- systemd puts all into one output now (except for man),
because I wasn't able to fix all systemd/udev refernces
for NixOS to work well
- libudev is now by default *copied* into another path,
which is what most packages will use as build input :-)
- pkgs.udev = [ libudev.out libudev.dev ]; because there are too many
references that just put `udev` into build inputs (to rewrite them all),
also this made "${udev}/foo" fail at *evaluation* time
so it's easier to catch and change to something more specific
It's another attempt to fix chromium builds.
See http://hydra.nixos.org/build/26086977/nixlog/4/raw
Unpacking sources is actually taking more than 2h so build fails.
Instead, rather build it remotely and then copy over the output as
we don't have limits for download time.
See 089bdce621 for reference
cc @aszlig
(cherry picked from commit cef54e7d67870ff68c9787ff60cd50ca4bf1d8af)
Signed-off-by: Domen Kožar <domen@dev.si>
Although I couldn't test this because I'm not using a DE, nobody else
than the one submitting the pull request has commented on this. So if it
should break the icon for other people, nobody would probably start an
assassination because of this and the commit can be easily reverted if
it should break the icon.
Overview of the updated versions:
beta: 45.0.2454.15 -> 45.0.2454.26
dev: 45.0.2454.15 -> 46.0.2471.2
Changes for getting beta and dev channel to build:
* The reference for chrome::FILE_FLASH_PLUGIN doesn't exist anymore in
version 46, because it has been dropped upstream, see the following
review URL:
https://codereview.chromium.org/1255943002
We set the PPAPI Flash path using a command line flag anyway, so it
doesn't hurt us if we don't patch that path (which was an old
artifact from the NSAPI->PPAPI conversion anyway).
Changes for the dev channel only:
* It seems that in the SCM, chrome/test/data/webui/ contains a lot of
files, however they are missing in the tarball.
This has been reported upstream at: https://crbug.com/515917
Our fix is to just not include webui/i18n_process_css_test.html at
all, to avoid the configure (gyp) phase to fail, because we're not
building tests anyway.
All channels built and tested by my Hydra instance at:
https://headcounter.org/hydra/eval/218978
Test reports:
x86: https://headcounter.org/hydra/build/723341/download/1/log.html
x86_64: https://headcounter.org/hydra/build/723342/download/1/log.html
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The only mirror left which still has the .deb for 44.0.2403.89 is
http://mirror.pcbeta.com/, but that one doesn't seem to be reachable
from certain contries.
And according to @CestDiego, it doesn't seem to be reachable from within
the US.
Closes#9021, thanks to @CestDiego for reporting.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Reported-by: Diego Berrocal <cestdiego@gmail.com>
Tested-by: Diego Berrocal <cestdiego@gmail.com>
Overview of the updated versions:
stable: 43.0.2357.125 -> 43.0.2357.130
beta: 44.0.2403.52 -> 44.0.2403.61
For the beta channel the following changes were necessary:
* Drop all patches which were added in c290595 because they apply to
44.0.2403.52 only. The shipped version of Blink was older than the
one used for Chromium itself and thus contained just the
cherry-picked patches from upstream Blink.
* The ffmpegsumo library is now statically linked the same way as in
the dev version, so let's not try to put it into the output store
path.
All channels were built successfully on my Hydra at:
https://headcounter.org/hydra/eval/187176
VM tests did also pass and can be found at:
x86: https://headcounter.org/hydra/build/707636
x86_64: https://headcounter.org/hydra/build/707637
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Just silencing the error will not prevent Chromium from trying to start
up the SUID sandbox anyway, thus flooding stderr with:
LaunchProcess: failed to execvp:
After digging a bit in the source code I found out that the SUID sandbox
binary is indeed used, but only for setting oom_score_adj within the
user namespace (as "root"). So let's build the sandbox binary and of
course don't set setuid bit.
These annoying error messages were originally introduced by 0aad4b7 and
I'm deeply sorry for annoying you guys out there with them.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Since 0aad4b7, we no longer need to have an external sandbox binary,
because the upstream implementation of the user namespace sandbox no
longer needs an external sandbox binary.
In our implementation of the user namespace sandbox, we (ab)used the
setuid sandbox to run non-setuid and set up user namespaces instead.
Because our implementation is no longer needed, we can safely drop the
external binary entirely.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
There has been some recent news about that component extension on hacker
news:
https://news.ycombinator.com/item?id=9724409
Even though on our side it won't work, because we don't have NaCl
enabled by default or even working (I honestly haven't tested if it even
builds if enabled), we might get to the point where we can build with
NaCl enabled.
But until and even after that day, we want to have explicit control on
whether this extension is enabled.
Please also have a look at these two issues explaining the details
(about component extensions and the hotwording extension in particular):
https://crbug.com/491435https://crbug.com/500922
Fixes issue #8358.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The pepper effects plugin has been removed and migrated to NaCl, so I'm
just dropping the hunk of that patch.
Upstream reviow URL: https://codereview.chromium.org/1085393003
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Changes included:
- Update versions.
- Use gyp package not gyp_svn1977.
- Remove icu from buildInputs, since this causes a build error due to inferference with use_system_icu=false.
- Remove the hack that inserts the absolute path into gyp files, and pass `--depth .` to gyp. This resolves the `third_party/angle` gyp error.
- Do a normal copy of the source code not a symlink copy. This resolves some link error where the symlinks interfere with relative paths (seems like because gyp resolves symlinks first). Note, this used to be worked around with the absolute path insertion hack.
- Change the bucketURL in update.nix to https (for more secure updates).
Works around regression from a305e6855d.
We're also marking it lowPrio to make sure nobody will accidentally
reference it using nix-env -i.
Until we have fixed#7402, we're going to build with the old gyp version
to prevent being affected by https://crbug.com/462153.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We shouldn't make assumptions on what is set by NIX_PATH in order to
make it easier to rename that Nix path reference.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
After the pulseaudio refactor in NixOS/nixpkgs@a2a3508, libcap is no
longer propagated to chromium anymore. And we need to have libcap for
the renderer sandbox.
Build log: https://hydra.nixos.org/build/21689759/nixlog/1/raw
What makes me wonder is that given that this was propagated by
pulseaudio noone either seemed to have disabled pulseaudio support for
Chromium or just didn't report the build failure.
Half-assed testing done against all channels, because it builds the
sandbox and we can't break an already broken build twice (or maybe we
can, who knows...).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This reverts commit 0696b0ef78.
Okay, now finally, let's get this straight. We actually *want*
preferLocalBuild, *because* we have improved the source splitup in
c92dbffeac.
The idea is to use local builds in order to prevent the source being
pushed to a remote machine, splitted up there (and thus copied again)
and then being copied *again* FROM the remote machine.
"DOH!" - as @edolstra or @rbvermaa would call it... and good d^Hnight.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This reverts commit 26f024626c.
I actually wasn't reading the "remove" in the commit message, so sorry
for the brainfart/noise.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This reverts commit fdb5cf8107.
The reason I'm reverting this is that the implications this had on the
IO load of Hydra are fixed by c92dbffeac.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
So far we've done the source code split up by using the generic
unpackPhase and copying it all over into the different outputs.
However, this had the problem of generating the I/O load of about three
times the size of the source tree: First at fetchurl of the tarball
(although it's not as much because it's compressed), second at
unpackPhase and third at installPhase.
Now we don't use installPhase anymore and directly unpack into the
output paths, which unfortunately becomes quite a bit more complex
because we need to transform the paths of the tar file on the fly.
I've also tried using GNU Tar's --to-command option to even untar *and*
patch it at the same time, but forking for every single file in the
tarball gets REALLY slow and also gets even more complex than this two
stage approach because you need to make sure that the patch file is
applied correctly, for example for files that don't yet exist but are to
be created by the patch file.
We're using --anchored and --no-wildcards-match-slash here to prevent
accidentally excluding files we don't want to exclude. One example is
something like v8/tools/gyp/v8.gyp.
So the current approach is some compromise between complexity and speed
and should hopefully get rid of the Hydra build timeouts by lowering I/O
load.
See here for examples of builds having this issue:
http://hydra.nixos.org/build/19045023http://hydra.nixos.org/build/19044973http://hydra.nixos.org/build/19044968http://hydra.nixos.org/build/19045019
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Overview of the updated versions:
stable: 40.0.2214.91 -> 40.0.2214.115
beta: 41.0.2272.16 -> 41.0.2272.64
dev: 41.0.2272.16 -> 42.0.2305.3
Introduces 42.0.2305.3 as the new dev version, which no longer requires
our user namespaces sandbox patch. Thanks to everyone participating in
https://crbug.com/312380 for finally having this upstream.
In the course of supporting the official namespace sandbox (that's what
the user namespace sandbox is called), a few things needed to be fixed
for version 42:
* Add an updated nix_plugin_paths.patch, because the old
one tries to patch the path for libpdf, which is now natively included
in Chromium.
* Don't copy libpdf.so to libexec path for version 42, it's no longer
needed as it's completely built-in now.
* Disable SUID sandbox directly in the source instead of going the easy
route of passing --disable-setuid-sandbox. The reason is that with
the command line flag a nasty nagbar will appear.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We're propagating the plugin flags by importing from another Nix
expression file, which in turn exports the Nix path to the wrapper. This
causes that the store path isn't referenced in the wrapper and the path
isn't recognized by scanning the wrapper script (only those already
referenced at build time are).
So let's add the activated plugins to the buildInputs of the wrapper.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This brings a new stable version 40.0.2214.91 along with a beta update
to version 41.0.2272.16, the dev channel is still stuck at version
41.0.2272.12 and within the next days will jump to version 42.
For this reason, I've done some cheating here and brought the beta
channel in par with the dev channel, because dev is older than beta on
OmahaProxy.
Here's an overview of the channel upgrades:
stable: 39.0.2171.65 -> 40.0.2214.91 [1]
beta: 40.0.2214.10 -> 41.0.2272.16 [1] [2] [3]
dev: 41.0.2224.3 -> 41.0.2272.16 [1] [2] [3]
[1]: We needed to patch in locations of lib{pci,udev}.so, because
Chromium tries to load them at runtime. For version 41 startup will
fail if it is unable to load libudev, but it also has the advantage
that this fixes GPU detection using libpci in the stable version,
which in turn could fix a few bugs on NixOS.
[2]: The upstream Debian package for the binary plugins now uses XZ
compression for the enclosed data tarball.
[3]: Chromium 41 needs {shapshot,natives}_blob.bin in order to start up,
so let's cp it among with the .pak files to avoid adding a
conditional for version 40.
The release annoucement of the stable channel update can be found here:
http://googlechromereleases.blogspot.de/2015/01/stable-update.html
Note that this release contains 62 security fixes(!) and I'm hereby
apologizing for the delay of this update.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Writing the gid_map is already non-fatal, but the actual sandbox process
still tries to setresgid() to nogroup (usually 65534). This however
fails, because if user namespace sandboxing is present, the namespace
doesn't have CAP_SETGID at this point.
Fortunately, the effective GID is already 65534, so we just need to
check whether the target gid matches and only(!) setresgid() if it
doesn't.
So if someone would run a SUID version of the sandbox, it would still
work nonetheless without a negative impact on security.
Fixes#5730, thanks to @wizeman for reporting and initial debugging.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is more of an attempt rather than a real fix (or maybe it is? let's
see) for the corrupted .pyc files during build. I believe the reason we
get these are likely due to several instances of the Python interpreter
that run in parallel and one of these processes might still be writing
the .pyc file.
So, rather than deleting all .pyc files, we now precompile then in order
to avoid any build process trying to generate any .pyc file.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Thanks to @iElectric for the notification, although I'm not really sure
whether this will fix the following failed Hydra build:
http://hydra.nixos.org/build/17609086/nixlog/1/raw
The reason is that this failure doesn't happen on every build, but let's
see whether it will happen again now.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is a response to 1fdefd5562.
We are already using bundled protobuf for the beta and dev channels and
it also breaks regularly with about every new Chromium release, so let's
use bundled protobuf for all channels now.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We now create Nix expressions within the plugin output path(s) which
then will be imported and incorporated into the wrapper. This makes it
easier for other plugins to provide configuration settings to the main
Chromium wrapper.
Of course, in order to allow for external plugins we need to allow
passing a list of plugins to the Chromium derivation, but right now we
keep it internal and only use it for things such as NaCl (as soon as we
support it, of course).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The Chromium PDF plugin is now available as open source software and is
already included in the Chromium source tree in current stable, so there
is no need to extract it from the Chrome binary package anymore.
See release announcement at http://blog.foxitsoftware.com/?p=641
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Introduces environment variables to set plugin base paths. The schema
for these is like NIX_CHROMIUM_PLUGIN_PATH_<N>. Where <N> is the path
type we want to change, the supported (full) variable names are:
* NIX_CHROMIUM_PLUGIN_PATH_ALL
* NIX_CHROMIUM_PLUGIN_PATH_PEPPERFLASH
* NIX_CHROMIUM_PLUGIN_PATH_FILEFLASH
* NIX_CHROMIUM_PLUGIN_PATH_PDF
* NIX_CHROMIUM_PLUGIN_PATH_FILE_EFFECTS
* NIX_CHROMIUM_PLUGIN_PATH_NACL
* NIX_CHROMIUM_PLUGIN_PATH_PNACL
* NIX_CHROMIUM_PLUGIN_PATH_WIDEVINE
Whereas NIX_CHROMIUM_PLUGIN_PATH_ALL is the plugin base path for every
path which is not set explicitly, so by setting ..._ALL and not setting
..._WIDEVINE, the widevine plugin will be searched in the directory
specified using ..._ALL.
Right now, the only plugin where this is used is widevine, and it still
doesn't properly work yet.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
With this commit, the following new upstream versions are introduced:
stable: 38.0.2125.101 -> 39.0.2171.65
beta: 39.0.2171.19 -> 40.0.2214.10
dev: 40.0.2182.3 -> 41.0.2224.3
We can now remove missing_alg_import.patch, because version 39 is nom
stable and thus fixes the missing include directive upstream.
However, starting with version 40, we hit a few bugs with system
protobuf, so we're disabling it for every version >=40 to avoid
runtime/startup errors.
Here is the stable channel announcement for version 39 on the official
blog:
http://googlechromereleases.blogspot.de/2014/11/stable-channel-update_18.html
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Seems to be needed in order to view Netflix content, but this only pulls
in the proprietary plugin and doesn't yet compile Chromium with support
for it, so this is only in preparation for the bright and shiny future
(where we all have rootkits implanted in our body).
Of course, this plugin is disabled by default as well as all the other
proprietary plugins.
For the plugin derivation, we now do the checkPhase _after_ the
installPhase, to make sure we also detect RPATHs pointing to the plugin
directory itself, because the shared object files only exist after the
installPhase.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
With this commit, the following new upstream versions are introduced:
stable: 37.0.2062.94 -> 37.0.2062.120
beta: 38.0.2125.24 -> 38.0.2125.101
dev: 39.0.2138.3 -> 39.0.2171.7
All channels built fine on my machine and were tested against a few
sites.
The missing_alg_import.patch now is no longer needed for version 39, so
we're not applying it there anymore.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
With this commit, the following new upstream versions are introduced:
stable: 36.0.1985.125 -> 37.0.2062.94
beta: 37.0.2062.58 -> 37.0.2062.94
dev: 38.0.2107.3 -> 38.0.2125.8
All channels built fine on my machine and were tested against a few
sites.
Stable and beta channel now contain the same release, because version
37 hit the stable channel. For release notes, please have a look at the
announcement:
http://googlechromereleases.blogspot.de/2014/08/stable-channel-update_26.html
Of course we're also dropping all version 36 specific crap, such as the
architecture-specific target suffix for builds, which now is no longer
needed.
The gyp flag use_mojo=0 is no longer needed, as it was a workaround
concerning version 37.0.2054.3 only.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We no longer need to supply compiler and binutils to the build process,
se we can safely remove them. In addition, we're now passing the new
options linux_use_gold_binary and linux_use_bundled_gold to gyp, for
details, see:
https://codereview.chromium.org/239163003
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
beta: 37.0.2062.44 -> 37.0.2062.58 (builds fine, tested)
dev: 38.0.2101.0 -> 38.0.2107.3 (builds fine, tested)
Drop patch for fixing angle build for the dev version, because it was
applied upstream already.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
With this commit, the following new upstream versions are introduced:
stable: 35.0.1916.153 -> 36.0.1985.125
beta: 36.0.1985.84 -> 37.0.2062.44
dev: 37.0.2054.3 -> 38.0.2101.0
All builds were successfully tested on my machine, however in order to
update the beta and dev channels, a few additional modifications were
necessary:
* Don't update address_input_strings.grdp anymore because this has been
done/fixed upstream and was relevant in version 37.0.2054.3 _only_.
* No need to fix references to /usr/bin/gcc in version 38 anymore.
* Constrain patch for Angle (introduced in 4cbedd7) to version 37 only,
because it already has been applied upstream in version 38.
* Drop user namespaces patch for version 31 up until version 35,
because version 36 is already in stable.
* Don't try to build bundled Clang and/or even build using Clang.
* Remove obsolete patchPhase commands that are specific to version 35
and older.
While testing the dev version 38 I came accross a font rendering issue
which needs to be addressed ASAP (perhaps related to #3187), however the
browser works otherwise.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is because of a single file that symlinks to the source output
path:
libexec/chromium/resources/extension/demo/library.js
Target within source output path:
chrome/browser/resources/extension_resource/demo/library.js
So we just need to ensure that the cp command follows symlinks during
installPhase and we should no longer have this unnecessary dependency.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
After refactoring the updater we no longer did properly propagate the
exit code from the nix-prefetch-url call to the main script. So if the
newest version could not be fetched it didn't even bother to try the
previous release and we would end up with an empty hash.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
With this commit, the following new upstream versions are introduced:
stable: 35.0.1916.114 -> 35.0.1916.153
beta: 35.0.1916.86 -> 36.0.1985.67
dev: 36.0.1964.2 -> 37.0.2054.3
All builds successfully tested on my machine, however in order to update
the beta and dev channels, a few additional modifications were
necessary:
* Update/rebase USER_NS sandbox patch for version 36 and higher.
* Create address_input_strings.grdp before running gyp in version 37.
* Remove an empty string leftover from 0517041.
* Add patch for building bundled Angle for version 37.
The patch for Angle is to remove reliance on git being present during
build and is from https://chromium-review.googlesource.com/202048 but
with own modifications to remove/fix Windows-specific parts within the
patch file.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Let's ensure we do all architecture-dependant stuff inside
mkChromiumDerivation and not pass archInfo around, so we can properly
decouple it from the main function.
This partially reverts 8d54dc6d13.
The main reason for doing this is because the architecture information
is no longer required in Chromium 37, so let's uglify and XXX it in
common.nix and remove it once version 37 hits the stable channel.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This fixes build for version 36, which i accidentally broke in commit
f6e31fadd8.
The reason this happened, was that my Hydra didn't pick up the latest
commit and I actually tested and built the parent commit instead of the
update commit.
So, this commit is the real "builds fine, tested" for all channels.
Also, the sandbox client initalization has moved into
setuid_sandbox_client.cc, so we need to move the lookup of the
CHROMIUM_SANDBOX_BINARY_PATH environment variable there.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The system attribute was already there in the function head of the
shared update helper but it actually wasn't used and thus later the
import of <nixpkgs> was done using builtins.currentSystem instead of the
system attribute inherited from the source derivation.
Now we correctly propagate the attribute, so that even when running a
64bit kernel you can run a 32bit Chromium with binary plugins.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
