Merge branch 'chromium-update-with-gn'

This brings in the new stable version 54 which also introduces a lot of
security fixes:

  CVE-2016-5198: Out of bounds memory access in V8
  CVE-2016-5181: Universal XSS in Blink
  CVE-2016-5182: Heap overflow in Blink
  CVE-2016-5183: Use after free in PDFium
  CVE-2016-5184: Use after free in PDFium
  CVE-2016-5185: Use after free in Blink
  CVE-2016-5187: URL spoofing
  CVE-2016-5188: UI spoofing
  CVE-2016-5192: Cross-origin bypass in Blink
  CVE-2016-5189: URL spoofing
  CVE-2016-5186: Out of bounds read in DevTools
  CVE-2016-5191: Universal XSS in Bookmarks
  CVE-2016-5190: Use after free in Internals
  CVE-2016-5193: Scheme bypass

Detailed announcements about these changes can be found here (latest to
oldest):

https://googlechromereleases.blogspot.de/2016/11/stable-channel-update-for-desktop.html
https://googlechromereleases.blogspot.de/2016/10/stable-channel-update-for-desktop_20.html
https://googlechromereleases.blogspot.de/2016/10/stable-channel-update-for-desktop.html

The update process of Chromium has been a bit bumpy on our side, because
version 54 also did the switch from GYP to GN so it wasn't just a matter
of updating the upstream-info file.

I've tested the Flash plugin (which runs fine) and WideVine manually,
although I couldn't get WideVine to work (I was running this within a VM
though).

So if people want to use WideVine they need to use Chrome instead until
we got this sorted out.

VM test results along with builds for all platforms can be found here:

https://headcounter.org/hydra/eval/339328

I'm going to backport these changes to stable as soon as the
tests/builds succeed there as well.

Closes: #19565
Closes: #20120

nixos/tests/chromium.nix

@@ -118,7 +118,7 @@ mapAttrs (channel: chromiumPkg: makeTest rec {
       "ulimit -c unlimited; ".
       "chromium $args \"$url\" & disown"
     );
-    $machine->waitForText(qr/Type to search or enter a URL to navigate/);
+    $machine->waitForText(qr/startup done/);
     $machine->waitUntilSucceeds("${xdo "check-startup" ''
       search --sync --onlyvisible --name "startup done"
       # close first start help popup

pkgs/applications/networking/browsers/chromium/browser.nix

@@ -18,6 +18,11 @@ mkChromiumDerivation (base: rec {
     cp -vLR "$buildPath/locales" "$buildPath/resources" "$libExecPath/"
     cp -v "$buildPath/chrome" "$libExecPath/$packageName"
 
+    if [ -e "$buildPath/libwidevinecdmadapter.so" ]; then
+      cp -v "$buildPath/libwidevinecdmadapter.so" \
+            "$libExecPath/libwidevinecdmadapter.so"
+    fi
+
     mkdir -p "$sandbox/bin"
     cp -v "$buildPath/chrome_sandbox" "$sandbox/bin/${sandboxExecutableName}"
 

pkgs/applications/networking/browsers/chromium/common.nix

@@ -1,17 +1,17 @@
-{ stdenv, ninja, which
+{ stdenv, gn, ninja, which
 
 # default dependencies
 , bzip2, flac, speex, libopus
 , libevent, expat, libjpeg, snappy
 , libpng, libxml2, libxslt, libcap
 , xdg_utils, yasm, minizip, libwebp
-, libusb1, pciutils, nss
+, libusb1, pciutils, nss, re2, zlib, libvpx
 
-, python2Packages, perl, pkgconfig
+, python, pythonPackages, perl, pkgconfig
 , nspr, systemd, kerberos
 , utillinux, alsaLib
 , bison, gperf
-, glib, gtk2, dbus_glib
+, glib, gtk2, gtk3, dbus_glib
 , libXScrnSaver, libXcursor, libXtst, mesa
 , protobuf, speechd, libXdamage, cups
 
@@ -23,12 +23,12 @@
 , enableSELinux ? false, libselinux ? null
 , enableNaCl ? false
 , enableHotwording ? false
+, enableWideVine ? false
 , gnomeSupport ? false, gnome ? null
 , gnomeKeyringSupport ? false, libgnome_keyring3 ? null
 , proprietaryCodecs ? true
 , cupsSupport ? true
 , pulseSupport ? false, libpulseaudio ? null
-, hiDPISupport ? false
 
 , upstream-info
 }:
@@ -38,47 +38,28 @@ buildFun:
 with stdenv.lib;
 
 let
-  inherit (python2Packages) python gyp ply jinja2;
-
   # The additional attributes for creating derivations based on the chromium
   # source tree.
   extraAttrs = buildFun base;
 
-  mkGypFlags =
+  mkGnFlags =
     let
+      # Serialize Nix types into GN types according to this document:
+      # https://chromium.googlesource.com/chromium/src/+/master/tools/gn/docs/language.md
+      mkGnString = value: "\"${escape ["\"" "$" "\\"] value}\"";
       sanitize = value:
-        if value == true then "1"
-        else if value == false then "0"
-        else "${value}";
-      toFlag = key: value: "-D${key}=${sanitize value}";
+        if value == true then "true"
+        else if value == false then "false"
+        else if isList value then "[${concatMapStringsSep ", " sanitize value}]"
+        else if isInt value then toString value
+        else if isString value then mkGnString value
+        else throw "Unsupported type for GN value `${value}'.";
+      toFlag = key: value: "${key}=${sanitize value}";
     in attrs: concatStringsSep " " (attrValues (mapAttrs toFlag attrs));
 
-  gypFlagsUseSystemLibs = {
-    use_system_bzip2 = true;
-    use_system_flac = true;
-    use_system_libevent = true;
-    use_system_libexpat = true;
-    # XXX: System libjpeg fails to link for version 52.0.2743.10
-    use_system_libjpeg = versionOlder upstream-info.version "52.0.2743.10";
-    use_system_libpng = false;
-    use_system_libwebp = true;
-    use_system_libxml = true;
-    use_system_opus = true;
-    use_system_snappy = true;
-    use_system_speex = true;
-    use_system_stlport = true;
-    use_system_xdg_utils = true;
-    use_system_yasm = true;
-    use_system_zlib = false;
-    use_system_protobuf = false; # needs newer protobuf
-
-    use_system_harfbuzz = false;
-    use_system_icu = false; # Doesn't support ICU 52 yet.
-    use_system_libusb = false; # http://crbug.com/266149
-    use_system_skia = false;
-    use_system_sqlite = false; # http://crbug.com/22208
-    use_system_v8 = false;
-  };
+  gnSystemLibraries = [
+    "flac" "libwebp" "libxml" "libxslt" "snappy" "yasm"
+  ];
 
   opusWithCustomModes = libopus.override {
     withCustomModes = true;
@@ -89,7 +70,7 @@ let
     libevent expat libjpeg snappy
     libpng libxml2 libxslt libcap
     xdg_utils yasm minizip libwebp
-    libusb1
+    libusb1 re2 zlib
   ];
 
   # build paths and release info
@@ -105,36 +86,27 @@ let
 
     src = upstream-info.main;
 
-    unpackCmd = ''
-      tar xf "$src" \
-        --anchored \
-        --no-wildcards-match-slash \
-        --exclude='*/tools/gyp'
-    '';
+    nativeBuildInputs = [ gn which python perl pkgconfig ];
 
     buildInputs = defaultDependencies ++ [
-      which
-      python perl pkgconfig
       nspr nss systemd
       utillinux alsaLib
       bison gperf kerberos
       glib gtk2 dbus_glib
       libXScrnSaver libXcursor libXtst mesa
       pciutils protobuf speechd libXdamage
-      gyp ply jinja2
+      pythonPackages.ply pythonPackages.jinja2
     ] ++ optional gnomeKeyringSupport libgnome_keyring3
       ++ optionals gnomeSupport [ gnome.GConf libgcrypt ]
       ++ optional enableSELinux libselinux
       ++ optionals cupsSupport [ libgcrypt cups ]
-      ++ optional pulseSupport libpulseaudio;
+      ++ optional pulseSupport libpulseaudio
+      ++ optional (versionAtLeast version "56.0.0.0") gtk3;
 
     patches = [
-      ./patches/widevine.patch
       ./patches/glibc-2.24.patch
-      (if versionOlder version "52.0.0.0"
-       then ./patches/nix_plugin_paths_50.patch
-       else ./patches/nix_plugin_paths_52.patch)
-    ];
+      ./patches/nix_plugin_paths_52.patch
+    ] ++ optional enableWideVine ./patches/widevine.patch;
 
     postPatch = ''
       # We want to be able to specify where the sandbox is via CHROME_DEVEL_SANDBOX
@@ -143,12 +115,6 @@ let
           'return sandbox_binary;' \
           'return base::FilePath(GetDevelSandboxPath());'
 
-      sed -i -r \
-        -e 's/-f(stack-protector)(-all)?/-fno-\1/' \
-        -e 's|/bin/echo|echo|' \
-        -e "/python_arch/s/: *'[^']*'/: '""'/" \
-        build/common.gypi chrome/chrome_tests.gypi
-
       sed -i -e '/lib_loader.*Load/s!"\(libudev\.so\)!"${systemd.lib}/lib/\1!' \
         device/udev_linux/udev?_loader.cc
 
@@ -157,31 +123,37 @@ let
 
       sed -i -re 's/([^:])\<(isnan *\()/\1std::\2/g' \
         chrome/browser/ui/webui/engagement/site_engagement_ui.cc
+
+      sed -i -e '/#include/ {
+        i #include <algorithm>
+        :l; n; bl
+      }' gpu/config/gpu_control_list.cc
+
+      patchShebangs .
     '' + optionalString (versionAtLeast version "52.0.0.0") ''
       sed -i -re 's/([^:])\<(isnan *\()/\1std::\2/g' \
         third_party/pdfium/xfa/fxbarcode/utils.h
     '';
 
-    gypFlags = mkGypFlags (gypFlagsUseSystemLibs // {
+    gnFlags = mkGnFlags ({
       linux_use_bundled_binutils = false;
       linux_use_bundled_gold = false;
       linux_use_gold_flags = true;
+      is_debug = false;
 
       proprietary_codecs = false;
       use_sysroot = false;
       use_gnome_keyring = gnomeKeyringSupport;
       use_gconf = gnomeSupport;
       use_gio = gnomeSupport;
-      use_pulseaudio = pulseSupport;
-      linux_link_pulseaudio = pulseSupport;
-      disable_nacl = !enableNaCl;
+      enable_nacl = enableNaCl;
       enable_hotwording = enableHotwording;
+      enable_widevine = enableWideVine;
       selinux = enableSELinux;
       use_cups = cupsSupport;
     } // {
-      werror = "";
-      clang = false;
-      enable_hidpi = hiDPISupport;
+      treat_warnings_as_errors = false;
+      is_clang = false;
 
       # Google API keys, see:
       #   http://www.chromium.org/developers/how-tos/api-keys
@@ -195,22 +167,17 @@ let
       proprietary_codecs = true;
       enable_hangout_services_extension = true;
       ffmpeg_branding = "Chrome";
-    } // optionalAttrs (stdenv.system == "x86_64-linux") {
-      target_arch = "x64";
-      python_arch = "x86-64";
-    } // optionalAttrs (stdenv.system == "i686-linux") {
-      target_arch = "ia32";
-      python_arch = "ia32";
-    } // (extraAttrs.gypFlags or {}));
+    } // optionalAttrs pulseSupport {
+      use_pulseaudio = true;
+      link_pulseaudio = true;
+    } // (extraAttrs.gnFlags or {}));
 
     configurePhase = ''
-      echo "Precompiling .py files to prevent race conditions..." >&2
-      python -m compileall -q -f . > /dev/null 2>&1 || : # ignore errors
-
       # This is to ensure expansion of $out.
       libExecPath="${libExecPath}"
-      python build/linux/unbundle/replace_gyp_files.py ${gypFlags}
-      python build/gyp_chromium -f ninja --depth . ${gypFlags}
+      python build/linux/unbundle/replace_gn_files.py \
+        --system-libraries ${toString gnSystemLibraries}
+      gn gen --args=${escapeShellArg gnFlags} out/Release
     '';
 
     buildPhase = let
@@ -228,5 +195,5 @@ let
 
 # Remove some extraAttrs we supplied to the base attributes already.
 in stdenv.mkDerivation (base // removeAttrs extraAttrs [
-  "name" "gypFlags" "buildTargets"
+  "name" "gnFlags" "buildTargets"
 ])

pkgs/applications/networking/browsers/chromium/default.nix

@@ -12,7 +12,6 @@
 , enableWideVine ? false
 , cupsSupport ? true
 , pulseSupport ? false
-, hiDPISupport ? false
 }:
 
 let
@@ -24,7 +23,7 @@ let
     mkChromiumDerivation = callPackage ./common.nix {
       inherit enableSELinux enableNaCl enableHotwording gnomeSupport gnome
               gnomeKeyringSupport proprietaryCodecs cupsSupport pulseSupport
-              hiDPISupport;
+              enableWideVine;
     };
 
     browser = callPackage ./browser.nix { inherit channel; };

pkgs/applications/networking/browsers/chromium/patches/nix_plugin_paths_50.patch

@@ -1,75 +0,0 @@
-diff --git a/chrome/common/chrome_paths.cc b/chrome/common/chrome_paths.cc
-index 74bf041..5f34198 100644
---- a/chrome/common/chrome_paths.cc
-+++ b/chrome/common/chrome_paths.cc
-@@ -66,21 +66,14 @@ static base::LazyInstance<base::FilePath>
-     g_invalid_specified_user_data_dir = LAZY_INSTANCE_INITIALIZER;
- 
- // Gets the path for internal plugins.
--bool GetInternalPluginsDirectory(base::FilePath* result) {
--#if defined(OS_MACOSX)
--  // If called from Chrome, get internal plugins from a subdirectory of the
--  // framework.
--  if (base::mac::AmIBundled()) {
--    *result = chrome::GetFrameworkBundlePath();
--    DCHECK(!result->empty());
--    *result = result->Append("Internet Plug-Ins");
--    return true;
--  }
--  // In tests, just look in the module directory (below).
--#endif
--
--  // The rest of the world expects plugins in the module directory.
--  return PathService::Get(base::DIR_MODULE, result);
-+bool GetInternalPluginsDirectory(base::FilePath* result,
-+                                 const std::string& ident) {
-+  std::string full_env = std::string("NIX_CHROMIUM_PLUGIN_PATH_") + ident;
-+  const char* value = getenv(full_env.c_str());
-+  if (value == NULL)
-+      return PathService::Get(base::DIR_MODULE, result);
-+  else
-+      *result = base::FilePath(value);
- }
- 
- #if defined(OS_WIN)
-@@ -253,11 +246,11 @@ bool PathProvider(int key, base::FilePath* result) {
-       create_dir = true;
-       break;
-     case chrome::DIR_INTERNAL_PLUGINS:
--      if (!GetInternalPluginsDirectory(&cur))
-+      if (!GetInternalPluginsDirectory(&cur, "ALL"))
-         return false;
-       break;
-     case chrome::DIR_PEPPER_FLASH_PLUGIN:
--      if (!GetInternalPluginsDirectory(&cur))
-+      if (!GetInternalPluginsDirectory(&cur, "PEPPERFLASH"))
-         return false;
-       cur = cur.Append(kPepperFlashBaseDirectory);
-       break;
-@@ -314,7 +307,7 @@ bool PathProvider(int key, base::FilePath* result) {
-     // We currently need a path here to look up whether the plugin is disabled
-     // and what its permissions are.
-     case chrome::FILE_NACL_PLUGIN:
--      if (!GetInternalPluginsDirectory(&cur))
-+      if (!GetInternalPluginsDirectory(&cur, "NACL"))
-         return false;
-       cur = cur.Append(kInternalNaClPluginFileName);
-       break;
-@@ -349,7 +342,7 @@ bool PathProvider(int key, base::FilePath* result) {
-         cur = cur.DirName();
-       }
- #else
--      if (!GetInternalPluginsDirectory(&cur))
-+      if (!GetInternalPluginsDirectory(&cur, "PNACL"))
-         return false;
- #endif
-       cur = cur.Append(FILE_PATH_LITERAL("pnacl"));
-@@ -366,7 +359,7 @@ bool PathProvider(int key, base::FilePath* result) {
-     // In the component case, this is the source adapter. Otherwise, it is the
-     // actual Pepper module that gets loaded.
-     case chrome::FILE_WIDEVINE_CDM_ADAPTER:
--      if (!GetInternalPluginsDirectory(&cur))
-+      if (!GetInternalPluginsDirectory(&cur, "WIDEVINE"))
-         return false;
-       cur = cur.AppendASCII(kWidevineCdmAdapterFileName);
-       break;

pkgs/applications/networking/browsers/chromium/patches/widevine.patch

@@ -1,12 +1,16 @@
-diff -upr chromium-42.0.2311.90.orig/third_party/widevine/cdm/widevine_cdm_version.h chromium-42.0.2311.90/third_party/widevine/cdm/widevine_cdm_version.h
---- chromium-42.0.2311.90.orig/third_party/widevine/cdm/widevine_cdm_version.h	2015-04-15 01:18:59.000000000 +0300
-+++ chromium-42.0.2311.90/third_party/widevine/cdm/widevine_cdm_version.h	2015-04-15 09:09:49.157260050 +0300
-@@ -14,4 +14,8 @@
- //  - WIDEVINE_CDM_VERSION_STRING (with the version of the CDM that's available
- //    as a string, e.g., "1.0.123.456").
+Minimal WideVine patch from Gentoo:
+
+https://gitweb.gentoo.org/repo/gentoo.git/tree/www-client/chromium/files/chromium-widevine-r1.patch
+
+BTS: https://bugs.gentoo.org/show_bug.cgi?id=547630
+
+--- a/third_party/widevine/cdm/stub/widevine_cdm_version.h
++++ b/third_party/widevine/cdm/stub/widevine_cdm_version.h
+@@ -10,6 +10,7 @@
+ 
+ #include "third_party/widevine/cdm/widevine_cdm_common.h"
+ 
++#define WIDEVINE_CDM_VERSION_STRING "unknown"
+ #define WIDEVINE_CDM_AVAILABLE
  
-+#include "third_party/widevine/cdm/widevine_cdm_common.h"
-+#define WIDEVINE_CDM_AVAILABLE
-+#define WIDEVINE_CDM_VERSION_STRING "@WIDEVINE_VERSION@"
-+
  #endif  // WIDEVINE_CDM_VERSION_H_

pkgs/applications/networking/browsers/chromium/plugins.nix

@@ -1,5 +1,6 @@
 { stdenv
 , jshon
+, fetchzip
 , enablePepperFlash ? false
 , enableWideVine ? false
 
@@ -9,6 +10,8 @@
 with stdenv.lib;
 
 let
+  mkrpath = p: "${makeSearchPathOutput "lib" "lib64" p}:${makeLibraryPath p}";
+
   # Generate a shell fragment that emits flags appended to the
   # final makeWrapper call for wrapping the browser's main binary.
   #
@@ -37,14 +40,12 @@ let
     echo ${toString quoted} > "''$${output}/nix-support/wrapper-flags"
   '';
 
-  plugins = stdenv.mkDerivation {
-    name = "chromium-binary-plugins";
+  widevine = stdenv.mkDerivation {
+    name = "chromium-binary-plugin-widevine";
 
     src = upstream-info.binary;
 
     phases = [ "unpackPhase" "patchPhase" "installPhase" "checkPhase" ];
-    outputs = [ "flash" "widevine" ];
-    out = "flash"; # outputs TODO: is this a hack?
 
     unpackCmd = let
       chan = if upstream-info.channel == "dev"    then "chrome-unstable"
@@ -53,7 +54,6 @@ let
     in ''
       mkdir -p plugins
       ar p "$src" data.tar.xz | tar xJ -C plugins --strip-components=4 \
-        ./opt/google/${chan}/PepperFlash \
         ./opt/google/${chan}/libwidevinecdm.so \
         ./opt/google/${chan}/libwidevinecdmadapter.so
     '';
@@ -63,17 +63,13 @@ let
       ! find -iname '*.so' -exec ldd {} + | grep 'not found'
     '';
 
-    patchPhase = let
-      rpaths = [ stdenv.cc.cc ];
-      mkrpath = p: "${makeSearchPathOutput "lib" "lib64" p}:${makeLibraryPath p}";
-    in ''
-      for sofile in PepperFlash/libpepflashplayer.so \
-                    libwidevinecdm.so libwidevinecdmadapter.so; do
+    patchPhase = ''
+      for sofile in libwidevinecdm.so libwidevinecdmadapter.so; do
         chmod +x "$sofile"
-        patchelf --set-rpath "${mkrpath rpaths}" "$sofile"
+        patchelf --set-rpath "${mkrpath [ stdenv.cc.cc ]}" "$sofile"
       done
 
-      patchelf --set-rpath "$widevine/lib:${mkrpath rpaths}" \
+      patchelf --set-rpath "$out/lib:${mkrpath [ stdenv.cc.cc ]}" \
         libwidevinecdmadapter.so
     '';
 
@@ -81,38 +77,62 @@ let
       wvName = "Widevine Content Decryption Module";
       wvDescription = "Playback of encrypted HTML audio/video content";
       wvMimeTypes = "application/x-ppapi-widevine-cdm";
-      wvModule = "@widevine@/lib/libwidevinecdmadapter.so";
+      wvModule = "@out@/lib/libwidevinecdmadapter.so";
       wvInfo = "#${wvName}#${wvDescription};${wvMimeTypes}";
     in ''
-      flashVersion="$(
-        "${jshon}/bin/jshon" -F PepperFlash/manifest.json -e version -u
-      )"
-
-      install -vD PepperFlash/libpepflashplayer.so \
-        "$flash/lib/libpepflashplayer.so"
+      install -vD libwidevinecdm.so \
+        "$out/lib/libwidevinecdm.so"
+      install -vD libwidevinecdmadapter.so \
+        "$out/lib/libwidevinecdmadapter.so"
 
       ${mkPluginInfo {
-        output = "flash";
-        allowedVars = [ "flash" "flashVersion" ];
+        flags = [ "--register-pepper-plugins=${wvModule}${wvInfo}" ];
+        envVars.NIX_CHROMIUM_PLUGIN_PATH_WIDEVINE = "@out@/lib";
+      }}
+    '';
+  };
+
+  flash = stdenv.mkDerivation rec {
+    name = "flashplayer-ppapi-${version}";
+    version = "23.0.0.205";
+
+    src = fetchzip {
+      url = "https://fpdownload.adobe.com/pub/flashplayer/pdc/"
+          + "${version}/flash_player_ppapi_linux.x86_64.tar.gz";
+      sha256 = "0gj5d8475qcplm3iqs3hkq0i6qkmbhci1zp3ljnhafc6xz0avyhj";
+      stripRoot = false;
+    };
+
+    patchPhase = ''
+      chmod +x libpepflashplayer.so
+      patchelf --set-rpath "${mkrpath [ stdenv.cc.cc ]}" libpepflashplayer.so
+    '';
+
+    doCheck = true;
+    checkPhase = ''
+      ! find -iname '*.so' -exec ldd {} + | grep 'not found'
+    '';
+
+    installPhase = ''
+      flashVersion="$(
+        "${jshon}/bin/jshon" -F manifest.json -e version -u
+      )"
+
+      install -vD libpepflashplayer.so "$out/lib/libpepflashplayer.so"
+
+      ${mkPluginInfo {
+        allowedVars = [ "out" "flashVersion" ];
         flags = [
-          "--ppapi-flash-path=@flash@/lib/libpepflashplayer.so"
+          "--ppapi-flash-path=@out@/lib/libpepflashplayer.so"
           "--ppapi-flash-version=@flashVersion@"
         ];
       }}
-
-      install -vD libwidevinecdm.so \
-        "$widevine/lib/libwidevinecdm.so"
-      install -vD libwidevinecdmadapter.so \
-        "$widevine/lib/libwidevinecdmadapter.so"
-
-      ${mkPluginInfo {
-        output = "widevine";
-        flags = [ "--register-pepper-plugins=${wvModule}${wvInfo}" ];
-        envVars.NIX_CHROMIUM_PLUGIN_PATH_WIDEVINE = "@widevine@/lib";
-      }}
     '';
 
-    passthru.enabled = optional enablePepperFlash plugins.flash
-                    ++ optional enableWideVine    plugins.widevine;
+    dontStrip = true;
   };
-in plugins
+
+in {
+  enabled = optional enableWideVine widevine
+         ++ optional enablePepperFlash flash;
+}

pkgs/applications/networking/browsers/chromium/upstream-info.nix

@@ -1,18 +1,18 @@
 # This file is autogenerated from update.sh in the same directory.
 {
   beta = {
-    sha256 = "0f6cqvhlg06lrf4bzaiwzm9yi3fi1dk5jrzvjcg7alw3mzrmh2wv";
-    sha256bin64 = "02cv9vc1l2nlwa4a0lc7cj9c9czrwp1jd8d024bq16a5fvmhl01l";
-    version = "54.0.2840.50";
+    sha256 = "11a98nknz7lh5jmjslznccg11nr0wla4c9l40fvxqxjm2gs6qags";
+    sha256bin64 = "0qdydj0i9ll72f5m9r48gc3dyc22q6qas5nq8h0mbnrxrwd9dnyj";
+    version = "55.0.2883.35";
   };
   dev = {
-    sha256 = "06kcymwi0wfir7w10g8viayk2h0b5a66dav76mlia4lm30p502kz";
-    sha256bin64 = "0mgamiffnnkaw8c68b5kyna84x7hlhrzmqfc36kzf434fmm8v5d6";
-    version = "55.0.2873.0";
+    sha256 = "1pfgb5dnygyxiwfq6ini5s159c178zz7235npaag7k8gcc10ybnz";
+    sha256bin64 = "14s185361inkqh8ykl94xhgv01z68gxqh7j6gyb4jbr0rhcsd9pl";
+    version = "56.0.2906.0";
   };
   stable = {
-    sha256 = "1hyw0z7dsfaxyy8b4mvnfjy5yj0160hzz9m0wj3vn9zvkfvmhan5";
-    sha256bin64 = "0n0px7yi94gdxq7p6pjqfdz04bnh3mcvbaccjaglj6h5p0jc8abq";
-    version = "53.0.2785.143";
+    sha256 = "01h1qkdw5dpwz61dybpf4bhag198j082lzwpkdx2nj55k2j3lawl";
+    sha256bin64 = "18mxgzi79qhi07wgyyx6bb0lqm9pzkw85ypg6vmqv8gh0abn7dn1";
+    version = "54.0.2840.90";
   };
 }

pkgs/development/tools/build-managers/gn/default.nix

@@ -0,0 +1,80 @@
+{ stdenv, fetchgit, fetchurl, python, ninja, libevent, xdg-user-dirs }:
+
+let
+  date = "20161008";
+
+  sourceTree = {
+    "src/base" = {
+      rev = "e71a514e60b085cc92bf6ef951ec329f52c79f9f";
+      sha256 = "0zycbssmd2za0zij8czcs1fr66fi12f1g5ysc8fzkf8khbs5h6a9";
+    };
+    "src/build" = {
+      rev = "17093d45bf738e9ae4b6294492860ee65218a657";
+      sha256 = "0i9py78c3f46sc789qvdhmgjgyrghysbqjgr67iypwphw52jv2dz";
+    };
+    "src/tools/gn" = {
+      rev = "9ff32cf3f1f4ad0212ac674b6303e7aa68f44f3f";
+      sha256 = "14jr45k5fgcqk9d18fd77sijlqavvnv0knndh74zyb0b60464hz1";
+    };
+    "testing/gtest" = {
+      rev = "585ec31ea716f08233a815e680fc0d4699843938";
+      sha256 = "0csn1cza66851nmxxiw42smsm3422mx67vcyykwn0a71lcjng6rc";
+    };
+  };
+
+  mkDepend = path: attrs: fetchgit {
+    url = "https://chromium.googlesource.com/chromium/${path}";
+    inherit (attrs) rev sha256;
+  };
+
+in stdenv.mkDerivation rec {
+  name = "gn-${version}";
+  version = "0.0.0.${date}";
+
+  unpackPhase = ''
+    ${with stdenv.lib; concatStrings (mapAttrsToList (path: sha256: ''
+      dest=source/${escapeShellArg (removePrefix "src/" path)}
+      mkdir -p "$(dirname "$dest")"
+      cp --no-preserve=all -rT ${escapeShellArg (mkDepend path sha256)} "$dest"
+    '') sourceTree)}
+    ( mkdir -p source/third_party
+      cd source/third_party
+      unpackFile ${xdg-user-dirs.src}
+      mv * xdg_user
+    )
+  '';
+
+  sourceRoot = "source";
+
+  postPatch = ''
+    # GN's bootstrap script relies on shebangs (which are relying on FHS paths),
+    # except when on Windows. So instead of patchShebang-ing it, let's just
+    # force the same behaviour as on Windows.
+    sed -i -e '/^def  *check_call/,/^[^ ]/ {
+      s/is_win/True/
+    }' tools/gn/bootstrap/bootstrap.py
+
+    # Patch out Chromium-bundled libevent and xdg_user_dirs
+    sed -i -e '/static_libraries.*libevent/,/^ *\]\?[})]$/d' \
+      tools/gn/bootstrap/bootstrap.py
+  '';
+
+  NIX_LDFLAGS = "-levent";
+
+  nativeBuildInputs = [ python ninja ];
+  buildInputs = [ libevent ];
+
+  buildPhase = ''
+    python tools/gn/bootstrap/bootstrap.py -v -s --no-clean
+  '';
+
+  installPhase = ''
+    install -vD out_bootstrap/gn "$out/bin/gn"
+  '';
+
+  meta = {
+    description = "A meta-build system that generates NinjaBuild files";
+    homepage = "https://chromium.googlesource.com/chromium/src/tools/gn/";
+    license = stdenv.lib.licenses.bsd3;
+  };
+}

pkgs/top-level/all-packages.nix

@@ -6079,6 +6079,8 @@ in
 
   global = callPackage ../development/tools/misc/global { };
 
+  gn = callPackage ../development/tools/build-managers/gn { };
+
   gnome_doc_utils = callPackage ../development/tools/documentation/gnome-doc-utils {};
 
   gnum4 = callPackage ../development/tools/misc/gnum4 { };
@@ -12275,7 +12277,6 @@ in
     pulseSupport = config.pulseaudio or true;
     enablePepperFlash = config.chromium.enablePepperFlash or false;
     enableWideVine = config.chromium.enableWideVine or false;
-    hiDPISupport = config.chromium.hiDPISupport or false;
     gnome = gnome2;
   };