From 6184ee89fe4107a1e15f1473f50e4593f449f40c Mon Sep 17 00:00:00 2001 From: aszlig Date: Thu, 27 Mar 2014 09:40:21 +0100 Subject: [PATCH] chromium/update: Update Debian binaries as well. This cases the Debian binaries to be fetched from Google's official APT repository. If we aren't able to find a package from the APT repository, it's very likely that it already got deleted upstream and we need to fallback to mirrors instead. Unfortunately, we can't use mirrors for updating, because Google doesn't sign the Debian packages themselves and only the release files. We're going to hook it into a Chromium updater soon, making the sha256 hashes publicly available, so if it is missing, we can still put the sha256 manually into sources.nix, without risking anything by blindly fetching from one of the provided mirrors. Signed-off-by: aszlig --- .../browsers/chromium/source/update.nix | 77 ++++++++++++++++--- .../browsers/chromium/source/update.sh | 12 ++- 2 files changed, 79 insertions(+), 10 deletions(-) diff --git a/pkgs/applications/networking/browsers/chromium/source/update.nix b/pkgs/applications/networking/browsers/chromium/source/update.nix index 841dfcccb54..7a8144314d5 100644 --- a/pkgs/applications/networking/browsers/chromium/source/update.nix +++ b/pkgs/applications/networking/browsers/chromium/source/update.nix @@ -1,7 +1,7 @@ { system ? builtins.currentSystem }: let - inherit (import {}) lib writeText; + inherit (import {}) lib writeText stdenv; sources = if builtins.pathExists ./sources.nix then import ./sources.nix 
@@ -10,21 +10,34 @@ let bucketURL = "http://commondatastorage.googleapis.com/" + "chromium-browser-official"; + debURL = "https://dl.google.com/linux/chrome/deb/pool/main/g"; + + # Untrusted mirrors, don't try to update from them! + debMirrors = [ + "http://95.31.35.30/chrome/pool/main/g" + "http://mirror.pcbeta.com/google/chrome/deb/pool/main/g" + ]; + tryChannel = channel: let - chanAttrs = builtins.getAttr channel sources; + chan = builtins.getAttr channel sources; in if sources != null then '' - oldver="${chanAttrs.version}"; + oldver="${chan.version}"; echo -n "Checking if $oldver ($channel) is up to date..." >&2; if [ "x$(get_newest_ver "$version" "$oldver")" != "x$oldver" ]; then echo " no, getting sha256 for new version $version:" >&2; - sha256="$(nix-prefetch-url "$url")" || return 1; + sha256="$(prefetch_sha "$channel" "$version")" || return 1; else echo " yes, keeping old sha256." >&2; - sha256="${chanAttrs.sha256}"; + sha256="${chan.sha256}"; + ${if (chan ? sha256bin32 && chan ? sha256bin64) then '' + sha256="$sha256.${chan.sha256bin32}.${chan.sha256bin64}"; + '' else '' + sha256="$sha256.$(prefetch_deb_sha "$channel" "$version")"; + ''} fi; '' else '' - sha256="$(nix-prefetch-url "$url")" || return 1; + sha256="$(prefetch_sha "$channel" "$version")" || return 1; ''; caseChannel = channel: '' 
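Review bot: The `|| return 1` after `sha256="$(prefetch_sha "$channel" "$version")"` in `tryChannel` can no longer fire, because `prefetch_sha` in the helper script (next hunk) runs both prefetches inside command substitutions under `echo` and then ends with `return 0`. Before this change a failed `nix-prefetch-url "$url"` aborted the update; now a failed tarball download would leave the main hash empty, and the update.sh hunk appears to write that out as `sha256 = "";`. The pinned hash looks like the only integrity check on a tarball fetched over plain HTTP from `bucketURL`, so that failure should still propagate, e.g. in `prefetch_sha`: `main="$(prefetch_main_sha "$@")" || return 1;` followed by `echo "$main.$(prefetch_deb_sha "$@")";`. Keeping the .deb prefetch best-effort seems intended, given the guard in update.sh.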
@@ -35,16 +48,62 @@ in rec { getChannel = channel: let chanAttrs = builtins.getAttr channel sources; in { - url = "${bucketURL}/chromium-${chanAttrs.version}.tar.xz"; - inherit (chanAttrs) version sha256; + main = { + url = "${bucketURL}/chromium-${chanAttrs.version}.tar.xz"; + inherit (chanAttrs) version sha256; + }; + + binary = let + pname = if channel == "dev" + then "google-chrome-unstable" + else "google-chrome-${channel}"; + arch = if stdenv.is64bit then "amd64" else "i386"; + relpath = "${pname}/${pname}_${chanAttrs.version}-1_${arch}.deb"; + in lib.optionalAttrs (chanAttrs ? sha256bin64) { + urls = map (url: "${url}/${relpath}") ([ debURL ] ++ debMirrors); + sha256 = if stdenv.is64bit + then chanAttrs.sha256bin64 + else chanAttrs.sha256bin32; + inherit (chanAttrs) version; + }; }; updateHelpers = writeText "update-helpers.sh" '' + + prefetch_main_sha() + { + nix-prefetch-url "${bucketURL}/chromium-$2.tar.xz"; + } + + prefetch_deb_sha() + { + channel="$1"; + version="$2"; + + case "$1" in + dev) pname="google-chrome-unstable";; + *) pname="google-chrome-$channel";; + esac; + + deb_pre="${debURL}/$pname/$pname"; + + deb32=$(nix-prefetch-url "''${deb_pre}_$version-1_i386.deb"); + deb64=$(nix-prefetch-url "''${deb_pre}_$version-1_amd64.deb"); + + echo "$deb32.$deb64"; + return 0; + } + + prefetch_sha() + { + echo "$(prefetch_main_sha "$@").$(prefetch_deb_sha "$@")"; + return 0; + } + get_sha256() { channel="$1"; version="$2"; - url="${bucketURL}/chromium-$version.tar.xz"; case "$channel" in ${lib.concatMapStrings caseChannel [ "stable" "dev" "beta" ]} diff --git a/pkgs/applications/networking/browsers/chromium/source/update.sh b/pkgs/applications/networking/browsers/chromium/source/update.sh index a2e1e268f4f..806169f524c 100755 --- a/pkgs/applications/networking/browsers/chromium/source/update.sh +++ b/pkgs/applications/networking/browsers/chromium/source/update.sh 
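Review bot: The `binary` attribute set is guarded by `chanAttrs ? sha256bin64` alone, but on a 32-bit `stdenv` it reads `chanAttrs.sha256bin32`, so a sources.nix entry that carries only the 64-bit hash (possible when hashes are entered by hand, as the commit message describes) would fail at evaluation instead of yielding an empty set. `tryChannel` already tests both attributes, and the same condition fits here: `in lib.optionalAttrs (chanAttrs ? sha256bin32 && chanAttrs ? sha256bin64) {`. A comment on `urls` would also help, stating that the plain-HTTP `debMirrors` entries are acceptable only because the pinned `sha256` is presumably verified by whatever fetcher consumes this set, and that a hand-entered hash must come from a trusted source, not from a mirror download. In `prefetch_deb_sha`, `case "$1" in` could use the `$channel` variable assigned just above it.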
@@ -92,9 +92,19 @@ get_channel_exprs() sha_insert "$version" "$sha256"; + main="${sha256%%.*}"; + deb="${sha256#*.}"; + deb32="${deb%.*}"; + deb64="${deb#*.}"; + echo " $channel = {"; echo " version = \"$version\";"; - echo " sha256 = \"$sha256\";"; + echo " sha256 = \"$main\";"; + if [ "x${deb#*[a-z0-9].[a-z0-9]}" != "x$deb" ]; + then + echo " sha256bin32 = \"$deb32\";"; + echo " sha256bin64 = \"$deb64\";"; + fi; echo " };"; done; }
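Review bot: The dotted `main.deb32.deb64` value now carried in `$sha256` is an undocumented contract between `prefetch_sha` in update.nix and this loop, and the guard `"x${deb#*[a-z0-9].[a-z0-9]}" != "x$deb"` is hard to read without knowing it. A comment above `main="${sha256%%.*}";` such as `# $sha256 is "<main>.<deb32>.<deb64>"; the deb parts are empty when the .deb prefetch failed` would make the format explicit. A second one on the `if`, such as `# emit the binary hashes only when both deb hashes are present`, would explain the pattern test. `get_channel_exprs` begins outside this hunk, so whether `sha_insert` expects the combined or the split value cannot be checked from here.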