Merge pull request #37040 from taku0/firefox-59.0

firefox, firefox-bin: 58.0.2 -> 59.0, firefos-esr: 52.6.0esr -> 52.7.0esr [Critical security fixes]
2018-03-16 20:56:00 +00:00 · 2018-03-16 20:56:00 +00:00 · 92d18198ae
parent b1747a123a 808e8f672e
commit 92d18198ae
4 changed files with 32 additions and 26 deletions
--- a/pkgs/applications/networking/browsers/firefox/common.nix
+++ b/pkgs/applications/networking/browsers/firefox/common.nix
@ -221,7 +221,7 @@ stdenv.mkDerivation (rec {

  postInstall = ''
    # For grsecurity kernels
-    paxmark m $out/lib/firefox-[0-9]*/{firefox,firefox-bin,plugin-container}
+    paxmark m $out/lib/firefox*/{firefox,firefox-bin,plugin-container}

    # Remove SDK cruft. FIXME: move to a separate output?
    rm -rf $out/share/idl $out/include $out/lib/firefox-devel-*
@ -233,8 +233,8 @@ stdenv.mkDerivation (rec {
  postFixup = ''
    # Fix notifications. LibXUL uses dlopen for this, unfortunately; see #18712.
    patchelf --set-rpath "${lib.getLib libnotify
-      }/lib:$(patchelf --print-rpath "$out"/lib/firefox-*/libxul.so)" \
-        "$out"/lib/firefox-*/libxul.so
+      }/lib:$(patchelf --print-rpath "$out"/lib/firefox*/libxul.so)" \
+        "$out"/lib/firefox*/libxul.so
  '';

  doInstallCheck = true;
--- a/pkgs/applications/networking/browsers/firefox/packages.nix
+++ b/pkgs/applications/networking/browsers/firefox/packages.nix
@ -18,28 +18,15 @@ rec {

  firefox = common rec {
    pname = "firefox";
-    version = "58.0.2";
+    version = "59.0";
    src = fetchurl {
-      url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
-      sha512 = "ff748780492fc66b3e44c7e7641f16206e4c09514224c62d37efac2c59877bdf428a3670bfb50407166d7b505d4e2ea020626fd776b87f6abb6bc5d2e54c773f";
+      url = "https://hg.mozilla.org/releases/mozilla-release/archive/c61f5f5ead48c78a80c80db5c489bdc7cfaf8175.tar.bz2";
+      sha512 = "03yybi1yp9g29jzdfgrq32r7a0gl2jz64w6ai8219cvhx8y95ahxfznj3vm29frrp6c18dk2nlpv2s89iczwm00lnn42r7dn6s6ppl9";
    };

    patches = nixpkgsPatches ++ [
      ./no-buildconfig.patch
-
-      # https://bugzilla.mozilla.org/show_bug.cgi?id=1430274
-      # Scheduled for firefox 59
-      (fetchpatch {
-        url = "https://bug1430274.bmoattachments.org/attachment.cgi?id=8943426";
-        sha256 = "12yfss3k61yilrb337dh2rffy5hh83d2f16gqrf5i56r9c33f7hf";
-      })
-
-      # https://bugzilla.mozilla.org/show_bug.cgi?id=1388981
-      # Should have been fixed in firefox 57
-    ] ++ lib.optional stdenv.isi686 (fetchpatch {
-      url = "https://hg.mozilla.org/mozilla-central/raw-rev/15517c5a5d37";
-      sha256 = "1ba487p3hk4w2w7qqfxgv1y57vp86b8g3xhav2j20qd3j3phbbn7";
-    });
+    ];

    meta = {
      description = "A web browser built from Firefox source tree";
@ -54,10 +41,10 @@ rec {

  firefox-esr = common rec {
    pname = "firefox-esr";
-    version = "52.6.0esr";
+    version = "52.7.1esr";
    src = fetchurl {
      url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
-      sha512 = "cf583df34272b7ff8841c3b093ca0819118f9c36d23c6f9b3135db298e84ca022934bcd189add6473922b199b47330c0ecf14c303ab4177c03dbf26e64476fa4";
+      sha512 = "0275ca9c093fd0dcf09cfd31a4bca8c6ddb87aa74ace6b273a62f61079eeed11c2c0330c52c5f76aa73ed97e9cd18aa63cee69387e1fe346a30e4f9affc91ba7";
    };

    patches = nixpkgsPatches;
--- a/pkgs/applications/networking/browsers/firefox/update.nix
+++ b/pkgs/applications/networking/browsers/firefox/update.nix
@ -22,13 +22,15 @@ writeScript "update-${attrPath}" ''
  #  - removes trailing slash
  #  - sorts everything with semver in mind
  #  - picks up latest release
-  version=`xidel $url --extract "//a" | \
+  version=`xidel -s $url --extract "//a" | \
           grep "^[0-9.]*${versionSuffix}/$" | \
           sed s/[/]$// | \
           sort --version-sort | \
           tail -n 1`

+  source_url=`curl --silent $url$version/SOURCE | grep -o 'https://.*\.tar\.bz2'`
+
  shasum=`curl --silent $url$version/SHA512SUMS | grep 'source\.tar\.xz' | cut -d ' ' -f 1`

-  update-source-version ${attrPath} "$version" "$shasum"
+  update-source-version ${attrPath} "$version" "$shasum" "$source_url"
 ''
--- a/pkgs/common-updater/scripts/update-source-version
+++ b/pkgs/common-updater/scripts/update-source-version
@ -6,10 +6,11 @@ die() {
    exit 1
 }

-# Usage: update-source-hash <attr> <version> [<new-source-hash>]
+# Usage: update-source-hash <attr> <version> [<new-source-hash>] [<new-source-url>]
 attr=$1
 newVersion=$2
 newHash=$3
+newUrl=$4

 nixFile=$(nix-instantiate --eval --strict -A "$attr.meta.position" | sed -re 's/^"(.*):[0-9]+"$/\1/')
 if [ ! -f "$nixFile" ]; then
@ -27,6 +28,12 @@ if [ $(grep -c "$oldHash" "$nixFile") != 1 ]; then
    die "Couldn't locate old source hash '$oldHash' (or it appeared more than once) in '$nixFile'!"
 fi

+oldUrl=$(nix-instantiate --eval -E "with import ./. {}; builtins.elemAt $attr.src.drvAttrs.urls 0" | tr -d '"')
+
+if [ -z "$oldUrl" ]; then
+    die "Couldn't evaluate source url from '$attr.name'!"
+fi
+
 drvName=$(nix-instantiate --eval -E "with import ./. {}; (builtins.parseDrvName $attr.name).name" | tr -d '"')
 oldVersion=$(nix-instantiate --eval -E "with import ./. {}; $attr.version or (builtins.parseDrvName $attr.name).version" | tr -d '"')

@ -41,6 +48,7 @@ fi

 # Escape regex metacharacter that are allowed in store path names
 oldVersion=$(echo "$oldVersion" | sed -re 's|[.+]|\\&|g')
+oldUrl=$(echo "$oldUrl" | sed -re 's|[${}.+]|\\&|g')

 if [ $(grep -c -E "^\s*(let\b)?\s*version\s*=\s*\"$oldVersion\"" "$nixFile") = 1 ]; then
    pattern="/\bversion\b\s*=/ s|\"$oldVersion\"|\"$newVersion\"|"
@ -56,6 +64,15 @@ if cmp -s "$nixFile" "$nixFile.bak"; then
    die "Failed to replace version '$oldVersion' to '$newVersion' in '$attr'!"
 fi

+# Replace new URL
+if [ -n "$newUrl" ]; then
+    sed -i "$nixFile" -re "s|\"$oldUrl\"|\"$newUrl\"|"
+
+    if cmp -s "$nixFile" "$nixFile.bak"; then
+        die "Failed to replace source URL '$oldUrl' to '$newUrl' in '$attr'!"
+    fi
+fi
+
 case "$oldHashAlgo" in
    sha256) hashLength=64 ;;
    sha512) hashLength=128 ;;
@ -74,7 +91,7 @@ fi
 if [ -z "$newHash" ]; then
    nix-build --no-out-link -A "$attr.src" 2>"$attr.fetchlog" >/dev/null || true
    # FIXME: use nix-build --hash here once https://github.com/NixOS/nix/issues/1172 is fixed
-    newHash=$(egrep -v "killing process|dependencies couldn't be built" "$attr.fetchlog" | tail -n2 | sed "s~output path .* has .* hash \(.*\) when .* was expected\|fixed-output derivation produced path '.*' with .* hash '\(.*\)' instead of the expected hash '.*'~\1\2~" | head -n1)
+    newHash=$(egrep -v "killing process|dependencies couldn't be built" "$attr.fetchlog" | tail -n2 | sed "s~output path .* has .* hash ‘\(.*\)’ when .* was expected\|fixed-output derivation produced path '.*' with .* hash '\(.*\)' instead of the expected hash '.*'~\1\2~" | head -n1)
 fi

 if [ -z "$newHash" ]; then