Chromium updates with GN build #20120
Conversation
This is the standalone version of GN used currently solely for building Chromium. An upstream bug report is available at https://crbug.com/504074 to support a standalone build without needing various components from the Chromium source tree. Because there isn't a standalone vrsion available, I'm choosing 0.0.0.${date} as the version scheme here so that we don't conflict with versioned releases from upstream someday[TM]. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This only uses the most basic GN flags which should represent the GYP flags we had before. In order to get rid most of the GYP cruft, we now have common.nix and common-gn.nix which are mostly the same, just that the latter is only for GN builds. The GN implementation is far from complete and currently not even builds, so we need more work to get the beta and dev channels building. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The oldest version we build is version 53, so we no longer need this patch. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This should now be the upstream default and there also is no more flag for GN to set it, so we'll no longer need it on our side as well. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Previously I've added the extra file common-gn.nix in addition to common.nix, so we can possibly have a smooth transition from current stable to the new version 54. Unfortunately, version 53 is already EOL and we have to move to version 54 as soon as possible so we can only use GN and thus it doesn't make sense to provide expressions for GYP anymore. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Seems that these libraries aren't the ones Chromium is expecting to be, so let's switch to use the bundled version of these libraries instead. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
So far we had the bundled Flash player plugin that came with Chrome, but since version 54 the Chrome package doesn't include PPAPI Flash anymore. Instead we're going to download the PPAPI Flash plugin directly from Adobe and try to use them for all release channels of Chromium. Of course it would be nice if we'd have an updater for it but for now it's important that we don't break things for people who are currently forced to use Flash. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Overview of updated versions: stable: 54.0.2840.71 -> 54.0.2840.90 beta: 55.0.2883.21 -> 55.0.2883.35 dev: 56.0.2897.0 -> 56.0.2906.0 This is to get our Chromium versions in par with the latest upstream ones before merging in the GN migration changes. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
aszlig
added
1.severity: security
8.has: package (update)
9.needs: port to stable
|
Build failing because |
| python build/gyp_chromium -f ninja --depth . ${gypFlags} | ||
| python build/linux/unbundle/replace_gn_files.py \ | ||
| --system-libraries ${toString gnSystemLibraries} | ||
| gn gen --args=${escapeShellArg gnFlags} out/Release |
There was a problem hiding this comment.
I think the mentioned build failure is triggered here, but I am not quite sure.
|
@sternenseemann good to see testing of chromium-dev, but this PR is mostly about chromium-stable, since we need to fix those CVEs. Your build failure should be easily fixable, by adding gtk3 to buildInputs, though. |
|
@bendlas Oh, I see, totally missed that. The stable builds seem to be still in queue, sorry! |
|
This looks really good, but I'm afraid of breaking flash for our users, since I want to backport this to 16.09. This is a tough call for me. Having updates which break important features can easily turn users off from upgrading. |
|
@aszlig just a thought -- will it fail to build? or will it silently fail? Very different user experiences here. |
|
@grahamc: It won't fail to build and it just doesn't work. I think it's just a matter of passing the right parameters in the wrapper. |
|
Good news, after having installed this build to my system profile, flash actually works. |
|
Building to give it a go. |
|
These changes also fix my weird yellow box issues (#1795,) so that is good. I'm finding WideVine is now broken, not showing up in chrome://components/. Is this expected? |
|
Ported to 16.09 for testing here: https://github.com/grahamc/nixpkgs/tree/chromium-16.09 |
|
I'm not feeling too great about this, but not great about leaving it unpatched either. Merging. @aszlig can you check out my branch for 16.09 to see if it is correctly backported? |
|
@grahamc: I have time for the whole night to work on this now, so I could work on this along with fixing/testing WideVine/Flash and also incorporating the latest stdenv merge. |
This is the merge c67a7ee from master but backported to stable, which brings a bunch of security updates to Chromium: CVE-2016-5198: Out of bounds memory access in V8 CVE-2016-5181: Universal XSS in Blink CVE-2016-5182: Heap overflow in Blink CVE-2016-5183: Use after free in PDFium CVE-2016-5184: Use after free in PDFium CVE-2016-5185: Use after free in Blink CVE-2016-5187: URL spoofing CVE-2016-5188: UI spoofing CVE-2016-5192: Cross-origin bypass in Blink CVE-2016-5189: URL spoofing CVE-2016-5186: Out of bounds read in DevTools CVE-2016-5191: Universal XSS in Bookmarks CVE-2016-5190: Use after free in Internals CVE-2016-5193: Scheme bypass Detailed announcements about these changes can be found here (latest to oldest): https://googlechromereleases.blogspot.de/2016/11/stable-channel-update-for-desktop.html https://googlechromereleases.blogspot.de/2016/10/stable-channel-update-for-desktop_20.html https://googlechromereleases.blogspot.de/2016/10/stable-channel-update-for-desktop.html The implementation of this backport differs in that we copy the cc-wrapper to the Chromium directory and add support for handling response files. Thanks to @bendlas for the work on this. Tests and builds pass successfully on my Hydra at: https://headcounter.org/hydra/eval/339329 Cc: @grahamc, @bendlas, @shlevy, @sternenseemann Closes: #19565 Closes: #20120
TredwellGit
added
8.has: port to stable
This should update Chromium to the latest versions along with the transition to GN and split up flash/widevine plugins.
However, the flash plugin currently doesn't work and I have no time digging through this properly, so if anyone got time to fix it, feel free to merge these with or without the fix of the flash plugin. The fix should be quite easy, but if it should get more involved I think it's better to have a broken flash plugin than a browser with tons of CVEs out there.
The work includes part of my initiel transition to the GN build system and a modified cc-wrapper from @bendlas to handle
@responsefiles during ninja build.I've updated the Chromium versions to the latest ones, build and tests can be found here:
https://headcounter.org/hydra/eval/338754
(At the time of writing this, the builds aren't finished yet)
Note that the tests for beta and dev will probably fail, another issue which can wait for a while (until 55 becomes stable).
Cc: @grahamc,, @rycee, @FRidh, @fpletz, @NeQuissimus, @vcunat (participants in #19884 and #20078)