The "sources.nix" also contains information about where to get binary
packages, so calling it "upstream-info.nix" fits better in terms of
naming.
Also, we're moving it away from the sources dir, because the latter will
soon vanish.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Overview of the updated versions:
stable: 48.0.2564.116 -> 49.0.2623.75
beta: 49.0.2623.63 -> 49.0.2623.75
dev: 50.0.2657.0 -> 50.0.2661.11
Stable and beta are now in par because of the release of a major stable
update.
The release addresses 26 security vulnerabilities, the following with an
assigned CVE:
* CVE-2016-1630: Same-origin bypass in Blink. Credit to Mariusz
Mlynski.
* CVE-2016-1631: Same-origin bypass in Pepper Plugin. Credit to Mariusz
Mlynski.
* CVE-2016-1632: Bad cast in Extensions. Credit to anonymous.
* CVE-2016-1633: Use-after-free in Blink. Credit to cloudfuzzer.
* CVE-2016-1634: Use-after-free in Blink. Credit to cloudfuzzer.
* CVE-2016-1635: Use-after-free in Blink. Credit to Rob Wu.
* CVE-2016-1636: SRI Validation Bypass. Credit to Ryan Lester and
Bryant Zadegan.
* CVE-2015-8126: Out-of-bounds access in libpng. Credit to
joerg.bornemann.
* CVE-2016-1637: Information Leak in Skia. Credit to Keve Nagy.
* CVE-2016-1638: WebAPI Bypass. Credit to Rob Wu.
* CVE-2016-1639: Use-after-free in WebRTC. Credit to Khalil Zhani.
* CVE-2016-1640: Origin confusion in Extensions UI. Credit to Luan
Herrera.
* CVE-2016-1641: Use-after-free in Favicon. Credit to Atte Kettunen of
OUSPG.
The full announcement which also includes the link to the bug tracker
can be found here:
http://googlechromereleases.blogspot.de/2016/03/stable-channel-update.html
Also, the 32bit Chrome package needed for the Flash and Widevine plugins
doesn't exist anymore, because Google has dropped support for 32bit
distros, see here for the announcement:
https://groups.google.com/a/chromium.org/forum/#!topic/chromium-dev/FoE6sL-p6oU
On our end, we need to fix the patch for the plugin paths to work for
the latest dev channel. The change is very minor, because the
nix_plugin_paths_46.patch only doesn't apply because of an iOS-related
ifdef.
Built and tested on my Hydra at:
https://headcounter.org/hydra/eval/311511
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #13665
No changes in functionality, but to make future source updates a bit
easier on the eyes when viewing the diff.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
As stated in the parent commit, the 32bit Chrome package is not
available upstream, so let's at least provide the SHA256 hash for the
64bit package.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
From the debian security mailing list:
Several vulnerabilities have been discovered in the chromium web browser.
CVE-2016-1622
It was discovered that a maliciously crafted extension could bypass
the Same Origin Policy.
CVE-2016-1623
Mariusz Mlynski discovered a way to bypass the Same Origin Policy.
CVE-2016-1624
lukezli discovered a buffer overflow issue in the Brotli library.
CVE-2016-1625
Jann Horn discovered a way to cause the Chrome Instant feature to
navigate to unintended destinations.
CVE-2016-1626
An out-of-bounds read issue was discovered in the openjpeg library.
CVE-2016-1627
It was discovered that the Developer Tools did not validate URLs.
CVE-2016-1628
An out-of-bounds read issue was discovered in the pdfium library.
CVE-2016-1629
A way to bypass the Same Origin Policy was discovered in Blink/WebKit,
along with a way to escape the chromium sandbox.
- Fixes CVE-2016-1612 CVE-2016-1613 CVE-2016-1614 CVE-2016-1615
CVE-2016-1616 CVE-2016-1617 CVE-2016-1618 CVE-2016-1619 CVE-2016-1620.
- Moves chromium stable and beta channels up one version major.
vcunat made dev channel stay for now, as it wouldn't download otherwise.
This is most of PR #12717.
Built and run Beta and Stable locally. Dev is surrently superseded by Stable so
it doesn't matter much.
- Dev: 47.0.2508.0 -> 48.0.2564.22
- Beta: 46.0.2490.64 -> 48.0.2564.23
- Stable: 45.0.2454.101 -> 47.0.2526.73
Changed the SSL dependencies to the supported configuration on Linux (according
to Torne @Freenode/#chromium-support).
- NSS is a dependency since it is used to access the ceritiface store.
- Dropped system OpenSSL support, the bundled BoringSSL is used.
This probably fixes issue #10555. Note that without this adjustment the build
fails even.
Dropped uneeded old patches.
Overview of the updated versions:
beta: 45.0.2454.15 -> 45.0.2454.26
dev: 45.0.2454.15 -> 46.0.2471.2
Changes for getting beta and dev channel to build:
* The reference for chrome::FILE_FLASH_PLUGIN doesn't exist anymore in
version 46, because it has been dropped upstream, see the following
review URL:
https://codereview.chromium.org/1255943002
We set the PPAPI Flash path using a command line flag anyway, so it
doesn't hurt us if we don't patch that path (which was an old
artifact from the NSAPI->PPAPI conversion anyway).
Changes for the dev channel only:
* It seems that in the SCM, chrome/test/data/webui/ contains a lot of
files, however they are missing in the tarball.
This has been reported upstream at: https://crbug.com/515917
Our fix is to just not include webui/i18n_process_css_test.html at
all, to avoid the configure (gyp) phase to fail, because we're not
building tests anyway.
All channels built and tested by my Hydra instance at:
https://headcounter.org/hydra/eval/218978
Test reports:
x86: https://headcounter.org/hydra/build/723341/download/1/log.html
x86_64: https://headcounter.org/hydra/build/723342/download/1/log.html
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Overview of the updated versions:
stable: 43.0.2357.125 -> 43.0.2357.130
beta: 44.0.2403.52 -> 44.0.2403.61
For the beta channel the following changes were necessary:
* Drop all patches which were added in c290595 because they apply to
44.0.2403.52 only. The shipped version of Blink was older than the
one used for Chromium itself and thus contained just the
cherry-picked patches from upstream Blink.
* The ffmpegsumo library is now statically linked the same way as in
the dev version, so let's not try to put it into the output store
path.
All channels were built successfully on my Hydra at:
https://headcounter.org/hydra/eval/187176
VM tests did also pass and can be found at:
x86: https://headcounter.org/hydra/build/707636
x86_64: https://headcounter.org/hydra/build/707637
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Changes included:
- Update versions.
- Use gyp package not gyp_svn1977.
- Remove icu from buildInputs, since this causes a build error due to inferference with use_system_icu=false.
- Remove the hack that inserts the absolute path into gyp files, and pass `--depth .` to gyp. This resolves the `third_party/angle` gyp error.
- Do a normal copy of the source code not a symlink copy. This resolves some link error where the symlinks interfere with relative paths (seems like because gyp resolves symlinks first). Note, this used to be worked around with the absolute path insertion hack.
- Change the bucketURL in update.nix to https (for more secure updates).
Overview of the updated versions:
stable: 40.0.2214.91 -> 40.0.2214.115
beta: 41.0.2272.16 -> 41.0.2272.64
dev: 41.0.2272.16 -> 42.0.2305.3
Introduces 42.0.2305.3 as the new dev version, which no longer requires
our user namespaces sandbox patch. Thanks to everyone participating in
https://crbug.com/312380 for finally having this upstream.
In the course of supporting the official namespace sandbox (that's what
the user namespace sandbox is called), a few things needed to be fixed
for version 42:
* Add an updated nix_plugin_paths.patch, because the old
one tries to patch the path for libpdf, which is now natively included
in Chromium.
* Don't copy libpdf.so to libexec path for version 42, it's no longer
needed as it's completely built-in now.
* Disable SUID sandbox directly in the source instead of going the easy
route of passing --disable-setuid-sandbox. The reason is that with
the command line flag a nasty nagbar will appear.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This brings a new stable version 40.0.2214.91 along with a beta update
to version 41.0.2272.16, the dev channel is still stuck at version
41.0.2272.12 and within the next days will jump to version 42.
For this reason, I've done some cheating here and brought the beta
channel in par with the dev channel, because dev is older than beta on
OmahaProxy.
Here's an overview of the channel upgrades:
stable: 39.0.2171.65 -> 40.0.2214.91 [1]
beta: 40.0.2214.10 -> 41.0.2272.16 [1] [2] [3]
dev: 41.0.2224.3 -> 41.0.2272.16 [1] [2] [3]
[1]: We needed to patch in locations of lib{pci,udev}.so, because
Chromium tries to load them at runtime. For version 41 startup will
fail if it is unable to load libudev, but it also has the advantage
that this fixes GPU detection using libpci in the stable version,
which in turn could fix a few bugs on NixOS.
[2]: The upstream Debian package for the binary plugins now uses XZ
compression for the enclosed data tarball.
[3]: Chromium 41 needs {shapshot,natives}_blob.bin in order to start up,
so let's cp it among with the .pak files to avoid adding a
conditional for version 40.
The release annoucement of the stable channel update can be found here:
http://googlechromereleases.blogspot.de/2015/01/stable-update.html
Note that this release contains 62 security fixes(!) and I'm hereby
apologizing for the delay of this update.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
With this commit, the following new upstream versions are introduced:
stable: 38.0.2125.101 -> 39.0.2171.65
beta: 39.0.2171.19 -> 40.0.2214.10
dev: 40.0.2182.3 -> 41.0.2224.3
We can now remove missing_alg_import.patch, because version 39 is nom
stable and thus fixes the missing include directive upstream.
However, starting with version 40, we hit a few bugs with system
protobuf, so we're disabling it for every version >=40 to avoid
runtime/startup errors.
Here is the stable channel announcement for version 39 on the official
blog:
http://googlechromereleases.blogspot.de/2014/11/stable-channel-update_18.html
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
With this commit, the following new upstream versions are introduced:
stable: 37.0.2062.94 -> 37.0.2062.120
beta: 38.0.2125.24 -> 38.0.2125.101
dev: 39.0.2138.3 -> 39.0.2171.7
All channels built fine on my machine and were tested against a few
sites.
The missing_alg_import.patch now is no longer needed for version 39, so
we're not applying it there anymore.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
With this commit, the following new upstream versions are introduced:
stable: 36.0.1985.125 -> 37.0.2062.94
beta: 37.0.2062.58 -> 37.0.2062.94
dev: 38.0.2107.3 -> 38.0.2125.8
All channels built fine on my machine and were tested against a few
sites.
Stable and beta channel now contain the same release, because version
37 hit the stable channel. For release notes, please have a look at the
announcement:
http://googlechromereleases.blogspot.de/2014/08/stable-channel-update_26.html
Of course we're also dropping all version 36 specific crap, such as the
architecture-specific target suffix for builds, which now is no longer
needed.
The gyp flag use_mojo=0 is no longer needed, as it was a workaround
concerning version 37.0.2054.3 only.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
beta: 37.0.2062.44 -> 37.0.2062.58 (builds fine, tested)
dev: 38.0.2101.0 -> 38.0.2107.3 (builds fine, tested)
Drop patch for fixing angle build for the dev version, because it was
applied upstream already.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
With this commit, the following new upstream versions are introduced:
stable: 35.0.1916.153 -> 36.0.1985.125
beta: 36.0.1985.84 -> 37.0.2062.44
dev: 37.0.2054.3 -> 38.0.2101.0
All builds were successfully tested on my machine, however in order to
update the beta and dev channels, a few additional modifications were
necessary:
* Don't update address_input_strings.grdp anymore because this has been
done/fixed upstream and was relevant in version 37.0.2054.3 _only_.
* No need to fix references to /usr/bin/gcc in version 38 anymore.
* Constrain patch for Angle (introduced in 4cbedd7) to version 37 only,
because it already has been applied upstream in version 38.
* Drop user namespaces patch for version 31 up until version 35,
because version 36 is already in stable.
* Don't try to build bundled Clang and/or even build using Clang.
* Remove obsolete patchPhase commands that are specific to version 35
and older.
While testing the dev version 38 I came accross a font rendering issue
which needs to be addressed ASAP (perhaps related to #3187), however the
browser works otherwise.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
With this commit, the following new upstream versions are introduced:
stable: 35.0.1916.114 -> 35.0.1916.153
beta: 35.0.1916.86 -> 36.0.1985.67
dev: 36.0.1964.2 -> 37.0.2054.3
All builds successfully tested on my machine, however in order to update
the beta and dev channels, a few additional modifications were
necessary:
* Update/rebase USER_NS sandbox patch for version 36 and higher.
* Create address_input_strings.grdp before running gyp in version 37.
* Remove an empty string leftover from 0517041.
* Add patch for building bundled Angle for version 37.
The patch for Angle is to remove reliance on git being present during
build and is from https://chromium-review.googlesource.com/202048 but
with own modifications to remove/fix Windows-specific parts within the
patch file.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
