summary refs log tree commit diff
path: root/gnu/packages/chromium.scm
diff options
context:
space:
mode:
authorMarius Bakke <marius@gnu.org>2020-06-21 21:44:07 +0200
committerMarius Bakke <marius@gnu.org>2020-06-22 17:16:39 +0200
commit75527eb1cbbd0cad80d10743fb3b6e4ac0b4ba22 (patch)
tree922c7ee87f43b1601cf61e784d6ae28cc258e562 /gnu/packages/chromium.scm
parent8169cc736a6998fa33f7a86c5c13cd01cbafec92 (diff)
downloadguix-75527eb1cbbd0cad80d10743fb3b6e4ac0b4ba22.tar.gz
gnu: ungoogled-chromium: Update to 83.0.4103.106-0.f08ce8b [security fixes].
This fixes CVE-2020-6465, CVE-2020-6466, CVE-2020-6467, CVE-2020-6468,
CVE-2020-6469, CVE-2020-6470, CVE-2020-6471, CVE-2020-6472, CVE-2020-6473,
CVE-2020-6474, CVE-2020-6475, CVE-2020-6476, CVE-2020-6477, CVE-2020-6478,
CVE-2020-6479, CVE-2020-6480, CVE-2020-6481, CVE-2020-6482, CVE-2020-6483,
CVE-2020-6484, CVE-2020-6485, CVE-2020-6486, CVE-2020-6487, CVE-2020-6488,
CVE-2020-6489, CVE-2020-6490, CVE-2020-6491, CVE-2020-6493, CVE-2020-6494,
CVE-2020-6495, CVE-2020-6496, CVE-2020-6497, and CVE-2020-6498.

* gnu/packages/patches/ungoogled-chromium-system-jsoncpp.patch,
gnu/packages/patches/ungoogled-chromium-system-zlib.patch: New files.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
* gnu/packages/chromium.scm (%preserved-third-party-files): Adjust for 83.
(%chromium-version): Set to 83.0.4103.106.
(%ungoogled-revision): Set to f08ce8b3f1300ef0750b5d6bf967b9cbbfd9a56d.
(%gentoo-revision, %gentoo-patches, %debian-patches): New variables.
(gentoo-patch, debian-patch): New procedures.
(%chromium-origin, %ungoogled-origin): Update hashes.
(ungoogled-chromium-source): Don't apply patches from %DEBIAN-ORIGIN, but take
%GENTOO-PATCHES, %DEBIAN-PATCHES, and the local patch files.
(ungoogled-chromium)[arguments]: Remove "enable_swiftshader=false" from
 #:configure-flags.  Add "icu_use_data_file=false".  Set CFLAGS in phase.
Remove obsolete substitution.  Adjust install phase to install .so files for
ANGLE and Swiftshader.
[native-inputs]: Change from CLANG-9 to CLANG-10.
[inputs]: Replace ICU4C with ICU4C-67.
(ungoogled-chromium/wayland): Remove obsolete substitution.  Add
"ozone_platform_x11=true" in #:configure-flags.
Diffstat (limited to 'gnu/packages/chromium.scm')
-rw-r--r--gnu/packages/chromium.scm221
1 files changed, 114 insertions, 107 deletions
diff --git a/gnu/packages/chromium.scm b/gnu/packages/chromium.scm
index 63a4ea6546..8b0b99aa19 100644
--- a/gnu/packages/chromium.scm
+++ b/gnu/packages/chromium.scm
@@ -98,6 +98,7 @@
     "third_party/angle/src/third_party/compiler" ;BSD-2
     "third_party/angle/src/third_party/libXNVCtrl" ;Expat
     "third_party/angle/src/third_party/trace_event" ;BSD-3
+    "third_party/angle/src/third_party/volk" ;Expat
     "third_party/angle/third_party/vulkan-headers" ;ASL2.0
     "third_party/angle/third_party/vulkan-loader" ;ASL2.0
     "third_party/angle/third_party/vulkan-tools" ;ASL2.0
@@ -117,6 +118,7 @@
     ;; XXX: This is a minified version of <https://d3js.org/>.
     "third_party/catapult/tracing/third_party/d3" ;BSD-3
     "third_party/catapult/tracing/third_party/gl-matrix" ;Expat
+    "third_party/catapult/tracing/third_party/jpeg-js" ;ASL2.0
     ;; XXX: Minified version of <https://github.com/Stuk/jszip>.
     "third_party/catapult/tracing/third_party/jszip" ;Expat or GPL3
     "third_party/catapult/tracing/third_party/mannwhitneyu" ;Expat
@@ -136,6 +138,7 @@
     "third_party/depot_tools/owners.py" ;BSD-3
     "third_party/devtools-frontend" ;BSD-3
     "third_party/devtools-frontend/src/front_end/third_party/fabricjs" ;Expat
+    "third_party/devtools-frontend/src/front_end/third_party/lighthouse" ;ASL2.0
     "third_party/devtools-frontend/src/front_end/third_party/wasmparser" ;ASL2.0
     "third_party/devtools-frontend/src/third_party/axe-core" ;MPL2.0
     "third_party/devtools-frontend/src/third_party/pyjson5" ;ASL2.0
@@ -148,6 +151,7 @@
     "third_party/google_input_tools/third_party/closure_library" ;ASL2.0
     "third_party/google_input_tools/third_party/closure_library/third_party/closure" ;Expat
     "third_party/googletest" ;BSD-3
+    "third_party/harfbuzz-ng" ;Expat
     "third_party/hunspell" ;MPL1.1/GPL2+/LGPL2.1+
     "third_party/iccjpeg" ;IJG
     "third_party/inspector_protocol" ;BSD-3
@@ -171,6 +175,7 @@
     "third_party/libxml/chromium" ;BSD-3
     "third_party/libyuv" ;BSD-3
     "third_party/lss" ;BSD-3
+    "third_party/mako" ;Expat
     "third_party/markupsafe" ;BSD-3
     "third_party/mesa_headers" ;Expat, SGI
     "third_party/metrics_proto" ;BSD-3
@@ -199,6 +204,7 @@
     "third_party/qcms" ;Expat
     "third_party/rnnoise" ;BSD-3
     "third_party/s2cellid" ;ASL2.0
+    "third_party/schema_org" ;CC-BY-SA3.0
     "third_party/skia" ;BSD-3
     "third_party/skia/include/third_party/skcms" ;BSD-3
     "third_party/skia/third_party/skcms" ;BSD-3
@@ -208,6 +214,13 @@
     "third_party/spirv-headers" ;ASL2.0
     "third_party/SPIRV-Tools" ;ASL2.0
     "third_party/sqlite" ;Public domain
+    "third_party/swiftshader" ;ASL2.0
+    "third_party/swiftshader/third_party/astc-encoder" ;ASL2.0
+    "third_party/swiftshader/third_party/llvm-7.0" ;NCSA
+    "third_party/swiftshader/third_party/llvm-subzero" ;NCSA
+    "third_party/swiftshader/third_party/marl" ;ASL2.0
+    "third_party/swiftshader/third_party/subzero" ;NCSA
+    "third_party/swiftshader/third_party/SPIRV-Headers" ;X11-style
     "third_party/usb_ids" ;BSD-3
     "third_party/usrsctp" ;BSD-2
     "third_party/wayland/wayland_scanner_wrapper.py" ;BSD-3
@@ -248,14 +261,73 @@ from forcing GEXP-PROMISE."
                       #:system system
                       #:guile-for-build guile)))
 
-(define %chromium-version "81.0.4044.138")
-(define %ungoogled-revision "c2a89fb6b5b559c826796c811741fa8ed3e11de8")
+(define %chromium-version "83.0.4103.106")
+(define %ungoogled-revision "f08ce8b3f1300ef0750b5d6bf967b9cbbfd9a56d")
 (define %debian-revision "debian/81.0.4044.92-1")
+(define %gentoo-revision "55ef09d6709f4e4cbe23418e4ade0f219fa2fa1f")
 (define package-revision "0")
 (define %package-version (string-append %chromium-version "-"
                                         package-revision "."
                                         (string-take %ungoogled-revision 7)))
 
+(define (gentoo-patch name revision hash)
+  (origin
+    (method url-fetch)
+    (uri (string-append "https://gitweb.gentoo.org/repo/gentoo.git/plain"
+                        "/www-client/chromium/files/" name "?id=" revision))
+    (file-name (string-append "ungoogled-" name))
+    (sha256 (base32 hash))))
+
+(define %gentoo-patches
+  (list (gentoo-patch "chromium-fix-char_traits.patch" %gentoo-revision
+                      "1zr9wj2rj5phwdiffykd8w3srmzn0xxgmznz762qp7rs7amnp8ns")
+        (gentoo-patch "chromium-blink-style_format.patch" %gentoo-revision
+                      "098akk5l01m0n3zz08ycz1kp3xmjnbng6d399z1fnb2zigbf0b0z")
+        (gentoo-patch "chromium-78-protobuf-export.patch" %gentoo-revision
+                      "1wbw29daqwyrnij4991v84955ydqfvvjpz4s2p40agnzmgdzwnsx")
+        (gentoo-patch "chromium-79-gcc-alignas.patch" %gentoo-revision
+                      "1a6l4i9cicy8dpxxjamyw8cl2nmqfv3x9gbffrsr8571my6fh17s")
+        (gentoo-patch "chromium-80-gcc-quiche.patch" %gentoo-revision
+                      "0rdlsymw6h8i6yhysiq4la53pwivzv1i9lh0gprh5cl367r1haww")
+        (gentoo-patch "chromium-82-gcc-noexcept.patch" %gentoo-revision
+                      "0pljnysjvbv2ck0s159qssjhv1pfr32i0nb66smmfmfix2yaizqc")
+        (gentoo-patch "chromium-82-gcc-incomplete-type.patch" %gentoo-revision
+                      "04751dnpmiasifhq29a1kyxlnq6f2fmd2qbkv7hxdlsxbzg3lhsv")
+        (gentoo-patch "chromium-82-gcc-template.patch" %gentoo-revision
+                      "1ilmx9wmzyrwmfvr2mwc7m5z6lnbhjkms5k40i8yavqah6kcdbw2")
+        (gentoo-patch "chromium-82-gcc-iterator.patch" %gentoo-revision
+                      "1xljai9cj99pf4q3l8hz90i8mhdbd8v6h1vj8y37v6j8p78n3zvj")
+        (gentoo-patch "chromium-83-gcc-template.patch" %gentoo-revision
+                      "1bb1anqdrimza7d0gg4fmxij00563jd9k1azy8sz1ybd8gvrphqi")
+        (gentoo-patch "chromium-83-gcc-include.patch" %gentoo-revision
+                      "0rs9jj71ridplndi967m0z47vqd8ryykg36gjx8iyf3580vr2hlw")
+        (gentoo-patch "chromium-83-gcc-permissive.patch" %gentoo-revision
+                      "04mrmrg3pbwl3gph2n1dkbv4miz80xww1gysd39six028nxacjpg")
+        (gentoo-patch "chromium-83-gcc-iterator.patch" %gentoo-revision
+                      "0q66399va607kjnk8n9xlcr740q7c522p2z7abyd2hgq2bxgglnv")
+        (gentoo-patch "chromium-83-gcc-serviceworker.patch" %gentoo-revision
+                      "0klvcqqzldfhvqr3plja64qamgff1m2z1zcn325bj32gmpypqjx9")
+        (gentoo-patch "chromium-83-gcc-10.patch" %gentoo-revision
+                      "0vfvh1jypqcb274bggacg165mw2q5gmn237cvrrwcjqalz0ahnry")
+        (gentoo-patch "chromium-83-icu67.patch" %gentoo-revision
+                      "05spmjhg5f56mkq3f96vm4s2d9h6vqdxz5g8ibd9pf8ddnh4blnx")))
+
+(define (debian-patch name revision hash)
+  (origin
+    (method url-fetch)
+    (uri (string-append "https://salsa.debian.org/chromium-team/chromium/-/raw/"
+                        revision "/debian/patches/" name))
+    (file-name (match (string-split name #\/)
+                 ((category name)
+                  (string-append "ungoogled-chromium-" category "-" name))))
+    (sha256 (base32 hash))))
+
+(define %debian-patches
+  (list (debian-patch "system/nspr.patch" %debian-revision
+                      "1x6ydc8pfks2c1dlwf0c58par6znjknvs9815576ycx27jl633dy")
+        (debian-patch "system/openjpeg.patch" %debian-revision
+                      "0zd6v5njx1pc7i0y6mslxvpx5j4cq01mmyx55qcqx8qzkm0gm48j")))
+
 (define %chromium-origin
   (origin
     (method url-fetch)
@@ -264,7 +336,7 @@ from forcing GEXP-PROMISE."
                         %chromium-version ".tar.xz"))
     (sha256
      (base32
-      "19kpzmqmld0m0nflx13w9flxfal19msnxhzl3lip1jqih65z4y7l"))))
+      "0bvy17ymlih87n4ymnzvyn0m34ghmr1yasvy7gxv02qbw6i57lfg"))))
 
 (define %ungoogled-origin
   (origin
@@ -275,21 +347,7 @@ from forcing GEXP-PROMISE."
                               (string-take %ungoogled-revision 7)))
     (sha256
      (base32
-      "0bbr4a2gkgm3ykdgpj8x58sd3dwam6qkifhzfs2997681g7b2v2q"))))
-
-(define %debian-origin
-  (origin
-    (method git-fetch)
-    (uri (git-reference
-          (url "https://salsa.debian.org/chromium-team/chromium.git")
-          (commit %debian-revision)))
-    (file-name (git-file-name "debian-chromium-packaging"
-                              (match (string-split %debian-revision #\/)
-                                ((_ revision) revision)
-                                (_ (string-take %debian-revision 7)))))
-    (sha256
-     (base32
-      "0srgbcqga3l75bfkv3bnmjk416189nazsximvzdx2k5n8v5k4p3m"))))
+      "0kc40p8f7cls696gh6ign37l8j4x1pyyz32jkkli9cmrpbsjsadl"))))
 
 ;; This is a "computed" origin that does the following:
 ;; *) Runs the Ungoogled scripts on a pristine Chromium tarball.
@@ -298,8 +356,7 @@ from forcing GEXP-PROMISE."
 ;; *) Adjusts "GN" build files such that system libraries are preferred.
 (define ungoogled-chromium-source
   (let ((chromium-source %chromium-origin)
-        (ungoogled-source %ungoogled-origin)
-        (debian-source %debian-origin))
+        (ungoogled-source %ungoogled-origin))
     (origin
       (method computed-origin-method)
       (file-name (string-append "ungoogled-chromium-" %package-version ".tar.xz"))
@@ -313,7 +370,7 @@ from forcing GEXP-PROMISE."
                             (srfi srfi-1)
                             (srfi srfi-26))
                (let ((chromium-dir    (string-append "chromium-" #$%chromium-version))
-                     (preserved-files (list #$@%preserved-third-party-files)))
+                     (preserved-files '#$%preserved-third-party-files))
 
                  (set-path-environment-variable
                   "PATH" '("bin")
@@ -330,20 +387,30 @@ from forcing GEXP-PROMISE."
                    (force-output)
                    (invoke "tar" "xf" #+chromium-source)
 
-                   (format #t "Removing non-free file...~%")
-                   (force-output)
-                   ;; This file has a CC-BY-NC clause according to LICENSES from
-                   ;; the same directory, making it non-free.
-                   (delete-file
-                    (string-append
-                     chromium-dir
-                     "/third_party/blink/perf_tests/svg/resources/HarveyRayner.svg"))
-
-                   ;; Ungoogled-Chromium contains a forked subset of the Debian
-                   ;; patches.  Disable those, as we apply newer versions later.
-                   (substitute* "patches/series"
-                     ((".*/debian/.*")
-                      ""))
+                   (with-directory-excursion chromium-dir
+                     (format #t "Removing non-free file...~%")
+                     (force-output)
+                     ;; This file has a CC-BY-NC clause according to LICENSES from
+                     ;; the same directory, making it non-free.
+                     (delete-file
+                      "third_party/blink/perf_tests/svg/resources/HarveyRayner.svg")
+
+                     ;; Apply patches before running the ungoogled scripts because
+                     ;; domain substitution may break some of the patches.
+                     (format #t "Applying assorted build fixes...~%")
+                     (force-output)
+                     (for-each
+                      (lambda (patch)
+                        (invoke "patch" "-p1" "--force" "--input"
+                                patch "--no-backup-if-mismatch"))
+                      (append
+                       '#+%gentoo-patches '#+%debian-patches
+                       '#+(list (local-file
+                                 (search-patch
+                                  "ungoogled-chromium-system-jsoncpp.patch"))
+                                (local-file
+                                 (search-patch
+                                  "ungoogled-chromium-system-zlib.patch"))))))
 
                    (format #t "Ungooglifying...~%")
                    (force-output)
@@ -356,47 +423,6 @@ from forcing GEXP-PROMISE."
                            "-c" "/tmp/domainscache.tar.gz" chromium-dir)
 
                    (with-directory-excursion chromium-dir
-
-                     (format #t "Applying Debian patches...~%")
-                     (force-output)
-                     (let* ((debian  #+debian-source)
-                            (patches (string-append debian "/debian/patches"))
-                            (series  (string-append patches "/series")))
-                       (with-input-from-file series
-                         (lambda ()
-                           (let loop ((line (read-line)))
-                             (unless (eof-object? line)
-                               (when (and (> (string-length line) 1)
-                                          (not (string-prefix? "#" line))
-                                          ;; Skip the Debian-specific ones.
-                                          (not (string-prefix? "debianization/" line))
-                                          (not (string-prefix? "buster/" line))
-                                          (not (any (cute string-suffix? <> line)
-                                                    ;; These conflict with Ungoogled.
-                                                    '("widevine-buildflag.patch"
-                                                      "signin.patch"
-                                                      "third-party-cookies.patch"
-
-                                                      ;; Disable workarounds for the
-                                                      ;; Chromium "-lite" tarball.  We
-                                                      ;; use the "full" version and don't
-                                                      ;; need these patches.
-                                                      "closure.patch"
-                                                      "owners.patch"
-
-                                                      ;; XXX: 'fixes/inspector.patch'
-                                                      ;; makes v8 reuse the top-level
-                                                      ;; third_party/inspector_protocol
-                                                      ;; instead of its own bundled copy,
-                                                      ;; but that does not work here for
-                                                      ;; some reason.  Ignore that patch
-                                                      ;; and those that depend on it.
-                                                      "inspector.patch"))))
-                                 (invoke "patch" "--force" "-p1" "--input"
-                                         (string-append patches "/" line)
-                                         "--no-backup-if-mismatch"))
-                               (loop (read-line)))))))
-
                      (format #t "Pruning third party files...~%")
                      (force-output)
                      (apply invoke (string-append #+python-2 "/bin/python")
@@ -412,7 +438,7 @@ from forcing GEXP-PROMISE."
                              "libxslt" "openh264" "opus" "re2" "snappy" "yasm"
                              "zlib"))
 
-                   (format #t (string-append "Packing new ungoogled tarball ...~%"))
+                   (format #t "Packing new ungoogled tarball ...~%")
                    (force-output)
                    (invoke "tar" "cvfa" #$output
                            ;; Avoid non-determinism in the archive.
@@ -481,7 +507,6 @@ from forcing GEXP-PROMISE."
              "enable_remoting=false"
              "enable_reporting=false"
              "enable_service_discovery=false"
-             "enable_swiftshader=false"
              "enable_vr=false"
              "enable_widevine=false"
              ;; Disable type-checking for the Web UI to avoid a Java dependency.
@@ -505,6 +530,7 @@ from forcing GEXP-PROMISE."
              "use_openh264=true"
              "use_pulseaudio=true"
              "link_pulseaudio=true"
+             "icu_use_data_file=false"
 
              ;; VA-API acceleration is currently only supported on x86_64-linux.
              ,@(if (string-prefix? "x86_64" (or (%current-target-system)
@@ -631,17 +657,6 @@ from forcing GEXP-PROMISE."
                (substitute* "device/udev_linux/udev1_loader.cc"
                  (("libudev\\.so\\.1")
                   (string-append udev "/lib/libudev.so.1")))
-               (substitute*
-                   '("ui/ozone/platform/x11/gl_ozone_glx.cc"
-                     "ui/ozone/common/egl_util.cc"
-                     "ui/gl/init/gl_initializer_x11.cc"
-                     "third_party/angle/src/libANGLE/renderer/gl/glx/FunctionsGLX.cpp")
-                 (("libGL\\.so\\.1")
-                  (string-append mesa "/lib/libGL.so.1"))
-                 (("libEGL\\.so\\.1")
-                  (string-append mesa "/lib/libEGL.so.1"))
-                 (("libGLESv2\\.so\\.2")
-                  (string-append mesa "/lib/libGLESv2.so.2")))
                #t)))
          (add-before 'configure 'prepare-build-environment
            (lambda* (#:key inputs #:allow-other-keys)
@@ -658,14 +673,11 @@ from forcing GEXP-PROMISE."
                         ;; Clang plugins or newer versions.
                         "-Wno-unknown-warning-option")))
 
+             (setenv "CFLAGS" "-Wno-unknown-warning-option")
+
              ;; TODO: pre-compile instead. Avoids a race condition.
              (setenv "PYTHONDONTWRITEBYTECODE" "1")
 
-             (substitute*
-                 ;; From Debians 'system/node.patch'.
-                 "third_party/devtools-frontend/src/scripts/devtools_paths.py"
-               (("/usr/bin/nodejs") (which "node")))
-
              ;; XXX: How portable is this.
              (mkdir-p "third_party/node/linux/node-linux-x64")
              (symlink (string-append (assoc-ref inputs "node") "/bin")
@@ -717,7 +729,7 @@ from forcing GEXP-PROMISE."
                     (lib            (string-append out "/lib"))
                     (man            (string-append out "/share/man/man1"))
                     (applications   (string-append out "/share/applications"))
-                    (install-regexp (make-regexp "\\.(bin|pak)$"))
+                    (install-regexp (make-regexp "\\.(bin|pak|so)$"))
                     (locales        (string-append lib "/locales"))
                     (resources      (string-append lib "/resources"))
                     (preferences    (assoc-ref inputs "master-preferences"))
@@ -754,6 +766,10 @@ from forcing GEXP-PROMISE."
                  (symlink "../lib/chromium" exe)
                  (install-file "chromedriver" bin)
 
+                 (for-each (lambda (so)
+                             (install-file so (string-append lib "/swiftshader")))
+                           (find-files "swiftshader" "\\.so$"))
+
                  (wrap-program exe
                    ;; Avoid file manager crash.  See <https://bugs.gnu.org/26593>.
                    `("XDG_DATA_DIRS" ":" prefix (,(string-append gtk+ "/share")))))
@@ -770,7 +786,7 @@ from forcing GEXP-PROMISE."
                #t))))))
     (native-inputs
      `(("bison" ,bison)
-       ("clang" ,clang-9)
+       ("clang" ,clang-10)
        ("gn" ,gn)
        ("gperf" ,gperf)
        ("ninja" ,ninja)
@@ -805,7 +821,7 @@ from forcing GEXP-PROMISE."
        ("glib" ,glib)
        ("gtk+" ,gtk+)
        ("harfbuzz" ,harfbuzz)
-       ("icu4c" ,icu4c)
+       ("icu4c" ,icu4c-67)
        ("jsoncpp" ,jsoncpp)
        ("lcms" ,lcms)
        ("libevent" ,libevent)
@@ -881,19 +897,10 @@ disabled in order to protect the users privacy.")
        ,@(package-inputs ungoogled-chromium)))
     (arguments
      (substitute-keyword-arguments (package-arguments ungoogled-chromium)
-       ((#:phases phases)
-        `(modify-phases ,phases
-           (add-after 'unpack 'add-ozone-patch
-             (lambda _
-               ;; Add missing include statement required when using libstdc++,
-               ;; Clang and Ozone.  Fixed in M81.
-               (substitute* "ui/base/cursor/ozone/bitmap_cursor_factory_ozone.cc"
-                 (("#include \"base/logging\\.h" all)
-                  (string-append "#include <algorithm>\n" all)))
-               #t))))
        ((#:configure-flags flags)
         `(append (list "use_ozone=true"
                        "ozone_platform_wayland=true"
+                       "ozone_platform_x11=true"
                        "ozone_auto_platforms=false"
                        "ozone_platform=\"wayland\""
                        "use_xkbcommon=true"