nixpkgs/pkgs/applications/networking/browsers/chromium/common.nix

319 lines
13 KiB
Nix
Raw Normal View History

{ stdenv, ninja, which, nodejs, fetchurl, fetchpatch, gnutar
# default dependencies
, bzip2, flac, speex, libopus
, libevent, expat, libjpeg, snappy
, libpng, libcap
, xdg_utils, yasm, minizip, libwebp
, libusb1, pciutils, nss, re2, zlib, libvpx
2016-11-19 09:29:45 +00:00
, python2Packages, perl, pkgconfig
, nspr, systemd, kerberos
, utillinux, alsaLib
, bison, gperf
, glib, gtk2, gtk3, dbus-glib
, libXScrnSaver, libXcursor, libXtst, libGLU_combined
2014-12-07 13:52:36 +00:00
, protobuf, speechd, libXdamage, cups
, ffmpeg, harfbuzz, harfbuzz-icu, libxslt, libxml2
# optional dependencies
, libgcrypt ? null # gnomeSupport || cupsSupport
chromium: Update all channels to latest versions Overview of the updated versions: stable: 49.0.2623.87 -> 49.0.2623.110 beta: 50.0.2661.26 -> 50.0.2661.49 dev: 50.0.2661.18 -> 51.0.2693.2 Most notably, this includes a series of urgent security fixes: * CVE-2016-1646: Out-of-bounds read in V8. Credit to Wen Xu from Tencent KeenLab. * CVE-2016-1647: Use-after-free in Navigation. Credit to anonymous. * CVE-2016-1648: Use-after-free in Extensions. Credit to anonymous. * CVE-2016-1649: Buffer overflow in libANGLE. Credit to lokihardt working with HP's Zero Day Initiative / Pwn2Own. * CVE-2016-1650: Denial of service in PageCaptureSaveAsMHTMLFunction The official release announcement with details about these fixes can be found here: http://googlechromereleases.blogspot.de/2016/03/stable-channel-update_24.html Beta and stable could be also affected, although I didn't do a detailed check whether that's the case. As this introduces Chromium 51 as the dev version, I had to make the following changes to make it build: * libexif got removed, so let's do that on our end as well. See https://codereview.chromium.org/1803883002 for details. * Chromium doesn't seem to compile with our version of libpng, so let's resort to the bundled libpng for now. * site_engagement_ui.cc uses isnan outside of std namespace, so we're fixing that in postPatch using sed. I have successfully built all versions on i686-linux and x86_64-linux and tested it using the VM tests. Test reports can be found at the following evaluation of my Hydra: https://headcounter.org/hydra/eval/314584 Thanks to @grahamc for reporting this. Signed-off-by: aszlig <aszlig@redmoonstudios.org> Reported-by: Graham Christensen <graham@grahamc.com> Fixes: #14299
2016-03-30 00:05:07 +01:00
, libexif ? null # only needed for Chromium before version 51
# package customization
, enableNaCl ? false
, enableHotwording ? false
, enableWideVine ? false
, gnomeSupport ? false, gnome ? null
, gnomeKeyringSupport ? false, libgnome-keyring3 ? null
, proprietaryCodecs ? true
2014-12-07 13:52:36 +00:00
, cupsSupport ? true
, pulseSupport ? false, libpulseaudio ? null
, upstream-info
}:
buildFun:
with stdenv.lib;
# see http://www.linuxfromscratch.org/blfs/view/cvs/xsoft/chromium.html
let
# The additional attributes for creating derivations based on the chromium
# source tree.
extraAttrs = buildFun base;
gentooPatch = name: sha256: fetchpatch {
url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/www-client/chromium/files/${name}";
inherit sha256;
};
githubPatch = commit: sha256: fetchpatch {
url = "https://github.com/chromium/chromium/commit/${commit}.patch";
inherit sha256;
};
mkGnFlags =
let
# Serialize Nix types into GN types according to this document:
# https://chromium.googlesource.com/chromium/src/+/master/tools/gn/docs/language.md
mkGnString = value: "\"${escape ["\"" "$" "\\"] value}\"";
sanitize = value:
if value == true then "true"
else if value == false then "false"
else if isList value then "[${concatMapStringsSep ", " sanitize value}]"
else if isInt value then toString value
else if isString value then mkGnString value
else throw "Unsupported type for GN value `${value}'.";
toFlag = key: value: "${key}=${sanitize value}";
in attrs: concatStringsSep " " (attrValues (mapAttrs toFlag attrs));
gnSystemLibraries = [
"flac" "libwebp" "libxslt" "yasm" "opus" "snappy" "libpng" "zlib"
# "libjpeg" # fails with multiple undefined references to chromium_jpeg_*
# "re2" # fails with linker errors
# "ffmpeg" # https://crbug.com/731766
# "harfbuzz-ng" # in versions over 63 harfbuzz and freetype are being built together
# so we can't build with one from system and other from source
];
opusWithCustomModes = libopus.override {
withCustomModes = true;
};
defaultDependencies = [
bzip2 flac speex opusWithCustomModes
libevent expat libjpeg snappy
libpng libcap
xdg_utils yasm minizip libwebp
libusb1 re2 zlib
ffmpeg libxslt libxml2
# harfbuzz-icu # in versions over 63 harfbuzz and freetype are being built together
# so we can't build with one from system and other from source
];
# build paths and release info
packageName = extraAttrs.packageName or extraAttrs.name;
buildType = "Release";
buildPath = "out/${buildType}";
libExecPath = "$out/libexec/${packageName}";
freetype_source = fetchurl {
url = http://anduin.linuxfromscratch.org/BLFS/other/chromium-freetype.tar.xz;
sha256 = "1vhslc4xg0d6wzlsi99zpah2xzjziglccrxn55k7qna634wyxg77";
};
versionRange = min-version: upto-version:
let inherit (upstream-info) version;
result = versionAtLeast version min-version && versionOlder version upto-version;
stable-version = (import ./upstream-info.nix).stable.version;
in if versionAtLeast stable-version upto-version
then warn "chromium: stable version ${stable-version} is newer than a patchset bounded at ${upto-version}. You can safely delete it."
result
else result;
base = rec {
name = "${packageName}-${version}";
inherit (upstream-info) version;
inherit packageName buildType buildPath;
src = upstream-info.main;
nativeBuildInputs = [
ninja which python2Packages.python perl pkgconfig
python2Packages.ply python2Packages.jinja2 nodejs
gnutar
];
buildInputs = defaultDependencies ++ [
nspr nss systemd
utillinux alsaLib
bison gperf kerberos
glib gtk2 gtk3 dbus-glib
libXScrnSaver libXcursor libXtst libGLU_combined
pciutils protobuf speechd libXdamage
] ++ optional gnomeKeyringSupport libgnome-keyring3
++ optionals gnomeSupport [ gnome.GConf libgcrypt ]
2014-12-07 13:52:36 +00:00
++ optionals cupsSupport [ libgcrypt cups ]
++ optional pulseSupport libpulseaudio;
patches = [
./patches/nix_plugin_paths_52.patch
# As major versions are added, you can trawl the gentoo and arch repos at
# https://gitweb.gentoo.org/repo/gentoo.git/plain/www-client/chromium/
# https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/chromium
# for updated patches and hints about build flags
# (gentooPatch "<patch>" "0000000000000000000000000000000000000000000000000000000000000000")
] ++ optionals (versionRange "65" "66") [
(gentooPatch "chromium-stdint.patch" "037gjnc8h087g6dpxz53nqvzbpa9mq0z47h25vix9p62s9nhz2a8")
(gentooPatch "chromium-webrtc-r0.patch" "0wp4zivbv2wpgiwmiznbq1aw4w98mvwjvdy36cpfmnvr8yw430pd")
(gentooPatch "chromium-math.h-r0.patch" "0dlzbdj0lvp9qklgifsvgbn6p1ppxbl3hkwqqqfsw1d9jka9wy8x")
# To enable ChromeCast, go to chrome://flags and set "Load Media Router Component Extension" to Enabled
# Fixes Chromecast: https://bugs.chromium.org/p/chromium/issues/detail?id=734325
(githubPatch "1517db71cccaec48a05cdf30208e0cba7ab9b9a8" "08ac502cwwb05ml3w4wzn66i5c2d1h22xs5rzszwlnhxckxfc0fk")
# GCC 7 fixes
(githubPatch "f64fadcd79aebe5ed893ecbf258d1123609d28f8" "1h255w1v327r08cnifs19s4bwmkinqjmdmbwihddc5dyl43sjnvv")
(githubPatch "4d8468a07f374c11425494271256151fb6fe0c34" "0kqqq8kj0zv5bi1n9mm0vnn8wsgi98mjmj7snpav21fh3pgiqjrm")
(githubPatch "ede5178322ccd297b0ad82ae4c59119ceaab9ea5" "0rsal0dy0yhgs4lhn8h1vy1s77xcssy4f5wals7hvrz5m08jqizj")
(githubPatch "7d721f438acb38db556ae9a9e6e8b718bd503216" "13lzvxm63zq3rd8p387ylq4bm9wr4r09vk2w4p81f838pf0v1kbj")
# Following commit doesn't apply cleanly to stable branch, replace with handcrafted one
#(githubPatch "4f2b52281ce1649ea8347489443965ad33262ecc" "1g59izkicn9cpcphamdgrijs306h5b9i7i4pmy134asn1ifiax5z")
./patches/PlaybackImageProvider-copy-constructor.patch
# * base/optional.h
(githubPatch "f1c8789c71dbdaeeef98ecd52c9715495824e6b0" "0w3d82s10cl10r6zq9vpsscmdhbdkcy0vbdiqy5pvbr031nfxw5w")
(githubPatch "5cae9645215d02cb1f986a181a208f8a4817fc86" "052y0f9nwq6y6jh2gvr1pm8qdcqghyi3jj5svvrp5aqirlkwb7ri")
# * ConfigurationPolicyProviders
(githubPatch "1ee888aed9f9a6291570ce360bcdd2d06bcc68cb" "1bm34p3bsny44sk60j842ghhhx8qaibwpqnfnyndfj96f7nb2az0")
(githubPatch "76da73abaeede740fc97479c09c92a52972bc477" "03rkf514ddj9d32d3zfcnf96kzzdk6cwxvrqj8acyv93vp1hvckr")
#(gentooPatch "<patch>" "0000000000000000000000000000000000000000000000000000000000000000")
] ++ optionals (versionRange "66" "67") [
(gentooPatch "chromium-webrtc-r0.patch" "0wp4zivbv2wpgiwmiznbq1aw4w98mvwjvdy36cpfmnvr8yw430pd")
(gentooPatch "chromium-ffmpeg-r1.patch" "1k8agaqsvg0w0s6s5wh346ih02cc86vr0vwyshw2q9vafa0jvmq4")
# GCC 7 fixes
(githubPatch "f64fadcd79aebe5ed893ecbf258d1123609d28f8" "1h255w1v327r08cnifs19s4bwmkinqjmdmbwihddc5dyl43sjnvv")
(githubPatch "ede5178322ccd297b0ad82ae4c59119ceaab9ea5" "0rsal0dy0yhgs4lhn8h1vy1s77xcssy4f5wals7hvrz5m08jqizj")
(githubPatch "7d721f438acb38db556ae9a9e6e8b718bd503216" "13lzvxm63zq3rd8p387ylq4bm9wr4r09vk2w4p81f838pf0v1kbj")
(githubPatch "ba4141e451f4e0b1b19410b1b503bd32e150df06" "1cjxw1f9fin6z12b0mcxnxf2mdjb0n3chwz7mgvmp9yij8qhqnxj")
(githubPatch "b34ed1e6524479d61ee944ebf6ca7389ea47e563" "1s13zw93nsyr259dzck6gbhg4x46qg5sg14djf4bvrrc6hlkiczw")
(githubPatch "4f2b52281ce1649ea8347489443965ad33262ecc" "1g59izkicn9cpcphamdgrijs306h5b9i7i4pmy134asn1ifiax5z")
] ++ optional enableWideVine ./patches/widevine.patch;
postPatch = ''
# We want to be able to specify where the sandbox is via CHROME_DEVEL_SANDBOX
substituteInPlace sandbox/linux/suid/client/setuid_sandbox_host.cc \
--replace \
'return sandbox_binary;' \
'return base::FilePath(GetDevelSandboxPath());'
sed -i -e 's@"\(#!\)\?.*xdg-@"\1${xdg_utils}/bin/xdg-@' \
chrome/browser/shell_integration_linux.cc
sed -i -e '/lib_loader.*Load/s!"\(libudev\.so\)!"${systemd.lib}/lib/\1!' \
device/udev_linux/udev?_loader.cc
sed -i -e '/libpci_loader.*Load/s!"\(libpci\.so\)!"${pciutils}/lib/\1!' \
gpu/config/gpu_info_collector_linux.cc
chromium: Update all channels to latest versions Overview of the updated versions: stable: 49.0.2623.87 -> 49.0.2623.110 beta: 50.0.2661.26 -> 50.0.2661.49 dev: 50.0.2661.18 -> 51.0.2693.2 Most notably, this includes a series of urgent security fixes: * CVE-2016-1646: Out-of-bounds read in V8. Credit to Wen Xu from Tencent KeenLab. * CVE-2016-1647: Use-after-free in Navigation. Credit to anonymous. * CVE-2016-1648: Use-after-free in Extensions. Credit to anonymous. * CVE-2016-1649: Buffer overflow in libANGLE. Credit to lokihardt working with HP's Zero Day Initiative / Pwn2Own. * CVE-2016-1650: Denial of service in PageCaptureSaveAsMHTMLFunction The official release announcement with details about these fixes can be found here: http://googlechromereleases.blogspot.de/2016/03/stable-channel-update_24.html Beta and stable could be also affected, although I didn't do a detailed check whether that's the case. As this introduces Chromium 51 as the dev version, I had to make the following changes to make it build: * libexif got removed, so let's do that on our end as well. See https://codereview.chromium.org/1803883002 for details. * Chromium doesn't seem to compile with our version of libpng, so let's resort to the bundled libpng for now. * site_engagement_ui.cc uses isnan outside of std namespace, so we're fixing that in postPatch using sed. I have successfully built all versions on i686-linux and x86_64-linux and tested it using the VM tests. Test reports can be found at the following evaluation of my Hydra: https://headcounter.org/hydra/eval/314584 Thanks to @grahamc for reporting this. Signed-off-by: aszlig <aszlig@redmoonstudios.org> Reported-by: Graham Christensen <graham@grahamc.com> Fixes: #14299
2016-03-30 00:05:07 +01:00
sed -i -re 's/([^:])\<(isnan *\()/\1std::\2/g' \
chrome/browser/ui/webui/engagement/site_engagement_ui.cc
sed -i -e '/#include/ {
i #include <algorithm>
:l; n; bl
}' gpu/config/gpu_control_list.cc
# Allow to put extensions into the system-path.
sed -i -e 's,/usr,/run/current-system/sw,' chrome/common/chrome_paths.cc
patchShebangs .
# use our own nodejs
mkdir -p third_party/node/linux/node-linux-x64/bin
ln -s $(which node) third_party/node/linux/node-linux-x64/bin/node
# use patched freetype
# FIXME https://bugs.chromium.org/p/pdfium/issues/detail?id=733
# FIXME http://savannah.nongnu.org/bugs/?51156
tar -xJf ${freetype_source}
# remove unused third-party
for lib in ${toString gnSystemLibraries}; do
find -type f -path "*third_party/$lib/*" \
\! -path "*third_party/$lib/chromium/*" \
\! -path "*third_party/$lib/google/*" \
\! -path "*base/third_party/icu/*" \
\! -path "*base/third_party/libevent/*" \
\! -regex '.*\.\(gn\|gni\|isolate\|py\)' \
-delete
done
2018-01-21 13:31:54 +00:00
'' + optionalString stdenv.isAarch64 ''
substituteInPlace build/toolchain/linux/BUILD.gn \
--replace 'toolprefix = "aarch64-linux-gnu-"' 'toolprefix = ""'
'';
gnFlags = mkGnFlags ({
linux_use_bundled_binutils = false;
use_gold = true;
gold_path = "${stdenv.cc}/bin";
is_debug = false;
proprietary_codecs = false;
2015-12-29 18:32:30 +00:00
use_sysroot = false;
use_gnome_keyring = gnomeKeyringSupport;
## FIXME remove use_gconf after chromium 65 has become stable
use_gconf = gnomeSupport;
use_gio = gnomeSupport;
enable_nacl = enableNaCl;
enable_hotwording = enableHotwording;
enable_widevine = enableWideVine;
use_cups = cupsSupport;
treat_warnings_as_errors = false;
is_clang = false;
clang_use_chrome_plugins = false;
remove_webcore_debug_symbols = true;
use_gtk3 = true;
enable_swiftshader = false;
fieldtrial_testing_like_official_build = true;
# Google API keys, see:
# http://www.chromium.org/developers/how-tos/api-keys
# Note: These are for NixOS/nixpkgs use ONLY. For your own distribution,
# please get your own set of keys.
google_api_key = "AIzaSyDGi15Zwl11UNe6Y-5XW_upsfyw31qwZPI";
google_default_client_id = "404761575300.apps.googleusercontent.com";
google_default_client_secret = "9rIFQjfnkykEmqb6FfjJQD1D";
} // optionalAttrs proprietaryCodecs {
# enable support for the H.264 codec
proprietary_codecs = true;
enable_hangout_services_extension = true;
ffmpeg_branding = "Chrome";
} // optionalAttrs pulseSupport {
use_pulseaudio = true;
link_pulseaudio = true;
} // (extraAttrs.gnFlags or {}));
configurePhase = ''
runHook preConfigure
# Build gn
python tools/gn/bootstrap/bootstrap.py -v -s --no-clean
PATH="$PWD/out/Release:$PATH"
# This is to ensure expansion of $out.
libExecPath="${libExecPath}"
python build/linux/unbundle/replace_gn_files.py \
--system-libraries ${toString gnSystemLibraries}
gn gen --args=${escapeShellArg gnFlags} out/Release
runHook postConfigure
'';
buildPhase = let
# Build paralelism: on Hydra the build was frequently running into memory
# exhaustion, and even other users might be running into similar issues.
# -j is halved to avoid memory problems, and -l is slightly increased
# so that the build gets slight preference before others
# (it will often be on "critical path" and at risk of timing out)
buildCommand = target: ''
ninja -C "${buildPath}" \
-j$(( ($NIX_BUILD_CORES+1) / 2 )) -l$(( $NIX_BUILD_CORES+1 )) \
"${target}"
(
source chrome/installer/linux/common/installer.include
PACKAGE=$packageName
MENUNAME="Chromium"
process_template chrome/app/resources/manpage.1.in "${buildPath}/chrome.1"
)
'' + optionalString (target == "mksnapshot" || target == "chrome") ''
paxmark m "${buildPath}/${target}"
2014-04-25 02:58:33 +01:00
'';
targets = extraAttrs.buildTargets or [];
commands = map buildCommand targets;
in concatStringsSep "\n" commands;
};
# Remove some extraAttrs we supplied to the base attributes already.
in stdenv.mkDerivation (base // removeAttrs extraAttrs [
"name" "gnFlags" "buildTargets"
])