chromium: use a less frightening updater script #89635
Labels
0.kind: bug
Something is broken
Comments
Oh yeah, that'd also be fine. Let's carry over discussion to that thread.
flokli pushed a commit to alyssais/nixpkgs that referenced this issue Sep 5, 2020
update.nix was a huuuuge hack, abusing checksum collisions, etc., and was extremely difficult to read and maintain, especially because values from update.nix were also used in the derivations themselves! I've replaced this with an implementation in Python, which I chose for readability. Rather than generating Nix, I chose to generate JSON, since Python can do that in the standard library and Nix can read it. I also set update.py as an updateScript, so Chromium can now automatically be updated! Fixes: NixOS#89635
primeos pushed a commit to primeos/nixpkgs that referenced this issue Sep 23, 2020
update.nix was a huuuuge hack, abusing checksum collisions, etc., and was extremely difficult to read and maintain, especially because values from update.nix were also used in the derivations themselves! I've replaced this with an implementation in Python, which I chose for readability. Rather than generating Nix, I chose to generate JSON, since Python can do that in the standard library and Nix can read it. I also set update.py as an updateScript, so Chromium can now automatically be updated! Fixes: NixOS#89635 (cherry picked from commit de69b70)
The chromium updater script uses a Nix fixed-output derivation doing network access, and makes use of a hash collision to emit contents that have the same sha1 hash.
Before ed8f3b5, this was MD5, and also used collisions.
While this is funny and cool, it's probably not a good idea for this tooling to be essential to do things like security updates in a browser.
Before 28b289e, it was a 101 line bash script. Now we're with a 271 line nix script that is (at least for me) very hard to read.
@aszlig can you elaborate on if we really need a nix-based updater script, or can this be moved back to the 101 line bash script?
cc @primeos