aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/chromium.scm
diff options
context:
space:
mode:
authorMarius Bakke <marius@gnu.org>2020-06-21 21:44:07 +0200
committerMarius Bakke <marius@gnu.org>2020-06-22 17:16:39 +0200
commit75527eb1cbbd0cad80d10743fb3b6e4ac0b4ba22 (patch)
tree922c7ee87f43b1601cf61e784d6ae28cc258e562 /gnu/packages/chromium.scm
parent8169cc736a6998fa33f7a86c5c13cd01cbafec92 (diff)
downloadguix-75527eb1cbbd0cad80d10743fb3b6e4ac0b4ba22.tar
guix-75527eb1cbbd0cad80d10743fb3b6e4ac0b4ba22.tar.gz
gnu: ungoogled-chromium: Update to 83.0.4103.106-0.f08ce8b [security fixes].
This fixes CVE-2020-6465, CVE-2020-6466, CVE-2020-6467, CVE-2020-6468, CVE-2020-6469, CVE-2020-6470, CVE-2020-6471, CVE-2020-6472, CVE-2020-6473, CVE-2020-6474, CVE-2020-6475, CVE-2020-6476, CVE-2020-6477, CVE-2020-6478, CVE-2020-6479, CVE-2020-6480, CVE-2020-6481, CVE-2020-6482, CVE-2020-6483, CVE-2020-6484, CVE-2020-6485, CVE-2020-6486, CVE-2020-6487, CVE-2020-6488, CVE-2020-6489, CVE-2020-6490, CVE-2020-6491, CVE-2020-6493, CVE-2020-6494, CVE-2020-6495, CVE-2020-6496, CVE-2020-6497, and CVE-2020-6498. * gnu/packages/patches/ungoogled-chromium-system-jsoncpp.patch, gnu/packages/patches/ungoogled-chromium-system-zlib.patch: New files. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/chromium.scm (%preserved-third-party-files): Adjust for 83. (%chromium-version): Set to 83.0.4103.106. (%ungoogled-revision): Set to f08ce8b3f1300ef0750b5d6bf967b9cbbfd9a56d. (%gentoo-revision, %gentoo-patches, %debian-patches): New variables. (gentoo-patch, debian-patch): New procedures. (%chromium-origin, %ungoogled-origin): Update hashes. (ungoogled-chromium-source): Don't apply patches from %DEBIAN-ORIGIN, but take %GENTOO-PATCHES, %DEBIAN-PATCHES, and the local patch files. (ungoogled-chromium)[arguments]: Remove "enable_swiftshader=false" from #:configure-flags. Add "icu_use_data_file=false". Set CFLAGS in phase. Remove obsolete substitution. Adjust install phase to install .so files for ANGLE and Swiftshader. [native-inputs]: Change from CLANG-9 to CLANG-10. [inputs]: Replace ICU4C with ICU4C-67. (ungoogled-chromium/wayland): Remove obsolete substitution. Add "ozone_platform_x11=true" in #:configure-flags.
Diffstat (limited to 'gnu/packages/chromium.scm')
-rw-r--r--gnu/packages/chromium.scm221
1 files changed, 114 insertions, 107 deletions
diff --git a/gnu/packages/chromium.scm b/gnu/packages/chromium.scm
index 63a4ea6546..8b0b99aa19 100644
--- a/gnu/packages/chromium.scm
+++ b/gnu/packages/chromium.scm
@@ -98,6 +98,7 @@
"third_party/angle/src/third_party/compiler" ;BSD-2
"third_party/angle/src/third_party/libXNVCtrl" ;Expat
"third_party/angle/src/third_party/trace_event" ;BSD-3
+ "third_party/angle/src/third_party/volk" ;Expat
"third_party/angle/third_party/vulkan-headers" ;ASL2.0
"third_party/angle/third_party/vulkan-loader" ;ASL2.0
"third_party/angle/third_party/vulkan-tools" ;ASL2.0
@@ -117,6 +118,7 @@
;; XXX: This is a minified version of <https://d3js.org/>.
"third_party/catapult/tracing/third_party/d3" ;BSD-3
"third_party/catapult/tracing/third_party/gl-matrix" ;Expat
+ "third_party/catapult/tracing/third_party/jpeg-js" ;ASL2.0
;; XXX: Minified version of <https://github.com/Stuk/jszip>.
"third_party/catapult/tracing/third_party/jszip" ;Expat or GPL3
"third_party/catapult/tracing/third_party/mannwhitneyu" ;Expat
@@ -136,6 +138,7 @@
"third_party/depot_tools/owners.py" ;BSD-3
"third_party/devtools-frontend" ;BSD-3
"third_party/devtools-frontend/src/front_end/third_party/fabricjs" ;Expat
+ "third_party/devtools-frontend/src/front_end/third_party/lighthouse" ;ASL2.0
"third_party/devtools-frontend/src/front_end/third_party/wasmparser" ;ASL2.0
"third_party/devtools-frontend/src/third_party/axe-core" ;MPL2.0
"third_party/devtools-frontend/src/third_party/pyjson5" ;ASL2.0
@@ -148,6 +151,7 @@
"third_party/google_input_tools/third_party/closure_library" ;ASL2.0
"third_party/google_input_tools/third_party/closure_library/third_party/closure" ;Expat
"third_party/googletest" ;BSD-3
+ "third_party/harfbuzz-ng" ;Expat
"third_party/hunspell" ;MPL1.1/GPL2+/LGPL2.1+
"third_party/iccjpeg" ;IJG
"third_party/inspector_protocol" ;BSD-3
@@ -171,6 +175,7 @@
"third_party/libxml/chromium" ;BSD-3
"third_party/libyuv" ;BSD-3
"third_party/lss" ;BSD-3
+ "third_party/mako" ;Expat
"third_party/markupsafe" ;BSD-3
"third_party/mesa_headers" ;Expat, SGI
"third_party/metrics_proto" ;BSD-3
@@ -199,6 +204,7 @@
"third_party/qcms" ;Expat
"third_party/rnnoise" ;BSD-3
"third_party/s2cellid" ;ASL2.0
+ "third_party/schema_org" ;CC-BY-SA3.0
"third_party/skia" ;BSD-3
"third_party/skia/include/third_party/skcms" ;BSD-3
"third_party/skia/third_party/skcms" ;BSD-3
@@ -208,6 +214,13 @@
"third_party/spirv-headers" ;ASL2.0
"third_party/SPIRV-Tools" ;ASL2.0
"third_party/sqlite" ;Public domain
+ "third_party/swiftshader" ;ASL2.0
+ "third_party/swiftshader/third_party/astc-encoder" ;ASL2.0
+ "third_party/swiftshader/third_party/llvm-7.0" ;NCSA
+ "third_party/swiftshader/third_party/llvm-subzero" ;NCSA
+ "third_party/swiftshader/third_party/marl" ;ASL2.0
+ "third_party/swiftshader/third_party/subzero" ;NCSA
+ "third_party/swiftshader/third_party/SPIRV-Headers" ;X11-style
"third_party/usb_ids" ;BSD-3
"third_party/usrsctp" ;BSD-2
"third_party/wayland/wayland_scanner_wrapper.py" ;BSD-3
@@ -248,14 +261,73 @@ from forcing GEXP-PROMISE."
#:system system
#:guile-for-build guile)))
-(define %chromium-version "81.0.4044.138")
-(define %ungoogled-revision "c2a89fb6b5b559c826796c811741fa8ed3e11de8")
+(define %chromium-version "83.0.4103.106")
+(define %ungoogled-revision "f08ce8b3f1300ef0750b5d6bf967b9cbbfd9a56d")
(define %debian-revision "debian/81.0.4044.92-1")
+(define %gentoo-revision "55ef09d6709f4e4cbe23418e4ade0f219fa2fa1f")
(define package-revision "0")
(define %package-version (string-append %chromium-version "-"
package-revision "."
(string-take %ungoogled-revision 7)))
+(define (gentoo-patch name revision hash)
+ (origin
+ (method url-fetch)
+ (uri (string-append "https://gitweb.gentoo.org/repo/gentoo.git/plain"
+ "/www-client/chromium/files/" name "?id=" revision))
+ (file-name (string-append "ungoogled-" name))
+ (sha256 (base32 hash))))
+
+(define %gentoo-patches
+ (list (gentoo-patch "chromium-fix-char_traits.patch" %gentoo-revision
+ "1zr9wj2rj5phwdiffykd8w3srmzn0xxgmznz762qp7rs7amnp8ns")
+ (gentoo-patch "chromium-blink-style_format.patch" %gentoo-revision
+ "098akk5l01m0n3zz08ycz1kp3xmjnbng6d399z1fnb2zigbf0b0z")
+ (gentoo-patch "chromium-78-protobuf-export.patch" %gentoo-revision
+ "1wbw29daqwyrnij4991v84955ydqfvvjpz4s2p40agnzmgdzwnsx")
+ (gentoo-patch "chromium-79-gcc-alignas.patch" %gentoo-revision
+ "1a6l4i9cicy8dpxxjamyw8cl2nmqfv3x9gbffrsr8571my6fh17s")
+ (gentoo-patch "chromium-80-gcc-quiche.patch" %gentoo-revision
+ "0rdlsymw6h8i6yhysiq4la53pwivzv1i9lh0gprh5cl367r1haww")
+ (gentoo-patch "chromium-82-gcc-noexcept.patch" %gentoo-revision
+ "0pljnysjvbv2ck0s159qssjhv1pfr32i0nb66smmfmfix2yaizqc")
+ (gentoo-patch "chromium-82-gcc-incomplete-type.patch" %gentoo-revision
+ "04751dnpmiasifhq29a1kyxlnq6f2fmd2qbkv7hxdlsxbzg3lhsv")
+ (gentoo-patch "chromium-82-gcc-template.patch" %gentoo-revision
+ "1ilmx9wmzyrwmfvr2mwc7m5z6lnbhjkms5k40i8yavqah6kcdbw2")
+ (gentoo-patch "chromium-82-gcc-iterator.patch" %gentoo-revision
+ "1xljai9cj99pf4q3l8hz90i8mhdbd8v6h1vj8y37v6j8p78n3zvj")
+ (gentoo-patch "chromium-83-gcc-template.patch" %gentoo-revision
+ "1bb1anqdrimza7d0gg4fmxij00563jd9k1azy8sz1ybd8gvrphqi")
+ (gentoo-patch "chromium-83-gcc-include.patch" %gentoo-revision
+ "0rs9jj71ridplndi967m0z47vqd8ryykg36gjx8iyf3580vr2hlw")
+ (gentoo-patch "chromium-83-gcc-permissive.patch" %gentoo-revision
+ "04mrmrg3pbwl3gph2n1dkbv4miz80xww1gysd39six028nxacjpg")
+ (gentoo-patch "chromium-83-gcc-iterator.patch" %gentoo-revision
+ "0q66399va607kjnk8n9xlcr740q7c522p2z7abyd2hgq2bxgglnv")
+ (gentoo-patch "chromium-83-gcc-serviceworker.patch" %gentoo-revision
+ "0klvcqqzldfhvqr3plja64qamgff1m2z1zcn325bj32gmpypqjx9")
+ (gentoo-patch "chromium-83-gcc-10.patch" %gentoo-revision
+ "0vfvh1jypqcb274bggacg165mw2q5gmn237cvrrwcjqalz0ahnry")
+ (gentoo-patch "chromium-83-icu67.patch" %gentoo-revision
+ "05spmjhg5f56mkq3f96vm4s2d9h6vqdxz5g8ibd9pf8ddnh4blnx")))
+
+(define (debian-patch name revision hash)
+ (origin
+ (method url-fetch)
+ (uri (string-append "https://salsa.debian.org/chromium-team/chromium/-/raw/"
+ revision "/debian/patches/" name))
+ (file-name (match (string-split name #\/)
+ ((category name)
+ (string-append "ungoogled-chromium-" category "-" name))))
+ (sha256 (base32 hash))))
+
+(define %debian-patches
+ (list (debian-patch "system/nspr.patch" %debian-revision
+ "1x6ydc8pfks2c1dlwf0c58par6znjknvs9815576ycx27jl633dy")
+ (debian-patch "system/openjpeg.patch" %debian-revision
+ "0zd6v5njx1pc7i0y6mslxvpx5j4cq01mmyx55qcqx8qzkm0gm48j")))
+
(define %chromium-origin
(origin
(method url-fetch)
@@ -264,7 +336,7 @@ from forcing GEXP-PROMISE."
%chromium-version ".tar.xz"))
(sha256
(base32
- "19kpzmqmld0m0nflx13w9flxfal19msnxhzl3lip1jqih65z4y7l"))))
+ "0bvy17ymlih87n4ymnzvyn0m34ghmr1yasvy7gxv02qbw6i57lfg"))))
(define %ungoogled-origin
(origin
@@ -275,21 +347,7 @@ from forcing GEXP-PROMISE."
(string-take %ungoogled-revision 7)))
(sha256
(base32
- "0bbr4a2gkgm3ykdgpj8x58sd3dwam6qkifhzfs2997681g7b2v2q"))))
-
-(define %debian-origin
- (origin
- (method git-fetch)
- (uri (git-reference
- (url "https://salsa.debian.org/chromium-team/chromium.git")
- (commit %debian-revision)))
- (file-name (git-file-name "debian-chromium-packaging"
- (match (string-split %debian-revision #\/)
- ((_ revision) revision)
- (_ (string-take %debian-revision 7)))))
- (sha256
- (base32
- "0srgbcqga3l75bfkv3bnmjk416189nazsximvzdx2k5n8v5k4p3m"))))
+ "0kc40p8f7cls696gh6ign37l8j4x1pyyz32jkkli9cmrpbsjsadl"))))
;; This is a "computed" origin that does the following:
;; *) Runs the Ungoogled scripts on a pristine Chromium tarball.
@@ -298,8 +356,7 @@ from forcing GEXP-PROMISE."
;; *) Adjusts "GN" build files such that system libraries are preferred.
(define ungoogled-chromium-source
(let ((chromium-source %chromium-origin)
- (ungoogled-source %ungoogled-origin)
- (debian-source %debian-origin))
+ (ungoogled-source %ungoogled-origin))
(origin
(method computed-origin-method)
(file-name (string-append "ungoogled-chromium-" %package-version ".tar.xz"))
@@ -313,7 +370,7 @@ from forcing GEXP-PROMISE."
(srfi srfi-1)
(srfi srfi-26))
(let ((chromium-dir (string-append "chromium-" #$%chromium-version))
- (preserved-files (list #$@%preserved-third-party-files)))
+ (preserved-files '#$%preserved-third-party-files))
(set-path-environment-variable
"PATH" '("bin")
@@ -330,20 +387,30 @@ from forcing GEXP-PROMISE."
(force-output)
(invoke "tar" "xf" #+chromium-source)
- (format #t "Removing non-free file...~%")
- (force-output)
- ;; This file has a CC-BY-NC clause according to LICENSES from
- ;; the same directory, making it non-free.
- (delete-file
- (string-append
- chromium-dir
- "/third_party/blink/perf_tests/svg/resources/HarveyRayner.svg"))
-
- ;; Ungoogled-Chromium contains a forked subset of the Debian
- ;; patches. Disable those, as we apply newer versions later.
- (substitute* "patches/series"
- ((".*/debian/.*")
- ""))
+ (with-directory-excursion chromium-dir
+ (format #t "Removing non-free file...~%")
+ (force-output)
+ ;; This file has a CC-BY-NC clause according to LICENSES from
+ ;; the same directory, making it non-free.
+ (delete-file
+ "third_party/blink/perf_tests/svg/resources/HarveyRayner.svg")
+
+ ;; Apply patches before running the ungoogled scripts because
+ ;; domain substitution may break some of the patches.
+ (format #t "Applying assorted build fixes...~%")
+ (force-output)
+ (for-each
+ (lambda (patch)
+ (invoke "patch" "-p1" "--force" "--input"
+ patch "--no-backup-if-mismatch"))
+ (append
+ '#+%gentoo-patches '#+%debian-patches
+ '#+(list (local-file
+ (search-patch
+ "ungoogled-chromium-system-jsoncpp.patch"))
+ (local-file
+ (search-patch
+ "ungoogled-chromium-system-zlib.patch"))))))
(format #t "Ungooglifying...~%")
(force-output)
@@ -356,47 +423,6 @@ from forcing GEXP-PROMISE."
"-c" "/tmp/domainscache.tar.gz" chromium-dir)
(with-directory-excursion chromium-dir
-
- (format #t "Applying Debian patches...~%")
- (force-output)
- (let* ((debian #+debian-source)
- (patches (string-append debian "/debian/patches"))
- (series (string-append patches "/series")))
- (with-input-from-file series
- (lambda ()
- (let loop ((line (read-line)))
- (unless (eof-object? line)
- (when (and (> (string-length line) 1)
- (not (string-prefix? "#" line))
- ;; Skip the Debian-specific ones.
- (not (string-prefix? "debianization/" line))
- (not (string-prefix? "buster/" line))
- (not (any (cute string-suffix? <> line)
- ;; These conflict with Ungoogled.
- '("widevine-buildflag.patch"
- "signin.patch"
- "third-party-cookies.patch"
-
- ;; Disable workarounds for the
- ;; Chromium "-lite" tarball. We
- ;; use the "full" version and don't
- ;; need these patches.
- "closure.patch"
- "owners.patch"
-
- ;; XXX: 'fixes/inspector.patch'
- ;; makes v8 reuse the top-level
- ;; third_party/inspector_protocol
- ;; instead of its own bundled copy,
- ;; but that does not work here for
- ;; some reason. Ignore that patch
- ;; and those that depend on it.
- "inspector.patch"))))
- (invoke "patch" "--force" "-p1" "--input"
- (string-append patches "/" line)
- "--no-backup-if-mismatch"))
- (loop (read-line)))))))
-
(format #t "Pruning third party files...~%")
(force-output)
(apply invoke (string-append #+python-2 "/bin/python")
@@ -412,7 +438,7 @@ from forcing GEXP-PROMISE."
"libxslt" "openh264" "opus" "re2" "snappy" "yasm"
"zlib"))
- (format #t (string-append "Packing new ungoogled tarball ...~%"))
+ (format #t "Packing new ungoogled tarball ...~%")
(force-output)
(invoke "tar" "cvfa" #$output
;; Avoid non-determinism in the archive.
@@ -481,7 +507,6 @@ from forcing GEXP-PROMISE."
"enable_remoting=false"
"enable_reporting=false"
"enable_service_discovery=false"
- "enable_swiftshader=false"
"enable_vr=false"
"enable_widevine=false"
;; Disable type-checking for the Web UI to avoid a Java dependency.
@@ -505,6 +530,7 @@ from forcing GEXP-PROMISE."
"use_openh264=true"
"use_pulseaudio=true"
"link_pulseaudio=true"
+ "icu_use_data_file=false"
;; VA-API acceleration is currently only supported on x86_64-linux.
,@(if (string-prefix? "x86_64" (or (%current-target-system)
@@ -631,17 +657,6 @@ from forcing GEXP-PROMISE."
(substitute* "device/udev_linux/udev1_loader.cc"
(("libudev\\.so\\.1")
(string-append udev "/lib/libudev.so.1")))
- (substitute*
- '("ui/ozone/platform/x11/gl_ozone_glx.cc"
- "ui/ozone/common/egl_util.cc"
- "ui/gl/init/gl_initializer_x11.cc"
- "third_party/angle/src/libANGLE/renderer/gl/glx/FunctionsGLX.cpp")
- (("libGL\\.so\\.1")
- (string-append mesa "/lib/libGL.so.1"))
- (("libEGL\\.so\\.1")
- (string-append mesa "/lib/libEGL.so.1"))
- (("libGLESv2\\.so\\.2")
- (string-append mesa "/lib/libGLESv2.so.2")))
#t)))
(add-before 'configure 'prepare-build-environment
(lambda* (#:key inputs #:allow-other-keys)
@@ -658,14 +673,11 @@ from forcing GEXP-PROMISE."
;; Clang plugins or newer versions.
"-Wno-unknown-warning-option")))
+ (setenv "CFLAGS" "-Wno-unknown-warning-option")
+
;; TODO: pre-compile instead. Avoids a race condition.
(setenv "PYTHONDONTWRITEBYTECODE" "1")
- (substitute*
- ;; From Debians 'system/node.patch'.
- "third_party/devtools-frontend/src/scripts/devtools_paths.py"
- (("/usr/bin/nodejs") (which "node")))
-
;; XXX: How portable is this.
(mkdir-p "third_party/node/linux/node-linux-x64")
(symlink (string-append (assoc-ref inputs "node") "/bin")
@@ -717,7 +729,7 @@ from forcing GEXP-PROMISE."
(lib (string-append out "/lib"))
(man (string-append out "/share/man/man1"))
(applications (string-append out "/share/applications"))
- (install-regexp (make-regexp "\\.(bin|pak)$"))
+ (install-regexp (make-regexp "\\.(bin|pak|so)$"))
(locales (string-append lib "/locales"))
(resources (string-append lib "/resources"))
(preferences (assoc-ref inputs "master-preferences"))
@@ -754,6 +766,10 @@ from forcing GEXP-PROMISE."
(symlink "../lib/chromium" exe)
(install-file "chromedriver" bin)
+ (for-each (lambda (so)
+ (install-file so (string-append lib "/swiftshader")))
+ (find-files "swiftshader" "\\.so$"))
+
(wrap-program exe
;; Avoid file manager crash. See <https://bugs.gnu.org/26593>.
`("XDG_DATA_DIRS" ":" prefix (,(string-append gtk+ "/share")))))
@@ -770,7 +786,7 @@ from forcing GEXP-PROMISE."
#t))))))
(native-inputs
`(("bison" ,bison)
- ("clang" ,clang-9)
+ ("clang" ,clang-10)
("gn" ,gn)
("gperf" ,gperf)
("ninja" ,ninja)
@@ -805,7 +821,7 @@ from forcing GEXP-PROMISE."
("glib" ,glib)
("gtk+" ,gtk+)
("harfbuzz" ,harfbuzz)
- ("icu4c" ,icu4c)
+ ("icu4c" ,icu4c-67)
("jsoncpp" ,jsoncpp)
("lcms" ,lcms)
("libevent" ,libevent)
@@ -881,19 +897,10 @@ disabled in order to protect the users privacy.")
,@(package-inputs ungoogled-chromium)))
(arguments
(substitute-keyword-arguments (package-arguments ungoogled-chromium)
- ((#:phases phases)
- `(modify-phases ,phases
- (add-after 'unpack 'add-ozone-patch
- (lambda _
- ;; Add missing include statement required when using libstdc++,
- ;; Clang and Ozone. Fixed in M81.
- (substitute* "ui/base/cursor/ozone/bitmap_cursor_factory_ozone.cc"
- (("#include \"base/logging\\.h" all)
- (string-append "#include <algorithm>\n" all)))
- #t))))
((#:configure-flags flags)
`(append (list "use_ozone=true"
"ozone_platform_wayland=true"
+ "ozone_platform_x11=true"
"ozone_auto_platforms=false"
"ozone_platform=\"wayland\""
"use_xkbcommon=true"