From 14b40e291d21c6ac0405ca38a1421811f5834fa1 Mon Sep 17 00:00:00 2001 From: Ivan Kozik Date: Tue, 10 Dec 2019 19:44:02 +0000 Subject: [PATCH 1/6] chromium: 78.0.3904.108 -> 79.0.3945.79 https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html CVE-2019-13725 CVE-2019-13726 CVE-2019-13727 CVE-2019-13728 CVE-2019-13729 CVE-2019-13730 CVE-2019-13732 CVE-2019-13734 CVE-2019-13735 CVE-2019-13764 CVE-2019-13736 CVE-2019-13737 CVE-2019-13738 CVE-2019-13739 CVE-2019-13740 CVE-2019-13741 CVE-2019-13742 CVE-2019-13743 CVE-2019-13744 CVE-2019-13745 CVE-2019-13746 CVE-2019-13747 CVE-2019-13748 CVE-2019-13749 CVE-2019-13750 CVE-2019-13751 CVE-2019-13752 CVE-2019-13753 CVE-2019-13754 CVE-2019-13755 CVE-2019-13756 CVE-2019-13757 CVE-2019-13758 CVE-2019-13759 CVE-2019-13761 CVE-2019-13762 CVE-2019-13763 The new widevine patch was taken from https://git.archlinux.org/svntogit/packages.git/plain/trunk/chromium-widevine.patch?h=packages/chromium --- .../networking/browsers/chromium/common.nix | 3 --- .../chromium/patches/widevine-79.patch | 22 +++++++++-------- .../browsers/chromium/patches/widevine.patch | 24 ------------------- .../browsers/chromium/upstream-info.nix | 18 +++++++------- 4 files changed, 21 insertions(+), 46 deletions(-) delete mode 100644 pkgs/applications/networking/browsers/chromium/patches/widevine.patch diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix index d49e2d73122..9e031b6d332 100644 --- a/pkgs/applications/networking/browsers/chromium/common.nix +++ b/pkgs/applications/networking/browsers/chromium/common.nix 
@@ -136,9 +136,6 @@ let ./patches/nix_plugin_paths_68.patch ./patches/remove-webp-include-69.patch ./patches/no-build-timestamps.patch - ] ++ optionals (channel == "stable") [ - ./patches/widevine.patch - ] ++ optionals (channel == "beta" || channel == "dev") [ ./patches/widevine-79.patch # Unfortunately, chromium regularly breaks on major updates and # then needs various patches backported in order to be compiled with GCC. diff --git a/pkgs/applications/networking/browsers/chromium/patches/widevine-79.patch b/pkgs/applications/networking/browsers/chromium/patches/widevine-79.patch index 1a3ab33e36f..32f0ae2fb5e 100644 --- a/pkgs/applications/networking/browsers/chromium/patches/widevine-79.patch +++ b/pkgs/applications/networking/browsers/chromium/patches/widevine-79.patch @@ -1,11 +1,13 @@ -diff --git a/third_party/widevine/cdm/widevine_cdm_version.h b/third_party/widevine/cdm/widevine_cdm_version.h -index dd6efed02646..4d8b2b7d85f7 100644 ---- a/third_party/widevine/cdm/widevine_cdm_version.h -+++ b/third_party/widevine/cdm/widevine_cdm_version.h -@@ -11,5 +11,6 @@ - // If the Widevine CDM is available define the following: - // - WIDEVINE_CDM_VERSION_STRING (with the version of the CDM that's available - // as a string, e.g., "1.0.123.456"). -+#define WIDEVINE_CDM_VERSION_STRING "undefined" +diff --git a/third_party/widevine/cdm/BUILD.gn b/third_party/widevine/cdm/BUILD.gn +index ed0e2f5208b..5b431a030d5 100644 +--- a/third_party/widevine/cdm/BUILD.gn ++++ b/third_party/widevine/cdm/BUILD.gn +@@ -14,7 +14,7 @@ buildflag_header("buildflags") { - #endif // WIDEVINE_CDM_VERSION_H_ + flags = [ + "ENABLE_WIDEVINE=$enable_widevine", +- "BUNDLE_WIDEVINE_CDM=$bundle_widevine_cdm", ++ "BUNDLE_WIDEVINE_CDM=true", + "ENABLE_WIDEVINE_CDM_COMPONENT=$enable_widevine_cdm_component", + ] + } 
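Review bot: The rewritten widevine-79.patch begins straight at `diff --git` with no header, while the widevine.patch it replaces carried `Description:` and `Author:` lines; the Arch origin now lives only in the commit message, and common.nix applies this patch on every channel without comment. Add a short header to the patch before its first `diff --git` line, e.g. `Description: force BUNDLE_WIDEVINE_CDM=true in third_party/widevine/cdm/BUILD.gn regardless of the bundle_widevine_cdm GN arg` and `Origin: https://git.archlinux.org/svntogit/packages.git/plain/trunk/chromium-widevine.patch?h=packages/chromium`, and note the Chromium version it was taken for (79) so the next major bump knows what to re-check. The patch list in common.nix continues outside the hunk.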
diff --git a/pkgs/applications/networking/browsers/chromium/patches/widevine.patch b/pkgs/applications/networking/browsers/chromium/patches/widevine.patch
deleted file mode 100644
index 2de6024141d..00000000000
--- a/pkgs/applications/networking/browsers/chromium/patches/widevine.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Description: enable widevine and set its version string to "undefined"
-Author: Michael Gilbert
-Author: Olivier Tilloy
-
---- a/third_party/widevine/cdm/widevine_cdm_version.h
-+++ b/third_party/widevine/cdm/widevine_cdm_version.h
-@@ -11,5 +11,6 @@
- // If the Widevine CDM is available define the following:
- // - WIDEVINE_CDM_VERSION_STRING (with the version of the CDM that's available
- // as a string, e.g., "1.0.123.456").
-+#define WIDEVINE_CDM_VERSION_STRING "undefined"
-
- #endif // WIDEVINE_CDM_VERSION_H_
---- a/chrome/common/chrome_content_client.cc
-+++ b/chrome/common/chrome_content_client.cc
-@@ -99,7 +99,7 @@
- // Registers Widevine CDM if Widevine is enabled, the Widevine CDM is
- // bundled and not a component. When the Widevine CDM is a component, it is
- // registered in widevine_cdm_component_installer.cc.
--#if BUILDFLAG(BUNDLE_WIDEVINE_CDM) && !BUILDFLAG(ENABLE_WIDEVINE_CDM_COMPONENT)
-+#if !BUILDFLAG(ENABLE_WIDEVINE_CDM_COMPONENT)
- #define REGISTER_BUNDLED_WIDEVINE_CDM
- #include "third_party/widevine/cdm/widevine_cdm_common.h" // nogncheck
- // TODO(crbug.com/663554): Needed for WIDEVINE_CDM_VERSION_STRING. Support
diff --git a/pkgs/applications/networking/browsers/chromium/upstream-info.nix b/pkgs/applications/networking/browsers/chromium/upstream-info.nix
index bc1b5e9b23c..f107ebffb11 100644
--- a/pkgs/applications/networking/browsers/chromium/upstream-info.nix
+++ b/pkgs/applications/networking/browsers/chromium/upstream-info.nix
@@ -1,18 +1,18 @@
 # This file is autogenerated from update.sh in the same directory.
 {
 beta = {
- sha256 = "0sm6x4z6i6p292l98k0h0v69f29hgfd9l46jg8xbh2jzg9f5fp78";
- sha256bin64 = "1yvy0d2h09cf1w42c93kpw66a2v9yn079zs6qjiqzs07yzxvxjdm";
- version = "79.0.3945.36";
+ sha256 = "1wxw4l4hhk91x7drcamaxvh03ckxwv5567ccmpk743vb74nkd9z1";
+ sha256bin64 = "1fzgdfph2jj3rac868y3r0mlgqj740bivrgh1nq51v3ni507366n";
+ version = "79.0.3945.79";
 };
 dev = {
- sha256 = "0zf434ijk6zw37fricnkb1968nhmb7zlfivf59nx9yh7irbwb4hm";
- sha256bin64 = "1fphf8pwbbirs9fiislg3vav8c4a393lz487sa7f90mzsx84ffiz";
- version = "80.0.3964.0";
+ sha256 = "18ijz7ailnmmz6b9n1jkdj0v8wiqdr845xzi0f7n5xcp4wf7xafk";
+ sha256bin64 = "19irp7x44h49cs1wvwv34jl0inwxk0g6vb44p4ab1jmfmdznv9lx";
+ version = "80.0.3983.2";
 };
 stable = {
- sha256 = "03jvfz68nvmmrplygf96sh0l347p4h03c8vpw8yrglh6ycwkiigr";
- sha256bin64 = "1knsrdh4vj1zl3v1frzrvzg0pwb64zhq2il7pwskrfcbmsj3gkh6";
- version = "78.0.3904.108";
+ sha256 = "1wxw4l4hhk91x7drcamaxvh03ckxwv5567ccmpk743vb74nkd9z1";
+ sha256bin64 = "0dygich61ldy20bqcc84c396vkarmjp1syhyslzkg9kwn9xzr7gb";
+ version = "79.0.3945.79";
 };
 }
From 46d252f1f17f323a5daaf291e03a156e50da6fd3 Mon Sep 17 00:00:00 2001
From: Ivan Kozik
Date: Sun, 15 Dec 2019 02:40:41 +0000
Subject: [PATCH 2/6] chromium: fix GL support by not using the ANGLE GL implementation
---
 .../networking/browsers/chromium/common.nix | 1 +
 .../patches/dont-use-ANGLE-by-default.patch | 26 +++++++++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 pkgs/applications/networking/browsers/chromium/patches/dont-use-ANGLE-by-default.patch
diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix
index 9e031b6d332..edb0b4ce02c 100644
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@@ -137,6 +137,7 @@ let
 ./patches/remove-webp-include-69.patch
 ./patches/no-build-timestamps.patch
 ./patches/widevine-79.patch
+ ./patches/dont-use-ANGLE-by-default.patch
 # Unfortunately, chromium regularly breaks on major updates and
 # then needs various patches backported in order to be compiled with GCC.
 # Good sources for such patches and other hints:
diff --git a/pkgs/applications/networking/browsers/chromium/patches/dont-use-ANGLE-by-default.patch b/pkgs/applications/networking/browsers/chromium/patches/dont-use-ANGLE-by-default.patch
new file mode 100644
index 00000000000..9f14a304eb3
--- /dev/null
+++ b/pkgs/applications/networking/browsers/chromium/patches/dont-use-ANGLE-by-default.patch
@@ -0,0 +1,26 @@
+A field trial currently enables the passthrough command decoder, which causes
+gl_factory.cc to try kGLImplementationEGLANGLE first, which causes Chromium to fail
+to load libGLESv2.so on NixOS. It somehow does not try kGLImplementationDesktopGL,
+and so there is no GL support at all.
+
+Revert to using the validating command decoder, which prevents gl_factory.cc
+from touching allowed_impls, allowing it to successfully use kGLImplementationDesktopGL.
+
+diff --git a/ui/gl/gl_utils.cc b/ui/gl/gl_utils.cc
+index 697cbed5fe2d..8419bdb21a2f 100644
+--- a/ui/gl/gl_utils.cc
++++ b/ui/gl/gl_utils.cc
+@@ -71,9 +71,10 @@ bool UsePassthroughCommandDecoder(const base::CommandLine* command_line) {
+ } else if (switch_value == kCmdDecoderValidatingName) {
+ return false;
+ } else {
+- // Unrecognized or missing switch, use the default.
+- return base::FeatureList::IsEnabled(
+- features::kDefaultPassthroughCommandDecoder);
++ // Ignore the field trial that enables it; disable it until
++ // gl_factory.cc kGLImplementationEGLANGLE issues are sorted
++ // out on NixOS.
++ return false;
+ }
+ }
+ }
From ec75ea3329b8303ad89d7263c46b4500b860526c Mon Sep 17 00:00:00 2001
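Review bot: The unconditional `return false;` in the final else branch of UsePassthroughCommandDecoder drops more than the field trial: `base::FeatureList::IsEnabled(features::kDefaultPassthroughCommandDecoder)` is no longer consulted at all, so an explicit `--enable-features` opt-in for that feature is silently ignored as well, and only the `--use-cmd-decoder` switch branches above the hunk (the function starts outside it) can still select the passthrough decoder. If that blanket disable is intended, the new comment should say so, e.g. `// Also ignores an explicit --enable-features opt-in; --use-cmd-decoder still wins.`; otherwise keep the FeatureList call and only change what it returns by default. The patch's prose header describes the symptom but not the Chromium version it was written against, which matters for a hunk anchored at line 71 of a frequently edited file; a line such as `Applies to: 79.0.3945.79` would make the next rebase less guesswork.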
From: Ivan Kozik Date: Sat, 14 Dec 2019 17:56:44 +0000 Subject: [PATCH 3/6] chromium: use llvmPackages_9 to more closely match upstream --- pkgs/applications/networking/browsers/chromium/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix index 369367bae42..7ef2bd20539 100644 --- a/pkgs/applications/networking/browsers/chromium/default.nix +++ b/pkgs/applications/networking/browsers/chromium/default.nix @@ -1,4 +1,4 @@ -{ newScope, config, stdenv, llvmPackages_8 +{ newScope, config, stdenv, llvmPackages_9 , makeWrapper, ed , glib, gtk3, gnome3, gsettings-desktop-schemas , libva ? null @@ -20,8 +20,8 @@ }: let - stdenv = llvmPackages_8.stdenv; - llvmPackages = llvmPackages_8; + stdenv = llvmPackages_9.stdenv; + llvmPackages = llvmPackages_9; callPackage = newScope chromium; From 950230bc84a09363edb2e3a1e5eb70bd2d1a3c4e Mon Sep 17 00:00:00 2001 From: Ivan Kozik Date: Sat, 14 Dec 2019 18:07:28 +0000 Subject: [PATCH 4/6] chromium: remove enableNaCl option This hasn't worked since 2016 (https://github.com/NixOS/nixpkgs/issues/13983) and is being removed very soon, per "Q4 2019" in https://developer.chrome.com/native-client/migration (It's staying around for "Chrome Apps", but those only run on ChromeOS now.) earth.google.com users can use https://earth.google.com/web/?beta=1 to get the wasm version instead of the PNaCl version. --- pkgs/applications/networking/browsers/chromium/common.nix | 5 +++-- pkgs/applications/networking/browsers/chromium/default.nix | 5 +---- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix index edb0b4ce02c..378e2a8224c 100644 --- a/pkgs/applications/networking/browsers/chromium/common.nix +++ b/pkgs/applications/networking/browsers/chromium/common.nix 
@@ -23,7 +23,6 @@ , libva ? null # useVaapi # package customization -, enableNaCl ? false , useVaapi ? false , gnomeSupport ? false, gnome ? null , gnomeKeyringSupport ? false, libgnome-keyring3 ? null @@ -228,7 +227,9 @@ let use_sysroot = false; use_gnome_keyring = gnomeKeyringSupport; use_gio = gnomeSupport; - enable_nacl = enableNaCl; + # ninja: error: '../../native_client/toolchain/linux_x86/pnacl_newlib/bin/x86_64-nacl-objcopy', + # needed by 'nacl_irt_x86_64.nexe', missing and no known rule to make it + enable_nacl = false; enable_widevine = true; use_cups = cupsSupport; diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix index 7ef2bd20539..5f7dc485f3e 100644 --- a/pkgs/applications/networking/browsers/chromium/default.nix +++ b/pkgs/applications/networking/browsers/chromium/default.nix @@ -7,7 +7,6 @@ # package customization , channel ? "stable" -, enableNaCl ? false , gnomeSupport ? false, gnome ? null , gnomeKeyringSupport ? false , proprietaryCodecs ? true @@ -31,9 +30,7 @@ let upstream-info = (callPackage ./update.nix {}).getChannel channel; mkChromiumDerivation = callPackage ./common.nix { - inherit enableNaCl gnomeSupport gnome - gnomeKeyringSupport proprietaryCodecs cupsSupport pulseSupport - useVaapi; + inherit gnome gnomeSupport gnomeKeyringSupport proprietaryCodecs cupsSupport pulseSupport useVaapi; }; browser = callPackage ./browser.nix { inherit channel enableWideVine; }; From 3d71db8abbc06898608e5a0e52844908f3ac19d0 Mon Sep 17 00:00:00 2001 From: Ivan Kozik Date: Sat, 14 Dec 2019 18:52:43 +0000 Subject: [PATCH 5/6] chromium: explain enable_widevine = true --- pkgs/applications/networking/browsers/chromium/common.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix index 378e2a8224c..7ce1c35e9eb 100644 
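Review bot: Removing `, enableNaCl ? false` from the argument set of default.nix turns every existing `chromium.override { enableNaCl = …; }` into an evaluation error (unexpected argument) instead of a no-op, and neither the hunk nor the commit message says this breakage is intended. The corresponding removal in common.nix is harmless since callers reach it through default.nix, but in default.nix consider keeping the parameter as `, enableNaCl ? false # deprecated and ignored: PNaCl has not built since 2016 (NixOS/nixpkgs#13983)` so overrides keep evaluating, optionally paired with a `lib.warn` when it is set to true. The argument set of default.nix continues outside the hunk.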
--- a/pkgs/applications/networking/browsers/chromium/common.nix +++ b/pkgs/applications/networking/browsers/chromium/common.nix @@ -230,6 +230,9 @@ let # ninja: error: '../../native_client/toolchain/linux_x86/pnacl_newlib/bin/x86_64-nacl-objcopy', # needed by 'nacl_irt_x86_64.nexe', missing and no known rule to make it enable_nacl = false; + # Enabling the Widevine component here doesn't affect whether we can + # redistribute the chromium package; the Widevine component is either + # added later in the wrapped -wv build or downloaded from Google. enable_widevine = true; use_cups = cupsSupport; From af006f9ff3bcdb7d3a06b9dee2d40ed3b9b3c4c8 Mon Sep 17 00:00:00 2001 From: Ivan Kozik Date: Sun, 15 Dec 2019 04:16:24 +0000 Subject: [PATCH 6/6] chromium: fix enableWideVine for v79 which needs the manifest.json in WidevineCdm/ --- .../networking/browsers/chromium/default.nix | 37 ++++++++++--------- 1 file changed, 20 insertions(+), 17 deletions(-) diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix index 5f7dc485f3e..c3522e17379 100644 --- a/pkgs/applications/networking/browsers/chromium/default.nix +++ b/pkgs/applications/networking/browsers/chromium/default.nix @@ -41,8 +41,8 @@ let }; mkrpath = p: "${lib.makeSearchPathOutput "lib" "lib64" p}:${lib.makeLibraryPath p}"; - widevine = let upstream-info = chromium.upstream-info; in stdenv.mkDerivation { - name = "chromium-binary-plugin-widevine"; + widevineCdm = let upstream-info = chromium.upstream-info; in stdenv.mkDerivation { + name = "chrome-widevine-cdm"; # The .deb file for Google Chrome src = upstream-info.binary; 
@@ -52,21 +52,25 @@ let phases = [ "unpackPhase" "patchPhase" "installPhase" "checkPhase" ]; unpackCmd = let - soPath = + widevineCdmPath = if upstream-info.channel == "stable" then - "./opt/google/chrome/WidevineCdm/_platform_specific/linux_x64/libwidevinecdm.so" + "./opt/google/chrome/WidevineCdm" else if upstream-info.channel == "beta" then - "./opt/google/chrome-beta/WidevineCdm/_platform_specific/linux_x64/libwidevinecdm.so" + "./opt/google/chrome-beta/WidevineCdm" else if upstream-info.channel == "dev" then - "./opt/google/chrome-unstable/WidevineCdm/_platform_specific/linux_x64/libwidevinecdm.so" + "./opt/google/chrome-unstable/WidevineCdm" else throw "Unknown chromium channel."; in '' - mkdir -p plugins - # Extract just libwidevinecdm.so from upstream's .deb file - ar p "$src" data.tar.xz | tar xJ -C plugins ${soPath} - mv plugins/${soPath} plugins/ - rm -rf plugins/opt + # Extract just WidevineCdm from upstream's .deb file + ar p "$src" data.tar.xz | tar xJ "${widevineCdmPath}" + + # Move things around so that we don't have to reference a particular + # chrome-* directory later. + mv "${widevineCdmPath}" ./ + + # unpackCmd wants a single output directory; let it take WidevineCdm/ + rm -rf opt ''; doCheck = true; @@ -77,12 +81,12 @@ let PATCH_RPATH = mkrpath [ gcc.cc glib nspr nss ]; patchPhase = '' - patchelf --set-rpath "$PATCH_RPATH" libwidevinecdm.so + patchelf --set-rpath "$PATCH_RPATH" _platform_specific/linux_x64/libwidevinecdm.so ''; installPhase = '' - install -vD libwidevinecdm.so \ - "$out/lib/libwidevinecdm.so" + mkdir -p $out/WidevineCdm + cp -a * $out/WidevineCdm/ ''; meta = { 
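Review bot: The three channel branches of `widevineCdmPath` differ only in the `chrome`, `chrome-beta` and `chrome-unstable` directory component, yet each branch still spells out the full `./opt/google/…/WidevineCdm` path, so the next layout change inside the .deb has to be applied three times. Select the directory name in the if-chain and assemble the path once, as below. The `in ''…''` extraction script and the enclosing derivation continue outside the hunk; the `_platform_specific/linux_x64` path in the patchPhase hunk is a separate literal and is not affected.
```nix
widevineCdmPath =
  let
    chromeDir =
      if upstream-info.channel == "stable" then "chrome"
      else if upstream-info.channel == "beta" then "chrome-beta"
      else if upstream-info.channel == "dev" then "chrome-unstable"
      else throw "Unknown chromium channel.";
  in "./opt/google/${chromeDir}/WidevineCdm";
# … unchanged: in '' … '' extraction script …
```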
@@ -99,15 +103,14 @@ let # We want users to be able to enableWideVine without rebuilding all of # chromium, so we have a separate derivation here that copies chromium - # and adds the unfree libwidevinecdm.so. + # and adds the unfree WidevineCdm. chromiumWV = let browser = chromium.browser; in if enableWideVine then runCommand (browser.name + "-wv") { version = browser.version; } '' mkdir -p $out cp -a ${browser}/* $out/ chmod u+w $out/libexec/chromium - mkdir -p $out/libexec/chromium/WidevineCdm/_platform_specific/linux_x64 - cp ${widevine}/lib/libwidevinecdm.so $out/libexec/chromium/WidevineCdm/_platform_specific/linux_x64/ + cp -a ${widevineCdm}/WidevineCdm $out/libexec/chromium/ '' else browser; in stdenv.mkDerivation {