Merge branch 'chromium-refactor', closes #1798.

This implements some longstanding work of getting the Chromium
derivation more modular. Unfortunately, I didn't manage to decrease the
compile time, which was one of the primary goals for doing the refactor.
A main reason this didn't work out well was the fact that most bundled
libraries are so heavily patched that it's not possible within a limited
time frame to decouple them from the main derivation.

However, it should now be easier to build other derivations that build
upon Chromium, like libcef. Also, it finally adds support for the
non-free PepperAPI Flash and PDF plugins and support for fetching the
corresponding versions through the updater.
aszlig 2014-04-21 09:50:50 +02:00
commit cdd1c9caa5
GPG Key ID: D0EBD0EC8C2DC961
22 changed files with 1074 additions and 403 deletions


@ -0,0 +1,40 @@
{ stdenv, mkChromiumDerivation }:
with stdenv.lib;
mkChromiumDerivation (base: rec {
name = "chromium-browser";
packageName = "chromium";
buildTargets = [ "chrome" ];
installPhase = ''
ensureDir "$libExecPath"
cp -v "$buildPath/"*.pak "$libExecPath/"
cp -v "$buildPath/icudtl.dat" "$libExecPath/"
cp -vR "$buildPath/locales" "$buildPath/resources" "$libExecPath/"
cp -v $buildPath/libffmpegsumo.so "$libExecPath/"
cp -v "$buildPath/chrome" "$libExecPath/$packageName"
mkdir -vp "$out/share/man/man1"
cp -v "$buildPath/chrome.1" "$out/share/man/man1/$packageName.1"
for icon_file in chrome/app/theme/chromium/product_logo_*[0-9].png; do
num_and_suffix="''${icon_file##*logo_}"
icon_size="''${num_and_suffix%.*}"
expr "$icon_size" : "^[0-9][0-9]*$" || continue
logo_output_prefix="$out/share/icons/hicolor"
logo_output_path="$logo_output_prefix/''${icon_size}x''${icon_size}/apps"
mkdir -vp "$logo_output_path"
cp -v "$icon_file" "$logo_output_path/$packageName.png"
done
'';
meta = {
description = "An open source web browser from Google";
homepage = http://www.chromium.org/;
maintainers = with maintainers; [ goibhniu chaoflow aszlig wizeman ];
license = licenses.bsd3;
platforms = platforms.linux;
};
})
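Review bot: `cp -v $buildPath/libffmpegsumo.so "$libExecPath/"` is the only path in `installPhase` left unquoted; it should read `cp -v "$buildPath/libffmpegsumo.so" "$libExecPath/"` like the neighbouring copies. The phase also depends on `$buildPath` and `$libExecPath` being shell variables that this file never sets — as far as this page shows, `$buildPath` arrives as a derivation attribute inherited in common.nix and `$libExecPath` is only assigned in common.nix's configurePhase — so a one-line comment above `installPhase` such as `# $buildPath and $libExecPath are provided by mkChromiumDerivation (see common.nix)` would save the next reader the detour. The icon loop is fine as written: a non-matching glob leaves the literal pattern, which the `expr` test rejects.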


@ -0,0 +1,201 @@
{ stdenv, fetchurl, ninja, which
# default dependencies
, bzip2, flac, speex, icu, libopus
, libevent, expat, libjpeg, snappy
, libpng, libxml2, libxslt
, xdg_utils, yasm, minizip, libwebp
, libusb1, libexif, pciutils
, python, pythonPackages, perl, pkgconfig
, nspr, udev, krb5
, utillinux, alsaLib
, gcc, bison, gperf
, glib, gtk, dbus_glib
, libXScrnSaver, libXcursor, libXtst, mesa
, protobuf, speechd, libXdamage
# optional dependencies
, libgcrypt ? null # gnomeSupport || cupsSupport
# package customization
, enableSELinux ? false, libselinux ? null
, enableNaCl ? false
, useOpenSSL ? false, nss ? null, openssl ? null
, gnomeSupport ? false, gnome ? null
, gnomeKeyringSupport ? false, libgnome_keyring3 ? null
, proprietaryCodecs ? true
, cupsSupport ? false
, pulseSupport ? false, pulseaudio ? null
, source
, plugins
}:
buildFun:
with stdenv.lib;
let
# The additional attributes for creating derivations based on the chromium
# source tree.
extraAttrs = buildFun base;
mkGypFlags =
let
sanitize = value:
if value == true then "1"
else if value == false then "0"
else "${value}";
toFlag = key: value: "-D${key}=${sanitize value}";
in attrs: concatStringsSep " " (attrValues (mapAttrs toFlag attrs));
gypFlagsUseSystemLibs = {
use_system_bzip2 = true;
use_system_flac = true;
use_system_libevent = true;
use_system_libexpat = true;
use_system_libexif = true;
use_system_libjpeg = true;
use_system_libpng = true;
use_system_libwebp = true;
use_system_libxml = true;
use_system_opus = true;
use_system_snappy = true;
use_system_speex = true;
use_system_ssl = useOpenSSL;
use_system_stlport = true;
use_system_xdg_utils = true;
use_system_yasm = true;
use_system_zlib = false;
use_system_protobuf = true;
use_system_harfbuzz = false;
use_system_icu = false; # Doesn't support ICU 52 yet.
use_system_libusb = false; # http://crbug.com/266149
use_system_skia = false;
use_system_sqlite = false; # http://crbug.com/22208
use_system_v8 = false;
};
opusWithCustomModes = libopus.override {
withCustomModes = !versionOlder source.version "35.0.0.0";
};
defaultDependencies = [
bzip2 flac speex icu opusWithCustomModes
libevent expat libjpeg snappy
libpng libxml2 libxslt
xdg_utils yasm minizip libwebp
libusb1 libexif
];
# build paths and release info
packageName = extraAttrs.packageName or extraAttrs.name;
buildType = "Release";
buildPath = "out/${buildType}";
libExecPath = "$out/libexec/${packageName}";
base = rec {
name = "${packageName}-${version}";
inherit (source) version;
inherit packageName buildType buildPath;
src = source;
buildInputs = defaultDependencies ++ [
which
python perl pkgconfig
nspr udev
(if useOpenSSL then openssl else nss)
utillinux alsaLib
gcc bison gperf krb5
glib gtk dbus_glib
libXScrnSaver libXcursor libXtst mesa
pciutils protobuf speechd libXdamage
pythonPackages.gyp pythonPackages.ply pythonPackages.jinja2
] ++ optional gnomeKeyringSupport libgnome_keyring3
++ optionals gnomeSupport [ gnome.GConf libgcrypt ]
++ optional enableSELinux libselinux
++ optional cupsSupport libgcrypt
++ optional pulseSupport pulseaudio;
# XXX: Wait for https://crbug.com/239107 and https://crbug.com/239181 to
# be fixed, then try again to unbundle everything into separate
# derivations.
prePatch = ''
cp -dsr --no-preserve=mode "${source.main}"/* .
cp -dsr --no-preserve=mode "${source.sandbox}" sandbox
cp -dr "${source.bundled}" third_party
chmod -R u+w third_party
# Hardcode source tree root in all gyp files
find -iname '*.gyp*' \( -type f -o -type l \) \
-exec sed -i -e 's|<(DEPTH)|'"$(pwd)"'|g' {} + \
-exec chmod u+w {} +
'';
postPatch = ''
sed -i -e '/base::FilePath exe_dir/,/^ *} *$/c \
sandbox_binary = base::FilePath(getenv("CHROMIUM_SANDBOX_BINARY_PATH"));
' content/browser/browser_main_loop.cc
'';
gypFlags = mkGypFlags (gypFlagsUseSystemLibs // {
linux_use_gold_binary = false;
linux_use_gold_flags = false;
proprietary_codecs = false;
use_gnome_keyring = gnomeKeyringSupport;
use_gconf = gnomeSupport;
use_gio = gnomeSupport;
use_pulseaudio = pulseSupport;
disable_nacl = !enableNaCl;
use_openssl = useOpenSSL;
selinux = enableSELinux;
use_cups = cupsSupport;
linux_sandbox_chrome_path="${libExecPath}/${packageName}";
werror = "";
# Google API keys, see:
# http://www.chromium.org/developers/how-tos/api-keys
# Note: These are for NixOS/nixpkgs use ONLY. For your own distribution,
# please get your own set of keys.
google_api_key = "AIzaSyDGi15Zwl11UNe6Y-5XW_upsfyw31qwZPI";
google_default_client_id = "404761575300.apps.googleusercontent.com";
google_default_client_secret = "9rIFQjfnkykEmqb6FfjJQD1D";
} // optionalAttrs proprietaryCodecs {
# enable support for the H.264 codec
proprietary_codecs = true;
ffmpeg_branding = "Chrome";
} // optionalAttrs (stdenv.system == "x86_64-linux") {
target_arch = "x64";
python_arch = "x86-64";
} // optionalAttrs (stdenv.system == "i686-linux") {
target_arch = "ia32";
python_arch = "ia32";
} // (extraAttrs.gypFlags or {}));
configurePhase = ''
# This is to ensure expansion of $out.
libExecPath="${libExecPath}"
python build/linux/unbundle/replace_gyp_files.py ${gypFlags}
python build/gyp_chromium -f ninja --depth "$(pwd)" ${gypFlags}
'';
buildPhase = let
CC = "${gcc}/bin/gcc";
CXX = "${gcc}/bin/g++";
in ''
CC="${CC}" CC_host="${CC}" \
CXX="${CXX}" CXX_host="${CXX}" \
LINK_host="${CXX}" \
"${ninja}/bin/ninja" -C "${buildPath}" \
-j$NIX_BUILD_CORES -l$NIX_BUILD_CORES \
${concatStringsSep " " (extraAttrs.buildTargets or [])}
'';
};
# Remove some extraAttrs we supplied to the base attributes already.
in stdenv.mkDerivation (base // removeAttrs extraAttrs [
"name" "gypFlags" "buildTargets"
])
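Review bot: The `buildFun` contract this file exists for is undocumented: a header comment should state that `buildFun` receives the `base` attribute set and returns attributes merged with `//` in `stdenv.mkDerivation (base // removeAttrs extraAttrs [...])`, so any attribute the caller defines (`buildInputs`, `prePatch`, `installPhase`, ...) replaces the base one wholesale rather than extending it. It should also warn that `packageName = extraAttrs.packageName or extraAttrs.name` is computed through `buildFun base`, so a `buildFun` that derives its own `name` or `packageName` from `base` will, I believe, recurse infinitely; browser.nix avoids this by using literals. A suggested form: `# buildFun: base -> attrs. Attributes returned by buildFun override those in base (no merging); name, gypFlags and buildTargets are consumed by base instead of being passed through.`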


@ -1,287 +1,85 @@
{ stdenv, fetchurl, makeWrapper, ninja, which
# default dependencies
, bzip2, flac, speex
, libevent, expat, libjpeg
, libpng, libxml2, libxslt
, xdg_utils, yasm, zlib
, libusb1, libexif, pciutils
, python, pythonPackages, perl, pkgconfig
, nspr, udev, krb5
, utillinux, alsaLib
, gcc, bison, gperf
, glib, gtk, dbus_glib
, libXScrnSaver, libXcursor, libXtst, mesa
, protobuf, speechd, libXdamage
# optional dependencies
, libgcrypt ? null # gnomeSupport || cupsSupport
{ newScope, stdenv, makeWrapper, makeDesktopItem
# package customization
, channel ? "stable"
, enableSELinux ? false, libselinux ? null
, enableSELinux ? false
, enableNaCl ? false
, useOpenSSL ? false, nss ? null, openssl ? null
, gnomeSupport ? false, gconf ? null
, gnomeKeyringSupport ? false, libgnome_keyring ? null
, useOpenSSL ? false
, gnomeSupport ? false
, gnomeKeyringSupport ? false
, proprietaryCodecs ? true
, enablePepperFlash ? false
, enablePepperPDF ? false
, cupsSupport ? false
, pulseSupport ? false, pulseaudio ? null
, pulseSupport ? false
}:
with stdenv.lib;
let
src = with getAttr channel (import ./sources.nix); stdenv.mkDerivation {
name = "chromium-source-${version}";
callPackage = newScope chromium;
src = fetchurl {
inherit url sha256;
chromium = {
source = callPackage ./source {
inherit channel;
# XXX: common config
inherit useOpenSSL;
};
buildInputs = [ python ]; # cannot patch shebangs otherwise
mkChromiumDerivation = callPackage ./common.nix {
inherit enableSELinux enableNaCl useOpenSSL gnomeSupport
gnomeKeyringSupport proprietaryCodecs cupsSupport
pulseSupport;
};
phases = [ "unpackPhase" "patchPhase" "installPhase" ];
browser = callPackage ./browser.nix { };
sandbox = callPackage ./sandbox.nix { };
opensslPatches = optional useOpenSSL openssl.patches;
prePatch = "patchShebangs .";
patches = singleton ./sandbox_userns_31.patch;
postPatch = ''
sed -i -r \
-e 's/-f(stack-protector)(-all)?/-fno-\1/' \
-e 's|/bin/echo|echo|' \
-e "/python_arch/s/: *'[^']*'/: '""'/" \
build/common.gypi chrome/chrome_tests.gypi
sed -i '/not RunGN/,+1d' build/gyp_chromium
sed -i -e 's|/usr/bin/gcc|gcc|' \
third_party/WebKit/Source/build/scripts/scripts.gypi \
third_party/WebKit/Source/build/scripts/preprocessor.pm
'' + optionalString useOpenSSL ''
cat $opensslPatches | patch -p1 -d third_party/openssl/openssl
'' + optionalString (!versionOlder version "34.0.0.0") ''
sed -i '/import.*depot/d' build/gyp_chromium
'';
outputs = [ "out" "sandbox" "bundled" "main" ];
installPhase = ''
ensureDir "$out" "$sandbox" "$bundled" "$main"
header "copying browser main sources to $main"
find . -mindepth 1 -maxdepth 1 \
\! -path ./sandbox \
\! -path ./third_party \
\! -path ./build \
\! -path ./tools \
\! -name '.*' \
-print | xargs cp -rt "$main"
stopNest
header "copying sandbox components to $sandbox"
cp -rt "$sandbox" sandbox/*
stopNest
header "copying third party sources to $bundled"
cp -rt "$bundled" third_party/*
stopNest
header "copying build requisites to $out"
cp -rt "$out" build tools
stopNest
rm -rf "$out/tools/gyp" # XXX: Don't even copy it in the first place.
'';
passthru = {
inherit version;
plugins = callPackage ./plugins.nix {
inherit enablePepperFlash enablePepperPDF;
};
};
mkGypFlags =
let
sanitize = value:
if value == true then "1"
else if value == false then "0"
else "${value}";
toFlag = key: value: "-D${key}=${sanitize value}";
in attrs: concatStringsSep " " (attrValues (mapAttrs toFlag attrs));
gypFlagsUseSystemLibs = {
use_system_bzip2 = true;
use_system_flac = true;
use_system_libevent = true;
use_system_libexpat = true;
use_system_libexif = true;
use_system_libjpeg = true;
use_system_libpng = false; # PNG dlopen() version conflict
use_system_libusb = true;
use_system_libxml = true;
use_system_speex = true;
use_system_ssl = useOpenSSL;
use_system_stlport = true;
use_system_xdg_utils = true;
use_system_yasm = true;
use_system_zlib = false; # http://crbug.com/143623
use_system_protobuf = true;
use_system_harfbuzz = false;
use_system_icu = false;
use_system_libwebp = false; # http://crbug.com/133161
use_system_skia = false;
use_system_sqlite = false; # http://crbug.com/22208
use_system_v8 = false;
desktopItem = makeDesktopItem {
name = "Chromium";
exec = "chromium";
icon = "chromium";
comment = "An open source web browser from Google";
desktopName = "Chromium";
genericName = "Web browser";
mimeType = stdenv.lib.concatStringsSep ";" [
"text/html"
"text/xml"
"application/xhtml+xml"
"x-scheme-handler/http"
"x-scheme-handler/https"
"x-scheme-handler/ftp"
"x-scheme-handler/mailto"
"x-scheme-handler/webcal"
];
categories = "Network;WebBrowser";
};
defaultDependencies = [
bzip2 flac speex
libevent expat libjpeg
libpng libxml2 libxslt
xdg_utils yasm zlib
libusb1 libexif
];
in stdenv.mkDerivation {
name = "chromium-${channel}-${chromium.browser.version}";
sandbox = import ./sandbox.nix {
inherit stdenv;
src = src.sandbox;
binary = "${packageName}_sandbox";
};
buildInputs = [ makeWrapper ];
# build paths and release info
packageName = "chromium";
buildType = "Release";
buildPath = "out/${buildType}";
libExecPath = "$out/libexec/${packageName}";
sandboxPath = "${sandbox}/bin/${packageName}_sandbox";
in stdenv.mkDerivation rec {
name = "${packageName}-${src.version}";
inherit packageName src;
buildInputs = defaultDependencies ++ [
which makeWrapper
python perl pkgconfig
nspr udev
(if useOpenSSL then openssl else nss)
utillinux alsaLib
gcc bison gperf krb5
glib gtk dbus_glib
libXScrnSaver libXcursor libXtst mesa
pciutils protobuf speechd libXdamage
pythonPackages.gyp
] ++ optional gnomeKeyringSupport libgnome_keyring
++ optionals gnomeSupport [ gconf libgcrypt ]
++ optional enableSELinux libselinux
++ optional cupsSupport libgcrypt
++ optional pulseSupport pulseaudio;
prePatch = ''
# XXX: Figure out a way how to split these properly.
#cpflags="-dsr --no-preserve=mode"
cpflags="-dr"
cp $cpflags "${src.main}"/* .
cp $cpflags "${src.bundled}" third_party
cp $cpflags "${src.sandbox}" sandbox
chmod -R u+w . # XXX!
'';
postPatch = ''
sed -i -e '/base::FilePath exe_dir/,/^ *} *$/c \
sandbox_binary = \
base::FilePath("'"${sandboxPath}"'");
' content/browser/browser_main_loop.cc
'';
gypFlags = mkGypFlags (gypFlagsUseSystemLibs // {
linux_use_gold_binary = false;
linux_use_gold_flags = false;
proprietary_codecs = false;
use_gnome_keyring = gnomeKeyringSupport;
use_gconf = gnomeSupport;
use_gio = gnomeSupport;
use_pulseaudio = pulseSupport;
disable_nacl = !enableNaCl;
use_openssl = useOpenSSL;
selinux = enableSELinux;
use_cups = cupsSupport;
linux_sandbox_path="${sandboxPath}";
linux_sandbox_chrome_path="${libExecPath}/${packageName}";
werror = "";
# Google API keys, see http://www.chromium.org/developers/how-tos/api-keys.
# Note: These are for NixOS/nixpkgs use ONLY. For your own distribution,
# please get your own set of keys.
google_api_key = "AIzaSyDGi15Zwl11UNe6Y-5XW_upsfyw31qwZPI";
google_default_client_id = "404761575300.apps.googleusercontent.com";
google_default_client_secret = "9rIFQjfnkykEmqb6FfjJQD1D";
} // optionalAttrs proprietaryCodecs {
# enable support for the H.264 codec
proprietary_codecs = true;
ffmpeg_branding = "Chrome";
} // optionalAttrs (stdenv.system == "x86_64-linux") {
target_arch = "x64";
python_arch = "x86-64";
} // optionalAttrs (stdenv.system == "i686-linux") {
target_arch = "ia32";
python_arch = "ia32";
});
configurePhase = ''
python build/gyp_chromium -f ninja --depth "$(pwd)" ${gypFlags}
'';
buildPhase = let
CC = "${gcc}/bin/gcc";
CXX = "${gcc}/bin/g++";
buildCommand = let
browserBinary = "${chromium.browser}/libexec/chromium/chromium";
sandboxBinary = "${chromium.sandbox}/bin/chromium-sandbox";
in ''
CC="${CC}" CC_host="${CC}" \
CXX="${CXX}" CXX_host="${CXX}" \
LINK_host="${CXX}" \
"${ninja}/bin/ninja" -C "${buildPath}" \
-j$NIX_BUILD_CORES -l$NIX_BUILD_CORES \
chrome ${optionalString (!enableSELinux) "chrome_sandbox"}
ensureDir "$out/bin" "$out/share/applications"
ln -s "${chromium.browser}/share" "$out/share"
makeWrapper "${browserBinary}" "$out/bin/chromium" \
--set CHROMIUM_SANDBOX_BINARY_PATH "${sandboxBinary}" \
--add-flags "${chromium.plugins.flagsEnabled}"
cp -v "${desktopItem}/share/applications/"* "$out/share/applications"
'';
installPhase = ''
ensureDir "${libExecPath}"
cp -v "${buildPath}/"*.pak "${libExecPath}/"
${optionalString (!versionOlder src.version "34.0.0.0") ''
cp -v "${buildPath}/icudtl.dat" "${libExecPath}/"
''}
cp -vR "${buildPath}/locales" "${buildPath}/resources" "${libExecPath}/"
cp -v ${buildPath}/libffmpegsumo.so "${libExecPath}/"
cp -v "${buildPath}/chrome" "${libExecPath}/${packageName}"
mkdir -vp "$out/bin"
makeWrapper "${libExecPath}/${packageName}" "$out/bin/${packageName}"
mkdir -vp "$out/share/man/man1"
cp -v "${buildPath}/chrome.1" "$out/share/man/man1/${packageName}.1"
for icon_file in chrome/app/theme/chromium/product_logo_*[0-9].png; do
num_and_suffix="''${icon_file##*logo_}"
icon_size="''${num_and_suffix%.*}"
expr "$icon_size" : "^[0-9][0-9]*$" || continue
logo_output_prefix="$out/share/icons/hicolor"
logo_output_path="$logo_output_prefix/''${icon_size}x''${icon_size}/apps"
mkdir -vp "$logo_output_path"
cp -v "$icon_file" "$logo_output_path/${packageName}.png"
done
'';
inherit (chromium.browser) meta packageName;
passthru = {
inherit sandbox;
};
meta = {
description = "An open source web browser from Google";
homepage = http://www.chromium.org/;
maintainers = with maintainers; [ goibhniu chaoflow aszlig wizeman ];
license = licenses.bsd3;
platforms = platforms.linux;
mkDerivation = chromium.mkChromiumDerivation;
};
}
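Review bot: In `buildCommand`, `ensureDir "$out/bin" "$out/share/applications"` creates `$out/share` as a real directory before `ln -s "${chromium.browser}/share" "$out/share"` runs, so `ln` places the link inside it as `$out/share/share`, and the browser's man page and icons never appear under `$out/share/man` or `$out/share/icons`. Linking the entries instead of the directory fixes it: `ln -s "${chromium.browser}/share/"* "$out/share/"`, placed after the `ensureDir`. The `--add-flags "${chromium.plugins.flagsEnabled}"` line embeds a `$(< …/nix-support/chromium-flags)` substitution that the generated wrapper expands at every launch, not at build time; a short comment saying so above `makeWrapper` would help, since the flag files then have to stay readable from the plugin store paths.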


@ -0,0 +1,78 @@
{ stdenv
, enablePepperFlash ? false
, enablePepperPDF ? false
, source
}:
with stdenv.lib;
let
plugins = stdenv.mkDerivation {
name = "chromium-binary-plugins";
# XXX: Only temporary and has to be version-specific
src = source.plugins;
phases = [ "unpackPhase" "patchPhase" "checkPhase" "installPhase" ];
outputs = [ "pdf" "flash" ];
unpackCmd = let
chan = if source.channel == "dev" then "chrome-unstable"
else if source.channel == "stable" then "chrome"
else "chrome-${source.channel}";
in ''
ensureDir plugins
ar p "$src" data.tar.lzma | tar xJ -C plugins --strip-components=4 \
./opt/google/${chan}/PepperFlash \
./opt/google/${chan}/libpdf.so
'';
doCheck = true;
checkPhase = ''
! find -iname '*.so' -exec ldd {} + | grep 'not found'
'';
patchPhase = let
rpaths = [ stdenv.gcc.gcc ];
mkrpath = p: "${makeSearchPath "lib64" p}:${makeSearchPath "lib" p}";
in ''
for sofile in PepperFlash/libpepflashplayer.so libpdf.so; do
chmod +x "$sofile"
patchelf --set-rpath "${mkrpath rpaths}" "$sofile"
done
'';
installPhase = let
pdfName = "Chrome PDF Viewer";
pdfDescription = "Portable Document Format";
pdfMimeTypes = concatStringsSep ";" [
"application/pdf"
"application/x-google-chrome-print-preview-pdf"
];
pdfInfo = "#${pdfName}#${pdfDescription};${pdfMimeTypes}";
in ''
install -vD libpdf.so "$pdf/lib/libpdf.so"
ensureDir "$pdf/nix-support"
echo "--register-pepper-plugins='$pdf/lib/libpdf.so${pdfInfo}'" \
> "$pdf/nix-support/chromium-flags"
flashVersion="$(
sed -n -r 's/.*"version": "([^"]+)",.*/\1/p' PepperFlash/manifest.json
)"
install -vD PepperFlash/libpepflashplayer.so \
"$flash/lib/libpepflashplayer.so"
ensureDir "$flash/nix-support"
echo "--ppapi-flash-path='$flash/lib/libpepflashplayer.so'" \
"--ppapi-flash-version=$flashVersion" \
> "$flash/nix-support/chromium-flags"
'';
passthru.flagsEnabled = let
enabledPlugins = optional enablePepperFlash plugins.flash
++ optional enablePepperPDF plugins.pdf;
getFlags = plugin: "$(< ${plugin}/nix-support/chromium-flags)";
in concatStringsSep " " (map getFlags enabledPlugins);
};
in plugins
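Review bot: The flags written to `nix-support/chromium-flags` wrap values that contain spaces in shell single quotes (`--register-pepper-plugins='$pdf/lib/libpdf.so#Chrome PDF Viewer#Portable Document Format;…'`), but `passthru.flagsEnabled` hands them to the wrapper as a bare `$(< …)` substitution, and the result of a command substitution is word-split without quote removal; as far as I can tell the PDF flag therefore reaches Chromium as several arguments with literal `'` characters unless the wrapper evaluates the flags a second time. Either have the wrapper `eval` the contents of the flag files, or write one flag per line and read the file into an array; please verify against the generated `$out/bin/chromium` script before merging. A comment above `passthru.flagsEnabled` should also state that the files are read at browser launch, so the substitution refers to the run-time store path rather than a build-time value.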


@ -1,12 +1,13 @@
{ stdenv, src, binary }:
{ stdenv, source }:
stdenv.mkDerivation {
name = "chromium-sandbox-${src.version}";
inherit src;
name = "chromium-sandbox-${source.version}";
src = source.sandbox;
patchPhase = ''
sed -i -e '/#include.*base_export/c \
#define BASE_EXPORT __attribute__((visibility("default")))
/#include/s|sandbox/linux|'"$(pwd)"'/linux|
' linux/suid/*.[hc]
'';
@ -15,6 +16,6 @@ stdenv.mkDerivation {
'';
installPhase = ''
install -svD sandbox "$out/bin/${binary}"
install -svD sandbox "$out/bin/chromium-sandbox"
'';
}
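Review bot: The helper name in `install -svD sandbox "$out/bin/chromium-sandbox"` is now spelled out here and again in default.nix (`sandboxBinary = "${chromium.sandbox}/bin/chromium-sandbox"`), where the removed `binary` argument previously kept the two in sync. A rename on either side would only surface at run time as the zygote host's fatal "helper binary is missing" error, so exposing it once, e.g. `passthru.binary = "chromium-sandbox";` in this derivation and `"${chromium.sandbox}/bin/${chromium.sandbox.binary}"` in default.nix, keeps a single point of truth.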


@ -0,0 +1,79 @@
{ stdenv, fetchurl, python
, channel ? "stable"
, useOpenSSL # XXX
}:
with stdenv.lib;
with (import ./update.nix {
inherit (stdenv) system;
}).getChannel channel;
stdenv.mkDerivation {
name = "chromium-source-${version}";
src = fetchurl main;
buildInputs = [ python ]; # cannot patch shebangs otherwise
phases = [ "unpackPhase" "patchPhase" "installPhase" ];
opensslPatches = optional useOpenSSL openssl.patches;
prePatch = "patchShebangs .";
patches = if (versionOlder version "36.0.0.0")
then singleton ./sandbox_userns_31.patch
else singleton ./sandbox_userns_36.patch;
postPatch = ''
sed -i -r \
-e 's/-f(stack-protector)(-all)?/-fno-\1/' \
-e 's|/bin/echo|echo|' \
-e "/python_arch/s/: *'[^']*'/: '""'/" \
build/common.gypi chrome/chrome_tests.gypi
sed -i -e '/not RunGN/,+1d' -e '/import.*depot/d' build/gyp_chromium
sed -i -e 's|/usr/bin/gcc|gcc|' \
third_party/WebKit/Source/build/scripts/scripts.gypi \
third_party/WebKit/Source/build/scripts/preprocessor.pm
'' + optionalString useOpenSSL ''
cat $opensslPatches | patch -p1 -d third_party/openssl/openssl
'' + optionalString (!versionOlder version "34.0.0.0") ''
'';
outputs = [ "out" "sandbox" "bundled" "main" ];
installPhase = ''
ensureDir "$out" "$sandbox" "$bundled" "$main"
header "copying browser main sources to $main"
find . -mindepth 1 -maxdepth 1 \
\! -path ./sandbox \
\! -path ./third_party \
\! -path ./build \
\! -path ./tools \
\! -name '.*' \
-print | xargs cp -rt "$main"
stopNest
header "copying sandbox components to $sandbox"
cp -rt "$sandbox" sandbox/*
stopNest
header "copying third party sources to $bundled"
cp -rt "$bundled" third_party/*
stopNest
header "copying build requisites to $out"
cp -rt "$out" build tools
stopNest
rm -rf "$out/tools/gyp" # XXX: Don't even copy it in the first place.
'';
preferLocalBuild = true;
passthru = {
inherit version channel;
plugins = fetchurl binary;
};
}
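Review bot: `opensslPatches = optional useOpenSSL openssl.patches;` refers to `openssl`, which is not among this file's arguments (`{ stdenv, fetchurl, python, channel ? "stable", useOpenSSL }`), whereas the old default.nix took `openssl ? null`. Because two `with` scopes are open, Nix defers the lookup, so the undefined-variable error will only surface when `useOpenSSL = true` is evaluated — unless the attribute set returned by `getChannel` in update.nix happens to provide `openssl`, which I cannot see from here; adding `, openssl ? null` to the argument list restores the previous behaviour. Separately, `'' + optionalString (!versionOlder version "34.0.0.0") ''` followed immediately by `'';` appends an empty string: the `/import.*depot/d` edit it used to guard was folded into the `build/gyp_chromium` sed above, so those two lines can be deleted.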


@ -0,0 +1,293 @@
commit 3c80951744293441c2e66345ef7d82c199f4600e
Author: aszlig <aszlig@redmoonstudios.org>
Date: Thu May 16 14:17:56 2013 +0200
zygote: Add support for user namespaces on Linux.
The implementation is done by patching the Zygote host to execute the sandbox
binary with CLONE_NEWUSER and setting the uid and gid mapping so that the child
process is using uid 0 and gid 0 which map to the current user of the parent.
Afterwards, the sandbox will continue as if it was called as a setuid binary.
In addition, this adds new_user_namespace as an option in process_util in order
to set the UID and GID mapping correctly. The reason for this is that just
passing CLONE_NEWUSER to clone_flags doesn't help in LaunchProcess(), because
without setting the mappings exec*() will clear the process's capability sets.
If the kernel doesn't support unprivileged user namespaces and the sandbox
binary doesn't have the setuid flag, the Zygote main process will run without a
sandbox. This is to mimic the behaviour if no SUID sandbox binary path is set.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
diff --git a/base/process/launch.cc b/base/process/launch.cc
index 81748f5..930f20f 100644
--- a/base/process/launch.cc
+++ b/base/process/launch.cc
@@ -26,6 +26,7 @@ LaunchOptions::LaunchOptions()
#if defined(OS_LINUX)
, clone_flags(0)
, allow_new_privs(false)
+ , new_user_namespace(false)
#endif // OS_LINUX
#if defined(OS_CHROMEOS)
, ctrl_terminal_fd(-1)
diff --git a/base/process/launch.h b/base/process/launch.h
index 9e39fba..00e4c79 100644
--- a/base/process/launch.h
+++ b/base/process/launch.h
@@ -115,6 +115,9 @@ struct BASE_EXPORT LaunchOptions {
// By default, child processes will have the PR_SET_NO_NEW_PRIVS bit set. If
// true, then this bit will not be set in the new child process.
bool allow_new_privs;
+
+ // If true, start the process in a new user namespace.
+ bool new_user_namespace;
#endif // defined(OS_LINUX)
#if defined(OS_CHROMEOS)
diff --git a/base/process/launch_posix.cc b/base/process/launch_posix.cc
index fe4da1a..7f118b8 100644
--- a/base/process/launch_posix.cc
+++ b/base/process/launch_posix.cc
@@ -40,6 +40,10 @@
#if defined(OS_LINUX)
#include <sys/prctl.h>
+#include <sched.h>
+#if !defined(CLONE_NEWUSER)
+#define CLONE_NEWUSER 0x10000000
+#endif
#endif
#if defined(OS_CHROMEOS)
@@ -301,13 +305,23 @@ bool LaunchProcess(const std::vector<std::string>& argv,
pid_t pid;
#if defined(OS_LINUX)
- if (options.clone_flags) {
+ int map_pipe_fd[2];
+ int flags = options.clone_flags;
+
+ if (options.new_user_namespace) {
+ flags |= CLONE_NEWUSER;
+ if (pipe(map_pipe_fd) < 0) {
+ DPLOG(ERROR) << "user namespace pipe";
+ return false;
+ }
+ }
+
+ if (options.clone_flags || options.new_user_namespace) {
// Signal handling in this function assumes the creation of a new
// process, so we check that a thread is not being created by mistake
// and that signal handling follows the process-creation rules.
- RAW_CHECK(
- !(options.clone_flags & (CLONE_SIGHAND | CLONE_THREAD | CLONE_VM)));
- pid = syscall(__NR_clone, options.clone_flags, 0, 0, 0);
+ RAW_CHECK(!(flags & (CLONE_SIGHAND | CLONE_THREAD | CLONE_VM)));
+ pid = syscall(__NR_clone, flags, 0, 0, 0);
} else
#endif
{
@@ -328,6 +342,21 @@ bool LaunchProcess(const std::vector<std::string>& argv,
// DANGER: no calls to malloc or locks are allowed from now on:
// http://crbug.com/36678
+#if defined(OS_LINUX)
+ if (options.new_user_namespace) {
+ // Close the write end of the pipe so we get an EOF when the parent closes
+ // the FD. This is to avoid race conditions when the UID/GID mappings are
+ // written _after_ execvp().
+ close(map_pipe_fd[1]);
+
+ char dummy;
+ if (HANDLE_EINTR(read(map_pipe_fd[0], &dummy, 1)) != 0) {
+ RAW_LOG(ERROR, "Unexpected input in uid/gid mapping pipe.");
+ _exit(127);
+ }
+ }
+#endif
+
// DANGER: fork() rule: in the child, if you don't end up doing exec*(),
// you call _exit() instead of exit(). This is because _exit() does not
// call any previously-registered (in the parent) exit handlers, which
@@ -451,6 +480,40 @@ bool LaunchProcess(const std::vector<std::string>& argv,
_exit(127);
} else {
// Parent process
+#if defined(OS_LINUX)
+ if (options.new_user_namespace) {
+ // We need to write UID/GID mapping here to map the current user outside
+ // the namespace to the root user inside the namespace in order to
+ // correctly "fool" the child process.
+ char buf[256];
+ int map_fd, map_len;
+
+ snprintf(buf, sizeof(buf), "/proc/%d/uid_map", pid);
+ map_fd = open(buf, O_RDWR);
+ DPCHECK(map_fd >= 0);
+ snprintf(buf, sizeof(buf), "0 %d 1", geteuid());
+ map_len = strlen(buf);
+ if (write(map_fd, buf, map_len) != map_len) {
+ RAW_LOG(WARNING, "Can't write to uid_map.");
+ }
+ close(map_fd);
+
+ snprintf(buf, sizeof(buf), "/proc/%d/gid_map", pid);
+ map_fd = open(buf, O_RDWR);
+ DPCHECK(map_fd >= 0);
+ snprintf(buf, sizeof(buf), "0 %d 1", getegid());
+ map_len = strlen(buf);
+ if (write(map_fd, buf, map_len) != map_len) {
+ RAW_LOG(WARNING, "Can't write to gid_map.");
+ }
+ close(map_fd);
+
+ // Close the pipe on the parent, so the child can continue doing the
+ // execvp() call.
+ close(map_pipe_fd[1]);
+ }
+#endif
+
if (options.wait) {
// While this isn't strictly disk IO, waiting for another process to
// finish is the sort of thing ThreadRestrictions is trying to prevent.
diff --git a/content/browser/zygote_host/zygote_host_impl_linux.cc b/content/browser/zygote_host/zygote_host_impl_linux.cc
index 0106a7a..a0465af 100644
--- a/content/browser/zygote_host/zygote_host_impl_linux.cc
+++ b/content/browser/zygote_host/zygote_host_impl_linux.cc
@@ -124,25 +124,31 @@ void ZygoteHostImpl::Init(const std::string& sandbox_cmd) {
sandbox_binary_ = sandbox_cmd.c_str();
- // A non empty sandbox_cmd means we want a SUID sandbox.
- using_suid_sandbox_ = !sandbox_cmd.empty();
+ bool userns_sandbox = false;
+ const std::vector<std::string> cmd_line_unwrapped(cmd_line.argv());
- if (using_suid_sandbox_) {
+ if (!sandbox_cmd.empty()) {
struct stat st;
if (stat(sandbox_binary_.c_str(), &st) != 0) {
LOG(FATAL) << "The SUID sandbox helper binary is missing: "
<< sandbox_binary_ << " Aborting now.";
}
- if (access(sandbox_binary_.c_str(), X_OK) == 0 &&
- (st.st_uid == 0) &&
- (st.st_mode & S_ISUID) &&
- (st.st_mode & S_IXOTH)) {
+ if (access(sandbox_binary_.c_str(), X_OK) == 0) {
+ using_suid_sandbox_ = true;
+
cmd_line.PrependWrapper(sandbox_binary_);
scoped_ptr<sandbox::SetuidSandboxClient>
sandbox_client(sandbox::SetuidSandboxClient::Create());
sandbox_client->SetupLaunchEnvironment();
+
+ if (!((st.st_uid == 0) &&
+ (st.st_mode & S_ISUID) &&
+ (st.st_mode & S_IXOTH))) {
+ userns_sandbox = true;
+ sandbox_client->SetNoSuid();
+ }
} else {
LOG(FATAL) << "The SUID sandbox helper binary was found, but is not "
"configured correctly. Rather than run without sandboxing "
@@ -167,7 +173,19 @@ void ZygoteHostImpl::Init(const std::string& sandbox_cmd) {
base::LaunchOptions options;
options.fds_to_remap = &fds_to_map;
options.allow_new_privs = using_suid_sandbox_; // Don't PR_SET_NO_NEW_PRIVS.
+ if (userns_sandbox)
+ options.new_user_namespace = true;
base::LaunchProcess(cmd_line.argv(), options, &process);
+
+ if (process == -1 && userns_sandbox) {
+ LOG(ERROR) << "User namespace sandbox failed to start, running without "
+ << "sandbox! You need at least kernel 3.8.0 with CONFIG_USER_NS "
+ << "enabled in order to use the sandbox without setuid bit.";
+ using_suid_sandbox_ = false;
+ options.new_user_namespace = false;
+ base::LaunchProcess(cmd_line_unwrapped, options, &process);
+ }
+
CHECK(process != -1) << "Failed to launch zygote process";
if (using_suid_sandbox_) {
diff --git a/content/zygote/zygote_main_linux.cc b/content/zygote/zygote_main_linux.cc
index 5dc09fa..4e09bc4 100644
--- a/content/zygote/zygote_main_linux.cc
+++ b/content/zygote/zygote_main_linux.cc
@@ -397,6 +397,13 @@ static bool EnterSuidSandbox(sandbox::SetuidSandboxClient* setuid_sandbox) {
CHECK(CreateInitProcessReaper());
}
+ // Don't set non-dumpable, as it causes trouble when the host tries to find
+ // the zygote process (XXX: Not quite sure why this happens with user
+ // namespaces). Fortunately, we also have the seccomp filter sandbox which
+ // should disallow the use of ptrace.
+ if (setuid_sandbox->IsNoSuid())
+ return true;
+
#if !defined(OS_OPENBSD)
// Previously, we required that the binary be non-readable. This causes the
// kernel to mark the process as non-dumpable at startup. The thinking was
diff --git a/sandbox/linux/suid/client/setuid_sandbox_client.cc b/sandbox/linux/suid/client/setuid_sandbox_client.cc
index 8ed1a97..cbdfadc 100644
--- a/sandbox/linux/suid/client/setuid_sandbox_client.cc
+++ b/sandbox/linux/suid/client/setuid_sandbox_client.cc
@@ -173,6 +173,10 @@ bool SetuidSandboxClient::IsInNewNETNamespace() const {
return env_->HasVar(kSandboxNETNSEnvironmentVarName);
}
+bool SetuidSandboxClient::IsNoSuid() const {
+ return env_->HasVar(kSandboxNoSuidVarName);
+}
+
bool SetuidSandboxClient::IsSandboxed() const {
return sandboxed_;
}
@@ -182,4 +186,8 @@ void SetuidSandboxClient::SetupLaunchEnvironment() {
SetSandboxAPIEnvironmentVariable(env_);
}
+void SetuidSandboxClient::SetNoSuid() {
+ env_->SetVar(kSandboxNoSuidVarName, "1");
+}
+
} // namespace sandbox
diff --git a/sandbox/linux/suid/client/setuid_sandbox_client.h b/sandbox/linux/suid/client/setuid_sandbox_client.h
index 0f6db7a..c629391 100644
--- a/sandbox/linux/suid/client/setuid_sandbox_client.h
+++ b/sandbox/linux/suid/client/setuid_sandbox_client.h
@@ -46,6 +46,8 @@ class SANDBOX_EXPORT SetuidSandboxClient {
bool IsInNewPIDNamespace() const;
// Did the setuid helper create a new network namespace ?
bool IsInNewNETNamespace() const;
+ // Is sandboxed without SUID binary ?
+ bool IsNoSuid() const;
// Are we done and fully sandboxed ?
bool IsSandboxed() const;
@@ -53,6 +55,8 @@ class SANDBOX_EXPORT SetuidSandboxClient {
// helper.
void SetupLaunchEnvironment();
+ void SetNoSuid();
+
private:
// Holds the environment. Will never be NULL.
base::Environment* env_;
diff --git a/sandbox/linux/suid/common/sandbox.h b/sandbox/linux/suid/common/sandbox.h
index 9345287..2db659e 100644
--- a/sandbox/linux/suid/common/sandbox.h
+++ b/sandbox/linux/suid/common/sandbox.h
@@ -15,6 +15,7 @@ static const char kAdjustOOMScoreSwitch[] = "--adjust-oom-score";
static const char kSandboxDescriptorEnvironmentVarName[] = "SBX_D";
static const char kSandboxHelperPidEnvironmentVarName[] = "SBX_HELPER_PID";
+static const char kSandboxNoSuidVarName[] = "SBX_NO_SUID";
static const long kSUIDSandboxApiNumber = 1;
static const char kSandboxEnvironmentApiRequest[] = "SBX_CHROME_API_RQ";


@ -0,0 +1,21 @@
# This file is autogenerated from update.sh in the parent directory.
{
dev = {
version = "36.0.1941.0";
sha256 = "12rhyq8hliwc8b3371h2axzlzabg99c06d02kl9ldag2kxfpsfps";
sha256bin32 = "1rbl5x0pjid5lypdplbqvcx4lgvr2rlbiv83ivvqb5dbg6p7886g";
sha256bin64 = "18440spj541w4bqjblb2wpf94slg4if176gprccbxw9sy6b7z38w";
};
beta = {
version = "35.0.1916.47";
sha256 = "0pq87aybfna4pgsf02v97lprj5kbsrzim7c44nqarmcvlj4l65ch";
sha256bin32 = "057l59any3hiqdg1gh4nxry542083lxdaychhljbrfkipq1gy4yv";
sha256bin64 = "07n8sqv234dg959id023w3mz5n9ascwrcmxq3px96bqgqim2vf8s";
};
stable = {
version = "34.0.1847.116";
sha256 = "04cpfav5rqa117igvzmrw0045r2ljxg5fqb46qgqvkgff30pjrfx";
sha256bin32 = "1k24j80xgc91p8ssynql9ifjdhpz6w7vl3pk9lvkr0sdhg16hlrf";
sha256bin64 = "16gidav4ilc95fr1d6832xzpyynfwnglbz7b33gq62vp8bj77da4";
};
}


@ -0,0 +1,118 @@
{ system ? builtins.currentSystem }:
let
inherit (import <nixpkgs> {}) lib writeText stdenv;
sources = if builtins.pathExists ./sources.nix
then import ./sources.nix
else null;
bucketURL = "http://commondatastorage.googleapis.com/"
+ "chromium-browser-official";
debURL = "https://dl.google.com/linux/chrome/deb/pool/main/g";
# Untrusted mirrors, don't try to update from them!
debMirrors = [
"http://95.31.35.30/chrome/pool/main/g"
"http://mirror.pcbeta.com/google/chrome/deb/pool/main/g"
];
tryChannel = channel: let
chan = builtins.getAttr channel sources;
in if sources != null then ''
oldver="${chan.version}";
echo -n "Checking if $oldver ($channel) is up to date..." >&2;
if [ "x$(get_newest_ver "$version" "$oldver")" != "x$oldver" ];
then
echo " no, getting sha256 for new version $version:" >&2;
sha256="$(prefetch_sha "$channel" "$version")" || return 1;
else
echo " yes, keeping old sha256." >&2;
sha256="${chan.sha256}";
${if (chan ? sha256bin32 && chan ? sha256bin64) then ''
sha256="$sha256.${chan.sha256bin32}.${chan.sha256bin64}";
'' else ''
sha256="$sha256.$(prefetch_deb_sha "$channel" "$version")";
''}
fi;
'' else ''
sha256="$(prefetch_sha "$channel" "$version")" || return 1;
'';
caseChannel = channel: ''
${channel}) ${tryChannel channel};;
'';
in rec {
getChannel = channel: let
chanAttrs = builtins.getAttr channel sources;
in {
inherit (chanAttrs) version;
main = {
url = "${bucketURL}/chromium-${chanAttrs.version}.tar.xz";
inherit (chanAttrs) sha256;
};
binary = let
pname = if channel == "dev"
then "google-chrome-unstable"
else "google-chrome-${channel}";
arch = if stdenv.is64bit then "amd64" else "i386";
relpath = "${pname}/${pname}_${chanAttrs.version}-1_${arch}.deb";
in lib.optionalAttrs (chanAttrs ? sha256bin64) {
urls = map (url: "${url}/${relpath}") ([ debURL ] ++ debMirrors);
sha256 = if stdenv.is64bit
then chanAttrs.sha256bin64
else chanAttrs.sha256bin32;
};
};
updateHelpers = writeText "update-helpers.sh" ''
prefetch_main_sha()
{
nix-prefetch-url "${bucketURL}/chromium-$2.tar.xz";
}
prefetch_deb_sha()
{
channel="$1";
version="$2";
case "$1" in
dev) pname="google-chrome-unstable";;
*) pname="google-chrome-$channel";;
esac;
deb_pre="${debURL}/$pname/$pname";
deb32=$(nix-prefetch-url "''${deb_pre}_$version-1_i386.deb");
deb64=$(nix-prefetch-url "''${deb_pre}_$version-1_amd64.deb");
echo "$deb32.$deb64";
return 0;
}
prefetch_sha()
{
echo "$(prefetch_main_sha "$@").$(prefetch_deb_sha "$@")";
return 0;
}
get_sha256()
{
channel="$1";
version="$2";
case "$channel" in
${lib.concatMapStrings caseChannel [ "stable" "dev" "beta" ]}
esac;
sha_insert "$version" "$sha256";
echo "$sha256";
return 0;
}
'';
}
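Review bot: `bucketURL` at the top of this file points at the chromium-browser-official bucket over plain http, and `prefetch_main_sha` hands that URL to nix-prefetch-url, so the sha256 that gets pinned in sources.nix is computed from an unauthenticated download made on the updater's machine. The same bucket is already fetched over https by the new v8 expression in this commit, so `bucketURL = "https://commondatastorage.googleapis.com/"` is a one-word change; the http entries in `debMirrors` are fine as they stand, since they only appear in fetch entries that are pinned by a hash. Separately, `prefetch_sha` always ends with `return 0` and `prefetch_deb_sha` never checks the status of its two nix-prefetch-url calls, so the `|| return 1` after the `prefetch_sha` calls in tryChannel can never fire and a failed download appears to yield a dotted string with empty components instead of an error. Adding `|| return 1` to each of the three nix-prefetch-url invocations and dropping the unconditional `return 0` from `prefetch_sha` would restore the failure path that update.sh's get_prev_sha256 relies on.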


@ -1,18 +0,0 @@
# This file is autogenerated from update.sh in the same directory.
{
dev = {
version = "35.0.1883.0";
url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-35.0.1883.0.tar.xz";
sha256 = "0qbv6prxl18y5824pfd13ng9798g561gzb6nypwp502hqr45jvb6";
};
beta = {
version = "34.0.1847.60";
url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-34.0.1847.60.tar.xz";
sha256 = "1na5d6z4a0wkabn7cj62vyiv3mmvcb6qdvrkyy6fj79h7gk2hb7k";
};
stable = {
version = "34.0.1847.116";
url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-34.0.1847.116.tar.xz";
sha256 = "04cpfav5rqa117igvzmrw0045r2ljxg5fqb46qgqvkgff30pjrfx";
};
}


@ -3,16 +3,9 @@
channels_url="http://omahaproxy.appspot.com/all?csv=1";
history_url="http://omahaproxy.appspot.com/history";
bucket_url="http://commondatastorage.googleapis.com/chromium-browser-official/";
output_file="$(cd "$(dirname "$0")" && pwd)/sources.nix";
base_path="$(cd "$(dirname "$0")" && pwd)/source";
nix_getattr()
{
input_file="$1";
attr="$2";
var="$(nix-instantiate --eval-only -A "$attr" "$output_file")";
echo "$var" | tr -d '\\"';
}
source "$(nix-build --no-out-link "$base_path/update.nix" -A updateHelpers)";
### poor mans key/value-store :-) ###
@ -53,39 +46,6 @@ get_newest_ver()
fi;
}
if [ -e "$output_file" ];
then
get_sha256()
{
channel="$1";
version="$2";
url="$3";
oldver="$(nix_getattr "$output_file" "$channel.version")";
echo -n "Checking if $oldver ($channel) is up to date..." >&2;
if [ "x$(get_newest_ver "$version" "$oldver")" != "x$oldver" ];
then
echo " no, getting sha256 for new version $version:" >&2;
sha256="$(nix-prefetch-url "$url")" || return 1;
else
echo " yes, keeping old sha256." >&2;
sha256="$(nix_getattr "$output_file" "$channel.sha256")" \
|| return 1;
fi;
sha_insert "$version" "$sha256";
echo "$sha256";
return 0;
}
else
get_sha256()
{
nix-prefetch-url "$3";
}
fi;
fetch_filtered_history()
{
curl -s "$history_url" | sed -nr 's/^'"linux,$1"',([^,]+).*$/\1/p';
@ -99,9 +59,8 @@ get_prev_sha256()
for version in $(fetch_filtered_history "$channel");
do
[ "x$version" = "x$current_version" ] && continue;
url="${bucket_url%/}/chromium-$version.tar.xz";
sha256="$(get_sha256 "$channel" "$version" "$url")" || continue;
echo "$sha256:$version:$url";
sha256="$(get_sha256 "$channel" "$version")" || continue;
echo "$sha256:$version";
return 0;
done;
}
@ -113,34 +72,39 @@ get_channel_exprs()
channel="${chline%%,*}";
version="${chline##*,}";
url="${bucket_url%/}/chromium-$version.tar.xz";
echo -n "Checking if sha256 of version $version is cached..." >&2;
if sha256="$(sha_lookup "$version")";
then
echo " yes: $sha256" >&2;
else
echo " no." >&2;
sha256="$(get_sha256 "$channel" "$version" "$url")";
sha256="$(get_sha256 "$channel" "$version")";
if [ $? -ne 0 ];
then
echo "Whoops, failed to fetch $version, trying previous" \
"versions:" >&2;
sha_ver_url="$(get_prev_sha256 "$channel" "$version")";
sha256="${sha_ver_url%%:*}";
ver_url="${sha_ver_url#*:}";
version="${ver_url%%:*}";
url="${ver_url#*:}";
sha_ver="$(get_prev_sha256 "$channel" "$version")";
sha256="${sha_ver%:*}";
version="${sha_ver#*:}";
fi;
fi;
sha_insert "$version" "$sha256";
main="${sha256%%.*}";
deb="${sha256#*.}";
deb32="${deb%.*}";
deb64="${deb#*.}";
echo " $channel = {";
echo " version = \"$version\";";
echo " url = \"$url\";";
echo " sha256 = \"$sha256\";";
echo " sha256 = \"$main\";";
if [ "x${deb#*[a-z0-9].[a-z0-9]}" != "x$deb" ];
then
echo " sha256bin32 = \"$deb32\";";
echo " sha256bin64 = \"$deb64\";";
fi;
echo " };";
done;
}
@ -151,8 +115,8 @@ omaha="$(curl -s "$channels_url")";
versions="$(echo "$omaha" | sed -nr -e 's/^linux,([^,]+,[^,]+).*$/\1/p')";
channel_exprs="$(get_channel_exprs "$versions")";
cat > "$output_file" <<-EOF
# This file is autogenerated from update.sh in the same directory.
cat > "$base_path/sources.nix" <<-EOF
# This file is autogenerated from update.sh in the parent directory.
{
$channel_exprs
}
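Review bot: get_channel_exprs writes the split hash straight into the generated expression without checking that the main component is present: `main="${sha256%%.*}"` is empty whenever the value returned by get_sha256 starts with a dot, which, from the helper defined in update.nix, appears to be what a failed tarball prefetch with successful deb prefetches produces, and the previous-version fallback only runs when get_sha256 returns non-zero. A guard such as `[ -n "$main" ] || { echo "No sha256 for $version, skipping" >&2; continue; }` placed before the `echo " $channel = {";` line keeps an empty `sha256 = "";` out of sources.nix. The `sha_insert "$version" "$sha256"` call a few lines above also caches the triple before any such check, so the guard should go ahead of it.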


@ -1,4 +1,4 @@
{ stdenv, fetchurl, fixedPoint ? false }:
{ stdenv, fetchurl, fixedPoint ? false, withCustomModes ? false }:
let
version = "1.1";
@ -11,7 +11,8 @@ stdenv.mkDerivation rec {
sha256 = "158xprn2086arvdib3vbbygz7z6jqkw2nci7nlywzzwallap0wmr";
};
configureFlags = stdenv.lib.optionalString fixedPoint "--enable-fixed-point";
configureFlags = stdenv.lib.optional fixedPoint "--enable-fixed-point"
++ stdenv.lib.optional withCustomModes "--enable-custom-modes";
doCheck = true;


@ -1,14 +1,20 @@
{stdenv, fetchurl, libpng, libjpeg}:
{ stdenv, fetchurl, libpng, libjpeg, giflib, libtiff }:
stdenv.mkDerivation rec {
name = "libwebp-0.1.3";
name = "libwebp-0.4.0";
src = fetchurl {
url = "http://webp.googlecode.com/files/${name}.tar.gz";
sha256 = "1fkssvg99s9ypswh4ywkirgcy1wmy3b6388f3cqj4a4vwdb89ca0";
sha256 = "0sadjkx8m6sf064r5gngjvz4b5246q3j27dlaml5b1k3x5vkb49i";
};
buildInputs = [ libpng libjpeg ];
buildInputs = [ libpng libjpeg giflib libtiff ];
configureFlags = [
"--enable-libwebpmux"
"--enable-libwebpdemux"
"--enable-libwebpdecoder"
];
meta = {
homepage = http://code.google.com/p/webp/;


@ -0,0 +1,14 @@
{ stdenv, zlib, autoconf, automake, libtool }:
stdenv.mkDerivation {
name = "minizip-${zlib.version}";
inherit (zlib) src;
nativeBuildInputs = [ autoconf automake libtool ];
buildInputs = [ zlib ];
preConfigure = ''
cd contrib/minizip
autoreconf -vfi
'';
}


@ -0,0 +1,65 @@
{ stdenv, fetchsvn, gyp, readline, python, which }:
assert readline != null;
let
system = stdenv.system;
arch = if system == "i686-linux" then "ia32" else if system == "x86_64-linux" || system == "x86_64-darwin" then "x64" else "";
version = "3.14.5.9";
in
assert arch != "";
stdenv.mkDerivation {
name = "v8-${version}";
src = fetchsvn {
url = "http://v8.googlecode.com/svn/tags/${version}";
sha256 = "18qp5qp5xrb6f00w01cklz358yrl54pks963f5rwvwz82d8sfyqr";
name = "v8-${version}-src";
};
patches = [ ./fix-GetLocalizedMessage-usage.patch ];
configurePhase = ''
mkdir build/gyp
ln -sv ${gyp}/bin/gyp build/gyp/gyp
'';
nativeBuildInputs = [ which ];
buildInputs = [ readline python ];
buildFlags = [
"library=shared"
"console=readline"
"${arch}.release"
];
# http://code.google.com/p/v8/issues/detail?id=2149
NIX_CFLAGS_COMPILE = "-Wno-unused-local-typedefs -Wno-aggressive-loop-optimizations";
enableParallelBuilding = true;
installPhase = ''
mkdir -p $out/bin
mkdir -p $out/lib
mv -v out/${arch}.release/d8 $out/bin
${if stdenv.system == "x86_64-darwin" then
"mv -v out/${arch}.release/libv8.dylib $out/lib"
else
"mv -v out/${arch}.release/lib.target/libv8.so $out/lib"}
mv -v include $out/
'';
postFixup = if stdenv.isDarwin then ''
install_name_tool -change /usr/local/lib/libv8.dylib $out/lib/libv8.dylib -change /usr/lib/libgcc_s.1.dylib ${stdenv.gcc.gcc}/lib/libgcc_s.1.dylib $out/bin/d8
install_name_tool -id $out/lib/libv8.dylib -change /usr/lib/libgcc_s.1.dylib ${stdenv.gcc.gcc}/lib/libgcc_s.1.dylib $out/lib/libv8.dylib
'' else null;
meta = with stdenv.lib; {
description = "V8 is Google's open source JavaScript engine";
platforms = platforms.linux ++ platforms.darwin;
license = licenses.bsd3;
};
}


@ -1,65 +1,66 @@
{ stdenv, fetchsvn, gyp, readline, python, which }:
{ stdenv, fetchurl, gyp, readline, python, which, icu }:
assert readline != null;
let
system = stdenv.system;
arch = if system == "i686-linux" then "ia32" else if system == "x86_64-linux" || system == "x86_64-darwin" then "x64" else "";
version = "3.14.5.9";
arch = if stdenv.is64bit then "x64" else "ia32";
in
assert arch != "";
stdenv.mkDerivation rec {
name = "v8-${version}";
version = "3.25.9";
stdenv.mkDerivation {
name = "v8-${version}";
src = fetchurl {
url = "https://commondatastorage.googleapis.com/chromium-browser-official/"
+ "${name}.tar.bz2";
sha256 = "0x6czv99dr701vljyb4ghyhhc5rmv7vfkpvigcnrqz2an9q1pc28";
};
src = fetchsvn {
url = "http://v8.googlecode.com/svn/tags/${version}";
sha256 = "18qp5qp5xrb6f00w01cklz358yrl54pks963f5rwvwz82d8sfyqr";
name = "v8-${version}-src";
};
configurePhase = ''
PYTHONPATH="tools/generate_shim_headers:$PYTHONPATH" \
${gyp}/bin/gyp \
-f make \
--generator-output="out" \
-Dflock_index=0 \
-Dv8_enable_i18n_support=1 \
-Duse_system_icu=1 \
-Dconsole=readline \
-Dcomponent=shared_library \
-Dv8_target_arch=${arch} \
--depth=. -Ibuild/standalone.gypi \
build/all.gyp
'';
patches = [ ./fix-GetLocalizedMessage-usage.patch ];
nativeBuildInputs = [ which ];
buildInputs = [ readline python icu ];
configurePhase = ''
mkdir build/gyp
ln -sv ${gyp}/bin/gyp build/gyp/gyp
'';
buildFlags = [
"LINK=g++"
"-C out"
"builddir=$(CURDIR)/Release"
"BUILDTYPE=Release"
];
nativeBuildInputs = [ which ];
buildInputs = [ readline python ];
enableParallelBuilding = true;
buildFlags = [
"library=shared"
"console=readline"
"${arch}.release"
];
installPhase = ''
install -vD out/Release/d8 "$out/bin/d8"
${if stdenv.system == "x86_64-darwin" then ''
install -vD out/Release/lib.target/libv8.dylib "$out/lib/libv8.dylib"
'' else ''
install -vD out/Release/lib.target/libv8.so "$out/lib/libv8.so"
''}
cp -vr include "$out/"
'';
# http://code.google.com/p/v8/issues/detail?id=2149
NIX_CFLAGS_COMPILE = "-Wno-unused-local-typedefs -Wno-aggressive-loop-optimizations";
postFixup = if stdenv.isDarwin then ''
install_name_tool -change /usr/local/lib/libv8.dylib $out/lib/libv8.dylib -change /usr/lib/libgcc_s.1.dylib ${stdenv.gcc.gcc}/lib/libgcc_s.1.dylib $out/bin/d8
install_name_tool -id $out/lib/libv8.dylib -change /usr/lib/libgcc_s.1.dylib ${stdenv.gcc.gcc}/lib/libgcc_s.1.dylib $out/lib/libv8.dylib
'' else null;
enableParallelBuilding = true;
installPhase = ''
mkdir -p $out/bin
mkdir -p $out/lib
mv -v out/${arch}.release/d8 $out/bin
${if stdenv.system == "x86_64-darwin" then
"mv -v out/${arch}.release/libv8.dylib $out/lib"
else
"mv -v out/${arch}.release/lib.target/libv8.so $out/lib"}
mv -v include $out/
'';
postFixup = if stdenv.isDarwin then ''
install_name_tool -change /usr/local/lib/libv8.dylib $out/lib/libv8.dylib -change /usr/lib/libgcc_s.1.dylib ${stdenv.gcc.gcc}/lib/libgcc_s.1.dylib $out/bin/d8
install_name_tool -id $out/lib/libv8.dylib -change /usr/lib/libgcc_s.1.dylib ${stdenv.gcc.gcc}/lib/libgcc_s.1.dylib $out/lib/libv8.dylib
'' else null;
meta = with stdenv.lib; {
description = "V8 is Google's open source JavaScript engine";
platforms = platforms.linux ++ platforms.darwin;
license = licenses.bsd3;
};
meta = with stdenv.lib; {
description = "V8 is Google's open source JavaScript engine";
platforms = platforms.linux ++ platforms.darwin;
license = licenses.bsd3;
};
}
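Review bot: The new `arch = if stdenv.is64bit then "x64" else "ia32";` maps every non-64-bit system to ia32 and every 64-bit one to x64, whereas the expression it replaces accepted only i686-linux, x86_64-linux and x86_64-darwin and let `assert arch != ""` reject anything else; with `meta.platforms` still set to `platforms.linux ++ platforms.darwin`, a build on a non-x86 system would now pass a wrong `-Dv8_target_arch` to gyp instead of failing at evaluation. Keeping an explicit system check, e.g. `arch = if stdenv.system == "i686-linux" then "ia32" else if stdenv.system == "x86_64-linux" || stdenv.system == "x86_64-darwin" then "x64" else throw "v8: unsupported system ${stdenv.system}";`, preserves the old behaviour. It is not clear from the rendered section whether the `assert arch != "";` line survives on the new side; if it does, it is now unconditionally true and can go.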


@ -40,4 +40,6 @@ stdenv.mkDerivation rec {
# zlib doesn't like the automatic --disable-shared from the Cygwin stdenv.
cygwinConfigureEnableShared = true;
passthru.version = version;
}


@ -1,4 +1,4 @@
{ stdenv, fetchurl, openssl, python, zlib, v8, utillinux, http-parser, c-ares, pkgconfig, runCommand }:
{ stdenv, fetchurl, openssl, python, zlib, v8_3_14, utillinux, http-parser, c-ares, pkgconfig, runCommand }:
let
dtrace = runCommand "dtrace-native" {} ''
@ -10,7 +10,7 @@ let
# !!! Should we also do shared libuv?
deps = {
inherit v8 openssl zlib http-parser;
inherit v8_3_14 openssl zlib http-parser;
cares = c-ares;
};


@ -1,4 +1,4 @@
{ stdenv, fetchurl, scons, boost, v8, gperftools, pcre, snappy }:
{ stdenv, fetchurl, scons, boost, v8_3_14, gperftools, pcre, snappy }:
let version = "2.4.8"; in stdenv.mkDerivation rec {
name = "mongodb-${version}";
@ -8,7 +8,7 @@ let version = "2.4.8"; in stdenv.mkDerivation rec {
sha256 = "1p6gnharypglfp39halp72fig96fqjhakyy7m76a1prxwpjkqw7x";
};
nativeBuildInputs = [ scons boost v8 gperftools pcre snappy ];
nativeBuildInputs = [ scons boost v8_3_14 gperftools pcre snappy ];
postPatch = ''
substituteInPlace SConstruct \


@ -1,4 +1,4 @@
{ stdenv, fetchurl, which, protobuf, v8, ncurses, gperftools, boost, m4 }:
{ stdenv, fetchurl, which, protobuf, v8_3_14, ncurses, gperftools, boost, m4 }:
stdenv.mkDerivation rec {
name = "rethinkdb-1.11.2";
@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
configureFlags = "--lib-path ${gperftools}/lib";
buildInputs = [ protobuf v8 ncurses boost ];
buildInputs = [ protobuf v8_3_14 ncurses boost ];
nativeBuildInputs = [ which m4 ];


@ -5409,6 +5409,8 @@ let
ming = callPackage ../development/libraries/ming { };
minizip = callPackage ../development/libraries/minizip { };
minmay = callPackage ../development/libraries/minmay { };
miro = callPackage ../applications/video/miro {
@ -6156,7 +6158,13 @@ let
inherit (gnome) libsoup;
};
v8 = callPackage ../development/libraries/v8 { inherit (pythonPackages) gyp; };
v8 = callPackage ../development/libraries/v8 {
inherit (pythonPackages) gyp;
};
v8_3_14 = callPackage ../development/libraries/v8/3.14.nix {
inherit (pythonPackages) gyp;
};
xmlsec = callPackage ../development/libraries/xmlsec { };
@ -7750,7 +7758,6 @@ let
chromium = lowPrio (callPackage ../applications/networking/browsers/chromium {
channel = "stable";
gconf = gnome.GConf;
pulseSupport = config.pulseaudio or true;
});