Merge pull request #106475 from primeos/ungoogled-chromium-merge

Merge ungoogled-chromium back into the chromium expressions
2020-12-17 19:02:21 +01:00 · 2020-12-17 19:02:21 +01:00 · f5944b74e6
commit f5944b74e6
parent 230e0a31a0 240a8f746e
16 changed files with 73 additions and 950 deletions
--- a/pkgs/applications/networking/browsers/chromium/browser.nix
+++ b/pkgs/applications/networking/browsers/chromium/browser.nix
@ -1,4 +1,4 @@
-{ stdenv, mkChromiumDerivation, channel, enableWideVine }:
+{ stdenv, mkChromiumDerivation, channel, enableWideVine, ungoogled }:
 with stdenv.lib;
@ -69,18 +69,25 @@ mkChromiumDerivation (base: rec {
  requiredSystemFeatures = [ "big-parallel" ];
  meta = {
-    description = "An open source web browser from Google";
+    description = "An open source web browser from Google"
      + optionalString ungoogled ", with dependencies on Google web services removed";
    longDescription = ''
      Chromium is an open source web browser from Google that aims to build a
      safer, faster, and more stable way for all Internet users to experience
      the web. It has a minimalist user interface and provides the vast majority
      of source code for Google Chrome (which has some additional features).
    '';
-    homepage = "https://www.chromium.org/";
+    homepage = if ungoogled
-    maintainers = with maintainers; [ primeos thefloweringash bendlas ]; # See README.md
+      then "https://github.com/Eloston/ungoogled-chromium"
      else "https://www.chromium.org/";
    maintainers = with maintainers; if ungoogled
      then [ squalus primeos ]
      else [ primeos thefloweringash bendlas ];
    license = if enableWideVine then licenses.unfree else licenses.bsd3;
    platforms = platforms.linux;
-    hydraPlatforms = if channel == "stable" then ["aarch64-linux" "x86_64-linux"] else [];
+    hydraPlatforms = if (channel == "stable" || channel == "ungoogled-chromium")
      then ["aarch64-linux" "x86_64-linux"]
      else [];
    timeout = 172800; # 48 hours (increased from the Hydra default of 10h)
  };
 })
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@ -31,6 +31,7 @@
 , proprietaryCodecs ? true
 , cupsSupport ? true
 , pulseSupport ? false, libpulseaudio ? null
 , ungoogled ? false, ungoogled-chromium
 , channel
 , upstream-info
@ -109,6 +110,10 @@ let
            result
       else result;
  ungoogler = ungoogled-chromium {
    inherit (upstream-info.deps.ungoogled-patches) rev sha256;
  };
  base = rec {
    name = "${packageName}-unwrapped-${version}";
    inherit (upstream-info) version;
@ -208,6 +213,10 @@ let
    '' + optionalString stdenv.isAarch64 ''
      substituteInPlace build/toolchain/linux/BUILD.gn \
        --replace 'toolprefix = "aarch64-linux-gnu-"' 'toolprefix = ""'
    '' + optionalString ungoogled ''
      ${ungoogler}/utils/prune_binaries.py . ${ungoogler}/pruning.list || echo "some errors"
      ${ungoogler}/utils/patches.py . ${ungoogler}/patches
      ${ungoogler}/utils/domain_substitution.py apply -r ${ungoogler}/domain_regex.list -f ${ungoogler}/domain_substitution.list -c ./ungoogled-domsubcache.tar.gz .
    '';
    gnFlags = mkGnFlags ({
@ -260,6 +269,24 @@ let
      use_system_minigbm = true;
      use_system_libdrm = true;
      system_wayland_scanner_path = "${wayland}/bin/wayland-scanner";
    } // optionalAttrs ungoogled {
      chrome_pgo_phase = 0;
      enable_hangout_services_extension = false;
      enable_js_type_check = false;
      enable_mdns = false;
      enable_nacl_nonsfi = false;
      enable_one_click_signin = false;
      enable_reading_list = false;
      enable_remoting = false;
      enable_reporting = false;
      enable_service_discovery = false;
      exclude_unwind_tables = true;
      google_api_key = "";
      google_default_client_id = "";
      google_default_client_secret = "";
      safe_browsing_mode = 0;
      use_official_google_api_keys = false;
      use_unofficial_version_number = false;
    } // (extraAttrs.gnFlags or {}));
    configurePhase = ''
--- a/pkgs/applications/networking/browsers/chromium/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/default.nix
@ -15,6 +15,7 @@
 , enablePepperFlash ? false
 , enableWideVine ? false
 , enableVaapi ? false # Disabled by default due to unofficial support
 , ungoogled ? false # Whether to build chromium or ungoogled-chromium
 , cupsSupport ? true
 , pulseSupport ? config.pulseaudio or stdenv.isLinux
 , commandLineArgs ? ""
@ -33,7 +34,7 @@ let
    mkChromiumDerivation = callPackage ./common.nix ({
      inherit channel gnome gnomeSupport gnomeKeyringSupport proprietaryCodecs
-              cupsSupport pulseSupport;
+              cupsSupport pulseSupport ungoogled;
      gnChromium = gn.overrideAttrs (oldAttrs: {
        inherit (upstream-info.deps.gn) version;
        src = fetchgit {
@ -42,11 +43,13 @@ let
      });
    });
-    browser = callPackage ./browser.nix { inherit channel enableWideVine; };
+    browser = callPackage ./browser.nix { inherit channel enableWideVine ungoogled; };
    plugins = callPackage ./plugins.nix {
      inherit enablePepperFlash;
    };
    ungoogled-chromium = callPackage ./ungoogled.nix {};
  };
  pkgSuffix = if channel == "dev" then "unstable" else channel;
@ -113,7 +116,9 @@ let
    };
  };
-  suffix = if channel != "stable" then "-" + channel else "";
+  suffix = if (channel == "stable" || channel == "ungoogled-chromium")
    then ""
    else "-" + channel;
  sandboxExecutableName = chromium.browser.passthru.sandboxExecutableName;
@ -133,7 +138,8 @@ let
    else browser;
 in stdenv.mkDerivation {
-  name = "chromium${suffix}-${version}";
+  name = lib.optionalString ungoogled "ungoogled-"
    + "chromium${suffix}-${version}";
  inherit version;
  buildInputs = [
--- a/pkgs/applications/networking/browsers/ungoogled-chromium/ungoogled.nix
+++ b/pkgs/applications/networking/browsers/ungoogled-chromium/ungoogled.nix
@ -4,6 +4,7 @@
 , makeWrapper
 , patch
 }:
 { rev
 , sha256
 }:
--- a/pkgs/applications/networking/browsers/chromium/update.py
+++ b/pkgs/applications/networking/browsers/chromium/update.py
@ -113,9 +113,12 @@ with open(JSON_PATH, 'w') as out:
            return 1
        elif channel_name == 'dev':
            return 2
        elif channel_name == 'ungoogled-chromium':
            return 3
        else:
            print(f'Error: Unexpected channel: {channel_name}', file=sys.stderr)
            sys.exit(1)
    channels['ungoogled-chromium'] = last_channels['ungoogled-chromium'] # Keep ungoogled-chromium unchanged
    sorted_channels = OrderedDict(sorted(channels.items(), key=get_channel_key))
    json.dump(sorted_channels, out, indent=2)
    out.write('\n')
--- a/pkgs/applications/networking/browsers/chromium/upstream-info.json
+++ b/pkgs/applications/networking/browsers/chromium/upstream-info.json
@ -42,5 +42,21 @@
        "sha256": "1xcm07qjk6m2czi150fiqqxql067i832adck6zxrishm70c9jbr9"
      }
    }
  },
  "ungoogled-chromium": {
    "version": "87.0.4280.88",
    "sha256": "1h09g9b2zxad85vd146ymvg3w2kpngpi78yig3dn1vrmhwr4aiiy",
    "deps": {
      "ungoogled-patches": {
        "rev": "87.0.4280.88-1",
        "sha256": "0w2137w8hfcgl6f938hqnb4ffp33v5r8vdzxrvs814w7dszkiqgg"
      },
      "gn": {
        "version": "2020-09-09",
        "url": "https://gn.googlesource.com/gn",
        "rev": "e002e68a48d1c82648eadde2f6aafa20d08c36f2",
        "sha256": "0x4c7amxwzxs39grqs3dnnz0531mpf1p75niq7zhinyfqm86i4dk"
      }
    }
  }
 }
--- a/pkgs/applications/networking/browsers/ungoogled-chromium/browser.nix
+++ b/pkgs/applications/networking/browsers/ungoogled-chromium/browser.nix
@ -1,86 +0,0 @@
 { stdenv, mkChromiumDerivation, channel, enableWideVine }:
 with stdenv.lib;
 mkChromiumDerivation (base: rec {
  name = "chromium-browser";
  packageName = "chromium";
  buildTargets = [ "mksnapshot" "chrome_sandbox" "chrome" ];
  outputs = ["out" "sandbox"];
  sandboxExecutableName = "__chromium-suid-sandbox";
  installPhase = ''
    mkdir -p "$libExecPath"
    cp -v "$buildPath/"*.so "$buildPath/"*.pak "$buildPath/"*.bin "$libExecPath/"
    cp -v "$buildPath/icudtl.dat" "$libExecPath/"
    cp -vLR "$buildPath/locales" "$buildPath/resources" "$libExecPath/"
    cp -v "$buildPath/chrome" "$libExecPath/$packageName"
    # Swiftshader
    # See https://stackoverflow.com/a/4264351/263061 for the find invocation.
    if [ -n "$(find "$buildPath/swiftshader/" -maxdepth 1 -name '*.so' -print -quit)" ]; then
      echo "Swiftshader files found; installing"
      mkdir -p "$libExecPath/swiftshader"
      cp -v "$buildPath/swiftshader/"*.so "$libExecPath/swiftshader/"
    else
      echo "Swiftshader files not found"
    fi
    mkdir -p "$sandbox/bin"
    cp -v "$buildPath/chrome_sandbox" "$sandbox/bin/${sandboxExecutableName}"
    mkdir -vp "$out/share/man/man1"
    cp -v "$buildPath/chrome.1" "$out/share/man/man1/$packageName.1"
    for icon_file in chrome/app/theme/chromium/product_logo_*[0-9].png; do
      num_and_suffix="''${icon_file##*logo_}"
      icon_size="''${num_and_suffix%.*}"
      expr "$icon_size" : "^[0-9][0-9]*$" || continue
      logo_output_prefix="$out/share/icons/hicolor"
      logo_output_path="$logo_output_prefix/''${icon_size}x''${icon_size}/apps"
      mkdir -vp "$logo_output_path"
      cp -v "$icon_file" "$logo_output_path/$packageName.png"
    done
    # Install Desktop Entry
    install -D chrome/installer/linux/common/desktop.template \
      $out/share/applications/chromium-browser.desktop
    substituteInPlace $out/share/applications/chromium-browser.desktop \
      --replace "@@MENUNAME@@" "Chromium" \
      --replace "@@PACKAGE@@" "chromium" \
      --replace "Exec=/usr/bin/@@USR_BIN_SYMLINK_NAME@@" "Exec=chromium"
    # Append more mime types to the end
    sed -i '/^MimeType=/ s,$,x-scheme-handler/webcal;x-scheme-handler/mailto;x-scheme-handler/about;x-scheme-handler/unknown,' \
      $out/share/applications/chromium-browser.desktop
    # See https://github.com/NixOS/nixpkgs/issues/12433
    sed -i \
      -e '/\[Desktop Entry\]/a\' \
      -e 'StartupWMClass=chromium-browser' \
      $out/share/applications/chromium-browser.desktop
  '';
  passthru = { inherit sandboxExecutableName; };
  requiredSystemFeatures = [ "big-parallel" ];
  meta = {
    description = "An open source web browser from Google, with dependencies on Google web services removed";
    longDescription = ''
      Chromium is an open source web browser from Google that aims to build a
      safer, faster, and more stable way for all Internet users to experience
      the web. It has a minimalist user interface and provides the vast majority
      of source code for Google Chrome (which has some additional features).
    '';
    homepage = "https://github.com/Eloston/ungoogled-chromium";
    maintainers = with maintainers; [ squalus ];
    license = if enableWideVine then licenses.unfree else licenses.bsd3;
    platforms = platforms.linux;
    hydraPlatforms = if channel == "stable" then ["aarch64-linux" "x86_64-linux"] else [];
    timeout = 172800; # 48 hours (increased from the Hydra default of 10h)
  };
 })
--- a/pkgs/applications/networking/browsers/ungoogled-chromium/common.nix
+++ b/pkgs/applications/networking/browsers/ungoogled-chromium/common.nix
@ -1,345 +0,0 @@
 { stdenv, lib, llvmPackages, gnChromium, ninja, which, nodejs, fetchpatch, fetchurl
 # default dependencies
 , gnutar, bzip2, flac, speex, libopus
 , libevent, expat, libjpeg, snappy
 , libpng, libcap
 , xdg_utils, yasm, nasm, minizip, libwebp
 , libusb1, pciutils, nss, re2
 , python2Packages, perl, pkgconfig
 , nspr, systemd, kerberos
 , util-linux, alsaLib
 , bison, gperf
 , glib, gtk3, dbus-glib
 , glibc
 , libXScrnSaver, libXcursor, libXtst, libGLU, libGL
 , protobuf, speechd, libXdamage, cups
 , ffmpeg, libxslt, libxml2, at-spi2-core
 , jre8
 , pipewire_0_2
 , libva
 # optional dependencies
 , libgcrypt ? null # gnomeSupport || cupsSupport
 , libdrm ? null, wayland ? null, mesa ? null, libxkbcommon ? null # useOzone
 # package customization
 , useOzone ? true
 , gnomeSupport ? false, gnome ? null
 , gnomeKeyringSupport ? false, libgnome-keyring3 ? null
 , proprietaryCodecs ? true
 , cupsSupport ? true
 , pulseSupport ? false, libpulseaudio ? null
 , ungoogled-chromium
 , ungoogled ? false
 , channel
 , upstream-info
 }:
 buildFun:
 with stdenv.lib;
 let
  jre = jre8; # TODO: remove override https://github.com/NixOS/nixpkgs/pull/89731
  # The additional attributes for creating derivations based on the chromium
  # source tree.
  extraAttrs = buildFun base;
  githubPatch = commit: sha256: fetchpatch {
    url = "https://github.com/chromium/chromium/commit/${commit}.patch";
    inherit sha256;
  };
  mkGnFlags =
    let
      # Serialize Nix types into GN types according to this document:
      # https://source.chromium.org/gn/gn/+/master:docs/language.md
      mkGnString = value: "\"${escape ["\"" "$" "\\"] value}\"";
      sanitize = value:
        if value == true then "true"
        else if value == false then "false"
        else if isList value then "[${concatMapStringsSep ", " sanitize value}]"
        else if isInt value then toString value
        else if isString value then mkGnString value
        else throw "Unsupported type for GN value `${value}'.";
      toFlag = key: value: "${key}=${sanitize value}";
    in attrs: concatStringsSep " " (attrValues (mapAttrs toFlag attrs));
  # https://source.chromium.org/chromium/chromium/src/+/master:build/linux/unbundle/replace_gn_files.py
  gnSystemLibraries = [
    "ffmpeg"
    "flac"
    "libjpeg"
    "libpng"
    "libwebp"
    "libxslt"
    "opus"
    "snappy"
    "zlib"
  ];
  opusWithCustomModes = libopus.override {
    withCustomModes = true;
  };
  defaultDependencies = [
    bzip2 flac speex opusWithCustomModes
    libevent expat libjpeg snappy
    libpng libcap
    xdg_utils minizip libwebp
    libusb1 re2
    ffmpeg libxslt libxml2
    nasm
  ];
  # build paths and release info
  packageName = extraAttrs.packageName or extraAttrs.name;
  buildType = "Release";
  buildPath = "out/${buildType}";
  libExecPath = "$out/libexec/${packageName}";
  versionRange = min-version: upto-version:
    let inherit (upstream-info) version;
        result = versionAtLeast version min-version && versionOlder version upto-version;
        stable-version = (importJSON ./upstream-info.json).stable.version;
    in if versionAtLeast stable-version upto-version
       then warn "chromium: stable version ${stable-version} is newer than a patchset bounded at ${upto-version}. You can safely delete it."
            result
       else result;
  ungoogler =
    let versionEntry = (import ./ungoogled-src.nix)."${upstream-info.version}";
    in ungoogled-chromium {
      inherit (versionEntry) rev sha256;
    };
  base = rec {
    name = "${packageName}-unwrapped-${version}";
    inherit (upstream-info) version;
    inherit channel packageName buildType buildPath;
    src = fetchurl {
      url = "https://commondatastorage.googleapis.com/chromium-browser-official/chromium-${version}.tar.xz";
      inherit (upstream-info) sha256;
    };
    nativeBuildInputs = [
      llvmPackages.lldClang.bintools
      ninja which python2Packages.python perl pkgconfig
      python2Packages.ply python2Packages.jinja2 nodejs
      gnutar python2Packages.setuptools
    ];
    buildInputs = defaultDependencies ++ [
      nspr nss systemd
      util-linux alsaLib
      bison gperf kerberos
      glib gtk3 dbus-glib
      libXScrnSaver libXcursor libXtst libGLU libGL
      pciutils protobuf speechd libXdamage at-spi2-core
      jre
      pipewire_0_2
      libva
    ] ++ optional gnomeKeyringSupport libgnome-keyring3
      ++ optionals gnomeSupport [ gnome.GConf libgcrypt ]
      ++ optionals cupsSupport [ libgcrypt cups ]
      ++ optional pulseSupport libpulseaudio
      ++ optionals useOzone [ libdrm wayland mesa.drivers libxkbcommon ];
    patches = [
      ./patches/no-build-timestamps.patch # Optional patch to use SOURCE_DATE_EPOCH in compute_build_timestamp.py (should be upstreamed)
      ./patches/widevine-79.patch # For bundling Widevine (DRM), might be replaceable via bundle_widevine_cdm=true in gnFlags
      # ++ optional (versionRange "68" "72") ( githubPatch "<patch>" "0000000000000000000000000000000000000000000000000000000000000000" )
    ];
    postPatch = ''
      # remove unused third-party
      for lib in ${toString gnSystemLibraries}; do
        if [ -d "third_party/$lib" ]; then
          find "third_party/$lib" -type f \
            \! -path "third_party/$lib/chromium/*" \
            \! -path "third_party/$lib/google/*" \
            \! -path "third_party/harfbuzz-ng/utils/hb_scoped.h" \
            \! -regex '.*\.\(gn\|gni\|isolate\)' \
            -delete
        fi
      done
      # Required for patchShebangs (unsupported interpreter directive, basename: invalid option -- '*', etc.):
      substituteInPlace native_client/SConstruct --replace "#! -*- python -*-" ""
      if [ -e third_party/harfbuzz-ng/src/src/update-unicode-tables.make ]; then
        substituteInPlace third_party/harfbuzz-ng/src/src/update-unicode-tables.make \
          --replace "/usr/bin/env -S make -f" "/usr/bin/make -f"
      fi
      # We want to be able to specify where the sandbox is via CHROME_DEVEL_SANDBOX
      substituteInPlace sandbox/linux/suid/client/setuid_sandbox_host.cc \
        --replace \
          'return sandbox_binary;' \
          'return base::FilePath(GetDevelSandboxPath());'
      substituteInPlace services/audio/audio_sandbox_hook_linux.cc \
        --replace \
          '/usr/share/alsa/' \
          '${alsaLib}/share/alsa/' \
        --replace \
          '/usr/lib/x86_64-linux-gnu/gconv/' \
          '${glibc}/lib/gconv/' \
        --replace \
          '/usr/share/locale/' \
          '${glibc}/share/locale/'
      sed -i -e 's@"\(#!\)\?.*xdg-@"\1${xdg_utils}/bin/xdg-@' \
        chrome/browser/shell_integration_linux.cc
      sed -i -e '/lib_loader.*Load/s!"\(libudev\.so\)!"${lib.getLib systemd}/lib/\1!' \
        device/udev_linux/udev?_loader.cc
      sed -i -e '/libpci_loader.*Load/s!"\(libpci\.so\)!"${pciutils}/lib/\1!' \
        gpu/config/gpu_info_collector_linux.cc
      # Allow to put extensions into the system-path.
      sed -i -e 's,/usr,/run/current-system/sw,' chrome/common/chrome_paths.cc
      patchShebangs .
      # use our own nodejs
      mkdir -p third_party/node/linux/node-linux-x64/bin
      ln -s "$(command -v node)" third_party/node/linux/node-linux-x64/bin/node
      # Allow building against system libraries in official builds
      sed -i 's/OFFICIAL_BUILD/GOOGLE_CHROME_BUILD/' tools/generate_shim_headers/generate_shim_headers.py
    '' + optionalString stdenv.isAarch64 ''
      substituteInPlace build/toolchain/linux/BUILD.gn \
        --replace 'toolprefix = "aarch64-linux-gnu-"' 'toolprefix = ""'
    '' + optionalString ungoogled ''
      ${ungoogler}/utils/prune_binaries.py . ${ungoogler}/pruning.list || echo "some errors"
      ${ungoogler}/utils/patches.py . ${ungoogler}/patches
      ${ungoogler}/utils/domain_substitution.py apply -r ${ungoogler}/domain_regex.list -f ${ungoogler}/domain_substitution.list -c ./ungoogled-domsubcache.tar.gz .
    '';
    gnFlags = mkGnFlags ({
      custom_toolchain = "//build/toolchain/linux/unbundle:default";
      host_toolchain = "//build/toolchain/linux/unbundle:default";
      is_official_build = true;
      use_vaapi = !stdenv.isAarch64; # TODO: Remove once M88 is released
      use_sysroot = false;
      use_gnome_keyring = gnomeKeyringSupport;
      use_gio = gnomeSupport;
      # ninja: error: '../../native_client/toolchain/linux_x86/pnacl_newlib/bin/x86_64-nacl-objcopy',
      # needed by 'nacl_irt_x86_64.nexe', missing and no known rule to make it
      enable_nacl = false;
      # Enabling the Widevine component here doesn't affect whether we can
      # redistribute the chromium package; the Widevine component is either
      # added later in the wrapped -wv build or downloaded from Google.
      enable_widevine = true;
      use_cups = cupsSupport;
      # Provides the enable-webrtc-pipewire-capturer flag to support Wayland screen capture.
      rtc_use_pipewire = true;
      treat_warnings_as_errors = false;
      clang_use_chrome_plugins = false;
      blink_symbol_level = 0;
      symbol_level = 0;
      fieldtrial_testing_like_official_build = true;
      # Google API keys, see:
      #   http://www.chromium.org/developers/how-tos/api-keys
      # Note: These are for NixOS/nixpkgs use ONLY. For your own distribution,
      # please get your own set of keys.
      google_api_key = "AIzaSyDGi15Zwl11UNe6Y-5XW_upsfyw31qwZPI";
      google_default_client_id = "404761575300.apps.googleusercontent.com";
      google_default_client_secret = "9rIFQjfnkykEmqb6FfjJQD1D";
    } // optionalAttrs proprietaryCodecs {
      # enable support for the H.264 codec
      proprietary_codecs = true;
      enable_hangout_services_extension = true;
      ffmpeg_branding = "Chrome";
    } // optionalAttrs pulseSupport {
      use_pulseaudio = true;
      link_pulseaudio = true;
    } // optionalAttrs useOzone {
      use_ozone = true;
      use_xkbcommon = true;
      use_glib = true;
      use_gtk = true;
      use_system_libwayland = true;
      use_system_minigbm = true;
      use_system_libdrm = true;
      system_wayland_scanner_path = "${wayland}/bin/wayland-scanner";
    } // optionalAttrs ungoogled {
      chrome_pgo_phase = 0;
      enable_hangout_services_extension = false;
      enable_js_type_check = false;
      enable_mdns = false;
      enable_nacl_nonsfi = false;
      enable_one_click_signin = false;
      enable_reading_list = false;
      enable_remoting = false;
      enable_reporting = false;
      enable_service_discovery = false;
      exclude_unwind_tables = true;
      google_api_key = "";
      google_default_client_id = "";
      google_default_client_secret = "";
      safe_browsing_mode = 0;
      use_official_google_api_keys = false;
      use_unofficial_version_number = false;
    } // (extraAttrs.gnFlags or {}));
    configurePhase = ''
      runHook preConfigure
      # This is to ensure expansion of $out.
      libExecPath="${libExecPath}"
      python build/linux/unbundle/replace_gn_files.py --system-libraries ${toString gnSystemLibraries}
      ${gnChromium}/bin/gn gen --args=${escapeShellArg gnFlags} out/Release | tee gn-gen-outputs.txt
      # Fail if `gn gen` contains a WARNING.
      grep -o WARNING gn-gen-outputs.txt && echo "Found gn WARNING, exiting nix build" && exit 1
      runHook postConfigure
    '';
    # Don't spam warnings about unknown warning options. This is useful because
    # our Clang is always older than Chromium's and the build logs have a size
    # of approx. 25 MB without this option (and this saves e.g. 66 %).
    NIX_CFLAGS_COMPILE = "-Wno-unknown-warning-option";
    buildPhase = let
      buildCommand = target: ''
        ninja -C "${buildPath}" -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES "${target}"
        (
          source chrome/installer/linux/common/installer.include
          PACKAGE=$packageName
          MENUNAME="Chromium"
          process_template chrome/app/resources/manpage.1.in "${buildPath}/chrome.1"
        )
      '';
      targets = extraAttrs.buildTargets or [];
      commands = map buildCommand targets;
    in concatStringsSep "\n" commands;
    postFixup = ''
      # Make sure that libGLESv2 is found by dlopen (if using EGL).
      chromiumBinary="$libExecPath/$packageName"
      origRpath="$(patchelf --print-rpath "$chromiumBinary")"
      patchelf --set-rpath "${libGL}/lib:$origRpath" "$chromiumBinary"
    '';
    passthru = {
      updateScript = ./update.py;
      chromiumDeps = {
        gn = gnChromium;
      };
    };
  };
 # Remove some extraAttrs we supplied to the base attributes already.
 in stdenv.mkDerivation (base // removeAttrs extraAttrs [
  "name" "gnFlags" "buildTargets"
 ] // { passthru = base.passthru // (extraAttrs.passthru or {}); })
--- a/pkgs/applications/networking/browsers/ungoogled-chromium/default.nix
+++ b/pkgs/applications/networking/browsers/ungoogled-chromium/default.nix
@ -1,214 +0,0 @@
 { newScope, config, stdenv, fetchurl, makeWrapper
 , llvmPackages_11, ed, gnugrep, coreutils, xdg_utils
 , glib, gtk3, gnome3, gsettings-desktop-schemas, gn, fetchgit
 , libva ? null
 , pipewire_0_2
 , gcc, nspr, nss, runCommand
 , lib
 # package customization
 # Note: enable* flags should not require full rebuilds (i.e. only affect the wrapper)
 , channel ? "stable"
 , gnomeSupport ? false, gnome ? null
 , gnomeKeyringSupport ? false
 , proprietaryCodecs ? true
 , enablePepperFlash ? false
 , enableWideVine ? false
 , enableVaapi ? false # Disabled by default due to unofficial support
 , ungoogled ? true
 , cupsSupport ? true
 , pulseSupport ? config.pulseaudio or stdenv.isLinux
 , commandLineArgs ? ""
 }:
 let
  llvmPackages = llvmPackages_11;
  stdenv = llvmPackages.stdenv;
  callPackage = newScope chromium;
  chromium = rec {
    inherit stdenv llvmPackages;
    upstream-info = (lib.importJSON ./upstream-info.json).${channel};
    mkChromiumDerivation = callPackage ./common.nix ({
      inherit channel gnome gnomeSupport gnomeKeyringSupport proprietaryCodecs
              cupsSupport pulseSupport;
      inherit ungoogled;
      gnChromium = gn.overrideAttrs (oldAttrs: {
        inherit (upstream-info.deps.gn) version;
        src = fetchgit {
          inherit (upstream-info.deps.gn) url rev sha256;
        };
      });
    });
    browser = callPackage ./browser.nix { inherit channel enableWideVine; };
    plugins = callPackage ./plugins.nix {
      inherit enablePepperFlash;
    };
    ungoogled-chromium = callPackage ./ungoogled.nix {};
  };
  pkgSuffix = if channel == "dev" then "unstable" else channel;
  pkgName = "google-chrome-${pkgSuffix}";
  chromeSrc = fetchurl {
    urls = map (repo: "${repo}/${pkgName}/${pkgName}_${version}-1_amd64.deb") [
      "https://dl.google.com/linux/chrome/deb/pool/main/g"
      "http://95.31.35.30/chrome/pool/main/g"
      "http://mirror.pcbeta.com/google/chrome/deb/pool/main/g"
      "http://repo.fdzh.org/chrome/deb/pool/main/g"
    ];
    sha256 = chromium.upstream-info.sha256bin64;
  };
  mkrpath = p: "${lib.makeSearchPathOutput "lib" "lib64" p}:${lib.makeLibraryPath p}";
  widevineCdm = stdenv.mkDerivation {
    name = "chrome-widevine-cdm";
    src = chromeSrc;
    phases = [ "unpackPhase" "patchPhase" "installPhase" "checkPhase" ];
    unpackCmd = let
      widevineCdmPath =
        if channel == "stable" then
          "./opt/google/chrome/WidevineCdm"
        else if channel == "beta" then
          "./opt/google/chrome-beta/WidevineCdm"
        else if channel == "dev" then
          "./opt/google/chrome-unstable/WidevineCdm"
        else
          throw "Unknown chromium channel.";
    in ''
      # Extract just WidevineCdm from upstream's .deb file
      ar p "$src" data.tar.xz | tar xJ "${widevineCdmPath}"
      # Move things around so that we don't have to reference a particular
      # chrome-* directory later.
      mv "${widevineCdmPath}" ./
      # unpackCmd wants a single output directory; let it take WidevineCdm/
      rm -rf opt
    '';
    doCheck = true;
    checkPhase = ''
      ! find -iname '*.so' -exec ldd {} + | grep 'not found'
    '';
    PATCH_RPATH = mkrpath [ gcc.cc glib nspr nss ];
    patchPhase = ''
      patchelf --set-rpath "$PATCH_RPATH" _platform_specific/linux_x64/libwidevinecdm.so
    '';
    installPhase = ''
      mkdir -p $out/WidevineCdm
      cp -a * $out/WidevineCdm/
    '';
    meta = {
      platforms = [ "x86_64-linux" ];
      license = lib.licenses.unfree;
    };
  };
  suffix = if channel != "stable" then "-" + channel else "";
  sandboxExecutableName = chromium.browser.passthru.sandboxExecutableName;
  version = chromium.browser.version;
  # We want users to be able to enableWideVine without rebuilding all of
  # chromium, so we have a separate derivation here that copies chromium
  # and adds the unfree WidevineCdm.
  chromiumWV = let browser = chromium.browser; in if enableWideVine then
    runCommand (browser.name + "-wv") { version = browser.version; }
      ''
        mkdir -p $out
        cp -a ${browser}/* $out/
        chmod u+w $out/libexec/chromium
        cp -a ${widevineCdm}/WidevineCdm $out/libexec/chromium/
      ''
    else browser;
 in stdenv.mkDerivation {
  name = "ungoogled-chromium${suffix}-${version}";
  inherit version;
  buildInputs = [
    makeWrapper ed
    # needed for GSETTINGS_SCHEMAS_PATH
    gsettings-desktop-schemas glib gtk3
    # needed for XDG_ICON_DIRS
    gnome3.adwaita-icon-theme
  ];
  outputs = ["out" "sandbox"];
  buildCommand = let
    browserBinary = "${chromiumWV}/libexec/chromium/chromium";
    getWrapperFlags = plugin: "$(< \"${plugin}/nix-support/wrapper-flags\")";
    libPath = stdenv.lib.makeLibraryPath [ libva pipewire_0_2 ];
  in with stdenv.lib; ''
    mkdir -p "$out/bin"
    eval makeWrapper "${browserBinary}" "$out/bin/chromium" \
      --add-flags ${escapeShellArg (escapeShellArg commandLineArgs)} \
      ${lib.optionalString enableVaapi "--add-flags --enable-accelerated-video-decode"} \
      ${concatMapStringsSep " " getWrapperFlags chromium.plugins.enabled}
    ed -v -s "$out/bin/chromium" << EOF
    2i
    if [ -x "/run/wrappers/bin/${sandboxExecutableName}" ]
    then
      export CHROME_DEVEL_SANDBOX="/run/wrappers/bin/${sandboxExecutableName}"
    else
      export CHROME_DEVEL_SANDBOX="$sandbox/bin/${sandboxExecutableName}"
    fi
  '' + lib.optionalString (libPath != "") ''
    # To avoid loading .so files from cwd, LD_LIBRARY_PATH here must not
    # contain an empty section before or after a colon.
    export LD_LIBRARY_PATH="\$LD_LIBRARY_PATH\''${LD_LIBRARY_PATH:+:}${libPath}"
  '' + ''
    # libredirect causes chromium to deadlock on startup
    export LD_PRELOAD="\$(echo -n "\$LD_PRELOAD" | ${coreutils}/bin/tr ':' '\n' | ${gnugrep}/bin/grep -v /lib/libredirect\\\\.so$ | ${coreutils}/bin/tr '\n' ':')"
    export XDG_DATA_DIRS=$XDG_ICON_DIRS:$GSETTINGS_SCHEMAS_PATH\''${XDG_DATA_DIRS:+:}\$XDG_DATA_DIRS
    # Mainly for xdg-open but also other xdg-* tools:
    export PATH="${xdg_utils}/bin\''${PATH:+:}\$PATH"
    .
    w
    EOF
    ln -sv "${chromium.browser.sandbox}" "$sandbox"
    ln -s "$out/bin/chromium" "$out/bin/chromium-browser"
    mkdir -p "$out/share"
    for f in '${chromium.browser}'/share/*; do # hello emacs */
      ln -s -t "$out/share/" "$f"
    done
  '';
  inherit (chromium.browser) packageName;
  meta = chromium.browser.meta;
  passthru = {
    inherit (chromium) upstream-info browser;
    mkDerivation = chromium.mkChromiumDerivation;
    inherit chromeSrc sandboxExecutableName;
    updateScript = ./update.py;
  };
 }
--- a/pkgs/applications/networking/browsers/ungoogled-chromium/patches/no-build-timestamps.patch
+++ b/pkgs/applications/networking/browsers/ungoogled-chromium/patches/no-build-timestamps.patch
@ -1,17 +0,0 @@
 --- chromium-70.0.3538.67/build/compute_build_timestamp.py.orig	2018-11-02 16:00:34.368933077 +0200
 +++ chromium-70.0.3538.67/build/compute_build_timestamp.py	2018-11-08 04:06:21.658105129 +0200
@@ -94,6 +94,14 @@
       'build_type', help='The type of build', choices=('official', 'default'))
   args = argument_parser.parse_args()
 +  # I don't trust LASTCHANGE magic, and I definelly want something deterministic here
 +  SOURCE_DATE_EPOCH = os.getenv("SOURCE_DATE_EPOCH", None)
 +  if SOURCE_DATE_EPOCH is not None:
 +    print(SOURCE_DATE_EPOCH)
 +    return 0
 +  else:
 +    raise RuntimeError("SOURCE_DATE_EPOCH not set")
 +
   # The mtime of the revision in build/util/LASTCHANGE is stored in a file
   # next to it. Read it, to get a deterministic time close to "now".
   # That date is then modified as described at the top of the file so that
--- a/pkgs/applications/networking/browsers/ungoogled-chromium/patches/widevine-79.patch
+++ b/pkgs/applications/networking/browsers/ungoogled-chromium/patches/widevine-79.patch
@ -1,13 +0,0 @@
 diff --git a/third_party/widevine/cdm/BUILD.gn b/third_party/widevine/cdm/BUILD.gn
 index ed0e2f5208b..5b431a030d5 100644
 --- a/third_party/widevine/cdm/BUILD.gn
 +++ b/third_party/widevine/cdm/BUILD.gn
@@ -14,7 +14,7 @@ buildflag_header("buildflags") {
   flags = [
     "ENABLE_WIDEVINE=$enable_widevine",
 -    "BUNDLE_WIDEVINE_CDM=$bundle_widevine_cdm",
 +    "BUNDLE_WIDEVINE_CDM=true",
     "ENABLE_WIDEVINE_CDM_COMPONENT=$enable_widevine_cdm_component",
   ]
 }
--- a/pkgs/applications/networking/browsers/ungoogled-chromium/plugins.nix
+++ b/pkgs/applications/networking/browsers/ungoogled-chromium/plugins.nix
@ -1,92 +0,0 @@
 { stdenv, gcc
 , jshon
 , glib
 , nspr
 , nss
 , fetchzip
 , enablePepperFlash ? false
 , upstream-info
 }:
 with stdenv.lib;
 let
  mkrpath = p: "${makeSearchPathOutput "lib" "lib64" p}:${makeLibraryPath p}";
  # Generate a shell fragment that emits flags appended to the
  # final makeWrapper call for wrapping the browser's main binary.
  #
  # Note that this is shell-escaped so that only the variable specified
  # by the "output" attribute is substituted.
  mkPluginInfo = { output ? "out", allowedVars ? [ output ]
                 , flags ? [], envVars ? {}
                 }: let
    shSearch = ["'"] ++ map (var: "@${var}@") allowedVars;
    shReplace = ["'\\''"] ++ map (var: "'\"\${${var}}\"'") allowedVars;
    # We need to triple-escape "val":
    #  * First because makeWrapper doesn't do any quoting of its arguments by
    #    itself.
    #  * Second because it's passed to the makeWrapper call separated by IFS but
    #    not by the _real_ arguments, for example the Widevine plugin flags
    #    contain spaces, so they would end up as separate arguments.
    #  * Third in order to be correctly quoted for the "echo" call below.
    shEsc = val: "'${replaceStrings ["'"] ["'\\''"] val}'";
    mkSh = val: "'${replaceStrings shSearch shReplace (shEsc val)}'";
    mkFlag = flag: ["--add-flags" (shEsc flag)];
    mkEnvVar = key: val: ["--set" (shEsc key) (shEsc val)];
    envList = mapAttrsToList mkEnvVar envVars;
    quoted = map mkSh (flatten ((map mkFlag flags) ++ envList));
  in ''
    mkdir -p "''$${output}/nix-support"
    echo ${toString quoted} > "''$${output}/nix-support/wrapper-flags"
  '';
  flash = stdenv.mkDerivation rec {
    pname = "flashplayer-ppapi";
    version = "32.0.0.465";
    src = fetchzip {
      url = "https://fpdownload.adobe.com/pub/flashplayer/pdc/${version}/flash_player_ppapi_linux.x86_64.tar.gz";
      sha256 = "16qbc2s8dg2rwggphf8f5665iccc6lrvgz45bdwskg9pwg87hlj1";
      stripRoot = false;
    };
    patchPhase = ''
      chmod +x libpepflashplayer.so
      patchelf --set-rpath "${mkrpath [ gcc.cc ]}" libpepflashplayer.so
    '';
    doCheck = true;
    checkPhase = ''
      ! find -iname '*.so' -exec ldd {} + | grep 'not found'
    '';
    installPhase = ''
      flashVersion="$(
        "${jshon}/bin/jshon" -F manifest.json -e version -u
      )"
      install -vD libpepflashplayer.so "$out/lib/libpepflashplayer.so"
      ${mkPluginInfo {
        allowedVars = [ "out" "flashVersion" ];
        flags = [
          "--ppapi-flash-path=@out@/lib/libpepflashplayer.so"
          "--ppapi-flash-version=@flashVersion@"
        ];
      }}
    '';
    dontStrip = true;
    meta = {
      license = stdenv.lib.licenses.unfree;
      maintainers = with stdenv.lib.maintainers; [ taku0 ];
      platforms = platforms.x86_64;
    };
  };
 in {
  enabled = optional enablePepperFlash flash;
 }
--- a/pkgs/applications/networking/browsers/ungoogled-chromium/ungoogled-src.nix
+++ b/pkgs/applications/networking/browsers/ungoogled-chromium/ungoogled-src.nix
@ -1,6 +0,0 @@
 {
  "87.0.4280.88" = {
    rev = "87.0.4280.88-1";
    sha256 = "0w2137w8hfcgl6f938hqnb4ffp33v5r8vdzxrvs814w7dszkiqgg";
  };
 }
--- a/pkgs/applications/networking/browsers/ungoogled-chromium/update.py
+++ b/pkgs/applications/networking/browsers/ungoogled-chromium/update.py
@ -1,121 +0,0 @@
 #! /usr/bin/env nix-shell
 #! nix-shell -i python -p python3 nix nix-prefetch-git
 import csv
 import json
 import re
 import subprocess
 import sys
 from codecs import iterdecode
 from collections import OrderedDict
 from datetime import datetime
 from os.path import abspath, dirname
 from urllib.request import urlopen
 HISTORY_URL = 'https://omahaproxy.appspot.com/history?os=linux'
 DEB_URL = 'https://dl.google.com/linux/chrome/deb/pool/main/g'
 BUCKET_URL = 'https://commondatastorage.googleapis.com/chromium-browser-official'
 JSON_PATH = dirname(abspath(__file__)) + '/upstream-info.json'
 def load_json(path):
    with open(path, 'r') as f:
        return json.load(f)
 def nix_prefetch_url(url, algo='sha256'):
    print(f'nix-prefetch-url {url}')
    out = subprocess.check_output(['nix-prefetch-url', '--type', algo, url])
    return out.decode('utf-8').rstrip()
 def nix_prefetch_git(url, rev):
    print(f'nix-prefetch-git {url} {rev}')
    out = subprocess.check_output(['nix-prefetch-git', '--quiet', '--url', url, '--rev', rev])
    return json.loads(out)
 def get_file_revision(revision, file_path):
    url = f'https://raw.githubusercontent.com/chromium/chromium/{revision}/{file_path}'
    with urlopen(url) as http_response:
        return http_response.read()
 def get_matching_chromedriver(version):
    # See https://chromedriver.chromium.org/downloads/version-selection
    build = re.sub('.[0-9]+$', '', version)
    chromedriver_version_url = f'https://chromedriver.storage.googleapis.com/LATEST_RELEASE_{build}'
    with urlopen(chromedriver_version_url) as http_response:
        chromedriver_version = http_response.read().decode()
        def get_chromedriver_url(system):
            return f'https://chromedriver.storage.googleapis.com/{chromedriver_version}/chromedriver_{system}.zip'
        return {
            'version': chromedriver_version,
            'sha256_linux': nix_prefetch_url(get_chromedriver_url('linux64')),
            'sha256_darwin': nix_prefetch_url(get_chromedriver_url('mac64'))
        }
 def get_channel_dependencies(channel):
    deps = get_file_revision(channel['version'], 'DEPS')
    gn_pattern = b"'gn_version': 'git_revision:([0-9a-f]{40})'"
    gn_commit = re.search(gn_pattern, deps).group(1).decode()
    gn = nix_prefetch_git('https://gn.googlesource.com/gn', gn_commit)
    return {
        'gn': {
            'version': datetime.fromisoformat(gn['date']).date().isoformat(),
            'url': gn['url'],
            'rev': gn['rev'],
            'sha256': gn['sha256']
        }
    }
 channels = {}
 last_channels = load_json(JSON_PATH)
 print(f'GET {HISTORY_URL}', file=sys.stderr)
 with urlopen(HISTORY_URL) as resp:
    builds = csv.DictReader(iterdecode(resp, 'utf-8'))
    for build in builds:
        channel_name = build['channel']
        # If we've already found a newer build for this channel, we're
        # no longer interested in it.
        if channel_name in channels:
            continue
        # If we're back at the last build we used, we don't need to
        # keep going -- there's no new version available, and we can
        # just reuse the info from last time.
        if build['version'] == last_channels[channel_name]['version']:
            channels[channel_name] = last_channels[channel_name]
            continue
        channel = {'version': build['version']}
        suffix = 'unstable' if channel_name == 'dev' else channel_name
        try:
            channel['sha256'] = nix_prefetch_url(f'{BUCKET_URL}/chromium-{build["version"]}.tar.xz')
            channel['sha256bin64'] = nix_prefetch_url(f'{DEB_URL}/google-chrome-{suffix}/google-chrome-{suffix}_{build["version"]}-1_amd64.deb')
        except subprocess.CalledProcessError:
            # This build isn't actually available yet.  Continue to
            # the next one.
            continue
        channel['deps'] = get_channel_dependencies(channel)
        if channel_name == 'stable':
            channel['chromedriver'] = get_matching_chromedriver(channel['version'])
        channels[channel_name] = channel
 with open(JSON_PATH, 'w') as out:
    def get_channel_key(item):
        channel_name = item[0]
        if channel_name == 'stable':
            return 0
        elif channel_name == 'beta':
            return 1
        elif channel_name == 'dev':
            return 2
        else:
            print(f'Error: Unexpected channel: {channel_name}', file=sys.stderr)
            sys.exit(1)
    sorted_channels = OrderedDict(sorted(channels.items(), key=get_channel_key))
    json.dump(sorted_channels, out, indent=2)
    out.write('\n')
--- a/pkgs/applications/networking/browsers/ungoogled-chromium/upstream-info.json
+++ b/pkgs/applications/networking/browsers/ungoogled-chromium/upstream-info.json
@ -1,46 +0,0 @@
 {
  "stable": {
    "version": "87.0.4280.88",
    "sha256": "1h09g9b2zxad85vd146ymvg3w2kpngpi78yig3dn1vrmhwr4aiiy",
    "sha256bin64": "0n3fm6wf8zfkv135d50xl8xxrnng3q55vyxkck1da8jyvh18bijb",
    "deps": {
      "gn": {
        "version": "2020-09-09",
        "url": "https://gn.googlesource.com/gn",
        "rev": "e002e68a48d1c82648eadde2f6aafa20d08c36f2",
        "sha256": "0x4c7amxwzxs39grqs3dnnz0531mpf1p75niq7zhinyfqm86i4dk"
      }
    },
    "chromedriver": {
      "version": "87.0.4280.88",
      "sha256_linux": "141mr2jiy3nslwd3s43m4i6plkv9wv5fgi78cn7mz0ac9x6fpcgx",
      "sha256_darwin": "048hsqp6575r980m769lzznvxypmfcwn89f1d3ik751ymzmb5r78"
    }
  },
  "beta": {
    "version": "88.0.4324.27",
    "sha256": "0mciiyh3sn2zrl8g6znylc2pm9sb0wzsclgavf7mmlknri5sjblc",
    "sha256bin64": "0qf2j1j3p94s724rwh8fydpjn88cs9yxxhjf5axvqwi7q3h35cfx",
    "deps": {
      "gn": {
        "version": "2020-11-05",
        "url": "https://gn.googlesource.com/gn",
        "rev": "53d92014bf94c3893886470a1c7c1289f8818db0",
        "sha256": "1xcm07qjk6m2czi150fiqqxql067i832adck6zxrishm70c9jbr9"
      }
    }
  },
  "dev": {
    "version": "89.0.4343.0",
    "sha256": "0jmc1l0lysl5zax98fjhzsfq3c1sqh3n3xscidafflx362wcfpwa",
    "sha256bin64": "1v6xik8kf531y0g5xj0c8szjmak0qvh77kwkw7p7hqxqmnwwp06d",
    "deps": {
      "gn": {
        "version": "2020-11-05",
        "url": "https://gn.googlesource.com/gn",
        "rev": "53d92014bf94c3893886470a1c7c1289f8818db0",
        "sha256": "1xcm07qjk6m2czi150fiqqxql067i832adck6zxrishm70c9jbr9"
      }
    }
  }
 }
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -24477,7 +24477,10 @@ in
  uefitoolPackages = recurseIntoAttrs (callPackage ../tools/system/uefitool/variants.nix {});
  uefitool = uefitoolPackages.new-engine;
-  ungoogled-chromium = callPackage ../applications/networking/browsers/ungoogled-chromium (config.chromium or {});
+  ungoogled-chromium = callPackage ../applications/networking/browsers/chromium ((config.chromium or {}) // {
    ungoogled = true;
    channel = "ungoogled-chromium";
  });
  unigine-valley = callPackage ../applications/graphics/unigine-valley { };