt/$pkgname"
 
+        # Remove bundled XDG settings, we manage this ourselves.
+        rm "$pkgdir/opt/$pkgname/xdg-mime"
+        rm "$pkgdir/opt/$pkgname/xdg-settings"
+
+        # Remove the wrapper script, we have our own.
+        rm "$pkgdir/opt/$pkgname/brave-browser"
+
        # allow firejail users to get the suid sandbox working
-       chmod 4755 "$pkgdir/opt/brave-bin/chrome-sandbox"
+       chmod 4755 "$pkgdir/opt/$pkgname/chrome-sandbox"
 
        install -Dm0755 "$pkgname.sh" "$pkgdir/usr/bin/brave"
        install -Dm0644 -t "$pkgdir/usr/share/applications/" "brave-browser.desktop"
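Review bot: Removing "$pkgdir/opt/$pkgname/brave-browser" outright means any PWA launcher that was already created against /opt/brave-bin/brave-browser (the behaviour the issue text describes) points at a missing file after the upgrade. Consider installing a symlink from that path to /usr/bin/brave instead of a bare rm. The three rm calls also fail if upstream ever stops shipping one of those files; if that is meant as a tripwire, say so in the comment, otherwise use rm -f. The added lines are indented differently from their neighbours (compare the new rm lines with the chmod line), so match the file's existing indentation.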
diff --git a/brave-bin.sh b/brave-bin.sh
index 31c435c..5654eb1 100644
--- a/brave-bin.sh
+++ b/brave-bin.sh
@@ -21,5 +21,13 @@ do
 done
 
 export CHROME_VERSION_EXTRA='stable'
+export CHROME_WRAPPER="`readlink -f "$0"`"
+export GNOME_DISABLE_CRASH_DIALOG=SET_BY_GOOGLE_CHROME
+
+# Sanitize std{in,out,err} because they'll be shared with untrusted child
+# processes (http://crbug.com/376567).
+exec < /dev/null
+exec > >(exec cat)
+exec 2> >(exec cat >&2)
 
 exec /opt/brave-bin/brave "${FLAG_LIST[@]}" "${@}"
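Review bot: The comment above the three exec redirections says why the descriptors are sanitized but not how, and the two cat lines are not self-explanatory. Add a line stating that stdin is replaced by /dev/null and that stdout and stderr are routed through cat processes, so the browser and its children no longer hold the caller's original descriptors, and that the wrapper therefore ignores piped stdin. On the CHROME_WRAPPER line, prefer $(readlink -f "$0") over backticks, which avoids the nested-quote reading problem. The final exec line still hardcodes /opt/brave-bin while the PKGBUILD hunk switches to $pkgname; this is fine as long as the two are kept in step.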