ungoogled-chromium: 84.0.4147.89-1 -> 85.0.4183.102-1

based on chromium master@05f5001c

pkgs/applications/networking/browsers/ungoogled-chromium/common.nix

@@ -1,7 +1,7 @@
-{ stdenv, lib, llvmPackages, gnChromium, ninja, which, nodejs, fetchpatch, gnutar
+{ stdenv, lib, llvmPackages, gnChromium, ninja, which, nodejs, fetchpatch, fetchurl
 
 # default dependencies
-, bzip2, flac, speex, libopus
+, gnutar, bzip2, flac, speex, libopus
 , libevent, expat, libjpeg, snappy
 , libpng, libcap
 , xdg_utils, yasm, nasm, minizip, libwebp
@@ -41,6 +41,7 @@
 , ungoogled-chromium
 , ungoogled ? false
 
+, channel
 , upstream-info
 }:
 
@@ -110,7 +111,7 @@ let
   versionRange = min-version: upto-version:
     let inherit (upstream-info) version;
         result = versionAtLeast version min-version && versionOlder version upto-version;
-        stable-version = (import ./upstream-info.nix).stable.version;
+        stable-version = (importJSON ./upstream-info.json).stable.version;
     in if versionAtLeast stable-version upto-version
        then warn "chromium: stable version ${stable-version} is newer than a patchset bounded at ${upto-version}. You can safely delete it."
             result
@@ -123,10 +124,13 @@ let
     };
   base = rec {
     name = "${packageName}-unwrapped-${version}";
-    inherit (upstream-info) channel version;
+    inherit (upstream-info) version;
-    inherit packageName buildType buildPath;
+    inherit channel packageName buildType buildPath;
 
-    src = upstream-info.main;
+    src = fetchurl {
+      url = "https://commondatastorage.googleapis.com/chromium-browser-official/chromium-${version}.tar.xz";
+      inherit (upstream-info) sha256;
+    };
 
     nativeBuildInputs = [
       ninja which python2Packages.python perl pkgconfig
@@ -151,8 +155,9 @@ let
       ++ optional pulseSupport libpulseaudio
       ++ optionals useOzone [ libdrm wayland mesa_drivers libxkbcommon ];
 
-    patches = [
+    patches = optionals (versionRange "68" "86") [
       ./patches/nix_plugin_paths_68.patch
+    ] ++ [
       ./patches/remove-webp-include-69.patch
       ./patches/no-build-timestamps.patch
       ./patches/widevine-79.patch
@@ -166,12 +171,18 @@ let
       #
       # ++ optionals (channel == "dev") [ ( githubPatch "<patch>" "0000000000000000000000000000000000000000000000000000000000000000" ) ]
       # ++ optional (versionRange "68" "72") ( githubPatch "<patch>" "0000000000000000000000000000000000000000000000000000000000000000" )
-    ] ++ optionals (useVaapi) [ # Improvements for the VA-API build:
+    ] ++ optionals (useVaapi && versionRange "68" "86") [ # Improvements for the VA-API build:
       ./patches/enable-vdpau-support-for-nvidia.patch # https://aur.archlinux.org/cgit/aur.git/tree/vdpau-support.patch?h=chromium-vaapi
       ./patches/enable-video-acceleration-on-linux.patch # Can be controlled at runtime (i.e. without rebuilding Chromium)
     ];
 
-    postPatch = ''
+    postPatch = optionalString (!versionRange "0" "86") ''
+      # Required for patchShebangs (unsupported interpreter directive, basename: invalid option -- '*', etc.):
+      substituteInPlace native_client/SConstruct \
+        --replace "#! -*- python -*-" ""
+      substituteInPlace third_party/harfbuzz-ng/src/src/update-unicode-tables.make \
+        --replace "/usr/bin/env -S make -f" "/usr/bin/make -f"
+    '' + ''
       # We want to be able to specify where the sandbox is via CHROME_DEVEL_SANDBOX
       substituteInPlace sandbox/linux/suid/client/setuid_sandbox_host.cc \
         --replace \
@@ -300,8 +311,8 @@ let
       use_system_libdrm = true;
       system_wayland_scanner_path = "${wayland}/bin/wayland-scanner";
     } // optionalAttrs ungoogled {
-      closure_compile = false;
       enable_hangout_services_extension = false;
+      enable_js_type_check = false;
       enable_mdns = false;
       enable_nacl_nonsfi = false;
       enable_one_click_signin = false;
@@ -313,7 +324,6 @@ let
       google_api_key = "";
       google_default_client_id = "";
       google_default_client_secret = "";
-      optimize_webui = false;
       safe_browsing_mode = 0;
       use_official_google_api_keys = false;
       use_unofficial_version_number = false;
@@ -366,9 +376,11 @@ let
       origRpath="$(patchelf --print-rpath "$chromiumBinary")"
       patchelf --set-rpath "${libGL}/lib:$origRpath" "$chromiumBinary"
     '';
+
+    passthru.updateScript = ./update.py;
   };
 
 # Remove some extraAttrs we supplied to the base attributes already.
 in stdenv.mkDerivation (base // removeAttrs extraAttrs [
   "name" "gnFlags" "buildTargets"
-])
+] // { passthru = base.passthru // (extraAttrs.passthru or {}); })

pkgs/applications/networking/browsers/ungoogled-chromium/default.nix

@@ -1,5 +1,5 @@
-{ newScope, config, stdenv, llvmPackages_9, llvmPackages_10
+{ newScope, config, stdenv, fetchurl, makeWrapper
-, makeWrapper, ed, gnugrep
+, llvmPackages_10, llvmPackages_11, ed, gnugrep, coreutils, xdg_utils
 , glib, gtk3, gnome3, gsettings-desktop-schemas, gn, fetchgit
 , libva ? null
 , pipewire_0_2
@@ -29,24 +29,16 @@ let
 
   callPackage = newScope chromium;
 
-  chromium = {
+  chromium = rec {
     inherit stdenv llvmPackages;
 
-    upstream-info = (callPackage ./update.nix {}).getChannel channel;
+    upstream-info = (lib.importJSON ./upstream-info.json).${channel};
 
     mkChromiumDerivation = callPackage ./common.nix ({
-      inherit gnome gnomeSupport gnomeKeyringSupport proprietaryCodecs cupsSupport pulseSupport useOzone;
+      inherit channel gnome gnomeSupport gnomeKeyringSupport proprietaryCodecs
+              cupsSupport pulseSupport useOzone;
       inherit ungoogled;
       # TODO: Remove after we can update gn for the stable channel (backward incompatible changes):
-      gnChromium = gn.overrideAttrs (oldAttrs: {
-        version = "2020-03-23";
-        src = fetchgit {
-          url = "https://gn.googlesource.com/gn";
-          rev = "5ed3c9cc67b090d5e311e4bd2aba072173e82db9";
-          sha256 = "00y2d35wvqmx9glaqhfb62wdgbfpwr77v0934nnvh9ks71vnsjqy";
-        };
-      });
-    } // lib.optionalAttrs (channel == "dev") {
       gnChromium = gn.overrideAttrs (oldAttrs: {
         version = "2020-05-19";
         src = fetchgit {
@@ -55,6 +47,27 @@ let
           sha256 = "0197msabskgfbxvhzq73gc3wlr3n9cr4bzrhy5z5irbvy05lxk17";
         };
       });
+    } // lib.optionalAttrs (lib.versionAtLeast upstream-info.version "86") {
+      llvmPackages = llvmPackages_11;
+      gnChromium = gn.overrideAttrs (oldAttrs: {
+        version = "2020-07-20";
+        src = fetchgit {
+          url = "https://gn.googlesource.com/gn";
+          rev = "3028c6a426a4aaf6da91c4ebafe716ae370225fe";
+          sha256 = "0h3wf4152zdvrbb0jbj49q6814lfl3rcy5mj8b2pl9s0ahvkbc6q";
+        };
+      });
+    } // lib.optionalAttrs (lib.versionAtLeast upstream-info.version "87") {
+      llvmPackages = llvmPackages_11;
+      useOzone = true; # YAY: https://chromium-review.googlesource.com/c/chromium/src/+/2382834 \o/
+      gnChromium = gn.overrideAttrs (oldAttrs: {
+        version = "2020-08-17";
+        src = fetchgit {
+          url = "https://gn.googlesource.com/gn";
+          rev = "6f13aaac55a977e1948910942675c69f2b4f7a94";
+          sha256 = "01hpma1sllpdx09mvr4d6073sg6zmk6iv44kd3r28khymcj4s251";
+        };
+      });
     });
 
     browser = callPackage ./browser.nix { inherit channel enableWideVine; };
@@ -66,22 +79,33 @@ let
     ungoogled-chromium = callPackage ./ungoogled.nix {};
   };
 
+  pkgSuffix = if channel == "dev" then "unstable" else channel;
+  pkgName = "google-chrome-${pkgSuffix}";
+  chromeSrc = fetchurl {
+    urls = map (repo: "${repo}/${pkgName}/${pkgName}_${version}-1_amd64.deb") [
+      "https://dl.google.com/linux/chrome/deb/pool/main/g"
+      "http://95.31.35.30/chrome/pool/main/g"
+      "http://mirror.pcbeta.com/google/chrome/deb/pool/main/g"
+      "http://repo.fdzh.org/chrome/deb/pool/main/g"
+    ];
+    sha256 = chromium.upstream-info.sha256bin64;
+  };
+
   mkrpath = p: "${lib.makeSearchPathOutput "lib" "lib64" p}:${lib.makeLibraryPath p}";
-  widevineCdm = let upstream-info = chromium.upstream-info; in stdenv.mkDerivation {
+  widevineCdm = stdenv.mkDerivation {
     name = "chrome-widevine-cdm";
 
-    # The .deb file for Google Chrome
+    src = chromeSrc;
-    src = upstream-info.binary;
 
     phases = [ "unpackPhase" "patchPhase" "installPhase" "checkPhase" ];
 
     unpackCmd = let
       widevineCdmPath =
-        if upstream-info.channel == "stable" then
+        if channel == "stable" then
           "./opt/google/chrome/WidevineCdm"
-        else if upstream-info.channel == "beta" then
+        else if channel == "beta" then
           "./opt/google/chrome-beta/WidevineCdm"
-        else if upstream-info.channel == "dev" then
+        else if channel == "dev" then
           "./opt/google/chrome-unstable/WidevineCdm"
         else
           throw "Unknown chromium channel.";
@@ -191,10 +215,13 @@ in stdenv.mkDerivation {
   '' + ''
 
     # libredirect causes chromium to deadlock on startup
-    export LD_PRELOAD="\$(echo -n "\$LD_PRELOAD" | tr ':' '\n' | ${gnugrep}/bin/grep -v /lib/libredirect\\\\.so$ | tr '\n' ':')"
+    export LD_PRELOAD="\$(echo -n "\$LD_PRELOAD" | ${coreutils}/bin/tr ':' '\n' | ${gnugrep}/bin/grep -v /lib/libredirect\\\\.so$ | ${coreutils}/bin/tr '\n' ':')"
 
     export XDG_DATA_DIRS=$XDG_ICON_DIRS:$GSETTINGS_SCHEMAS_PATH\''${XDG_DATA_DIRS:+:}\$XDG_DATA_DIRS
 
+    # Mainly for xdg-open but also other xdg-* tools:
+    export PATH="${xdg_utils}/bin\''${PATH:+:}\$PATH"
+
     .
     w
     EOF
@@ -214,6 +241,7 @@ in stdenv.mkDerivation {
   passthru = {
     inherit (chromium) upstream-info browser;
     mkDerivation = chromium.mkChromiumDerivation;
-    inherit sandboxExecutableName;
+    inherit chromeSrc sandboxExecutableName;
+    updateScript = ./update.py;
   };
 }

pkgs/applications/networking/browsers/ungoogled-chromium/ungoogled-src.nix

@@ -1,6 +1,6 @@
 {
-  "84.0.4147.89" = {
+  "85.0.4183.102" = {
-    rev = "84.0.4147.89-1";
+    rev = "85.0.4183.102-1";
-    sha256 = "1bqvcq3dj6615198j7cz3ylyyic5zpis06capvl6ybl1na3ainb0";
+    sha256 = "1mdx4a5zcs3an9yx1jxx4amq8p9rcj0hv76r8y7nz6cpsfgd9n3y";
   };
 }

pkgs/applications/networking/browsers/ungoogled-chromium/update.nix

@@ -1,271 +0,0 @@
-let maybePkgs = import ../../../../../. {}; in
-
-{ stdenv     ? maybePkgs.stdenv
-, runCommand ? maybePkgs.runCommand
-, fetchurl   ? maybePkgs.fetchurl
-, writeText  ? maybePkgs.writeText
-, curl       ? maybePkgs.curl
-, cacert     ? maybePkgs.cacert
-, nix        ? maybePkgs.nix
-}:
-
-let
-  inherit (stdenv) lib;
-
-  sources = if builtins.pathExists ./upstream-info.nix
-            then import ./upstream-info.nix
-            else {};
-
-  bucketURL = "https://commondatastorage.googleapis.com/"
-            + "chromium-browser-official";
-
-  mkVerURL = version: "${bucketURL}/chromium-${version}.tar.xz";
-
-  debURL = "https://dl.google.com/linux/chrome/deb/pool/main/g";
-
-  getDebURL = channelName: version: arch: mirror: let
-    packageSuffix = if channelName == "dev" then "unstable" else channelName;
-    packageName = "google-chrome-${packageSuffix}";
-  in "${mirror}/${packageName}/${packageName}_${version}-1_${arch}.deb";
-
-  # Untrusted mirrors, don't try to update from them!
-  debMirrors = [
-    "http://95.31.35.30/chrome/pool/main/g"
-    "http://mirror.pcbeta.com/google/chrome/deb/pool/main/g"
-    "http://repo.fdzh.org/chrome/deb/pool/main/g"
-  ];
-
-in {
-  getChannel = channel: let
-    chanAttrs = builtins.getAttr channel sources;
-  in {
-    inherit channel;
-    inherit (chanAttrs) version;
-
-    main = fetchurl {
-      url = mkVerURL chanAttrs.version;
-      inherit (chanAttrs) sha256;
-    };
-
-    binary = fetchurl (let
-      mkUrls = arch: let
-        mkURLForMirror = getDebURL channel chanAttrs.version arch;
-      in map mkURLForMirror ([ debURL ] ++ debMirrors);
-    in if stdenv.is64bit && chanAttrs ? sha256bin64 then {
-      urls = mkUrls "amd64";
-      sha256 = chanAttrs.sha256bin64;
-    } else if !stdenv.is64bit && chanAttrs ? sha256bin32 then {
-      urls = mkUrls "i386";
-      sha256 = chanAttrs.sha256bin32;
-    } else throw "No Chrome plugins are available for your architecture.");
-  };
-
-  update = let
-    csv2nix = name: src: import (runCommand "${name}.nix" {
-      src = builtins.fetchurl src;
-    } ''
-      esc() { echo "\"$(echo "$1" | sed -e 's/"\\$/\\&/')\""; } # ohai emacs "
-      IFS=, read -r -a headings <<< "$(head -n1 "$src")"
-      echo "[" > "$out"
-      tail -n +2 "$src" | while IFS=, read -r -a line; do
-        echo "  {"
-        for idx in "''${!headings[@]}"; do
-          echo "    $(esc "''${headings[idx]}") = $(esc ''${line[$idx]});"
-        done
-        echo "  }"
-      done >> "$out"
-      echo "]" >> "$out"
-    '');
-
-    channels = lib.fold lib.recursiveUpdate {} (map (attrs: {
-      ${attrs.os}.${attrs.channel} = attrs // {
-        history = let
-          drvName = "omahaproxy-${attrs.os}.${attrs.channel}-info";
-          history = csv2nix drvName "http://omahaproxy.appspot.com/history";
-          cond = h: attrs.os == h.os && attrs.channel == h.channel
-                 && lib.versionOlder h.version attrs.current_version;
-          # Note that this is a *reverse* sort!
-          sorter = a: b: lib.versionOlder b.version a.version;
-          sorted = builtins.sort sorter (lib.filter cond history);
-        in map (lib.flip removeAttrs ["os" "channel"]) sorted;
-        version = attrs.current_version;
-      };
-    }) (csv2nix "omahaproxy-info" "http://omahaproxy.appspot.com/all?csv=1"));
-
-    /*
-      XXX: This is essentially the same as:
-
-        builtins.tryEval (builtins.fetchurl url)
-
-      ... except that tryEval on fetchurl isn't working and doesn't catch
-      errors for fetchurl, so we go for a different approach.
-
-      We only have fixed-output derivations that can have networking access, so
-      we abuse SHA1 and its weaknesses to forge a fixed-output derivation which
-      is not so fixed, because it emits different contents that have the same
-      SHA1 hash.
-
-      Using this method, we can distinguish whether the URL is available or
-      whether it's not based on the actual content.
-
-      So let's use tryEval as soon as it's working with fetchurl in Nix.
-    */
-    tryFetch = url: let
-      # SHA1 hash collisions from https://shattered.io/static/shattered.pdf:
-      collisions = runCommand "sha1-collisions" {
-        outputs = [ "out" "good" "bad" ];
-        base64 = ''
-          QlpoOTFBWSZTWbL5V5MABl///////9Pv///v////+/////HDdK739/677r+W3/75rUNr4
-          Aa/AAAAAAACgEVTRtQDQAaA0AAyGmjTQGmgAAANGgAaMIAYgGgAABo0AAAAAADQAIAGQ0
-          MgDIGmjQA0DRk0AaMQ0DQAGIANGgAAGRoNGQMRpo0GIGgBoGQAAIAGQ0MgDIGmjQA0DRk
-          0AaMQ0DQAGIANGgAAGRoNGQMRpo0GIGgBoGQAAIAGQ0MgDIGmjQA0DRk0AaMQ0DQAGIAN
-          GgAAGRoNGQMRpo0GIGgBoGQAAIAGQ0MgDIGmjQA0DRk0AaMQ0DQAGIANGgAAGRoNGQMRp
-          o0GIGgBoGQAABVTUExEZATTICnkxNR+p6E09JppoyamjGhkm0ammIyaekbUejU9JiGnqZ
-          qaaDxJ6m0JkZMQ2oaYmJ6gxqMyE2TUzJqfItligtJQJfYbl9Zy9QjQuB5mHQRdSSXCCTH
-          MgmSDYmdOoOmLTBJWiCpOhMQYpQlOYpJjn+wQUJSTCEpOMekaFaaNB6glCC0hKEJdHr6B
-          mUIHeph7YxS8WJYyGwgWnMTFJBDFSxSCCYljiEk7HZgJzJVDHJxMgY6tCEIIWgsKSlSZ0
-          S8GckoIIF+551Ro4RCw260VCEpWJSlpWx/PMrLyVoyhWMAneDilBcUIeZ1j6NCkus0qUC
-          Wnahhk5KT4GpWMh3vm2nJWjTL9Qg+84iExBJhNKpbV9tvEN265t3fu/TKkt4rXFTsV+Nc
-          upJXhOhOhJMQQktrqt4K8mSh9M2DAO2X7uXGVL9YQxUtzQmS7uBndL7M6R7vX869VxqPu
-          renSuHYNq1yTXOfNWLwgvKlRlFYqLCs6OChDp0HuTzCWscmGudLyqUuwVGG75nmyZhKpJ
-          yOE/pOZyHyrZxGM51DYIN+Jc8yVJgAykxKCEtW55MlfudLg3KG6TtozalunXrroSxUpVL
-          StWrWLFihMnVpkyZOrQnUrE6xq1CGtJlbAb5ShMbV1CZgqlKC0wCFCpMmUKSEkvFLaZC8
-          wHOCVAlvzaJQ/T+XLb5Dh5TNM67p6KZ4e4ZSGyVENx2O27LzrTIteAreTkMZpW95GS0CE
-          JYhMc4nToTJ0wQhKEyddaLb/rTqmgJSlkpnALxMhlNmuKEpkEkqhKUoEq3SoKUpIQcDgW
-          lC0rYahMmLuPQ0fHqZaF4v2W8IoJ2EhMhYmSw7qql27WJS+G4rUplToFi2rSv0NSrVvDU
-          pltQ8Lv6F8pXyxmFBSxiLSxglNC4uvXVKmAtusXy4YXGX1ixedEvXF1aX6t8adYnYCpC6
-          rW1ZzdZYlCCxKEv8vpbqdSsXl8v1jCQv0KEPxPTa/5rtWSF1dSgg4z4KjfIMNtgwWoWLE
-          sRhKxsSA9ji7V5LRPwtumeQ8V57UtFSPIUmtQdOQfseI2Ly1DMtk4Jl8n927w34zrWG6P
-          i4jzC82js/46Rt2IZoadWxOtMInS2xYmcu8mOw9PLYxQ4bdfFw3ZPf/g2pzSwZDhGrZAl
-          9lqky0W+yeanadC037xk496t0Dq3ctfmqmjgie8ln9k6Q0K1krb3dK9el4Xsu44LpGcen
-          r2eQZ1s1IhOhnE56WnXf0BLWn9Xz15fMkzi4kpVxiTKGEpffErEEMvEeMZhUl6yD1SdeJ
-          YbxzGNM3ak2TAaglLZlDCVnoM6wV5DRrycwF8Zh/fRsdmhkMfAO1duwknrsFwrzePWeMw
-          l107DWzymxdQwiSXx/lncnn75jL9mUzw2bUDqj20LTgtawxK2SlQg1CCZDQMgSpEqLjRM
-          sykM9zbSIUqil0zNk7Nu+b5J0DKZlhl9CtpGKgX5uyp0idoJ3we9bSrY7PupnUL5eWiDp
-          V5mmnNUhOnYi8xyClkLbNmAXyoWk7GaVrM2umkbpqHDzDymiKjetgzTocWNsJ2E0zPcfh
-          t46J4ipaXGCfF7fuO0a70c82bvqo3HceIcRlshgu73seO8BqlLIap2z5jTOY+T2ucCnBt
-          Atva3aHdchJg9AJ5YdKHz7LoA3VKmeqxAlFyEnQLBxB2PAhAZ8KvmuR6ELXws1Qr13Nd1
-          i4nsp189jqvaNzt+0nEnIaniuP1+/UOZdyfoZh57ku8sYHKdvfW/jYSUks+0rK+qtte+p
-          y8jWL9cOJ0fV8rrH/t+85/p1z2N67p/ZsZ3JmdyliL7lrNxZUlx0MVIl6PxXOUuGOeArW
-          3vuEvJ2beoh7SGyZKHKbR2bBWO1d49JDIcVM6lQtu9UO8ec8pOnXmkcponBPLNM2CwZ9k
-          NC/4ct6rQkPkQHMcV/8XckU4UJCy+VeTA==
-        '';
-      } ''
-        echo "$base64" | base64 -d | tar xj
-        mv good.pdf "$good"
-        mv bad.pdf "$bad"
-        touch "$out"
-      '';
-
-      cacheVal = let
-        urlHash = builtins.hashString "sha256" url;
-        timeSlice = builtins.currentTime / 600;
-      in "${urlHash}-${toString timeSlice}";
-
-    in {
-      success = import (runCommand "check-success" {
-        result = stdenv.mkDerivation {
-          name = "tryfetch-${cacheVal}";
-          inherit url;
-
-          outputHash = "d00bbe65d80f6d53d5c15da7c6b4f0a655c5a86a";
-          outputHashMode = "flat";
-          outputHashAlgo = "sha1";
-
-          nativeBuildInputs = [ curl ];
-          preferLocalBuild = true;
-
-          inherit (collisions) good bad;
-
-          buildCommand = ''
-            if SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt" \
-               curl -s -L -f -I "$url" > /dev/null; then
-              cp "$good" "$out"
-            else
-              cp "$bad" "$out"
-            fi
-          '';
-
-          impureEnvVars = lib.fetchers.proxyImpureEnvVars;
-        };
-        inherit (collisions) good;
-      } ''
-        if cmp -s "$result" "$good"; then
-          echo true > "$out"
-        else
-          echo false > "$out"
-        fi
-      '');
-      value = builtins.fetchurl url;
-    };
-
-    fetchLatest = channel: let
-      result = tryFetch (mkVerURL channel.version);
-    in if result.success then result.value else fetchLatest (channel // {
-      version = if channel.history != []
-                then (lib.head channel.history).version
-                else throw "Unfortunately there's no older version than " +
-                           "${channel.version} available for channel " +
-                           "${channel.channel} on ${channel.os}.";
-      history = lib.tail channel.history;
-    });
-
-    getHash = path: import (runCommand "gethash.nix" {
-      inherit path;
-      nativeBuildInputs = [ nix ];
-    } ''
-      sha256="$(nix-hash --flat --base32 --type sha256 "$path")"
-      echo "\"$sha256\"" > "$out"
-    '');
-
-    isLatest = channel: version: let
-      ourVersion = sources.${channel}.version or null;
-    in if ourVersion == null then false
-       else lib.versionOlder version sources.${channel}.version
-         || version == sources.${channel}.version;
-
-    # We only support GNU/Linux right now.
-    linuxChannels = let
-      genLatest = channelName: channel: let
-        newUpstream = {
-          inherit (channel) version;
-          sha256 = getHash (fetchLatest channel);
-        };
-        keepOld = let
-          oldChannel = sources.${channelName};
-        in {
-          inherit (oldChannel) version sha256;
-        } // lib.optionalAttrs (oldChannel ? sha256bin32) {
-          inherit (oldChannel) sha256bin32;
-        } // lib.optionalAttrs (oldChannel ? sha256bin64) {
-          inherit (oldChannel) sha256bin64;
-        };
-      in if isLatest channelName channel.version then keepOld else newUpstream;
-    in lib.mapAttrs genLatest channels.linux;
-
-    getLinuxFlash = channelName: channel: let
-      inherit (channel) version;
-      fetchArch = arch: tryFetch (getDebURL channelName version arch debURL);
-      packages = lib.genAttrs ["i386" "amd64"] fetchArch;
-      isNew = arch: attr: !(builtins.hasAttr attr channel)
-                       && packages.${arch}.success;
-    in channel // lib.optionalAttrs (isNew "i386" "sha256bin32") {
-      sha256bin32 = getHash (packages.i386.value);
-    } // lib.optionalAttrs (isNew "amd64" "sha256bin64") {
-      sha256bin64 = getHash (packages.amd64.value);
-    };
-
-    newChannels = lib.mapAttrs getLinuxFlash linuxChannels;
-
-    dumpAttrs = indent: attrs: let
-      mkVal = val: if lib.isAttrs val then dumpAttrs (indent + 1) val
-                   else "\"${lib.escape ["$" "\\" "\""] (toString val)}\"";
-      mkIndent = level: lib.concatStrings (builtins.genList (_: "  ") level);
-      mkAttr = key: val: "${mkIndent (indent + 1)}${key} = ${mkVal val};\n";
-      attrLines = lib.mapAttrsToList mkAttr attrs;
-    in "{\n" + (lib.concatStrings attrLines) + (mkIndent indent) + "}";
-  in writeText "chromium-new-upstream-info.nix" ''
-    # This file is autogenerated from update.sh in the same directory.
-    ${dumpAttrs 0 newChannels}
-  '';
-}

pkgs/applications/networking/browsers/ungoogled-chromium/update.py

@@ -0,0 +1,77 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i python -p python3 nix
+
+import csv
+import json
+import subprocess
+import sys
+
+from codecs import iterdecode
+from collections import OrderedDict
+from os.path import abspath, dirname
+from urllib.request import urlopen
+
+HISTORY_URL = 'https://omahaproxy.appspot.com/history?os=linux'
+DEB_URL = 'https://dl.google.com/linux/chrome/deb/pool/main/g'
+BUCKET_URL = 'https://commondatastorage.googleapis.com/chromium-browser-official'
+
+JSON_PATH = dirname(abspath(__file__)) + '/upstream-info.json'
+
+def load_json(path):
+    with open(path, 'r') as f:
+        return json.load(f)
+
+def nix_prefetch_url(url, algo='sha256'):
+    print(f'nix-prefetch-url {url}')
+    out = subprocess.check_output(['nix-prefetch-url', '--type', algo, url])
+    return out.decode('utf-8').rstrip()
+
+channels = {}
+last_channels = load_json(JSON_PATH)
+
+print(f'GET {HISTORY_URL}', file=sys.stderr)
+with urlopen(HISTORY_URL) as resp:
+    builds = csv.DictReader(iterdecode(resp, 'utf-8'))
+    for build in builds:
+        channel_name = build['channel']
+
+        # If we've already found a newer build for this channel, we're
+        # no longer interested in it.
+        if channel_name in channels:
+            continue
+
+        # If we're back at the last build we used, we don't need to
+        # keep going -- there's no new version available, and we can
+        # just reuse the info from last time.
+        if build['version'] == last_channels[channel_name]['version']:
+            channels[channel_name] = last_channels[channel_name]
+            continue
+
+        channel = {'version': build['version']}
+        suffix = 'unstable' if channel_name == 'dev' else channel_name
+
+        try:
+            channel['sha256'] = nix_prefetch_url(f'{BUCKET_URL}/chromium-{build["version"]}.tar.xz')
+            channel['sha256bin64'] = nix_prefetch_url(f'{DEB_URL}/google-chrome-{suffix}/google-chrome-{suffix}_{build["version"]}-1_amd64.deb')
+        except subprocess.CalledProcessError:
+            # This build isn't actually available yet.  Continue to
+            # the next one.
+            continue
+
+        channels[channel_name] = channel
+
+with open(JSON_PATH, 'w') as out:
+    def get_channel_key(item):
+        channel_name = item[0]
+        if channel_name == 'stable':
+            return 0
+        elif channel_name == 'beta':
+            return 1
+        elif channel_name == 'dev':
+            return 2
+        else:
+            print(f'Error: Unexpected channel: {channel_name}', file=sys.stderr)
+            sys.exit(1)
+    sorted_channels = OrderedDict(sorted(channels.items(), key=get_channel_key))
+    json.dump(sorted_channels, out, indent=2)
+    out.write('\n')

pkgs/applications/networking/browsers/ungoogled-chromium/update.sh

@@ -1,4 +0,0 @@
-#!/bin/sh -e
-cd "$(dirname "$0")"
-sp="$(nix-build --builders "" -Q --no-out-link update.nix -A update)"
-cat "$sp" > upstream-info.nix

pkgs/applications/networking/browsers/ungoogled-chromium/upstream-info.json

@@ -0,0 +1,17 @@
+{
+  "stable": {
+    "version": "85.0.4183.102",
+    "sha256": "032yh1mfwins7a62zw8kwwq8xw1n52a0a93lqz7qlyjaf9sd8s4a",
+    "sha256bin64": "1i8xaxxnmg80vsia8hxnq58qi9k5nnbrl80d6d23g9lb7dbc9cpm"
+  },
+  "beta": {
+    "version": "86.0.4240.30",
+    "sha256": "1isj0zngb72k1hhn3h0s8mccg1cdmppz1mjmg19f2h306farzmzl",
+    "sha256bin64": "10d8im2adqqnkd6265gngv6xlm5qsz6r13z6cbbchsss0ssr8fxa"
+  },
+  "dev": {
+    "version": "87.0.4252.0",
+    "sha256": "1lxlsdni63zh79hxvpwgmnfn67kgfzhz3yg9bkxghqchqykkz92y",
+    "sha256bin64": "130hf7b35wcxpw05ddbqq89x10c0kays1vb9qg6xhq3zx2mk6ijw"
+  }
+}

pkgs/applications/networking/browsers/ungoogled-chromium/upstream-info.nix

@@ -1,18 +0,0 @@
-# This file is autogenerated from update.sh in the same directory.
-{
-  beta = {
-    sha256 = "0yf6j0459qzr677zsa2apmfz0x0ndlscvwj1a5v40nqjijchv5qp";
-    sha256bin64 = "017ix9a74f2gzlg6in0x6fqgiw8bpk0rypr6wsqqkslywprypjd0";
-    version = "84.0.4147.89";
-  };
-  dev = {
-    sha256 = "1dbbr7s8vbhxd0sk4k2yqp630zp1r4gzkkd2a86pzlzq2mjhsk8a";
-    sha256bin64 = "0bphfwi6nkj9nzrjjaffiv27xfblgdikyifsbjl6vv2pawkh335q";
-    version = "85.0.4183.15";
-  };
-  stable = {
-    sha256 = "0yf6j0459qzr677zsa2apmfz0x0ndlscvwj1a5v40nqjijchv5qp";
-    sha256bin64 = "1hzhgvs2ykqsncpnbnhzh09sw1vlsdfjhs06z5gc80l47brdi3wz";
-    version = "84.0.4147.89";
-  };
-}