This patch teaches the update script to use the hash for a recompressed
chromium source tarball from the upstream-info.nix file instead of
recompressing a new tarball for an already hashed version.

This patch introduces an in-memory cache for the result of hashing a
chromium release tarball after recompressing and pruning it.
Previously, updating chromium and ungoogled-chromium to the same chromium
version would result in the expensive recompression happening twice.

This patch adds a new subcommand to the update script
```
update.py ungoogled-rev <rev>
```
to update to an unreleased version of ungoogled-chromium by referencing
a git ref from the ungoogled-chromium repository (like a commit hash in an
update pull request).

This is mainly due to the lack of maintenance in nixpkgs.
`google-chrome-{beta,dev}` depend on `chromium{Beta,Dev}`'s version
info.
`chromium{Beta,Dev}` are rarely updated and explicitly blocklisted by
`hydra.nixos.org`, meaning they are almost always outdated and not
cached in `cache.nixos.org`.
`chromium{Beta,Dev}` were intended to fix the build derivation of each
new major release (if something broke) *before* stable reached that
new major release, allowing for fast bumps in nixpkgs, especially if the
stable bump contains very important critical security fixes.
This can easily be replicated by using an early-stable release
or by manually entering a dev/beta version string in stable's
`upstream-info.nix`.
This resolves the issue of exposing end-users to outdated and vulnerable
`google-chrome-{beta,dev}` and `chromium{Beta,Dev}` versions.

This patch changes the update script to always output SRI hashes
for all hashes written to chromium's `upstream-info.nix` and
electron's `info.json`. The keys have also been renamed from `sha256`
to `hash`.

ofborg uses `builtins.unsafeGetAttrPos` internally to figure out which
maintainers need to be pinged, e.g.:
`builtins.unsafeGetAttrPos "version" drv`
When using a `.json` file containing the version via `lib.importJSON`,
this will always return `null`, thus leading to no pings at all.
This commit works around this, resulting in properly working pings
for any changes to the upstream-info file.
A similar thing has been done for element-{web,desktop} in the past.

ungoogled-chromium releases generally follow the chromium stable channel;
however, as the patchset targets Linux, macOS and Windows, a release might
not always be intended for being packaged in nix. This patch patches the
update script to filter ungoogled-chromium releases by whether they are
available as stable releases for Linux.
This ensures that our build flags for ungoogled-chromium will remain
up-to-date with upstream's defaults (also important for avoiding build
errors).
Co-authored-by: Michael Weiss <dev.primeos@gmail.com>

The tag 98.0.4710.4 is missing on the official GitHub mirror. As a
result the download of the DEPS file was failing (HTTP Error 404: Not
Found). Using the upstream repository is obviously better anyway, it's
just less obvious how to fetch a file from there (?format=TEXT).

Unfortunately this requires a crazy hack to support building with
Google's proprietary Widevine DRM technology as that requires fetching
the Google Chrome sources (see also 86ff1e45ce).
The hack is required because ungoogled-chromium doesn't always use tags
that correspond to a Google Chrome release.

I forgot that string comparison isn't enough because e.g.:
```
>>> "89.0.4389.9" < "89.0.4389.23"
False
```
distutils.version.LooseVersion is undocumented but it works and is
already available so why not use it:
```
>>> LooseVersion("89.0.4389.9") < LooseVersion("89.0.4389.23")
True
```

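An added example, not part of this commit or of nixpkgs' update.py, showing the same misordering and a tuple-based comparison that avoids it without `distutils.version.LooseVersion` (the `distutils` module was removed from the standard library in Python 3.12). The version strings other than the two from the commit message are constructed sample input.

```python
from typing import Iterable, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted Chromium version such as "89.0.4389.23" into an
    integer tuple so that each component compares numerically rather
    than character by character. Rejects anything non-numeric so a
    malformed upstream value cannot silently sort as "newest"."""
    parts = version.strip().split(".")
    if not parts or not all(part.isdigit() for part in parts):
        raise ValueError(f"not a numeric dotted version: {version!r}")
    return tuple(int(part) for part in parts)


def is_newer(candidate: str, current: str) -> bool:
    """True only if candidate is strictly newer than current, which is
    the check an update script needs before bumping a pinned version."""
    return parse_version(candidate) > parse_version(current)


def latest_version(versions: Iterable[str]) -> str:
    """Pick the highest version from a list of release strings."""
    return max(versions, key=parse_version)


# Constructed sample input: the two versions from the commit message plus
# a higher fourth component and an older major release.
SAMPLE_VERSIONS = ["89.0.4389.23", "89.0.4389.9", "89.0.4389.100", "88.0.4324.182"]


def compare_both_ways() -> Tuple[bool, bool]:
    """Returns (string comparison result, numeric comparison result) for
    the pair from the commit message: the first is the wrong answer
    (lexicographic order puts "9" after "23"), the second is correct."""
    plain = "89.0.4389.23" > "89.0.4389.9"
    numeric = is_newer("89.0.4389.23", "89.0.4389.9")
    return plain, numeric


if __name__ == "__main__":
    print("string vs numeric:", compare_both_ways())
    print("latest of sample:", latest_version(SAMPLE_VERSIONS))
```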
This also adds a dedicated channel for ungoogled-chromium that enables
us to update ungoogled-chromium independently of chromium.

TODO: Automate ungoogled-chromium updates via update.py (currently it
needs to be updated manually).

Note: Unfortunately this changes the ungoogled-chromium derivation
because common.nix passes the channel as an argument to
stdenv.mkDerivation (this makes it more difficult to verify this commit
but the result should remain the same).

The gn version depends on the channel and new gn versions aren't always
backward compatible. Therefore we should also include it in
upstream-info.json (I've scoped it under "deps" as we'll likely have to
add more like this in the future).

update.nix was a huuuuge hack, abusing checksum collisions, etc., and
was extremely difficult to read and maintain, especially because
values from update.nix were also used in the derivations themselves!

I've replaced this with an implementation in Python, which I chose for
readability. Rather than generating Nix, I chose to
generate JSON, since Python can do that in the standard library and
Nix can read it.

I also set update.py as an updateScript, so Chromium can now
automatically be updated!

Fixes: https://github.com/NixOS/nixpkgs/issues/89635