From 282afa02453ad818225d741a61be4790142521d5 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 14 Jul 2021 15:52:49 +0200 Subject: [PATCH 1/3] nss_latest: init at 3.67 Required for the latest and greatest firefox release --- pkgs/development/libraries/nss/latest.nix | 183 ++++++++++++++++++++++ pkgs/top-level/all-packages.nix | 3 + 2 files changed, 186 insertions(+) create mode 100644 pkgs/development/libraries/nss/latest.nix diff --git a/pkgs/development/libraries/nss/latest.nix b/pkgs/development/libraries/nss/latest.nix new file mode 100644 index 00000000000..ced72d33e17 --- /dev/null +++ b/pkgs/development/libraries/nss/latest.nix 
@@ -0,0 +1,183 @@
+{ lib, stdenv, fetchurl, nspr, perl, zlib
+, sqlite, ninja
+, darwin, fixDarwinDylibNames, buildPackages
+, useP11kit ? true, p11-kit
+, # allow FIPS mode. Note that this makes the output non-reproducible.
+ # https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Tech_Notes/nss_tech_note6
+ enableFIPS ? false
+}:
+
+let
+ nssPEM = fetchurl {
+ url = "http://dev.gentoo.org/~polynomial-c/mozilla/nss-3.15.4-pem-support-20140109.patch.xz";
+ sha256 = "10ibz6y0hknac15zr6dw4gv9nb5r5z9ym6gq18j3xqx7v7n3vpdw";
+ };
+
+ # NOTE: Whenever you updated this version check if the `cacert` package also
+ # needs an update. You can run the regular updater script for cacerts.
+ # It will rebuild itself using the version of this package (NSS) and if
+ # an update is required do the required changes to the expression.
+ # Example: nix-shell ./maintainers/scripts/update.nix --argstr package cacert
+ version = "3.67";
+ underscoreVersion = builtins.replaceStrings ["."] ["_"] version;
+
+in stdenv.mkDerivation rec {
+ pname = "nss";
+ inherit version;
+
+ src = fetchurl {
+ url = "mirror://mozilla/security/nss/releases/NSS_${underscoreVersion}_RTM/src/${pname}-${version}.tar.gz";
+ sha256 = "0zyfi27lbdz1bmk9dmsivcya4phx25rzlxqcnjab69yd928rlm7n";
+ };
+
+ depsBuildBuild = [ buildPackages.stdenv.cc ];
+
+ nativeBuildInputs = [ perl ninja (buildPackages.python3.withPackages (ps: with ps; [ gyp ])) ]
+ ++ lib.optionals stdenv.hostPlatform.isDarwin [ darwin.cctools fixDarwinDylibNames ];
+
+ buildInputs = [ zlib sqlite ];
+
+ propagatedBuildInputs = [ nspr ];
+
+ prePatch = ''
+ # strip the trailing whitespace from the patch line and the renamed CKO_NETSCAPE_ enum to CKO_NSS_
+ xz -d < ${nssPEM} | sed \
+ -e 's/-DIRS = builtins $/-DIRS = . builtins/g' \
+ -e 's/CKO_NETSCAPE_/CKO_NSS_/g' \
+ -e 's/CKT_NETSCAPE_/CKT_NSS_/g' \
+ | patch -p1
+
+ patchShebangs nss
+
+ for f in nss/coreconf/config.gypi nss/build.sh nss/coreconf/config.gypi; do
+ substituteInPlace "$f" --replace "/usr/bin/env" "${buildPackages.coreutils}/bin/env"
+ done
+
+ substituteInPlace nss/coreconf/config.gypi --replace "/usr/bin/grep" "${buildPackages.coreutils}/bin/env grep"
+ '';
+
+ patches =
+ [
+ # Based on http://patch-tracker.debian.org/patch/series/dl/nss/2:3.15.4-1/85_security_load.patch
+ ./85_security_load.patch
+ ./ckpem.patch
+ ./fix-cross-compilation.patch
+ ];
+
+ patchFlags = [ "-p0" ];
+
+ postPatch = lib.optionalString stdenv.hostPlatform.isDarwin ''
+ substituteInPlace nss/coreconf/Darwin.mk --replace '@executable_path/$(notdir $@)' "$out/lib/\$(notdir \$@)"
+ substituteInPlace nss/coreconf/config.gypi --replace "'DYLIB_INSTALL_NAME_BASE': '@executable_path'" "'DYLIB_INSTALL_NAME_BASE': '$out/lib'"
+ '';
+
+ outputs = [ "out" "dev" "tools" ];
+
+ preConfigure = "cd nss";
+
+ buildPhase = let
+ getArch = platform: if platform.isx86_64 then "x64"
+ else if platform.isx86_32 then "ia32"
+ else if platform.isAarch32 then "arm"
+ else if platform.isAarch64 then "arm64"
+ else if platform.isPower && platform.is64bit then (
+ if platform.isLittleEndian then "ppc64le" else "ppc64"
+ )
+ else platform.parsed.cpu.name;
+ # yes, this is correct. 
nixpkgs uses "host" for the platform the binary will run on whereas nss uses "host" for the platform that the build is running on + target = getArch stdenv.hostPlatform; + host = getArch stdenv.buildPlatform; + in '' + runHook preBuild + + sed -i 's|nss_dist_dir="$dist_dir"|nss_dist_dir="'$out'"|;s|nss_dist_obj_dir="$obj_dir"|nss_dist_obj_dir="'$out'"|' build.sh + ./build.sh -v --opt \ + --with-nspr=${nspr.dev}/include:${nspr.out}/lib \ + --system-sqlite \ + --enable-legacy-db \ + --target ${target} \ + -Dhost_arch=${host} \ + -Duse_system_zlib=1 \ + --enable-libpkix \ + ${lib.optionalString enableFIPS "--enable-fips"} \ + ${lib.optionalString stdenv.isDarwin "--clang"} \ + ${lib.optionalString (stdenv.hostPlatform != stdenv.buildPlatform) "--disable-tests"} + + runHook postBuild + ''; + + NIX_CFLAGS_COMPILE = "-Wno-error -DNIX_NSS_LIBDIR=\"${placeholder "out"}/lib/\" " + lib.optionalString stdenv.hostPlatform.is64bit "-DNSS_USE_64=1"; + + installPhase = '' + runHook preInstall + + rm -rf $out/private + find $out -name "*.TOC" -delete + mv $out/public $out/include + + ln -s lib $out/lib64 + + # Upstream issue: https://bugzilla.mozilla.org/show_bug.cgi?id=530672 + # https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/nss/files/nss-3.32-gentoo-fixups.patch?id=af1acce6c6d2c3adb17689261dfe2c2b6771ab8a + NSS_MAJOR_VERSION=`grep "NSS_VMAJOR" lib/nss/nss.h | awk '{print $3}'` + NSS_MINOR_VERSION=`grep "NSS_VMINOR" lib/nss/nss.h | awk '{print $3}'` + NSS_PATCH_VERSION=`grep "NSS_VPATCH" lib/nss/nss.h | awk '{print $3}'` + PREFIX="$out" + + mkdir -p $out/lib/pkgconfig + sed -e "s,%prefix%,$PREFIX," \ + -e "s,%exec_prefix%,$PREFIX," \ + -e "s,%libdir%,$PREFIX/lib64," \ + -e "s,%includedir%,$dev/include/nss," \ + -e "s,%NSS_VERSION%,$NSS_MAJOR_VERSION.$NSS_MINOR_VERSION.$NSS_PATCH_VERSION,g" \ + -e "s,%NSPR_VERSION%,4.16,g" \ + pkg/pkg-config/nss.pc.in > $out/lib/pkgconfig/nss.pc + chmod 0644 $out/lib/pkgconfig/nss.pc + + sed -e "s,@prefix@,$PREFIX," \ + -e 
"s,@MOD_MAJOR_VERSION@,$NSS_MAJOR_VERSION," \ + -e "s,@MOD_MINOR_VERSION@,$NSS_MINOR_VERSION," \ + -e "s,@MOD_PATCH_VERSION@,$NSS_PATCH_VERSION," \ + pkg/pkg-config/nss-config.in > $out/bin/nss-config + chmod 0755 $out/bin/nss-config + ''; + + postInstall = lib.optionalString useP11kit '' + # Replace built-in trust with p11-kit connection + ln -sf ${p11-kit}/lib/pkcs11/p11-kit-trust.so $out/lib/libnssckbi.so + ''; + + postFixup = let + isCross = stdenv.hostPlatform != stdenv.buildPlatform; + nss = if isCross then buildPackages.nss.tools else "$out"; + in + (lib.optionalString enableFIPS ('' + for libname in freebl3 nssdbm3 softokn3 + do '' + + (if stdenv.isDarwin + then '' + libfile="$out/lib/lib$libname.dylib" + DYLD_LIBRARY_PATH=$out/lib:${nspr.out}/lib \ + '' else '' + libfile="$out/lib/lib$libname.so" + LD_LIBRARY_PATH=$out/lib:${nspr.out}/lib \ + '') + '' + ${nss}/bin/shlibsign -v -i "$libfile" + done + '')) + + '' + moveToOutput bin "$tools" + moveToOutput bin/nss-config "$dev" + moveToOutput lib/libcrmf.a "$dev" # needed by firefox, for example + rm -f "$out"/lib/*.a + + runHook postInstall + ''; + + meta = with lib; { + homepage = "https://developer.mozilla.org/en-US/docs/NSS"; + description = "A set of libraries for development of security-enabled client and server applications"; + license = licenses.mpl20; + platforms = platforms.all; + }; +} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 0cfaca0572a..4fc77aaba31 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -17157,6 +17157,9 @@ in # required for stable thunderbird and firefox-esr-78 nss_3_53 = lowPrio (callPackage ../development/libraries/nss/3.53.nix { }); + # required for the latest firefox version + nss_latest = lowPrio (callPackage ../development/libraries/nss/latest.nix { }); + nss_wrapper = callPackage ../development/libraries/nss_wrapper { }; nsss = skawarePackages.nsss; 
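Review bot: In `postFixup` the cross-compilation branch signs the FIPS libraries with `buildPackages.nss.tools`, i.e. the default `nss` attribute rather than this 3.67 build, so a cross build with `enableFIPS = true` would run a `shlibsign` from a different NSS release over these libraries; since the file is registered as `nss_latest` in all-packages.nix, `nss = if isCross then buildPackages.nss_latest.tools else "$out";` keeps tool and libraries at the same version. Two smaller things in the same hunk: the `for f in …` loop in `prePatch` lists `nss/coreconf/config.gypi` twice, and the generated `nss.pc` hard-codes `%NSPR_VERSION%` to `4.16` instead of using `${nspr.version}`, so the pkg-config file under-declares the NSPR requirement (3.67 needs, I believe, a much newer NSPR than 4.16). `installPhase` deliberately omits `runHook postInstall` and `postFixup` runs it at the very end, after the `moveToOutput` calls; a one-line comment there, e.g. `# postInstall runs here (not in installPhase), presumably so moveToOutput has finished before the p11-kit symlink is created`, would stop the next reader from "fixing" it. Finally, `meta` has no `maintainers`, which matters for a package that gates Firefox security updates.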
From 88320091fac59584068fab5e2e944bc563219150 Mon Sep 17 00:00:00 2001 From: ajs124 Date: Mon, 12 Jul 2021 15:38:03 +0200 Subject: [PATCH 2/3] firefox: 89.0.2 -> 90.0 make gtk3Support non-optional, because it hasn't been for a long time also make gtk2 conditional on firefox older than 90, because we can get rid of it with firefox 90, but it's still needed by the current ESR release (cherry picked from commit b332794adf841262958424c623c442cc8fab92e8) --- .../networking/browsers/firefox/common.nix | 19 +++++++++---------- ...ffx84.patch => no-buildconfig-ffx90.patch} | 15 ++++++--------- .../networking/browsers/firefox/packages.nix | 4 ++-- 3 files changed, 17 insertions(+), 21 deletions(-) rename pkgs/applications/networking/browsers/firefox/{no-buildconfig-ffx84.patch => no-buildconfig-ffx90.patch} (61%) diff --git a/pkgs/applications/networking/browsers/firefox/common.nix b/pkgs/applications/networking/browsers/firefox/common.nix index 51a671cb198..13cf0ea0162 100644 --- a/pkgs/applications/networking/browsers/firefox/common.nix +++ b/pkgs/applications/networking/browsers/firefox/common.nix @@ -12,6 +12,7 @@ , autoconf213, which, gnused, rustPackages, rustPackages_1_45 , rust-cbindgen, nodejs, nasm, fetchpatch , gnum4 +, gtk2, gtk3, wrapGAppsHook , debugBuild ? false ### optionals @@ -25,7 +26,6 @@ , alsaSupport ? stdenv.isLinux, alsaLib , pulseaudioSupport ? stdenv.isLinux, libpulseaudio , ffmpegSupport ? true -, gtk3Support ? true, gtk2, gtk3, wrapGAppsHook , waylandSupport ? true, libxkbcommon, libdrm , ltoSupport ? (stdenv.isLinux && stdenv.is64bit), overrideCC, buildPackages , gssSupport ? true, libkrb5 
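Review bot: Removing `gtk3Support` from the argument set in the `@@ -25,7 +26,6 @@` hunk is a silent interface change: unless the argument set ends with `...` (not visible in this diff), any caller or overlay that still passes `gtk3Support = …` now fails at evaluation with an unexpected-argument error instead of a deprecation notice. If the knob is meant to go away, keeping `gtk3Support ? true` for one release together with `assert gtk3Support;` (or a `lib.warnIf` on `!gtk3Support`) gives downstream users a clear signal and a migration path. The function header and its body continue outside the hunk.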
@@ -83,7 +83,7 @@ let flag = tf: x: [(if tf then "--enable-${x}" else "--disable-${x}")]; default-toolkit = if stdenv.isDarwin then "cairo-cocoa" - else "cairo-gtk${if gtk3Support then "3${lib.optionalString waylandSupport "-wayland"}" else "2"}"; + else "cairo-gtk3${lib.optionalString waylandSupport "-wayland"}"; binaryName = "firefox"; binaryNameCapitalized = lib.toUpper (lib.substring 0 1 binaryName) + lib.substring 1 (-1) binaryName; @@ -145,7 +145,7 @@ buildStdenv.mkDerivation ({ lib.optional (lib.versionOlder ffversion "86") ./env_var_for_system_dir-ff85.patch ++ lib.optional (lib.versionAtLeast ffversion "86") ./env_var_for_system_dir-ff86.patch ++ lib.optional (lib.versionOlder ffversion "83") ./no-buildconfig-ffx76.patch ++ - lib.optional (lib.versionAtLeast ffversion "84") ./no-buildconfig-ffx84.patch ++ + lib.optional (lib.versionAtLeast ffversion "90") ./no-buildconfig-ffx90.patch ++ lib.optional (ltoSupport && lib.versionOlder ffversion "84") ./lto-dependentlibs-generation-ffx83.patch ++ lib.optional (ltoSupport && lib.versionAtLeast ffversion "84" && lib.versionOlder ffversion "86") (fetchpatch { @@ -170,7 +170,7 @@ buildStdenv.mkDerivation ({ patchFlags = [ "-p1" "-l" ]; buildInputs = [ - gtk2 perl zip libjpeg zlib bzip2 + gtk3 perl zip libjpeg zlib bzip2 dbus dbus-glib pango freetype fontconfig xorg.libXi xorg.libXcursor xorg.libX11 xorg.libXrender xorg.libXft xorg.libXt file xorg.pixman yasm libGLU libGL 
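Review bot: In the `@@ -145,7 +145,7 @@` hunk, changing `lib.versionAtLeast ffversion "84"` to `"90"` while the 84 patch file is renamed away leaves versions 84 through 89 with no `no-buildconfig` patch at all: `< 83` still gets `ffx76`, `>= 90` gets `ffx90`, and nothing in between. If no package built from `common.nix` remains in that window (this series moves `firefox` to 90.0 and the ESR named in all-packages.nix is 78) the gap is harmless, but a comment such as `# 84..89 intentionally get no no-buildconfig patch; nothing in that range is built any more` would make it deliberate rather than accidental. If something in that window is still built, keep the old patch under `lib.optional (lib.versionAtLeast ffversion "84" && lib.versionOlder ffversion "90") ./no-buildconfig-ffx84.patch`. The `patches` list continues outside the hunk.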
@@ -188,14 +188,14 @@ buildStdenv.mkDerivation ({ ] ++ lib.optional alsaSupport alsaLib ++ lib.optional pulseaudioSupport libpulseaudio # only headers are needed - ++ lib.optional gtk3Support gtk3 ++ lib.optional gssSupport libkrb5 ++ lib.optionals waylandSupport [ libxkbcommon libdrm ] ++ lib.optional pipewireSupport pipewire ++ lib.optional (lib.versionAtLeast ffversion "82") gnum4 ++ lib.optionals buildStdenv.isDarwin [ CoreMedia ExceptionHandling Kerberos AVFoundation MediaToolbox CoreLocation - Foundation libobjc AddressBook cups ]; + Foundation libobjc AddressBook cups ] + ++ lib.optional (lib.versionOlder ffversion "90") gtk2; NIX_LDFLAGS = lib.optionalString ltoSupport '' -rpath ${llvmPackages.libunwind.out}/lib @@ -238,8 +238,8 @@ buildStdenv.mkDerivation ({ rustc which unzip + wrapGAppsHook ] - ++ lib.optional gtk3Support wrapGAppsHook ++ lib.optionals buildStdenv.isDarwin [ xcbuild rsync ] ++ extraNativeBuildInputs; @@ -368,8 +368,6 @@ buildStdenv.mkDerivation ({ passthru = { inherit updateScript; version = ffversion; - isFirefox3Like = true; - gtk = gtk2; inherit alsaSupport; inherit pipewireSupport; inherit nspr; @@ -378,7 +376,8 @@ buildStdenv.mkDerivation ({ inherit execdir; inherit browserName; inherit tests; - } // lib.optionalAttrs gtk3Support { inherit gtk3; }; + inherit gtk3; + }; hardeningDisable = [ "format" ]; # -Werror=format-security diff --git a/pkgs/applications/networking/browsers/firefox/no-buildconfig-ffx84.patch b/pkgs/applications/networking/browsers/firefox/no-buildconfig-ffx90.patch similarity index 61% rename from pkgs/applications/networking/browsers/firefox/no-buildconfig-ffx84.patch rename to pkgs/applications/networking/browsers/firefox/no-buildconfig-ffx90.patch index c4187fcda39..c8d2028f30b 100644 --- a/pkgs/applications/networking/browsers/firefox/no-buildconfig-ffx84.patch +++ b/pkgs/applications/networking/browsers/firefox/no-buildconfig-ffx90.patch 
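Review bot: The `@@ -368,8 +368,6 @@` hunk drops `isFirefox3Like` and `gtk` from `passthru`, which is the package's public attribute surface: anything outside this file that reads `firefox.gtk` or `firefox.isFirefox3Like` (wrapper code, other browsers built through `common.nix`, user overlays) breaks at evaluation, and the series does not show that consumers were checked. Removing them is probably right now that gtk2 is gone for >= 90, but if any consumer remains, `gtk = gtk3;` is the compatible replacement for the old `gtk = gtk2;`, or the attributes can be kept for one cycle. The `passthru` set continues outside the hunk.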
@@ -1,25 +1,22 @@ -diff --git a/docshell/base/nsAboutRedirector.cpp b/docshell/base/nsAboutRedirector.cpp -index 10ac77b..0125d9b 100644 --- a/docshell/base/nsAboutRedirector.cpp +++ b/docshell/base/nsAboutRedirector.cpp -@@ -63,8 +63,6 @@ static const RedirEntry kRedirMap[] = { +@@ -66,8 +66,6 @@ static const RedirEntry kRedirMap[] = { {"about", "chrome://global/content/aboutAbout.html", 0}, - {"addons", "chrome://mozapps/content/extensions/extensions.xhtml", + {"addons", "chrome://mozapps/content/extensions/aboutaddons.html", nsIAboutModule::ALLOW_SCRIPT}, - {"buildconfig", "chrome://global/content/buildconfig.html", - nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT}, {"checkerboard", "chrome://global/content/aboutCheckerboard.html", nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT | nsIAboutModule::ALLOW_SCRIPT}, -diff --git a/toolkit/content/jar.mn b/toolkit/content/jar.mn -index c83b3e2..d543140 100644 --- a/toolkit/content/jar.mn +++ b/toolkit/content/jar.mn -@@ -40,7 +40,6 @@ toolkit.jar: +@@ -39,8 +39,6 @@ toolkit.jar: + content/global/plugins.html content/global/plugins.css content/global/plugins.js - content/global/browser-child.js -* content/global/buildconfig.html - content/global/buildconfig.css +- content/global/buildconfig.css content/global/contentAreaUtils.js content/global/datepicker.xhtml + #ifndef MOZ_FENNEC diff --git a/pkgs/applications/networking/browsers/firefox/packages.nix b/pkgs/applications/networking/browsers/firefox/packages.nix index 01611fd41dd..f00f0bfeee2 100644 --- a/pkgs/applications/networking/browsers/firefox/packages.nix +++ b/pkgs/applications/networking/browsers/firefox/packages.nix 
@@ -7,10 +7,10 @@ in rec { firefox = common rec { pname = "firefox"; - ffversion = "89.0.2"; + ffversion = "90.0"; src = fetchurl { url = "mirror://mozilla/firefox/releases/${ffversion}/source/firefox-${ffversion}.source.tar.xz"; - sha512 = "ffd98ab0887611c5b4aba68346c49a7a31a58150fd8bbae610a4d941c4cff0acef0daaebfbb577787a759b4c1ef3c1199f02681148612f4f5b709983e07e0ccb"; + sha512 = "233ad59e4ab2f08d2253b49235b51b26fa32fb7c285928110573ccbe67c79965d9401a6c58a3af2ad22b8a58ca5d9b3154e3e8c9d29b153acd16152d9b75442c"; }; meta = { From 8728b288d1fa7f0fde629a408946ddbece22485c Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 14 Jul 2021 16:08:18 +0200 Subject: [PATCH 3/3] firefox: use nss_latest for firefox >= 90 --- pkgs/applications/networking/browsers/firefox/common.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/networking/browsers/firefox/common.nix b/pkgs/applications/networking/browsers/firefox/common.nix index 13cf0ea0162..30e37ff8836 100644 --- a/pkgs/applications/networking/browsers/firefox/common.nix +++ b/pkgs/applications/networking/browsers/firefox/common.nix @@ -4,7 +4,7 @@ { lib, stdenv, pkg-config, pango, perl, python3, zip , libjpeg, zlib, dbus, dbus-glib, bzip2, xorg -, freetype, fontconfig, file, nspr, nss, nss_3_53 +, freetype, fontconfig, file, nspr, nss_3_53 , yasm, libGLU, libGL, sqlite, unzip, makeWrapper , hunspell, libevent, libstartup_notification , libvpx_1_8 @@ -19,6 +19,7 @@ ## backported libraries +, nss_latest , rust-cbindgen_latest ## optional libraries 
@@ -124,7 +125,7 @@ let # Disable p11-kit support in nss until our cacert packages has caught up exposing CKA_NSS_MOZILLA_CA_POLICY # https://github.com/NixOS/nixpkgs/issues/126065 - nss_pkg = if lib.versionOlder ffversion "83" then nss_3_53 else nss.override { useP11kit = false; }; + nss_pkg = if lib.versionOlder ffversion "83" then nss_3_53 else nss_latest.override { useP11kit = false; }; # --enable-release adds -ffunction-sections & LTO that require a big amount of # RAM and the 32-bit memory space cannot handle that linking
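Review bot: Carrying `useP11kit = false` over to `nss_latest` means Firefox >= 83 presumably keeps using the CA roots bundled in NSS 3.67's own `libnssckbi.so` (the p11-kit symlink in `nss_latest`'s `postInstall` is skipped), so the browser's trust anchors and any root removals are now refreshed only when `nss_latest` is bumped; the existing comment explains why p11-kit is off but not this consequence. A one-liner such as `# Consequence: Firefox trusts the roots shipped with nss_latest, not the cacert/p11-kit store — keep nss_latest current.` would make that explicit for whoever maintains the package. The `let` block holding `nss_pkg` continues outside the hunk, and the #126065 comment still describes a temporary state, so it should be revisited when that issue closes.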