From 224098757f84db54ec39345b9ad3c7f473fcdf62 Mon Sep 17 00:00:00 2001
From: aszlig
Date: Sun, 26 Aug 2012 02:52:33 +0200
Subject: [PATCH 1/5] chromium/update.sh: Fix spacing in cache messages.
This commit doesn't add any feature and just fixes a small annoyance which result in messages like this: Checking if xxx applies...no. See that there is no whitespace between "..." and "no"? Well, the world cares for more important things, but for me personally those minor annoyances can turn into major annoyances.
---
pkgs/applications/networking/browsers/chromium/update.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/applications/networking/browsers/chromium/update.sh b/pkgs/applications/networking/browsers/chromium/update.sh
index 4721ded385a..c978ee4adf3 100755
--- a/pkgs/applications/networking/browsers/chromium/update.sh
+++ b/pkgs/applications/networking/browsers/chromium/update.sh
@@ -83,9 +83,9 @@ get_channel_exprs()
 echo -n "Checking if sha256 of version $version is cached..." >&2;
 if sha256="$(sha_lookup "$version")"; then
- echo "yes: $sha256" >&2;
+ echo " yes: $sha256" >&2;
 else
- echo "no." >&2;
+ echo " no." >&2;
 sha256="$(get_sha256 "$channel" "$version" "$url")";
 fi;
From 819ee63851170fc2256e37429dddacfc13a04993 Mon Sep 17 00:00:00 2001
From: aszlig
Date: Sun, 26 Aug 2012 02:56:59 +0200
Subject: [PATCH 2/5] chromium: Update to new release channels.
If you look at what changed, you'll surely notice that version 22 is now in beta, so we have to expect things to break. And one thing that will break for sure is the seccomp patch, because beginning with 22 the new BPF seccomp sandbox is going to replace the mode 1 seccomp sandbox.
---
.../networking/browsers/chromium/sources.nix | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/pkgs/applications/networking/browsers/chromium/sources.nix b/pkgs/applications/networking/browsers/chromium/sources.nix
index a250cda7610..8ae373438f5 100644
--- a/pkgs/applications/networking/browsers/chromium/sources.nix
+++ b/pkgs/applications/networking/browsers/chromium/sources.nix
@@ -1,18 +1,18 @@
 # This file is autogenerated from update.sh in the same directory.
 {
 dev = {
- version = "22.0.1229.8";
- url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-22.0.1229.8.tar.bz2";
- sha256 = "0gaa4mqvd0v4y587y6mri2f3b0rc8npmcbs9bfs4wwb8n1cp8kw0";
+ version = "23.0.1243.2";
+ url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-23.0.1243.2.tar.bz2";
+ sha256 = "1idsc1k0c392mvh2rhfv0sr50rmzdab18ilh9p90mab5a6fk32rh";
 };
 beta = {
- version = "21.0.1180.79";
- url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-21.0.1180.79.tar.bz2";
- sha256 = "1jscpibv02pyqpcj6djcx0d1qwq8hcxampfqbsz8dicgjprp22c8";
+ version = "22.0.1229.14";
+ url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-22.0.1229.14.tar.bz2";
+ sha256 = "11z5wc1m5443bsassq3np79yqr2bwr06ph672by3saikl2xkadn5";
 };
 stable = {
- version = "21.0.1180.79";
- url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-21.0.1180.79.tar.bz2";
- sha256 = "1jscpibv02pyqpcj6djcx0d1qwq8hcxampfqbsz8dicgjprp22c8";
+ version = "21.0.1180.81";
+ url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-21.0.1180.81.tar.bz2";
+ sha256 = "1b5svzg7xxx46bz9s5ayai2ig9b7s0x4s1yl7r42p9g27qwf0dpl";
 };
 }
From b1a6a98139f9ba3a6a30b751dfed332f8727a8e1 Mon Sep 17 00:00:00 2001
From: aszlig
Date: Sun, 26 Aug 2012 03:03:24 +0200
Subject: [PATCH 3/5] chromium: Drop dependency on subversion.
Versions older than 21 needed subversion in order to build. As the oldest version we support is 21, we no longer need this dependency.
---
pkgs/applications/networking/browsers/chromium/default.nix | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix
index 84cdf556d02..5949be2a4c8 100644
--- a/pkgs/applications/networking/browsers/chromium/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/default.nix
@@ -1,8 +1,5 @@
 { stdenv, getConfig, fetchurl, makeWrapper, which
-# this is needed in order to build the versions older than 21.x
-, subversion
 # default dependencies
 , bzip2, flac, speex
 , libevent, expat, libjpeg
@@ -73,14 +70,12 @@ let
 use_system_v8 = false;
 };
- needsSubversion = stdenv.lib.versionOlder sourceInfo.version "21.0.0.0";
 defaultDependencies = [
 bzip2 flac speex libevent expat libjpeg libpng libxml2 libxslt xdg_utils yasm zlib
- ] ++ stdenv.lib.optional needsSubversion subversion;
+ ];
 in stdenv.mkDerivation rec {
 name = "${packageName}-${version}";
From c67d8bcabe33e7dd8effa25510f4aca3a2442ce1 Mon Sep 17 00:00:00 2001
From: aszlig
Date: Sun, 26 Aug 2012 07:36:57 +0200
Subject: [PATCH 4/5] chromium: Don't use the sandbox patch on v21.
The patch doesn't apply in version 22 and newer, because mode 1 sandboxes are connsidered "legacy" (well, apart from the fact that I'd personally prefer BPF anyway), for reasons I wasn't able to find, yet. But let's proceed on BPF integration and thus gain more insight on the exact reasons.
---
pkgs/applications/networking/browsers/chromium/default.nix | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix
index 5949be2a4c8..f9424f4d614 100644
--- a/pkgs/applications/networking/browsers/chromium/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/default.nix
@@ -77,6 +77,10 @@ let
 xdg_utils yasm zlib
 ];
+ needSeccompPatch =
+ stdenv.lib.versionOlder sourceInfo.version "22.0.0.0"
+ && !config.selinux;
+
 in stdenv.mkDerivation rec {
 name = "${packageName}-${version}";
 packageName = "chromium";
@@ -108,7 +112,7 @@ in stdenv.mkDerivation rec {
 prePatch = "patchShebangs .";
- patches = stdenv.lib.optional (!config.selinux) ./enable_seccomp.patch
+ patches = stdenv.lib.optional needSeccompPatch ./enable_seccomp.patch
 ++ stdenv.lib.optional config.cups ./cups_allow_deprecated.patch
 ++ stdenv.lib.optional config.pulseaudio ./pulseaudio_array_bounds.patch;
From d5c2b35b82b7c2c22bcc7d85c4d2f1fe0b810b3c Mon Sep 17 00:00:00 2001
From: aszlig
Date: Mon, 27 Aug 2012 06:45:32 +0200
Subject: [PATCH 5/5] chromium: Re-enable legacy sandbox for version 22.
This enables legacy seccomp sandbox by default even on chromium 22, because the BPF sandbox is still work in progress, please see:
http://crbug.com/139872
http://crbug.com/130662
Because the BPF seccomp sandbox is used in case the legacy seccomp mode initialization fails, we might need to patch this again, as soon as the BPF sandbox is fully implemented to fall back to legacy seccomp and use BPF by default. We now have two patches for "default to seccomp" - one for Chromium 21 and one for 22 or higher.
---
.../networking/browsers/chromium/default.nix | 8 ++++----
.../browsers/chromium/enable_seccomp22.patch | 20 +++++++++++++++++++
2 files changed, 24 insertions(+), 4 deletions(-)
create mode 100644 pkgs/applications/networking/browsers/chromium/enable_seccomp22.patch
diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix
index f9424f4d614..e9e9961d1cd 100644
--- a/pkgs/applications/networking/browsers/chromium/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/default.nix
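Review bot: The new `needSeccompPatch` gate silently leaves Chromium >= 22 with no seccomp enablement at all: once the version test fails, `patches` carries neither enable_seccomp.patch nor any replacement, and the upstream `IsSeccompLegacyDesired` quoted later in this series shows that the legacy sandbox is then off by default in NDEBUG builds unless `--enable-seccomp-sandbox` is passed. That is a sandbox regression a reader of default.nix cannot see from the expression, so the binding deserves a comment such as `# enable_seccomp.patch only applies to < 22; on 22+ the legacy seccomp sandbox therefore stays off by default until a replacement patch lands`. Rather than dropping the hardening quietly, consider a `builtins.trace` warning for the >= 22 case so a build log shows which sandbox configuration it produced. The enclosing `let` block begins before this hunk.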
@@ -77,9 +77,9 @@ let
 xdg_utils yasm zlib
 ];
- needSeccompPatch =
- stdenv.lib.versionOlder sourceInfo.version "22.0.0.0"
- && !config.selinux;
+ seccompPatch = let
+ pre22 = stdenv.lib.versionOlder sourceInfo.version "22.0.0.0";
+ in if pre22 then ./enable_seccomp.patch else ./enable_seccomp22.patch;
 in stdenv.mkDerivation rec {
 name = "${packageName}-${version}";
@@ -112,7 +112,7 @@ in stdenv.mkDerivation rec {
 prePatch = "patchShebangs .";
- patches = stdenv.lib.optional needSeccompPatch ./enable_seccomp.patch
+ patches = stdenv.lib.optional (!config.selinux) seccompPatch
 ++ stdenv.lib.optional config.cups ./cups_allow_deprecated.patch
 ++ stdenv.lib.optional config.pulseaudio ./pulseaudio_array_bounds.patch;
diff --git a/pkgs/applications/networking/browsers/chromium/enable_seccomp22.patch b/pkgs/applications/networking/browsers/chromium/enable_seccomp22.patch
new file mode 100644
index 00000000000..f947d796f18
--- /dev/null
+++ b/pkgs/applications/networking/browsers/chromium/enable_seccomp22.patch
@@ -0,0 +1,20 @@
+diff --git a/content/common/sandbox_linux.cc b/content/common/sandbox_linux.cc
+index d4618e5..108f846 100644
+--- a/content/common/sandbox_linux.cc
++++ b/content/common/sandbox_linux.cc
+@@ -38,15 +38,9 @@ void LogSandboxStarted(const std::string& sandbox_name) {
+ // Implement the command line enabling logic for seccomp-legacy.
+ bool IsSeccompLegacyDesired() {
+ #if defined(SECCOMP_SANDBOX)
+-#if defined(NDEBUG)
+- // Off by default; allow turning on with a switch.
+- return CommandLine::ForCurrentProcess()->HasSwitch(
+- switches::kEnableSeccompSandbox);
+-#else
+ // On by default; allow turning off with a switch.
+ return !CommandLine::ForCurrentProcess()->HasSwitch(
+ switches::kDisableSeccompSandbox);
+-#endif // NDEBUG
+ #endif // SECCOMP_SANDBOX
+ return false;
+ }
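Review bot: `seccompPatch` picks between two sandbox patches on a version boundary, but default.nix gives no hint why Chromium 22 needs its own patch or that enable_seccomp22.patch deliberately forces the legacy mode-1 seccomp sandbox on by default in release builds — it removes the `NDEBUG` branch that otherwise makes the sandbox opt-in via `--enable-seccomp-sandbox`. Add a comment above the binding along the lines of `# Chromium 22 ships legacy seccomp off by default in release builds while the BPF sandbox that should replace it is still incomplete (crbug.com/139872, crbug.com/130662); enable_seccomp22.patch turns it back on. Drop once BPF is the upstream default.` The commit message notes that BPF is only tried when legacy initialization fails, so the comment should also say that this patch changes which sandbox is attempted first. Note too that the patched `IsSeccompLegacyDesired` still returns false unless `SECCOMP_SANDBOX` is defined at compile time, so confirm the build flags set it or the patch is a no-op. The enclosing `let` block begins before this hunk.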