From b36db49ae73db879fe00f73f2777077f33a68745 Mon Sep 17 00:00:00 2001
From: Michael Weiss
Date: Tue, 20 Oct 2020 12:59:55 +0200
Subject: [PATCH] chromium: Add some brief documentation
Wanted to do this for a long time to collect important knowledge and make it easier to pass maintainership. Only time will tell if this'll be useful or become outdated instead.
---
 .../networking/browsers/chromium/README.md | 56 +++++++++++++++++++
 .../networking/browsers/chromium/browser.nix | 12 +---
 .../networking/browsers/chromium/common.nix | 12 +---
 3 files changed, 60 insertions(+), 20 deletions(-)
 create mode 100644 pkgs/applications/networking/browsers/chromium/README.md
diff --git a/pkgs/applications/networking/browsers/chromium/README.md b/pkgs/applications/networking/browsers/chromium/README.md
new file mode 100644
index 000000000000..e7b7df7cd087
--- /dev/null
+++ b/pkgs/applications/networking/browsers/chromium/README.md
@@ -0,0 +1,56 @@
+# Maintainers
+
+- TODO: We need more maintainers:
+ - https://github.com/NixOS/nixpkgs/issues/78450
+ - If you just want to help out without becoming a maintainer:
+ - Look for open Nixpkgs issues or PRs related to Chromium
+ - Make your own PRs (but please try to make reviews as easy as possible)
+- Primary maintainer (responsible for updating Chromium): @primeos
+- Testers (test all stable channel updates)
+ - `nixos-unstable`:
+ - `x86_64`: @danielfullmer
+ - `aarch64`: @thefloweringash
+ - Stable channel:
+ - `x86_64`: @Frostman
+- Other relevant packages:
+ - `chromiumBeta` and `chromiumDev`: For testing purposes (not build on Hydra)
+ - `google-chrome`, `google-chrome-beta`, `google-chrome-dev`: Updated via
+ Chromium's `upstream-info.json`
+ - `ungoogled-chromium`: Based on `chromium` (the expressions are regularly
+ copied over and patched accordingly)
+
+# Updating Chromium
+
+Simply run `./pkgs/applications/networking/browsers/chromium/update.py` to
+update `upstream-info.json`. After updates it is important to test at least
+`nixosTests.chromium` (or basic manual testing) and `google-chrome` (which
+reuses `upstream-info.json`).
+
+## Backports
+
+All updates are considered security critical and should be ported to the stable
+channel ASAP. When there is a new stable release the old one should receive
+security updates for roughly one month. After that it is important to mark
+Chromium as insecure (see 69e4ae56c4b for an example; it is important that the
+tested job still succeeds and that all browsers that use `upstream-info.json`
+are marked as insecure).
+
+## Major version updates
+
+Unfortunately, Chromium regularly breaks on major updates and might need
+various patches. Either due to issues with the Nix build sandbox (e.g. we cannot
+fetch dependencies via the network and do not use standard FHS paths) or due to
+missing upstream fixes that need to be backported.
+
+Good sources for such patches and other hints:
+- https://github.com/archlinux/svntogit-packages/tree/packages/chromium/trunk
+- https://gitweb.gentoo.org/repo/gentoo.git/tree/www-client/chromium
+- https://src.fedoraproject.org/rpms/chromium/tree/master
+
+If the build fails immediately due to unknown compiler flags this usually means
+that a new major release of LLVM is required.
+
+## Beta and Dev channels
+
+Those channels are only used to test and fix builds in advance. They may be
+broken at times and must not delay stable channel updates.
diff --git a/pkgs/applications/networking/browsers/chromium/browser.nix b/pkgs/applications/networking/browsers/chromium/browser.nix
index 3d87325984b4..d3953da71d28 100644
--- a/pkgs/applications/networking/browsers/chromium/browser.nix
+++ b/pkgs/applications/networking/browsers/chromium/browser.nix
@@ -77,18 +77,10 @@ mkChromiumDerivation (base: rec {
 of source code for Google Chrome (which has some additional features).
 '';
 homepage = "https://www.chromium.org/";
- maintainers = with maintainers; [ bendlas thefloweringash primeos ];
- # Overview of the maintainer roles:
- # nixos-unstable:
- # - TODO: Need a new maintainer for x86_64 [0]
- # - @thefloweringash: aarch64
- # - @primeos: Provisional maintainer (x86_64)
- # Stable channel:
- # - TODO (need someone to test backports [0])
- # [0]: https://github.com/NixOS/nixpkgs/issues/78450
+ maintainers = with maintainers; [ primeos thefloweringash bendlas ]; # See README.md
 license = if enableWideVine then licenses.unfree else licenses.bsd3;
 platforms = platforms.linux;
 hydraPlatforms = if channel == "stable" then ["aarch64-linux" "x86_64-linux"] else [];
- timeout = 172800; # 48 hours
+ timeout = 172800; # 48 hours (increased from the Hydra default of 10h)
 };
 })
diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix
index 4341a419142c..a058ed6f18af 100644
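Review bot: The new `maintainers` line in browser.nix's `meta` and the roles listed in the new README.md do not name the same people: `bendlas` stays in the list with no role in the README, while the README's testers `danielfullmer` and `Frostman` are not in it. Because the README treats every update as security critical and depends on those testers for stable-channel backports, the trailing comment should say what the reader will find and why the lists differ, for example `# Roles and testers: see README.md in this directory (testers are not listed here)`. If the list order is meant to put the primary maintainer first, the comment should say so as well. The `meta` attribute set starts outside the hunk, so its other attributes were not reviewed.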
--- a/pkgs/applications/networking/browsers/chromium/common.nix +++ b/pkgs/applications/networking/browsers/chromium/common.nix @@ -154,16 +154,8 @@ let ++ optionals useOzone [ libdrm wayland mesa_drivers libxkbcommon ]; patches = [ - ./patches/no-build-timestamps.patch - ./patches/widevine-79.patch - # Unfortunately, chromium regularly breaks on major updates and - # then needs various patches backported in order to be compiled with GCC. - # Good sources for such patches and other hints: - # - https://gitweb.gentoo.org/repo/gentoo.git/plain/www-client/chromium/ - # - https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/chromium - # - https://github.com/chromium/chromium/search?q=GCC&s=committer-date&type=Commits - # - # ++ optionals (channel == "dev") [ ( githubPatch "" "0000000000000000000000000000000000000000000000000000000000000000" ) ] + ./patches/no-build-timestamps.patch # Optional patch to use SOURCE_DATE_EPOCH in compute_build_timestamp.py (should be upstreamed) + ./patches/widevine-79.patch # For bundling Widevine (DRM), might be replaceable via bundle_widevine_cdm=true in gnFlags # ++ optional (versionRange "68" "72") ( githubPatch "" "0000000000000000000000000000000000000000000000000000000000000000" ) ] ++ optionals (useVaapi) [ # Check for enable-accelerated-video-decode on Linux: