diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix index a12f5443c6de..b2187c8fb8f1 100644 --- a/maintainers/maintainer-list.nix +++ b/maintainers/maintainer-list.nix @@ -7184,6 +7184,12 @@ githubId = 1414088; name = "Spencer Whitt"; }; + squalus = { + email = "squalus@tuta.io"; + github = "squalus"; + githubId = 36899624; + name = "squalus"; + }; srghma = { email = "srghma@gmail.com"; github = "srghma"; diff --git a/pkgs/applications/networking/browsers/ungoogled-chromium/browser.nix b/pkgs/applications/networking/browsers/ungoogled-chromium/browser.nix new file mode 100644 index 000000000000..87248013a9af --- /dev/null +++ b/pkgs/applications/networking/browsers/ungoogled-chromium/browser.nix @@ -0,0 +1,94 @@ +{ stdenv, mkChromiumDerivation, channel, enableWideVine }: + +with stdenv.lib; + +mkChromiumDerivation (base: rec { + name = "chromium-browser"; + packageName = "chromium"; + buildTargets = [ "mksnapshot" "chrome_sandbox" "chrome" ]; + + outputs = ["out" "sandbox"]; + + sandboxExecutableName = "__chromium-suid-sandbox"; + + installPhase = '' + mkdir -p "$libExecPath" + cp -v "$buildPath/"*.pak "$buildPath/"*.bin "$libExecPath/" + cp -v "$buildPath/icudtl.dat" "$libExecPath/" + cp -vLR "$buildPath/locales" "$buildPath/resources" "$libExecPath/" + cp -v "$buildPath/chrome" "$libExecPath/$packageName" + + # Swiftshader + # See https://stackoverflow.com/a/4264351/263061 for the find invocation. + if [ -n "$(find "$buildPath/swiftshader/" -maxdepth 1 -name '*.so' -print -quit)" ]; then + echo "Swiftshader files found; installing" + mkdir -p "$libExecPath/swiftshader" + cp -v "$buildPath/swiftshader/"*.so "$libExecPath/swiftshader/" + else + echo "Swiftshader files not found" + fi + + mkdir -p "$sandbox/bin" + cp -v "$buildPath/chrome_sandbox" "$sandbox/bin/${sandboxExecutableName}" + + mkdir -vp "$out/share/man/man1" + cp -v "$buildPath/chrome.1" "$out/share/man/man1/$packageName.1" + + for icon_file in chrome/app/theme/chromium/product_logo_*[0-9].png; do + num_and_suffix="''${icon_file##*logo_}" + icon_size="''${num_and_suffix%.*}" + expr "$icon_size" : "^[0-9][0-9]*$" || continue + logo_output_prefix="$out/share/icons/hicolor" + logo_output_path="$logo_output_prefix/''${icon_size}x''${icon_size}/apps" + mkdir -vp "$logo_output_path" + cp -v "$icon_file" "$logo_output_path/$packageName.png" + done + + # Install Desktop Entry + install -D chrome/installer/linux/common/desktop.template \ + $out/share/applications/chromium-browser.desktop + + substituteInPlace $out/share/applications/chromium-browser.desktop \ + --replace "@@MENUNAME@@" "Chromium" \ + --replace "@@PACKAGE@@" "chromium" \ + --replace "Exec=/usr/bin/@@USR_BIN_SYMLINK_NAME@@" "Exec=chromium" + + # Append more mime types to the end + sed -i '/^MimeType=/ s,$,x-scheme-handler/webcal;x-scheme-handler/mailto;x-scheme-handler/about;x-scheme-handler/unknown,' \ + $out/share/applications/chromium-browser.desktop + + # See https://github.com/NixOS/nixpkgs/issues/12433 + sed -i \ + -e '/\[Desktop Entry\]/a\' \ + -e 'StartupWMClass=chromium-browser' \ + $out/share/applications/chromium-browser.desktop + ''; + + passthru = { inherit sandboxExecutableName; }; + + requiredSystemFeatures = [ "big-parallel" ]; + + meta = { + description = "An open source web browser from Google, with dependencies on Google web services removed"; + longDescription = '' + Chromium is an open source web browser from Google that aims to build a + safer, faster, and more stable way for all Internet users to experience + the web. It has a minimalist user interface and provides the vast majority + of source code for Google Chrome (which has some additional features). + ''; + homepage = https://github.com/Eloston/ungoogled-chromium; + maintainers = with maintainers; [ squalus ]; + # Overview of the maintainer roles: + # nixos-unstable: + # - TODO: Need a new maintainer for x86_64 [0] + # - @thefloweringash: aarch64 + # - @primeos: Provisional maintainer (x86_64) + # Stable channel: + # - TODO (need someone to test backports [0]) + # [0]: https://github.com/NixOS/nixpkgs/issues/78450 + license = if enableWideVine then licenses.unfree else licenses.bsd3; + platforms = platforms.linux; + hydraPlatforms = if channel == "stable" then ["aarch64-linux" "x86_64-linux"] else []; + timeout = 172800; # 48 hours + }; +}) diff --git a/pkgs/applications/networking/browsers/ungoogled-chromium/common.nix b/pkgs/applications/networking/browsers/ungoogled-chromium/common.nix new file mode 100644 index 000000000000..d07da2b3b07a --- /dev/null +++ b/pkgs/applications/networking/browsers/ungoogled-chromium/common.nix @@ -0,0 +1,361 @@ +{ stdenv, llvmPackages, gnChromium, ninja, which, nodejs, fetchpatch, gnutar + +# default dependencies +, bzip2, flac, speex, libopus +, libevent, expat, libjpeg, snappy +, libpng, libcap +, xdg_utils, yasm, minizip, libwebp +, libusb1, pciutils, nss, re2, zlib + +, python2Packages, perl, pkgconfig +, nspr, systemd, kerberos +, utillinux, alsaLib +, bison, gperf +, glib, gtk3, dbus-glib +, glibc +, libXScrnSaver, libXcursor, libXtst, libGLU, libGL +, protobuf, speechd, libXdamage, cups +, ffmpeg, libxslt, libxml2, at-spi2-core +, jre + +# optional dependencies +, libgcrypt ? null # gnomeSupport || cupsSupport +, libva ? null # useVaapi +, libdrm ? null, wayland ? null, mesa_drivers ? null, libxkbcommon ? null # useOzone + +# package customization +, useVaapi ? false +, useOzone ? false +, gnomeSupport ? false, gnome ? null +, gnomeKeyringSupport ? false, libgnome-keyring3 ? null +, proprietaryCodecs ? true +, cupsSupport ? true +, pulseSupport ? false, libpulseaudio ? null +, ungoogled-chromium +, ungoogled ? false + +, upstream-info +}: + +buildFun: + +with stdenv.lib; + +# see http://www.linuxfromscratch.org/blfs/view/cvs/xsoft/chromium.html + +let + # The additional attributes for creating derivations based on the chromium + # source tree. + extraAttrs = buildFun base; + + githubPatch = commit: sha256: fetchpatch { + url = "https://github.com/chromium/chromium/commit/${commit}.patch"; + inherit sha256; + }; + + mkGnFlags = + let + # Serialize Nix types into GN types according to this document: + # https://chromium.googlesource.com/chromium/src/+/master/tools/gn/docs/language.md + mkGnString = value: "\"${escape ["\"" "$" "\\"] value}\""; + sanitize = value: + if value == true then "true" + else if value == false then "false" + else if isList value then "[${concatMapStringsSep ", " sanitize value}]" + else if isInt value then toString value + else if isString value then mkGnString value + else throw "Unsupported type for GN value `${value}'."; + toFlag = key: value: "${key}=${sanitize value}"; + in attrs: concatStringsSep " " (attrValues (mapAttrs toFlag attrs)); + + gnSystemLibraries = [ + "flac" "libwebp" "libxslt" "yasm" "opus" "snappy" "libpng" + # "zlib" # version 77 reports unresolved dependency on //third_party/zlib:zlib_config + # "libjpeg" # fails with multiple undefined references to chromium_jpeg_* + # "re2" # fails with linker errors + # "ffmpeg" # https://crbug.com/731766 + # "harfbuzz-ng" # in versions over 63 harfbuzz and freetype are being built together + # so we can't build with one from system and other from source + ]; + + opusWithCustomModes = libopus.override { + withCustomModes = true; + }; + + defaultDependencies = [ + bzip2 flac speex opusWithCustomModes + libevent expat libjpeg snappy + libpng libcap + xdg_utils yasm minizip libwebp + libusb1 re2 zlib + ffmpeg libxslt libxml2 + # harfbuzz # in versions over 63 harfbuzz and freetype are being built together + # so we can't build with one from system and other from source + ]; + + # build paths and release info + packageName = extraAttrs.packageName or extraAttrs.name; + buildType = "Release"; + buildPath = "out/${buildType}"; + libExecPath = "$out/libexec/${packageName}"; + + versionRange = min-version: upto-version: + let inherit (upstream-info) version; + result = versionAtLeast version min-version && versionOlder version upto-version; + stable-version = (import ./upstream-info.nix).stable.version; + in if versionAtLeast stable-version upto-version + then warn "chromium: stable version ${stable-version} is newer than a patchset bounded at ${upto-version}. You can safely delete it." + result + else result; + + ungoogler = + let versionEntry = (import ./ungoogled-src.nix)."${upstream-info.version}"; + in ungoogled-chromium { + inherit (versionEntry) rev sha256; + }; + base = rec { + name = "${packageName}-unwrapped-${version}"; + inherit (upstream-info) channel version; + inherit packageName buildType buildPath; + + src = upstream-info.main; + + nativeBuildInputs = [ + ninja which python2Packages.python perl pkgconfig + python2Packages.ply python2Packages.jinja2 nodejs + gnutar + ] ++ optional (versionAtLeast version "83") python2Packages.setuptools; + + buildInputs = defaultDependencies ++ [ + nspr nss systemd + utillinux alsaLib + bison gperf kerberos + glib gtk3 dbus-glib + libXScrnSaver libXcursor libXtst libGLU libGL + pciutils protobuf speechd libXdamage at-spi2-core + jre + ] ++ optional gnomeKeyringSupport libgnome-keyring3 + ++ optionals gnomeSupport [ gnome.GConf libgcrypt ] + ++ optionals cupsSupport [ libgcrypt cups ] + ++ optional useVaapi libva + ++ optional pulseSupport libpulseaudio + ++ optionals useOzone [ libdrm wayland mesa_drivers libxkbcommon ]; + + patches = [ + ./patches/nix_plugin_paths_68.patch + ./patches/remove-webp-include-69.patch + ./patches/no-build-timestamps.patch + ./patches/widevine-79.patch + ./patches/dont-use-ANGLE-by-default.patch + # Unfortunately, chromium regularly breaks on major updates and + # then needs various patches backported in order to be compiled with GCC. + # Good sources for such patches and other hints: + # - https://gitweb.gentoo.org/repo/gentoo.git/plain/www-client/chromium/ + # - https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/chromium + # - https://github.com/chromium/chromium/search?q=GCC&s=committer-date&type=Commits + # + # ++ optionals (channel == "dev") [ ( githubPatch "" "0000000000000000000000000000000000000000000000000000000000000000" ) ] + # ++ optional (versionRange "68" "72") ( githubPatch "" "0000000000000000000000000000000000000000000000000000000000000000" ) + ] ++ optionals (useVaapi) ([ + # source: https://aur.archlinux.org/cgit/aur.git/tree/vaapi-fix.patch?h=chromium-vaapi + ./patches/vaapi-fix.patch + ] ++ optionals (versionRange "81" "82") [ + (githubPatch "5b2ff215473e0526b5b24aeff4ad90d369b21c75" "0n00vh8wfpn2ay5fqsxcsx0zadnv7mihm72bcvnrfzh75nzbg902") + (githubPatch "98e343ab369e4262511b5fce547728e3e5eefba8" "00wwp653jk0k0yvix00vr7ymgck9dj7fxjwx4nc67ynn84dh6064") + ]); + + postPatch = '' + # We want to be able to specify where the sandbox is via CHROME_DEVEL_SANDBOX + substituteInPlace sandbox/linux/suid/client/setuid_sandbox_host.cc \ + --replace \ + 'return sandbox_binary;' \ + 'return base::FilePath(GetDevelSandboxPath());' + + substituteInPlace services/audio/audio_sandbox_hook_linux.cc \ + --replace \ + '/usr/share/alsa/' \ + '${alsaLib}/share/alsa/' \ + --replace \ + '/usr/lib/x86_64-linux-gnu/gconv/' \ + '${glibc}/lib/gconv/' \ + --replace \ + '/usr/share/locale/' \ + '${glibc}/share/locale/' + + sed -i -e 's@"\(#!\)\?.*xdg-@"\1${xdg_utils}/bin/xdg-@' \ + chrome/browser/shell_integration_linux.cc + + sed -i -e '/lib_loader.*Load/s!"\(libudev\.so\)!"${systemd.lib}/lib/\1!' \ + device/udev_linux/udev?_loader.cc + + sed -i -e '/libpci_loader.*Load/s!"\(libpci\.so\)!"${pciutils}/lib/\1!' \ + gpu/config/gpu_info_collector_linux.cc + + sed -i -re 's/([^:])\<(isnan *\()/\1std::\2/g' \ + chrome/browser/ui/webui/engagement/site_engagement_ui.cc + + sed -i -e '/#include/ { + i #include + :l; n; bl + }' gpu/config/gpu_control_list.cc + + # Allow to put extensions into the system-path. + sed -i -e 's,/usr,/run/current-system/sw,' chrome/common/chrome_paths.cc + + patchShebangs . + # use our own nodejs + mkdir -p third_party/node/linux/node-linux-x64/bin + ln -s $(which node) third_party/node/linux/node-linux-x64/bin/node + + # remove unused third-party + # in third_party/crashpad third_party/zlib contains just a header-adapter + for lib in ${toString gnSystemLibraries}; do + find -type f -path "*third_party/$lib/*" \ + \! -path "*third_party/crashpad/crashpad/third_party/zlib/*" \ + \! -path "*third_party/$lib/chromium/*" \ + \! -path "*third_party/$lib/google/*" \ + \! -path "*base/third_party/icu/*" \ + \! -path "*base/third_party/libevent/*" \ + \! -regex '.*\.\(gn\|gni\|isolate\|py\)' \ + -delete + done + '' + optionalString stdenv.isAarch64 '' + substituteInPlace build/toolchain/linux/BUILD.gn \ + --replace 'toolprefix = "aarch64-linux-gnu-"' 'toolprefix = ""' + '' + optionalString stdenv.cc.isClang '' + mkdir -p third_party/llvm-build/Release+Asserts/bin + ln -s ${stdenv.cc}/bin/clang third_party/llvm-build/Release+Asserts/bin/clang + ln -s ${stdenv.cc}/bin/clang++ third_party/llvm-build/Release+Asserts/bin/clang++ + ln -s ${llvmPackages.llvm}/bin/llvm-ar third_party/llvm-build/Release+Asserts/bin/llvm-ar + '' + optionalString ungoogled '' + ${ungoogler}/utils/prune_binaries.py . ${ungoogler}/pruning.list || echo "some errors" + ${ungoogler}/utils/patches.py . ${ungoogler}/patches + ${ungoogler}/utils/domain_substitution.py apply -r ${ungoogler}/domain_regex.list -f ${ungoogler}/domain_substitution.list -c ./ungoogled-domsubcache.tar.gz . + ''; + + gnFlags = mkGnFlags ({ + linux_use_bundled_binutils = false; + use_lld = false; + use_gold = true; + gold_path = "${stdenv.cc}/bin"; + is_debug = false; + + proprietary_codecs = false; + use_sysroot = false; + use_gnome_keyring = gnomeKeyringSupport; + use_gio = gnomeSupport; + # ninja: error: '../../native_client/toolchain/linux_x86/pnacl_newlib/bin/x86_64-nacl-objcopy', + # needed by 'nacl_irt_x86_64.nexe', missing and no known rule to make it + enable_nacl = false; + # Enabling the Widevine component here doesn't affect whether we can + # redistribute the chromium package; the Widevine component is either + # added later in the wrapped -wv build or downloaded from Google. + enable_widevine = true; + use_cups = cupsSupport; + + treat_warnings_as_errors = false; + is_clang = stdenv.cc.isClang; + clang_use_chrome_plugins = false; + blink_symbol_level = 0; + fieldtrial_testing_like_official_build = true; + + # Google API keys, see: + # http://www.chromium.org/developers/how-tos/api-keys + # Note: These are for NixOS/nixpkgs use ONLY. For your own distribution, + # please get your own set of keys. + google_api_key = "AIzaSyDGi15Zwl11UNe6Y-5XW_upsfyw31qwZPI"; + google_default_client_id = "404761575300.apps.googleusercontent.com"; + google_default_client_secret = "9rIFQjfnkykEmqb6FfjJQD1D"; + } // optionalAttrs proprietaryCodecs { + # enable support for the H.264 codec + proprietary_codecs = true; + enable_hangout_services_extension = true; + ffmpeg_branding = "Chrome"; + } // optionalAttrs useVaapi { + use_vaapi = true; + } // optionalAttrs pulseSupport { + use_pulseaudio = true; + link_pulseaudio = true; + } // optionalAttrs useOzone { + use_ozone = true; + ozone_platform_gbm = false; + use_xkbcommon = true; + use_glib = true; + use_gtk = true; + use_system_libwayland = true; + use_system_minigbm = true; + use_system_libdrm = true; + system_wayland_scanner_path = "${wayland}/bin/wayland-scanner"; + } // optionalAttrs ungoogled { + closure_compile = false; + enable_hangout_services_extension = false; + enable_mdns = false; + enable_nacl_nonsfi = false; + enable_one_click_signin = false; + enable_reading_list = false; + enable_remoting = false; + enable_reporting = false; + enable_service_discovery = false; + exclude_unwind_tables = true; + google_api_key = ""; + google_default_client_id = ""; + google_default_client_secret = ""; + optimize_webui = false; + safe_browsing_mode = 0; + use_official_google_api_keys = false; + use_unofficial_version_number = false; + } // (extraAttrs.gnFlags or {})); + + configurePhase = '' + runHook preConfigure + + # This is to ensure expansion of $out. + libExecPath="${libExecPath}" + python build/linux/unbundle/replace_gn_files.py \ + --system-libraries ${toString gnSystemLibraries} + ${gnChromium}/bin/gn gen --args=${escapeShellArg gnFlags} out/Release | tee gn-gen-outputs.txt + + # Fail if `gn gen` contains a WARNING. + grep -o WARNING gn-gen-outputs.txt && echo "Found gn WARNING, exiting nix build" && exit 1 + + runHook postConfigure + ''; + + # Don't spam warnings about unknown warning options. This is useful because + # our Clang is always older than Chromium's and the build logs have a size + # of approx. 25 MB without this option (and this saves e.g. 66 %). + NIX_CFLAGS_COMPILE = "-Wno-unknown-warning-option"; + + buildPhase = let + # Build paralelism: on Hydra the build was frequently running into memory + # exhaustion, and even other users might be running into similar issues. + # -j is halved to avoid memory problems, and -l is slightly increased + # so that the build gets slight preference before others + # (it will often be on "critical path" and at risk of timing out) + buildCommand = target: '' + ninja -C "${buildPath}" \ + -j$(( ($NIX_BUILD_CORES+1) / 2 )) -l$(( $NIX_BUILD_CORES+1 )) \ + "${target}" + ( + source chrome/installer/linux/common/installer.include + PACKAGE=$packageName + MENUNAME="Chromium" + process_template chrome/app/resources/manpage.1.in "${buildPath}/chrome.1" + ) + ''; + targets = extraAttrs.buildTargets or []; + commands = map buildCommand targets; + in concatStringsSep "\n" commands; + + postFixup = '' + # Make sure that libGLESv2 is found by dlopen (if using EGL). + chromiumBinary="$libExecPath/$packageName" + origRpath="$(patchelf --print-rpath "$chromiumBinary")" + patchelf --set-rpath "${libGL}/lib:$origRpath" "$chromiumBinary" + ''; + }; + +# Remove some extraAttrs we supplied to the base attributes already. +in stdenv.mkDerivation (base // removeAttrs extraAttrs [ + "name" "gnFlags" "buildTargets" +]) diff --git a/pkgs/applications/networking/browsers/ungoogled-chromium/default.nix b/pkgs/applications/networking/browsers/ungoogled-chromium/default.nix new file mode 100644 index 000000000000..f172e7c09ce2 --- /dev/null +++ b/pkgs/applications/networking/browsers/ungoogled-chromium/default.nix @@ -0,0 +1,205 @@ +{ newScope, config, stdenv, llvmPackages_9, llvmPackages_10 +, makeWrapper, ed +, glib, gtk3, gnome3, gsettings-desktop-schemas, gn, fetchgit +, libva ? null +, gcc, nspr, nss, patchelfUnstable, runCommand +, lib + +# package customization +, channel ? "stable" +, gnomeSupport ? false, gnome ? null +, gnomeKeyringSupport ? false +, proprietaryCodecs ? true +, enablePepperFlash ? false +, enableWideVine ? false +, ungoogled ? true +, useVaapi ? false # test video on radeon, before enabling this +, useOzone ? false +, cupsSupport ? true +, pulseSupport ? config.pulseaudio or stdenv.isLinux +, commandLineArgs ? "" +}: + +let + llvmPackages = if channel == "dev" + then llvmPackages_10 + else llvmPackages_9; + stdenv = llvmPackages.stdenv; + + callPackage = newScope chromium; + + chromium = { + inherit stdenv llvmPackages; + + upstream-info = (callPackage ./update.nix {}).getChannel channel; + + mkChromiumDerivation = callPackage ./common.nix ({ + inherit gnome gnomeSupport gnomeKeyringSupport proprietaryCodecs cupsSupport pulseSupport useVaapi useOzone ungoogled; + gnChromium = gn; + } // lib.optionalAttrs (channel == "dev") { + # TODO: Remove after we can update gn for the stable channel (backward incompatible changes): + gnChromium = gn.overrideAttrs (oldAttrs: { + version = "2020-03-23"; + src = fetchgit { + url = "https://gn.googlesource.com/gn"; + rev = "5ed3c9cc67b090d5e311e4bd2aba072173e82db9"; + sha256 = "00y2d35wvqmx9glaqhfb62wdgbfpwr77v0934nnvh9ks71vnsjqy"; + }; + }); + }); + + browser = callPackage ./browser.nix { inherit channel enableWideVine; }; + + plugins = callPackage ./plugins.nix { + inherit enablePepperFlash; + }; + + ungoogled-chromium = callPackage ./ungoogled.nix {}; + }; + + mkrpath = p: "${lib.makeSearchPathOutput "lib" "lib64" p}:${lib.makeLibraryPath p}"; + widevineCdm = let upstream-info = chromium.upstream-info; in stdenv.mkDerivation { + name = "chrome-widevine-cdm"; + + # The .deb file for Google Chrome + src = upstream-info.binary; + + nativeBuildInputs = [ patchelfUnstable ]; + + phases = [ "unpackPhase" "patchPhase" "installPhase" "checkPhase" ]; + + unpackCmd = let + widevineCdmPath = + if upstream-info.channel == "stable" then + "./opt/google/chrome/WidevineCdm" + else if upstream-info.channel == "beta" then + "./opt/google/chrome-beta/WidevineCdm" + else if upstream-info.channel == "dev" then + "./opt/google/chrome-unstable/WidevineCdm" + else + throw "Unknown chromium channel."; + in '' + # Extract just WidevineCdm from upstream's .deb file + ar p "$src" data.tar.xz | tar xJ "${widevineCdmPath}" + + # Move things around so that we don't have to reference a particular + # chrome-* directory later. + mv "${widevineCdmPath}" ./ + + # unpackCmd wants a single output directory; let it take WidevineCdm/ + rm -rf opt + ''; + + doCheck = true; + checkPhase = '' + ! find -iname '*.so' -exec ldd {} + | grep 'not found' + ''; + + PATCH_RPATH = mkrpath [ gcc.cc glib nspr nss ]; + + patchPhase = '' + patchelf --set-rpath "$PATCH_RPATH" _platform_specific/linux_x64/libwidevinecdm.so + ''; + + installPhase = '' + mkdir -p $out/WidevineCdm + cp -a * $out/WidevineCdm/ + ''; + + meta = { + platforms = [ "x86_64-linux" ]; + license = lib.licenses.unfree; + }; + }; + + suffix = if channel != "stable" then "-" + channel else ""; + + sandboxExecutableName = chromium.browser.passthru.sandboxExecutableName; + + version = chromium.browser.version; + + # We want users to be able to enableWideVine without rebuilding all of + # chromium, so we have a separate derivation here that copies chromium + # and adds the unfree WidevineCdm. + chromiumWV = let browser = chromium.browser; in if enableWideVine then + runCommand (browser.name + "-wv") { version = browser.version; } + '' + mkdir -p $out + cp -a ${browser}/* $out/ + chmod u+w $out/libexec/chromium + cp -a ${widevineCdm}/WidevineCdm $out/libexec/chromium/ + '' + else browser; +in stdenv.mkDerivation { + name = "chromium${suffix}-${version}"; + inherit version; + + buildInputs = [ + makeWrapper ed + + # needed for GSETTINGS_SCHEMAS_PATH + gsettings-desktop-schemas glib gtk3 + + # needed for XDG_ICON_DIRS + gnome3.adwaita-icon-theme + ]; + + outputs = ["out" "sandbox"]; + + buildCommand = let + browserBinary = "${chromiumWV}/libexec/chromium/chromium"; + getWrapperFlags = plugin: "$(< \"${plugin}/nix-support/wrapper-flags\")"; + libPath = stdenv.lib.makeLibraryPath ([] + ++ stdenv.lib.optional useVaapi libva + ); + + in with stdenv.lib; '' + mkdir -p "$out/bin" + + eval makeWrapper "${browserBinary}" "$out/bin/chromium" \ + --add-flags ${escapeShellArg (escapeShellArg commandLineArgs)} \ + ${concatMapStringsSep " " getWrapperFlags chromium.plugins.enabled} + + ed -v -s "$out/bin/chromium" << EOF + 2i + + if [ -x "/run/wrappers/bin/${sandboxExecutableName}" ] + then + export CHROME_DEVEL_SANDBOX="/run/wrappers/bin/${sandboxExecutableName}" + else + export CHROME_DEVEL_SANDBOX="$sandbox/bin/${sandboxExecutableName}" + fi + + '' + lib.optionalString (libPath != "") '' + # To avoid loading .so files from cwd, LD_LIBRARY_PATH here must not + # contain an empty section before or after a colon. + export LD_LIBRARY_PATH="\$LD_LIBRARY_PATH\''${LD_LIBRARY_PATH:+:}${libPath}" + '' + '' + + # libredirect causes chromium to deadlock on startup + export LD_PRELOAD="\$(echo -n "\$LD_PRELOAD" | tr ':' '\n' | grep -v /lib/libredirect\\\\.so$ | tr '\n' ':')" + + export XDG_DATA_DIRS=$XDG_ICON_DIRS:$GSETTINGS_SCHEMAS_PATH\''${XDG_DATA_DIRS:+:}\$XDG_DATA_DIRS + + . + w + EOF + + ln -sv "${chromium.browser.sandbox}" "$sandbox" + + ln -s "$out/bin/chromium" "$out/bin/chromium-browser" + + mkdir -p "$out/share" + for f in '${chromium.browser}'/share/*; do # hello emacs */ + ln -s -t "$out/share/" "$f" + done + ''; + + inherit (chromium.browser) packageName; + meta = chromium.browser.meta; + passthru = { + inherit (chromium) upstream-info browser; + mkDerivation = chromium.mkChromiumDerivation; + inherit sandboxExecutableName; + }; +} diff --git a/pkgs/applications/networking/browsers/ungoogled-chromium/patches/dont-use-ANGLE-by-default.patch b/pkgs/applications/networking/browsers/ungoogled-chromium/patches/dont-use-ANGLE-by-default.patch new file mode 100644 index 000000000000..9f14a304eb34 --- /dev/null +++ b/pkgs/applications/networking/browsers/ungoogled-chromium/patches/dont-use-ANGLE-by-default.patch @@ -0,0 +1,26 @@ +A field trial currently enables the passthrough command decoder, which causes +gl_factory.cc to try kGLImplementationEGLANGLE first, which causes Chromium to fail +to load libGLESv2.so on NixOS. It somehow does not try kGLImplementationDesktopGL, +and so there is no GL support at all. + +Revert to using the validating command decoder, which prevents gl_factory.cc +from touching allowed_impls, allowing it to successfully use kGLImplementationDesktopGL. + +diff --git a/ui/gl/gl_utils.cc b/ui/gl/gl_utils.cc +index 697cbed5fe2d..8419bdb21a2f 100644 +--- a/ui/gl/gl_utils.cc ++++ b/ui/gl/gl_utils.cc +@@ -71,9 +71,10 @@ bool UsePassthroughCommandDecoder(const base::CommandLine* command_line) { + } else if (switch_value == kCmdDecoderValidatingName) { + return false; + } else { +- // Unrecognized or missing switch, use the default. +- return base::FeatureList::IsEnabled( +- features::kDefaultPassthroughCommandDecoder); ++ // Ignore the field trial that enables it; disable it until ++ // gl_factory.cc kGLImplementationEGLANGLE issues are sorted ++ // out on NixOS. ++ return false; + } + } + } diff --git a/pkgs/applications/networking/browsers/ungoogled-chromium/patches/nix_plugin_paths_68.patch b/pkgs/applications/networking/browsers/ungoogled-chromium/patches/nix_plugin_paths_68.patch new file mode 100644 index 000000000000..da6a4c92b460 --- /dev/null +++ b/pkgs/applications/networking/browsers/ungoogled-chromium/patches/nix_plugin_paths_68.patch @@ -0,0 +1,61 @@ +diff --git a/chrome/common/chrome_paths.cc b/chrome/common/chrome_paths.cc +index f4e119d..d9775bd 100644 +--- a/chrome/common/chrome_paths.cc ++++ b/chrome/common/chrome_paths.cc +@@ -68,21 +68,14 @@ static base::LazyInstance + g_invalid_specified_user_data_dir = LAZY_INSTANCE_INITIALIZER; + + // Gets the path for internal plugins. +-bool GetInternalPluginsDirectory(base::FilePath* result) { +-#if defined(OS_MACOSX) +- // If called from Chrome, get internal plugins from a subdirectory of the +- // framework. +- if (base::mac::AmIBundled()) { +- *result = chrome::GetFrameworkBundlePath(); +- DCHECK(!result->empty()); +- *result = result->Append("Internet Plug-Ins"); +- return true; +- } +- // In tests, just look in the module directory (below). +-#endif +- +- // The rest of the world expects plugins in the module directory. +- return base::PathService::Get(base::DIR_MODULE, result); ++bool GetInternalPluginsDirectory(base::FilePath* result, ++ const std::string& ident) { ++ std::string full_env = std::string("NIX_CHROMIUM_PLUGIN_PATH_") + ident; ++ const char* value = getenv(full_env.c_str()); ++ if (value == NULL) ++ return base::PathService::Get(base::DIR_MODULE, result); ++ else ++ *result = base::FilePath(value); + } + + // Gets the path for bundled implementations of components. Note that these +@@ -272,7 +265,7 @@ bool PathProvider(int key, base::FilePath* result) { + create_dir = true; + break; + case chrome::DIR_INTERNAL_PLUGINS: +- if (!GetInternalPluginsDirectory(&cur)) ++ if (!GetInternalPluginsDirectory(&cur, "ALL")) + return false; + break; + case chrome::DIR_COMPONENTS: +@@ -280,7 +273,7 @@ bool PathProvider(int key, base::FilePath* result) { + return false; + break; + case chrome::DIR_PEPPER_FLASH_PLUGIN: +- if (!GetInternalPluginsDirectory(&cur)) ++ if (!GetInternalPluginsDirectory(&cur, "PEPPERFLASH")) + return false; + cur = cur.Append(kPepperFlashBaseDirectory); + break; +@@ -358,7 +351,7 @@ bool PathProvider(int key, base::FilePath* result) { + cur = cur.DirName(); + } + #else +- if (!GetInternalPluginsDirectory(&cur)) ++ if (!GetInternalPluginsDirectory(&cur, "PNACL")) + return false; + #endif + cur = cur.Append(FILE_PATH_LITERAL("pnacl")); diff --git a/pkgs/applications/networking/browsers/ungoogled-chromium/patches/no-build-timestamps.patch b/pkgs/applications/networking/browsers/ungoogled-chromium/patches/no-build-timestamps.patch new file mode 100644 index 000000000000..6b788f43d29c --- /dev/null +++ b/pkgs/applications/networking/browsers/ungoogled-chromium/patches/no-build-timestamps.patch @@ -0,0 +1,17 @@ +--- chromium-70.0.3538.67/build/compute_build_timestamp.py.orig 2018-11-02 16:00:34.368933077 +0200 ++++ chromium-70.0.3538.67/build/compute_build_timestamp.py 2018-11-08 04:06:21.658105129 +0200 +@@ -94,6 +94,14 @@ + 'build_type', help='The type of build', choices=('official', 'default')) + args = argument_parser.parse_args() + ++ # I don't trust LASTCHANGE magic, and I definelly want something deterministic here ++ SOURCE_DATE_EPOCH = os.getenv("SOURCE_DATE_EPOCH", None) ++ if SOURCE_DATE_EPOCH is not None: ++ print(SOURCE_DATE_EPOCH) ++ return 0 ++ else: ++ raise RuntimeError("SOURCE_DATE_EPOCH not set") ++ + # The mtime of the revision in build/util/LASTCHANGE is stored in a file + # next to it. Read it, to get a deterministic time close to "now". + # That date is then modified as described at the top of the file so that diff --git a/pkgs/applications/networking/browsers/ungoogled-chromium/patches/remove-webp-include-69.patch b/pkgs/applications/networking/browsers/ungoogled-chromium/patches/remove-webp-include-69.patch new file mode 100644 index 000000000000..07572cf7ee94 --- /dev/null +++ b/pkgs/applications/networking/browsers/ungoogled-chromium/patches/remove-webp-include-69.patch @@ -0,0 +1,11 @@ +--- a/third_party/blink/renderer/platform/image-encoders/image_encoder.cc ++++ b/third_party/blink/renderer/platform/image-encoders/image_encoder.cc +@@ -13,7 +13,7 @@ + + #include "jpeglib.h" // for JPEG_MAX_DIMENSION + +-#include "third_party/libwebp/src/webp/encode.h" // for WEBP_MAX_DIMENSION ++#define WEBP_MAX_DIMENSION 16383 + + namespace blink { + diff --git a/pkgs/applications/networking/browsers/ungoogled-chromium/patches/vaapi-fix.patch b/pkgs/applications/networking/browsers/ungoogled-chromium/patches/vaapi-fix.patch new file mode 100644 index 000000000000..b5372d1a2556 --- /dev/null +++ b/pkgs/applications/networking/browsers/ungoogled-chromium/patches/vaapi-fix.patch @@ -0,0 +1,74 @@ +--- a/media/gpu/vaapi/vaapi_video_decode_accelerator.cc ++++ b/media/gpu/vaapi/vaapi_video_decode_accelerator.cc +@@ -641,6 +641,7 @@ void VaapiVideoDecodeAccelerator::AssignPictureBuffers( + // |vpp_vaapi_wrapper_| for VaapiPicture to DownloadFromSurface() the VA's + // internal decoded frame. + if (buffer_allocation_mode_ != BufferAllocationMode::kNone && ++ buffer_allocation_mode_ != BufferAllocationMode::kWrapVdpau && + !vpp_vaapi_wrapper_) { + vpp_vaapi_wrapper_ = VaapiWrapper::Create( + VaapiWrapper::kVideoProcess, VAProfileNone, +@@ -665,7 +666,8 @@ void VaapiVideoDecodeAccelerator::AssignPictureBuffers( + PictureBuffer buffer = buffers[i]; + buffer.set_size(requested_pic_size_); + std::unique_ptr picture = vaapi_picture_factory_->Create( +- (buffer_allocation_mode_ == BufferAllocationMode::kNone) ++ ((buffer_allocation_mode_ == BufferAllocationMode::kNone) || ++ (buffer_allocation_mode_ == BufferAllocationMode::kWrapVdpau)) + ? vaapi_wrapper_ + : vpp_vaapi_wrapper_, + make_context_current_cb_, bind_image_cb_, buffer); +@@ -1093,6 +1095,12 @@ VaapiVideoDecodeAccelerator::GetSupportedProfiles() { + + VaapiVideoDecodeAccelerator::BufferAllocationMode + VaapiVideoDecodeAccelerator::DecideBufferAllocationMode() { ++ // NVIDIA blobs use VDPAU ++ if (VaapiWrapper::GetImplementationType() == VAImplementation::kNVIDIAVDPAU) { ++ LOG(INFO) << "VA-API driver on VDPAU backend"; ++ return BufferAllocationMode::kWrapVdpau; ++ } ++ + // TODO(crbug.com/912295): Enable a better BufferAllocationMode for IMPORT + // |output_mode_| as well. + if (output_mode_ == VideoDecodeAccelerator::Config::OutputMode::IMPORT) +@@ -1105,7 +1113,7 @@ VaapiVideoDecodeAccelerator::DecideBufferAllocationMode() { + // depends on the bitstream and sometimes it's not enough to cover the amount + // of frames needed by the client pipeline (see b/133733739). + // TODO(crbug.com/911754): Enable for VP9 Profile 2. +- if (IsGeminiLakeOrLater() && ++ if (false && IsGeminiLakeOrLater() && + (profile_ == VP9PROFILE_PROFILE0 || profile_ == VP8PROFILE_ANY)) { + // Add one to the reference frames for the one being currently egressed, and + // an extra allocation for both |client_| and |decoder_|, see +--- a/media/gpu/vaapi/vaapi_video_decode_accelerator.h ++++ b/media/gpu/vaapi/vaapi_video_decode_accelerator.h +@@ -204,6 +204,7 @@ class MEDIA_GPU_EXPORT VaapiVideoDecodeAccelerator + // Using |client_|s provided PictureBuffers and as many internally + // allocated. + kNormal, ++ kWrapVdpau, + }; + + // Decides the concrete buffer allocation mode, depending on the hardware +--- a/media/gpu/vaapi/vaapi_wrapper.cc ++++ b/media/gpu/vaapi/vaapi_wrapper.cc +@@ -131,6 +131,9 @@ media::VAImplementation VendorStringToImplementationType( + } else if (base::StartsWith(va_vendor_string, "Intel iHD driver", + base::CompareCase::SENSITIVE)) { + return media::VAImplementation::kIntelIHD; ++ } else if (base::StartsWith(va_vendor_string, "Splitted-Desktop Systems VDPAU", ++ base::CompareCase::SENSITIVE)) { ++ return media::VAImplementation::kNVIDIAVDPAU; + } + return media::VAImplementation::kOther; + } +--- a/media/gpu/vaapi/vaapi_wrapper.h ++++ b/media/gpu/vaapi/vaapi_wrapper.h +@@ -79,6 +79,7 @@ enum class VAImplementation { + kIntelIHD, + kOther, + kInvalid, ++ kNVIDIAVDPAU, + }; + + // This class handles VA-API calls and ensures proper locking of VA-API calls diff --git a/pkgs/applications/networking/browsers/ungoogled-chromium/patches/widevine-79.patch b/pkgs/applications/networking/browsers/ungoogled-chromium/patches/widevine-79.patch new file mode 100644 index 000000000000..32f0ae2fb5e6 --- /dev/null +++ b/pkgs/applications/networking/browsers/ungoogled-chromium/patches/widevine-79.patch @@ -0,0 +1,13 @@ +diff --git a/third_party/widevine/cdm/BUILD.gn b/third_party/widevine/cdm/BUILD.gn +index ed0e2f5208b..5b431a030d5 100644 +--- a/third_party/widevine/cdm/BUILD.gn ++++ b/third_party/widevine/cdm/BUILD.gn +@@ -14,7 +14,7 @@ buildflag_header("buildflags") { + + flags = [ + "ENABLE_WIDEVINE=$enable_widevine", +- "BUNDLE_WIDEVINE_CDM=$bundle_widevine_cdm", ++ "BUNDLE_WIDEVINE_CDM=true", + "ENABLE_WIDEVINE_CDM_COMPONENT=$enable_widevine_cdm_component", + ] + } diff --git a/pkgs/applications/networking/browsers/ungoogled-chromium/plugins.nix b/pkgs/applications/networking/browsers/ungoogled-chromium/plugins.nix new file mode 100644 index 000000000000..434bd77b6d18 --- /dev/null +++ b/pkgs/applications/networking/browsers/ungoogled-chromium/plugins.nix @@ -0,0 +1,93 @@ +{ stdenv, gcc +, jshon +, glib +, nspr +, nss +, fetchzip +, patchelfUnstable +, enablePepperFlash ? false + +, upstream-info +}: + +with stdenv.lib; + +let + mkrpath = p: "${makeSearchPathOutput "lib" "lib64" p}:${makeLibraryPath p}"; + + # Generate a shell fragment that emits flags appended to the + # final makeWrapper call for wrapping the browser's main binary. + # + # Note that this is shell-escaped so that only the variable specified + # by the "output" attribute is substituted. + mkPluginInfo = { output ? "out", allowedVars ? [ output ] + , flags ? [], envVars ? {} + }: let + shSearch = ["'"] ++ map (var: "@${var}@") allowedVars; + shReplace = ["'\\''"] ++ map (var: "'\"\${${var}}\"'") allowedVars; + # We need to triple-escape "val": + # * First because makeWrapper doesn't do any quoting of its arguments by + # itself. + # * Second because it's passed to the makeWrapper call separated by IFS but + # not by the _real_ arguments, for example the Widevine plugin flags + # contain spaces, so they would end up as separate arguments. + # * Third in order to be correctly quoted for the "echo" call below. + shEsc = val: "'${replaceStrings ["'"] ["'\\''"] val}'"; + mkSh = val: "'${replaceStrings shSearch shReplace (shEsc val)}'"; + mkFlag = flag: ["--add-flags" (shEsc flag)]; + mkEnvVar = key: val: ["--set" (shEsc key) (shEsc val)]; + envList = mapAttrsToList mkEnvVar envVars; + quoted = map mkSh (flatten ((map mkFlag flags) ++ envList)); + in '' + mkdir -p "''$${output}/nix-support" + echo ${toString quoted} > "''$${output}/nix-support/wrapper-flags" + ''; + + flash = stdenv.mkDerivation rec { + pname = "flashplayer-ppapi"; + version = "32.0.0.344"; + + src = fetchzip { + url = "https://fpdownload.adobe.com/pub/flashplayer/pdc/${version}/flash_player_ppapi_linux.x86_64.tar.gz"; + sha256 = "05ijlgsby9zxx0qs6f3vav1z0p6xr1cg6idl4akxvfmsl6hn6hkq"; + stripRoot = false; + }; + + patchPhase = '' + chmod +x libpepflashplayer.so + patchelf --set-rpath "${mkrpath [ gcc.cc ]}" libpepflashplayer.so + ''; + + doCheck = true; + checkPhase = '' + ! find -iname '*.so' -exec ldd {} + | grep 'not found' + ''; + + installPhase = '' + flashVersion="$( + "${jshon}/bin/jshon" -F manifest.json -e version -u + )" + + install -vD libpepflashplayer.so "$out/lib/libpepflashplayer.so" + + ${mkPluginInfo { + allowedVars = [ "out" "flashVersion" ]; + flags = [ + "--ppapi-flash-path=@out@/lib/libpepflashplayer.so" + "--ppapi-flash-version=@flashVersion@" + ]; + }} + ''; + + dontStrip = true; + + meta = { + license = stdenv.lib.licenses.unfree; + maintainers = with stdenv.lib.maintainers; [ taku0 ]; + platforms = platforms.x86_64; + }; + }; + +in { + enabled = optional enablePepperFlash flash; +} diff --git a/pkgs/applications/networking/browsers/ungoogled-chromium/ungoogled-src.nix b/pkgs/applications/networking/browsers/ungoogled-chromium/ungoogled-src.nix new file mode 100644 index 000000000000..9b5c76f53429 --- /dev/null +++ b/pkgs/applications/networking/browsers/ungoogled-chromium/ungoogled-src.nix @@ -0,0 +1,6 @@ +{ + "81.0.4044.92" = { + rev = "81.0.4044.92-2"; + sha256 = "071a33idn2zcix6z8skn7y85mhb9w5s0bh0fvrjm269y7cmjrh3l"; + }; +} diff --git a/pkgs/applications/networking/browsers/ungoogled-chromium/ungoogled.nix b/pkgs/applications/networking/browsers/ungoogled-chromium/ungoogled.nix new file mode 100644 index 000000000000..17418c90af49 --- /dev/null +++ b/pkgs/applications/networking/browsers/ungoogled-chromium/ungoogled.nix @@ -0,0 +1,42 @@ +{ stdenv +, fetchFromGitHub +, python3Packages +, makeWrapper +, patch +}: +{ rev +, sha256 +}: + +stdenv.mkDerivation rec { + name = "ungoogled-chromium-${version}"; + + version = rev; + + src = fetchFromGitHub { + owner = "Eloston"; + repo = "ungoogled-chromium"; + inherit rev sha256; + }; + + dontBuild = true; + + buildInputs = [ + python3Packages.python + patch + ]; + + nativeBuildInputs = [ + makeWrapper + ]; + + patchPhase = '' + sed -i '/chromium-widevine/d' patches/series + ''; + + installPhase = '' + mkdir $out + cp -R * $out/ + wrapProgram $out/utils/patches.py --add-flags "apply" --prefix PATH : "${patch}/bin" + ''; +} diff --git a/pkgs/applications/networking/browsers/ungoogled-chromium/update.nix b/pkgs/applications/networking/browsers/ungoogled-chromium/update.nix new file mode 100644 index 000000000000..6dff17c69ddb --- /dev/null +++ b/pkgs/applications/networking/browsers/ungoogled-chromium/update.nix @@ -0,0 +1,271 @@ +let maybePkgs = import ../../../../../. {}; in + +{ stdenv ? maybePkgs.stdenv +, runCommand ? maybePkgs.runCommand +, fetchurl ? maybePkgs.fetchurl +, writeText ? maybePkgs.writeText +, curl ? maybePkgs.curl +, cacert ? maybePkgs.cacert +, nix ? maybePkgs.nix +}: + +let + inherit (stdenv) lib; + + sources = if builtins.pathExists ./upstream-info.nix + then import ./upstream-info.nix + else {}; + + bucketURL = "https://commondatastorage.googleapis.com/" + + "chromium-browser-official"; + + mkVerURL = version: "${bucketURL}/chromium-${version}.tar.xz"; + + debURL = "https://dl.google.com/linux/chrome/deb/pool/main/g"; + + getDebURL = channelName: version: arch: mirror: let + packageSuffix = if channelName == "dev" then "unstable" else channelName; + packageName = "google-chrome-${packageSuffix}"; + in "${mirror}/${packageName}/${packageName}_${version}-1_${arch}.deb"; + + # Untrusted mirrors, don't try to update from them! + debMirrors = [ + "http://95.31.35.30/chrome/pool/main/g" + "http://mirror.pcbeta.com/google/chrome/deb/pool/main/g" + "http://repo.fdzh.org/chrome/deb/pool/main/g" + ]; + +in { + getChannel = channel: let + chanAttrs = builtins.getAttr channel sources; + in { + inherit channel; + inherit (chanAttrs) version; + + main = fetchurl { + url = mkVerURL chanAttrs.version; + inherit (chanAttrs) sha256; + }; + + binary = fetchurl (let + mkUrls = arch: let + mkURLForMirror = getDebURL channel chanAttrs.version arch; + in map mkURLForMirror ([ debURL ] ++ debMirrors); + in if stdenv.is64bit && chanAttrs ? sha256bin64 then { + urls = mkUrls "amd64"; + sha256 = chanAttrs.sha256bin64; + } else if !stdenv.is64bit && chanAttrs ? sha256bin32 then { + urls = mkUrls "i386"; + sha256 = chanAttrs.sha256bin32; + } else throw "No Chrome plugins are available for your architecture."); + }; + + update = let + csv2nix = name: src: import (runCommand "${name}.nix" { + src = builtins.fetchurl src; + } '' + esc() { echo "\"$(echo "$1" | sed -e 's/"\\$/\\&/')\""; } # ohai emacs " + IFS=, read -r -a headings <<< "$(head -n1 "$src")" + echo "[" > "$out" + tail -n +2 "$src" | while IFS=, read -r -a line; do + echo " {" + for idx in "''${!headings[@]}"; do + echo " $(esc "''${headings[idx]}") = $(esc ''${line[$idx]});" + done + echo " }" + done >> "$out" + echo "]" >> "$out" + ''); + + channels = lib.fold lib.recursiveUpdate {} (map (attrs: { + ${attrs.os}.${attrs.channel} = attrs // { + history = let + drvName = "omahaproxy-${attrs.os}.${attrs.channel}-info"; + history = csv2nix drvName "http://omahaproxy.appspot.com/history"; + cond = h: attrs.os == h.os && attrs.channel == h.channel + && lib.versionOlder h.version attrs.current_version; + # Note that this is a *reverse* sort! + sorter = a: b: lib.versionOlder b.version a.version; + sorted = builtins.sort sorter (lib.filter cond history); + in map (lib.flip removeAttrs ["os" "channel"]) sorted; + version = attrs.current_version; + }; + }) (csv2nix "omahaproxy-info" "http://omahaproxy.appspot.com/all?csv=1")); + + /* + XXX: This is essentially the same as: + + builtins.tryEval (builtins.fetchurl url) + + ... except that tryEval on fetchurl isn't working and doesn't catch + errors for fetchurl, so we go for a different approach. + + We only have fixed-output derivations that can have networking access, so + we abuse SHA1 and its weaknesses to forge a fixed-output derivation which + is not so fixed, because it emits different contents that have the same + SHA1 hash. + + Using this method, we can distinguish whether the URL is available or + whether it's not based on the actual content. + + So let's use tryEval as soon as it's working with fetchurl in Nix. + */ + tryFetch = url: let + # SHA1 hash collisions from https://shattered.io/static/shattered.pdf: + collisions = runCommand "sha1-collisions" { + outputs = [ "out" "good" "bad" ]; + base64 = '' + QlpoOTFBWSZTWbL5V5MABl///////9Pv///v////+/////HDdK739/677r+W3/75rUNr4 + Aa/AAAAAAACgEVTRtQDQAaA0AAyGmjTQGmgAAANGgAaMIAYgGgAABo0AAAAAADQAIAGQ0 + MgDIGmjQA0DRk0AaMQ0DQAGIANGgAAGRoNGQMRpo0GIGgBoGQAAIAGQ0MgDIGmjQA0DRk + 0AaMQ0DQAGIANGgAAGRoNGQMRpo0GIGgBoGQAAIAGQ0MgDIGmjQA0DRk0AaMQ0DQAGIAN + GgAAGRoNGQMRpo0GIGgBoGQAAIAGQ0MgDIGmjQA0DRk0AaMQ0DQAGIANGgAAGRoNGQMRp + o0GIGgBoGQAABVTUExEZATTICnkxNR+p6E09JppoyamjGhkm0ammIyaekbUejU9JiGnqZ + qaaDxJ6m0JkZMQ2oaYmJ6gxqMyE2TUzJqfItligtJQJfYbl9Zy9QjQuB5mHQRdSSXCCTH + MgmSDYmdOoOmLTBJWiCpOhMQYpQlOYpJjn+wQUJSTCEpOMekaFaaNB6glCC0hKEJdHr6B + mUIHeph7YxS8WJYyGwgWnMTFJBDFSxSCCYljiEk7HZgJzJVDHJxMgY6tCEIIWgsKSlSZ0 + S8GckoIIF+551Ro4RCw260VCEpWJSlpWx/PMrLyVoyhWMAneDilBcUIeZ1j6NCkus0qUC + Wnahhk5KT4GpWMh3vm2nJWjTL9Qg+84iExBJhNKpbV9tvEN265t3fu/TKkt4rXFTsV+Nc + upJXhOhOhJMQQktrqt4K8mSh9M2DAO2X7uXGVL9YQxUtzQmS7uBndL7M6R7vX869VxqPu + renSuHYNq1yTXOfNWLwgvKlRlFYqLCs6OChDp0HuTzCWscmGudLyqUuwVGG75nmyZhKpJ + yOE/pOZyHyrZxGM51DYIN+Jc8yVJgAykxKCEtW55MlfudLg3KG6TtozalunXrroSxUpVL + StWrWLFihMnVpkyZOrQnUrE6xq1CGtJlbAb5ShMbV1CZgqlKC0wCFCpMmUKSEkvFLaZC8 + wHOCVAlvzaJQ/T+XLb5Dh5TNM67p6KZ4e4ZSGyVENx2O27LzrTIteAreTkMZpW95GS0CE + JYhMc4nToTJ0wQhKEyddaLb/rTqmgJSlkpnALxMhlNmuKEpkEkqhKUoEq3SoKUpIQcDgW + lC0rYahMmLuPQ0fHqZaF4v2W8IoJ2EhMhYmSw7qql27WJS+G4rUplToFi2rSv0NSrVvDU + pltQ8Lv6F8pXyxmFBSxiLSxglNC4uvXVKmAtusXy4YXGX1ixedEvXF1aX6t8adYnYCpC6 + rW1ZzdZYlCCxKEv8vpbqdSsXl8v1jCQv0KEPxPTa/5rtWSF1dSgg4z4KjfIMNtgwWoWLE + sRhKxsSA9ji7V5LRPwtumeQ8V57UtFSPIUmtQdOQfseI2Ly1DMtk4Jl8n927w34zrWG6P + i4jzC82js/46Rt2IZoadWxOtMInS2xYmcu8mOw9PLYxQ4bdfFw3ZPf/g2pzSwZDhGrZAl + 9lqky0W+yeanadC037xk496t0Dq3ctfmqmjgie8ln9k6Q0K1krb3dK9el4Xsu44LpGcen + r2eQZ1s1IhOhnE56WnXf0BLWn9Xz15fMkzi4kpVxiTKGEpffErEEMvEeMZhUl6yD1SdeJ + YbxzGNM3ak2TAaglLZlDCVnoM6wV5DRrycwF8Zh/fRsdmhkMfAO1duwknrsFwrzePWeMw + l107DWzymxdQwiSXx/lncnn75jL9mUzw2bUDqj20LTgtawxK2SlQg1CCZDQMgSpEqLjRM + sykM9zbSIUqil0zNk7Nu+b5J0DKZlhl9CtpGKgX5uyp0idoJ3we9bSrY7PupnUL5eWiDp + V5mmnNUhOnYi8xyClkLbNmAXyoWk7GaVrM2umkbpqHDzDymiKjetgzTocWNsJ2E0zPcfh + t46J4ipaXGCfF7fuO0a70c82bvqo3HceIcRlshgu73seO8BqlLIap2z5jTOY+T2ucCnBt + Atva3aHdchJg9AJ5YdKHz7LoA3VKmeqxAlFyEnQLBxB2PAhAZ8KvmuR6ELXws1Qr13Nd1 + i4nsp189jqvaNzt+0nEnIaniuP1+/UOZdyfoZh57ku8sYHKdvfW/jYSUks+0rK+qtte+p + y8jWL9cOJ0fV8rrH/t+85/p1z2N67p/ZsZ3JmdyliL7lrNxZUlx0MVIl6PxXOUuGOeArW + 3vuEvJ2beoh7SGyZKHKbR2bBWO1d49JDIcVM6lQtu9UO8ec8pOnXmkcponBPLNM2CwZ9k + NC/4ct6rQkPkQHMcV/8XckU4UJCy+VeTA== + ''; + } '' + echo "$base64" | base64 -d | tar xj + mv good.pdf "$good" + mv bad.pdf "$bad" + touch "$out" + ''; + + cacheVal = let + urlHash = builtins.hashString "sha256" url; + timeSlice = builtins.currentTime / 600; + in "${urlHash}-${toString timeSlice}"; + + in { + success = import (runCommand "check-success" { + result = stdenv.mkDerivation { + name = "tryfetch-${cacheVal}"; + inherit url; + + outputHash = "d00bbe65d80f6d53d5c15da7c6b4f0a655c5a86a"; + outputHashMode = "flat"; + outputHashAlgo = "sha1"; + + nativeBuildInputs = [ curl ]; + preferLocalBuild = true; + + inherit (collisions) good bad; + + buildCommand = '' + if SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt" \ + curl -s -L -f -I "$url" > /dev/null; then + cp "$good" "$out" + else + cp "$bad" "$out" + fi + ''; + + impureEnvVars = lib.fetchers.proxyImpureEnvVars; + }; + inherit (collisions) good; + } '' + if cmp -s "$result" "$good"; then + echo true > "$out" + else + echo false > "$out" + fi + ''); + value = builtins.fetchurl url; + }; + + fetchLatest = channel: let + result = tryFetch (mkVerURL channel.version); + in if result.success then result.value else fetchLatest (channel // { + version = if channel.history != [] + then (lib.head channel.history).version + else throw "Unfortunately there's no older version than " + + "${channel.version} available for channel " + + "${channel.channel} on ${channel.os}."; + history = lib.tail channel.history; + }); + + getHash = path: import (runCommand "gethash.nix" { + inherit path; + nativeBuildInputs = [ nix ]; + } '' + sha256="$(nix-hash --flat --base32 --type sha256 "$path")" + echo "\"$sha256\"" > "$out" + ''); + + isLatest = channel: version: let + ourVersion = sources.${channel}.version or null; + in if ourVersion == null then false + else lib.versionOlder version sources.${channel}.version + || version == sources.${channel}.version; + + # We only support GNU/Linux right now. + linuxChannels = let + genLatest = channelName: channel: let + newUpstream = { + inherit (channel) version; + sha256 = getHash (fetchLatest channel); + }; + keepOld = let + oldChannel = sources.${channelName}; + in { + inherit (oldChannel) version sha256; + } // lib.optionalAttrs (oldChannel ? sha256bin32) { + inherit (oldChannel) sha256bin32; + } // lib.optionalAttrs (oldChannel ? sha256bin64) { + inherit (oldChannel) sha256bin64; + }; + in if isLatest channelName channel.version then keepOld else newUpstream; + in lib.mapAttrs genLatest channels.linux; + + getLinuxFlash = channelName: channel: let + inherit (channel) version; + fetchArch = arch: tryFetch (getDebURL channelName version arch debURL); + packages = lib.genAttrs ["i386" "amd64"] fetchArch; + isNew = arch: attr: !(builtins.hasAttr attr channel) + && packages.${arch}.success; + in channel // lib.optionalAttrs (isNew "i386" "sha256bin32") { + sha256bin32 = getHash (packages.i386.value); + } // lib.optionalAttrs (isNew "amd64" "sha256bin64") { + sha256bin64 = getHash (packages.amd64.value); + }; + + newChannels = lib.mapAttrs getLinuxFlash linuxChannels; + + dumpAttrs = indent: attrs: let + mkVal = val: if lib.isAttrs val then dumpAttrs (indent + 1) val + else "\"${lib.escape ["$" "\\" "\""] (toString val)}\""; + mkIndent = level: lib.concatStrings (builtins.genList (_: " ") level); + mkAttr = key: val: "${mkIndent (indent + 1)}${key} = ${mkVal val};\n"; + attrLines = lib.mapAttrsToList mkAttr attrs; + in "{\n" + (lib.concatStrings attrLines) + (mkIndent indent) + "}"; + in writeText "chromium-new-upstream-info.nix" '' + # This file is autogenerated from update.sh in the same directory. + ${dumpAttrs 0 newChannels} + ''; +} diff --git a/pkgs/applications/networking/browsers/ungoogled-chromium/update.sh b/pkgs/applications/networking/browsers/ungoogled-chromium/update.sh new file mode 100755 index 000000000000..ea67a62c107a --- /dev/null +++ b/pkgs/applications/networking/browsers/ungoogled-chromium/update.sh @@ -0,0 +1,4 @@ +#!/bin/sh -e +cd "$(dirname "$0")" +sp="$(nix-build --builders "" -Q --no-out-link update.nix -A update)" +cat "$sp" > upstream-info.nix diff --git a/pkgs/applications/networking/browsers/ungoogled-chromium/upstream-info.nix b/pkgs/applications/networking/browsers/ungoogled-chromium/upstream-info.nix new file mode 100644 index 000000000000..c5f9d60122dc --- /dev/null +++ b/pkgs/applications/networking/browsers/ungoogled-chromium/upstream-info.nix @@ -0,0 +1,18 @@ +# This file is autogenerated from update.sh in the same directory. +{ + beta = { + sha256 = "0i0szd749ihb08rxnsmsbxq75b6x952wpk94jwc0ncv6gb83zkx2"; + sha256bin64 = "1y70kmfz9nv507b0zdda7zfk2ac9qh9m2gq00aphdmzd0al7skj8"; + version = "81.0.4044.92"; + }; + dev = { + sha256 = "1rydvjmv62zj95sf0fgsyipqz2hphbxm60y8q0813wq9ym35d4yy"; + sha256bin64 = "1m6740lw7xjjp1lplwp9ii4d3l7dfa9jrv5bysm4ar5pb9kywrai"; + version = "83.0.4100.3"; + }; + stable = { + sha256 = "0i0szd749ihb08rxnsmsbxq75b6x952wpk94jwc0ncv6gb83zkx2"; + sha256bin64 = "1ig899cpahw1xfhdff5xj6w4k8jja5smxvrcbw6b0jcjmawdrf72"; + version = "81.0.4044.92"; + }; +} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 86c4a5507032..209bf1848453 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -22276,6 +22276,8 @@ in uefitoolPackages = recurseIntoAttrs (callPackage ../tools/system/uefitool/variants.nix {}); uefitool = uefitoolPackages.new-engine; + ungoogled-chromium = callPackage ../applications/networking/browsers/ungoogled-chromium (config.chromium or {}); + unigine-valley = callPackage ../applications/graphics/unigine-valley { }; unison = callPackage ../applications/networking/sync/unison {