author | Marius Bakke <marius@gnu.org> | 2020-06-21 21:44:07 +0200 |
---|---|---|
committer | Marius Bakke <marius@gnu.org> | 2020-06-22 17:16:39 +0200 |
commit | 75527eb1cbbd0cad80d10743fb3b6e4ac0b4ba22 (patch) | |
tree | 922c7ee87f43b1601cf61e784d6ae28cc258e562 /gnu/packages/chromium.scm | |
parent | 8169cc736a6998fa33f7a86c5c13cd01cbafec92 (diff) | |
gnu: ungoogled-chromium: Update to 83.0.4103.106-0.f08ce8b [security fixes].
This fixes CVE-2020-6465, CVE-2020-6466, CVE-2020-6467, CVE-2020-6468,
CVE-2020-6469, CVE-2020-6470, CVE-2020-6471, CVE-2020-6472, CVE-2020-6473,
CVE-2020-6474, CVE-2020-6475, CVE-2020-6476, CVE-2020-6477, CVE-2020-6478,
CVE-2020-6479, CVE-2020-6480, CVE-2020-6481, CVE-2020-6482, CVE-2020-6483,
CVE-2020-6484, CVE-2020-6485, CVE-2020-6486, CVE-2020-6487, CVE-2020-6488,
CVE-2020-6489, CVE-2020-6490, CVE-2020-6491, CVE-2020-6493, CVE-2020-6494,
CVE-2020-6495, CVE-2020-6496, CVE-2020-6497, and CVE-2020-6498.
* gnu/packages/patches/ungoogled-chromium-system-jsoncpp.patch,
gnu/packages/patches/ungoogled-chromium-system-zlib.patch: New files.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
* gnu/packages/chromium.scm (%preserved-third-party-files): Adjust for 83.
(%chromium-version): Set to 83.0.4103.106.
(%ungoogled-revision): Set to f08ce8b3f1300ef0750b5d6bf967b9cbbfd9a56d.
(%gentoo-revision, %gentoo-patches, %debian-patches): New variables.
(gentoo-patch, debian-patch): New procedures.
(%chromium-origin, %ungoogled-origin): Update hashes.
(ungoogled-chromium-source): Don't apply patches from %DEBIAN-ORIGIN, but take
%GENTOO-PATCHES, %DEBIAN-PATCHES, and the local patch files.
(ungoogled-chromium)[arguments]: Remove "enable_swiftshader=false" from
#:configure-flags. Add "icu_use_data_file=false". Set CFLAGS in phase.
Remove obsolete substitution. Adjust install phase to install .so files for
ANGLE and Swiftshader.
[native-inputs]: Change from CLANG-9 to CLANG-10.
[inputs]: Replace ICU4C with ICU4C-67.
(ungoogled-chromium/wayland): Remove obsolete substitution. Add
"ozone_platform_x11=true" in #:configure-flags.
Diffstat (limited to 'gnu/packages/chromium.scm')
-rw-r--r-- | gnu/packages/chromium.scm | 221 |
1 files changed, 114 insertions, 107 deletions
diff --git a/gnu/packages/chromium.scm b/gnu/packages/chromium.scm
index 63a4ea6546..8b0b99aa19 100644
--- a/gnu/packages/chromium.scm
+++ b/gnu/packages/chromium.scm
@@ -98,6 +98,7 @@
 "third_party/angle/src/third_party/compiler" ;BSD-2
 "third_party/angle/src/third_party/libXNVCtrl" ;Expat
 "third_party/angle/src/third_party/trace_event" ;BSD-3
+ "third_party/angle/src/third_party/volk" ;Expat
 "third_party/angle/third_party/vulkan-headers" ;ASL2.0
 "third_party/angle/third_party/vulkan-loader" ;ASL2.0
 "third_party/angle/third_party/vulkan-tools" ;ASL2.0
@@ -117,6 +118,7 @@
 ;; XXX: This is a minified version of <https://d3js.org/>.
 "third_party/catapult/tracing/third_party/d3" ;BSD-3
 "third_party/catapult/tracing/third_party/gl-matrix" ;Expat
+ "third_party/catapult/tracing/third_party/jpeg-js" ;ASL2.0
 ;; XXX: Minified version of <https://github.com/Stuk/jszip>.
 "third_party/catapult/tracing/third_party/jszip" ;Expat or GPL3
 "third_party/catapult/tracing/third_party/mannwhitneyu" ;Expat
@@ -136,6 +138,7 @@
 "third_party/depot_tools/owners.py" ;BSD-3
 "third_party/devtools-frontend" ;BSD-3
 "third_party/devtools-frontend/src/front_end/third_party/fabricjs" ;Expat
+ "third_party/devtools-frontend/src/front_end/third_party/lighthouse" ;ASL2.0
 "third_party/devtools-frontend/src/front_end/third_party/wasmparser" ;ASL2.0
 "third_party/devtools-frontend/src/third_party/axe-core" ;MPL2.0
 "third_party/devtools-frontend/src/third_party/pyjson5" ;ASL2.0
@@ -148,6 +151,7 @@
 "third_party/google_input_tools/third_party/closure_library" ;ASL2.0
 "third_party/google_input_tools/third_party/closure_library/third_party/closure" ;Expat
 "third_party/googletest" ;BSD-3
+ "third_party/harfbuzz-ng" ;Expat
 "third_party/hunspell" ;MPL1.1/GPL2+/LGPL2.1+
 "third_party/iccjpeg" ;IJG
 "third_party/inspector_protocol" ;BSD-3
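Review bot: The new `"third_party/harfbuzz-ng"` entry in the `@@ -148,6 +151,7 @@` hunk keeps a bundled HarfBuzz directory although the package still lists `("harfbuzz" ,harfbuzz)` among its inputs, and nothing says whether the retained files are only build glue or library code that ends up in the binary. The same question applies to the `third_party/swiftshader/third_party/llvm-7.0`, `llvm-subzero` and `subzero` entries added in the `@@ -208,6 +214,13 @@` hunk. Bundled copies are not covered by updates to the corresponding system packages, so each such entry deserves a short comment, for example `;; XXX: Only the build files are needed; the library comes from the system.` if that is the case. %preserved-third-party-files begins and ends outside these hunks.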
@@ -171,6 +175,7 @@
 "third_party/libxml/chromium" ;BSD-3
 "third_party/libyuv" ;BSD-3
 "third_party/lss" ;BSD-3
+ "third_party/mako" ;Expat
 "third_party/markupsafe" ;BSD-3
 "third_party/mesa_headers" ;Expat, SGI
 "third_party/metrics_proto" ;BSD-3
@@ -199,6 +204,7 @@
 "third_party/qcms" ;Expat
 "third_party/rnnoise" ;BSD-3
 "third_party/s2cellid" ;ASL2.0
+ "third_party/schema_org" ;CC-BY-SA3.0
 "third_party/skia" ;BSD-3
 "third_party/skia/include/third_party/skcms" ;BSD-3
 "third_party/skia/third_party/skcms" ;BSD-3
@@ -208,6 +214,13 @@
 "third_party/spirv-headers" ;ASL2.0
 "third_party/SPIRV-Tools" ;ASL2.0
 "third_party/sqlite" ;Public domain
+ "third_party/swiftshader" ;ASL2.0
+ "third_party/swiftshader/third_party/astc-encoder" ;ASL2.0
+ "third_party/swiftshader/third_party/llvm-7.0" ;NCSA
+ "third_party/swiftshader/third_party/llvm-subzero" ;NCSA
+ "third_party/swiftshader/third_party/marl" ;ASL2.0
+ "third_party/swiftshader/third_party/subzero" ;NCSA
+ "third_party/swiftshader/third_party/SPIRV-Headers" ;X11-style
 "third_party/usb_ids" ;BSD-3
 "third_party/usrsctp" ;BSD-2
 "third_party/wayland/wayland_scanner_wrapper.py" ;BSD-3
@@ -248,14 +261,73 @@ from forcing GEXP-PROMISE." #:system system #:guile-for-build guile))) -(define %chromium-version "81.0.4044.138") -(define %ungoogled-revision "c2a89fb6b5b559c826796c811741fa8ed3e11de8") +(define %chromium-version "83.0.4103.106") +(define %ungoogled-revision "f08ce8b3f1300ef0750b5d6bf967b9cbbfd9a56d") (define %debian-revision "debian/81.0.4044.92-1") +(define %gentoo-revision "55ef09d6709f4e4cbe23418e4ade0f219fa2fa1f") (define package-revision "0") (define %package-version (string-append %chromium-version "-" package-revision "." (string-take %ungoogled-revision 7))) +(define (gentoo-patch name revision hash) + (origin + (method url-fetch) + (uri (string-append "https://gitweb.gentoo.org/repo/gentoo.git/plain" + "/www-client/chromium/files/" name "?id=" revision)) + (file-name (string-append "ungoogled-" name)) + (sha256 (base32 hash)))) + +(define %gentoo-patches + (list (gentoo-patch "chromium-fix-char_traits.patch" %gentoo-revision + "1zr9wj2rj5phwdiffykd8w3srmzn0xxgmznz762qp7rs7amnp8ns") + (gentoo-patch "chromium-blink-style_format.patch" %gentoo-revision + "098akk5l01m0n3zz08ycz1kp3xmjnbng6d399z1fnb2zigbf0b0z") + (gentoo-patch "chromium-78-protobuf-export.patch" %gentoo-revision + "1wbw29daqwyrnij4991v84955ydqfvvjpz4s2p40agnzmgdzwnsx") + (gentoo-patch "chromium-79-gcc-alignas.patch" %gentoo-revision + "1a6l4i9cicy8dpxxjamyw8cl2nmqfv3x9gbffrsr8571my6fh17s") + (gentoo-patch "chromium-80-gcc-quiche.patch" %gentoo-revision + "0rdlsymw6h8i6yhysiq4la53pwivzv1i9lh0gprh5cl367r1haww") + (gentoo-patch "chromium-82-gcc-noexcept.patch" %gentoo-revision + "0pljnysjvbv2ck0s159qssjhv1pfr32i0nb66smmfmfix2yaizqc") + (gentoo-patch "chromium-82-gcc-incomplete-type.patch" %gentoo-revision + "04751dnpmiasifhq29a1kyxlnq6f2fmd2qbkv7hxdlsxbzg3lhsv") + (gentoo-patch "chromium-82-gcc-template.patch" %gentoo-revision + "1ilmx9wmzyrwmfvr2mwc7m5z6lnbhjkms5k40i8yavqah6kcdbw2") + (gentoo-patch "chromium-82-gcc-iterator.patch" %gentoo-revision + 
"1xljai9cj99pf4q3l8hz90i8mhdbd8v6h1vj8y37v6j8p78n3zvj") + (gentoo-patch "chromium-83-gcc-template.patch" %gentoo-revision + "1bb1anqdrimza7d0gg4fmxij00563jd9k1azy8sz1ybd8gvrphqi") + (gentoo-patch "chromium-83-gcc-include.patch" %gentoo-revision + "0rs9jj71ridplndi967m0z47vqd8ryykg36gjx8iyf3580vr2hlw") + (gentoo-patch "chromium-83-gcc-permissive.patch" %gentoo-revision + "04mrmrg3pbwl3gph2n1dkbv4miz80xww1gysd39six028nxacjpg") + (gentoo-patch "chromium-83-gcc-iterator.patch" %gentoo-revision + "0q66399va607kjnk8n9xlcr740q7c522p2z7abyd2hgq2bxgglnv") + (gentoo-patch "chromium-83-gcc-serviceworker.patch" %gentoo-revision + "0klvcqqzldfhvqr3plja64qamgff1m2z1zcn325bj32gmpypqjx9") + (gentoo-patch "chromium-83-gcc-10.patch" %gentoo-revision + "0vfvh1jypqcb274bggacg165mw2q5gmn237cvrrwcjqalz0ahnry") + (gentoo-patch "chromium-83-icu67.patch" %gentoo-revision + "05spmjhg5f56mkq3f96vm4s2d9h6vqdxz5g8ibd9pf8ddnh4blnx"))) + +(define (debian-patch name revision hash) + (origin + (method url-fetch) + (uri (string-append "https://salsa.debian.org/chromium-team/chromium/-/raw/" + revision "/debian/patches/" name)) + (file-name (match (string-split name #\/) + ((category name) + (string-append "ungoogled-chromium-" category "-" name)))) + (sha256 (base32 hash)))) + +(define %debian-patches + (list (debian-patch "system/nspr.patch" %debian-revision + "1x6ydc8pfks2c1dlwf0c58par6znjknvs9815576ycx27jl633dy") + (debian-patch "system/openjpeg.patch" %debian-revision + "0zd6v5njx1pc7i0y6mslxvpx5j4cq01mmyx55qcqx8qzkm0gm48j"))) + (define %chromium-origin (origin (method url-fetch) @@ -264,7 +336,7 @@ from forcing GEXP-PROMISE." %chromium-version ".tar.xz")) (sha256 (base32 - "19kpzmqmld0m0nflx13w9flxfal19msnxhzl3lip1jqih65z4y7l")))) + "0bvy17ymlih87n4ymnzvyn0m34ghmr1yasvy7gxv02qbw6i57lfg")))) (define %ungoogled-origin (origin 
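Review bot: `%debian-revision` stays at `"debian/81.0.4044.92-1"` in the `@@ -248,14 +261,73 @@` hunk while `%chromium-version` moves to 83.0.4103.106, so `%debian-patches` takes `system/nspr.patch` and `system/openjpeg.patch` from packaging written for an older tree. The sha256 pins what is downloaded, but a comment above `%debian-revision` should say that the mismatch is deliberate, for example `;; Intentionally older than %chromium-version; only two patches are taken from it.` if that is the intent. `debian-patch` would also benefit from a docstring stating that NAME must have the form "category/file", because the single `(category name)` clause of `match` raises on any other shape and rebinds `name` inside the clause.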
@@ -275,21 +347,7 @@ from forcing GEXP-PROMISE." (string-take %ungoogled-revision 7))) (sha256 (base32 - "0bbr4a2gkgm3ykdgpj8x58sd3dwam6qkifhzfs2997681g7b2v2q")))) - -(define %debian-origin - (origin - (method git-fetch) - (uri (git-reference - (url "https://salsa.debian.org/chromium-team/chromium.git") - (commit %debian-revision))) - (file-name (git-file-name "debian-chromium-packaging" - (match (string-split %debian-revision #\/) - ((_ revision) revision) - (_ (string-take %debian-revision 7))))) - (sha256 - (base32 - "0srgbcqga3l75bfkv3bnmjk416189nazsximvzdx2k5n8v5k4p3m")))) + "0kc40p8f7cls696gh6ign37l8j4x1pyyz32jkkli9cmrpbsjsadl")))) ;; This is a "computed" origin that does the following: ;; *) Runs the Ungoogled scripts on a pristine Chromium tarball. @@ -298,8 +356,7 @@ from forcing GEXP-PROMISE." ;; *) Adjusts "GN" build files such that system libraries are preferred. (define ungoogled-chromium-source (let ((chromium-source %chromium-origin) - (ungoogled-source %ungoogled-origin) - (debian-source %debian-origin)) + (ungoogled-source %ungoogled-origin)) (origin (method computed-origin-method) (file-name (string-append "ungoogled-chromium-" %package-version ".tar.xz")) @@ -313,7 +370,7 @@ from forcing GEXP-PROMISE." (srfi srfi-1) (srfi srfi-26)) (let ((chromium-dir (string-append "chromium-" #$%chromium-version)) - (preserved-files (list #$@%preserved-third-party-files))) + (preserved-files '#$%preserved-third-party-files)) (set-path-environment-variable "PATH" '("bin") 
@@ -330,20 +387,30 @@ from forcing GEXP-PROMISE." (force-output) (invoke "tar" "xf" #+chromium-source) - (format #t "Removing non-free file...~%") - (force-output) - ;; This file has a CC-BY-NC clause according to LICENSES from - ;; the same directory, making it non-free. - (delete-file - (string-append - chromium-dir - "/third_party/blink/perf_tests/svg/resources/HarveyRayner.svg")) - - ;; Ungoogled-Chromium contains a forked subset of the Debian - ;; patches. Disable those, as we apply newer versions later. - (substitute* "patches/series" - ((".*/debian/.*") - "")) + (with-directory-excursion chromium-dir + (format #t "Removing non-free file...~%") + (force-output) + ;; This file has a CC-BY-NC clause according to LICENSES from + ;; the same directory, making it non-free. + (delete-file + "third_party/blink/perf_tests/svg/resources/HarveyRayner.svg") + + ;; Apply patches before running the ungoogled scripts because + ;; domain substitution may break some of the patches. + (format #t "Applying assorted build fixes...~%") + (force-output) + (for-each + (lambda (patch) + (invoke "patch" "-p1" "--force" "--input" + patch "--no-backup-if-mismatch")) + (append + '#+%gentoo-patches '#+%debian-patches + '#+(list (local-file + (search-patch + "ungoogled-chromium-system-jsoncpp.patch")) + (local-file + (search-patch + "ungoogled-chromium-system-zlib.patch")))))) (format #t "Ungooglifying...~%") (force-output) 
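Review bot: The `for-each` that runs `patch -p1 --force` leaves GNU patch at its default fuzz, so a hunk whose context only loosely matches can still be applied without failing the build, and some of these patches appear to come from packaging for a different Chromium version (see `%debian-revision` elsewhere in this diff). `invoke` already aborts on rejected hunks; adding `"--fuzz=0"` to the argument list would make a drifting patch fail loudly too, provided the current set applies cleanly with it. A one-line comment saying that the order is Gentoo, Debian, then the two local files, and whether that order matters, would help the next update.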
@@ -356,47 +423,6 @@ from forcing GEXP-PROMISE." "-c" "/tmp/domainscache.tar.gz" chromium-dir) (with-directory-excursion chromium-dir - - (format #t "Applying Debian patches...~%") - (force-output) - (let* ((debian #+debian-source) - (patches (string-append debian "/debian/patches")) - (series (string-append patches "/series"))) - (with-input-from-file series - (lambda () - (let loop ((line (read-line))) - (unless (eof-object? line) - (when (and (> (string-length line) 1) - (not (string-prefix? "#" line)) - ;; Skip the Debian-specific ones. - (not (string-prefix? "debianization/" line)) - (not (string-prefix? "buster/" line)) - (not (any (cute string-suffix? <> line) - ;; These conflict with Ungoogled. - '("widevine-buildflag.patch" - "signin.patch" - "third-party-cookies.patch" - - ;; Disable workarounds for the - ;; Chromium "-lite" tarball. We - ;; use the "full" version and don't - ;; need these patches. - "closure.patch" - "owners.patch" - - ;; XXX: 'fixes/inspector.patch' - ;; makes v8 reuse the top-level - ;; third_party/inspector_protocol - ;; instead of its own bundled copy, - ;; but that does not work here for - ;; some reason. Ignore that patch - ;; and those that depend on it. - "inspector.patch")))) - (invoke "patch" "--force" "-p1" "--input" - (string-append patches "/" line) - "--no-backup-if-mismatch")) - (loop (read-line))))))) - (format #t "Pruning third party files...~%") (force-output) (apply invoke (string-append #+python-2 "/bin/python") @@ -412,7 +438,7 @@ from forcing GEXP-PROMISE." "libxslt" "openh264" "opus" "re2" "snappy" "yasm" "zlib")) - (format #t (string-append "Packing new ungoogled tarball ...~%")) + (format #t "Packing new ungoogled tarball ...~%") (force-output) (invoke "tar" "cvfa" #$output ;; Avoid non-determinism in the archive. 
@@ -481,7 +507,6 @@ from forcing GEXP-PROMISE." "enable_remoting=false" "enable_reporting=false" "enable_service_discovery=false" - "enable_swiftshader=false" "enable_vr=false" "enable_widevine=false" ;; Disable type-checking for the Web UI to avoid a Java dependency. @@ -505,6 +530,7 @@ from forcing GEXP-PROMISE." "use_openh264=true" "use_pulseaudio=true" "link_pulseaudio=true" + "icu_use_data_file=false" ;; VA-API acceleration is currently only supported on x86_64-linux. ,@(if (string-prefix? "x86_64" (or (%current-target-system) @@ -631,17 +657,6 @@ from forcing GEXP-PROMISE." (substitute* "device/udev_linux/udev1_loader.cc" (("libudev\\.so\\.1") (string-append udev "/lib/libudev.so.1"))) - (substitute* - '("ui/ozone/platform/x11/gl_ozone_glx.cc" - "ui/ozone/common/egl_util.cc" - "ui/gl/init/gl_initializer_x11.cc" - "third_party/angle/src/libANGLE/renderer/gl/glx/FunctionsGLX.cpp") - (("libGL\\.so\\.1") - (string-append mesa "/lib/libGL.so.1")) - (("libEGL\\.so\\.1") - (string-append mesa "/lib/libEGL.so.1")) - (("libGLESv2\\.so\\.2") - (string-append mesa "/lib/libGLESv2.so.2"))) #t))) (add-before 'configure 'prepare-build-environment (lambda* (#:key inputs #:allow-other-keys) @@ -658,14 +673,11 @@ from forcing GEXP-PROMISE." ;; Clang plugins or newer versions. "-Wno-unknown-warning-option"))) + (setenv "CFLAGS" "-Wno-unknown-warning-option") + ;; TODO: pre-compile instead. Avoids a race condition. (setenv "PYTHONDONTWRITEBYTECODE" "1") - (substitute* - ;; From Debians 'system/node.patch'. - "third_party/devtools-frontend/src/scripts/devtools_paths.py" - (("/usr/bin/nodejs") (which "node"))) - ;; XXX: How portable is this. (mkdir-p "third_party/node/linux/node-linux-x64") (symlink (string-append (assoc-ref inputs "node") "/bin") 
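Review bot: The added `(setenv "CFLAGS" "-Wno-unknown-warning-option")` in the `@@ -658,14 +673,11 @@` hunk has no comment of its own, whereas the flag list just above it explains why the option is passed. A short line such as `;; Likewise for C sources.` before the call would make clear that it is not a leftover, and would tell a later reader that CFLAGS is set to this single flag on purpose. The enclosing `prepare-build-environment` phase begins and ends outside the hunk.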
@@ -717,7 +729,7 @@ from forcing GEXP-PROMISE." (lib (string-append out "/lib")) (man (string-append out "/share/man/man1")) (applications (string-append out "/share/applications")) - (install-regexp (make-regexp "\\.(bin|pak)$")) + (install-regexp (make-regexp "\\.(bin|pak|so)$")) (locales (string-append lib "/locales")) (resources (string-append lib "/resources")) (preferences (assoc-ref inputs "master-preferences")) @@ -754,6 +766,10 @@ from forcing GEXP-PROMISE." (symlink "../lib/chromium" exe) (install-file "chromedriver" bin) + (for-each (lambda (so) + (install-file so (string-append lib "/swiftshader"))) + (find-files "swiftshader" "\\.so$")) + (wrap-program exe ;; Avoid file manager crash. See <https://bugs.gnu.org/26593>. `("XDG_DATA_DIRS" ":" prefix (,(string-append gtk+ "/share"))))) @@ -770,7 +786,7 @@ from forcing GEXP-PROMISE." #t)))))) (native-inputs `(("bison" ,bison) - ("clang" ,clang-9) + ("clang" ,clang-10) ("gn" ,gn) ("gperf" ,gperf) ("ninja" ,ninja) @@ -805,7 +821,7 @@ from forcing GEXP-PROMISE." ("glib" ,glib) ("gtk+" ,gtk+) ("harfbuzz" ,harfbuzz) - ("icu4c" ,icu4c) + ("icu4c" ,icu4c-67) ("jsoncpp" ,jsoncpp) ("lcms" ,lcms) ("libevent" ,libevent) @@ -881,19 +897,10 @@ disabled in order to protect the users privacy.") ,@(package-inputs ungoogled-chromium))) (arguments (substitute-keyword-arguments (package-arguments ungoogled-chromium) - ((#:phases phases) - `(modify-phases ,phases - (add-after 'unpack 'add-ozone-patch - (lambda _ - ;; Add missing include statement required when using libstdc++, - ;; Clang and Ozone. Fixed in M81. - (substitute* "ui/base/cursor/ozone/bitmap_cursor_factory_ozone.cc" - (("#include \"base/logging\\.h" all) - (string-append "#include <algorithm>\n" all))) - #t)))) ((#:configure-flags flags) `(append (list "use_ozone=true" "ozone_platform_wayland=true" + "ozone_platform_x11=true" "ozone_auto_platforms=false" "ozone_platform=\"wayland\"" "use_xkbcommon=true" |
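Review bot: Widening `install-regexp` to `"\\.(bin|pak|so)$"` in the `@@ -717,7 +729,7 @@` hunk installs every shared object the regexp meets, not only the ANGLE libraries named in the commit message; the code that applies it lies outside the hunk, so I cannot tell which directory is scanned. A comment next to the binding, e.g. `;; "so" picks up the ANGLE libraries.`, would record the intent, and if other `.so` files can appear there a narrower pattern would keep stray build artefacts out of the package. In the `@@ -754,6 +766,10 @@` hunk, `(find-files "swiftshader" "\\.so$")` yields an empty list when nothing matches, so the phase would succeed without installing anything; consider failing the phase when the list is empty.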