This patch extends the caching mechanism of the chromium
update scripts to use cached dependencies of all attributes
in the lockfile.
When updating ungoogled-chromium for example, the update script
will now use cached dependencies from vanilla chromium, usually
meaning that no additional fetching has to be done.
This builds upon Yureka's work to build electron from source.
A lot of the newly introduced changes to the chromium derivation and
update script are 1-to-1 copies or slight derivates of that work.
Especially the newly added depot_tools.py to resolve the DEPS files does
most of the heavy lifting and is an ever so slightly modified version of
that section Yureka implemented in electron's update.py.
Some coordination between the chromium and electron maintainers should
allow us to deduplicate a lot of the duplicated code fairly easily in
the future.
That just wasn't a goal with this commit, due to time constraints and
the urgency to switch away from the release tarballs.
Instead of taking just a few hours for a tarball to be available for
download after a release, it now takes multiple days at least.
At the time of writing, roughly a week after M131 was released, the
tarball is still not available. It's unclear if it will ever be.
Reason for this are CI issues on Google's side.
Note that virtually every release contains some security critical fixes.
Also note that this commit is written with a lot of conditionals so the
electron derivation doesn't change (just yet).
The new update.mjs update script is still very much work-in-progress but
gets the job done.
Co-Authored-By: Yureka <yuka@yuka.dev>
This is no longer used as we only differentiate between stable and
ungoogled-chromium, which we already track in the "ungoogled" boolean.
Beta and dev channels are gone for good.
It's been a year since their removal in 59719f787e.
There is, however, an additional channel mapping in nixos/tests/chromium
but that one is independent from this one here.
In preparation for the deprecation of `stdenv.isX`.
These shorthands are not conducive to cross-compilation because they
hide the platforms.
Darwin might get cross-compilation for which the continued usage of `stdenv.isDarwin` will get in the way
One example of why this is bad and especially affects compiler packages
https://www.github.com/NixOS/nixpkgs/pull/343059
There are too many files to go through manually but a treewide should
get users thinking when they see a `hostPlatform.isX` in a place where it
doesn't make sense.
```
fd --type f "\.nix" | xargs sd --fixed-strings "stdenv.is" "stdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "stdenv'.is" "stdenv'.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "clangStdenv.is" "clangStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "gccStdenv.is" "gccStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "stdenvNoCC.is" "stdenvNoCC.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "inherit (stdenv) is" "inherit (stdenv.hostPlatform) is"
fd --type f "\.nix" | xargs sd --fixed-strings "buildStdenv.is" "buildStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "effectiveStdenv.is" "effectiveStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "originalStdenv.is" "originalStdenv.hostPlatform.is"
```
https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html
This update includes 38 security fixes. Google is aware that an exploit
for CVE-2024-7971 exists in the wild.
CVEs:
CVE-2024-7964 CVE-2024-7965 CVE-2024-7966 CVE-2024-7967 CVE-2024-7968
CVE-2024-7969 CVE-2024-7971 CVE-2024-7972 CVE-2024-7973 CVE-2024-7974
CVE-2024-7975 CVE-2024-7976 CVE-2024-7977 CVE-2024-7978 CVE-2024-7979
CVE-2024-7980 CVE-2024-7981 CVE-2024-8033 CVE-2024-8034 CVE-2024-8035
https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html
This update includes 38 security fixes. Google is aware that an exploit
for CVE-2024-7971 exists in the wild.
CVEs:
CVE-2024-7964 CVE-2024-7965 CVE-2024-7966 CVE-2024-7967 CVE-2024-7968
CVE-2024-7969 CVE-2024-7971 CVE-2024-7972 CVE-2024-7973 CVE-2024-7974
CVE-2024-7975 CVE-2024-7976 CVE-2024-7977 CVE-2024-7978 CVE-2024-7979
CVE-2024-7980 CVE-2024-7981 CVE-2024-8033 CVE-2024-8034 CVE-2024-8035
https://chromereleases.googleblog.com/2024/07/stable-channel-update-for-desktop_23.html
This update includes 22 security fixes.
CVEs:
CVE-2024-6988 CVE-2024-6989 CVE-2024-6991 CVE-2024-6994 CVE-2024-6995
CVE-2024-6996 CVE-2024-6997 CVE-2024-6998 CVE-2024-6999 CVE-2024-7000
CVE-2024-7001 CVE-2024-7003 CVE-2024-7004 CVE-2024-7005
The ungoogled-chromium binary pruning list got updated to include the
path to a node binary previously not included in the chromium source
tarball. We already did link the binary from our node package into place,
however as we were running the pruning script after the linking the
binary would get removed, causing the build to fail.
Co-authored-by: emilylange <git@emilylange.de>
