diff --git a/pkgs/applications/networking/browsers/chromium/browser.nix b/pkgs/applications/networking/browsers/chromium/browser.nix
new file mode 100644
index 00000000000..a4b99bc5802
--- /dev/null
+++ b/pkgs/applications/networking/browsers/chromium/browser.nix
@@ -0,0 +1,40 @@
+{ stdenv, mkChromiumDerivation }:
+
+with stdenv.lib;
+
+mkChromiumDerivation (base: rec {
+ name = "chromium-browser";
+ packageName = "chromium";
+ buildTargets = [ "chrome" ];
+
+ installPhase = ''
+ ensureDir "$libExecPath"
+ cp -v "$buildPath/"*.pak "$libExecPath/"
+ cp -v "$buildPath/icudtl.dat" "$libExecPath/"
+ cp -vR "$buildPath/locales" "$buildPath/resources" "$libExecPath/"
+ cp -v $buildPath/libffmpegsumo.so "$libExecPath/"
+
+ cp -v "$buildPath/chrome" "$libExecPath/$packageName"
+
+ mkdir -vp "$out/share/man/man1"
+ cp -v "$buildPath/chrome.1" "$out/share/man/man1/$packageName.1"
+
+ for icon_file in chrome/app/theme/chromium/product_logo_*[0-9].png; do
+ num_and_suffix="''${icon_file##*logo_}"
+ icon_size="''${num_and_suffix%.*}"
+ expr "$icon_size" : "^[0-9][0-9]*$" || continue
+ logo_output_prefix="$out/share/icons/hicolor"
+ logo_output_path="$logo_output_prefix/''${icon_size}x''${icon_size}/apps"
+ mkdir -vp "$logo_output_path"
+ cp -v "$icon_file" "$logo_output_path/$packageName.png"
+ done
+ '';
+
+ meta = {
+ description = "An open source web browser from Google";
+ homepage = http://www.chromium.org/;
+ maintainers = with maintainers; [ goibhniu chaoflow aszlig wizeman ];
+ license = licenses.bsd3;
+ platforms = platforms.linux;
+ };
+})
diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix
new file mode 100644
index 00000000000..7bed83ac4c6
--- /dev/null
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@@ -0,0 +1,201 @@
+{ stdenv, fetchurl, ninja, which
+
+# default dependencies
+, bzip2, flac, speex, icu, libopus
+, libevent, expat, libjpeg, snappy
+, libpng, libxml2, libxslt
+, xdg_utils, yasm, minizip, libwebp
+, libusb1, libexif, pciutils
+
+, python, pythonPackages, perl, pkgconfig
+, nspr, udev, krb5
+, utillinux, alsaLib
+, gcc, bison, gperf
+, glib, gtk, dbus_glib
+, libXScrnSaver, libXcursor, libXtst, mesa
+, protobuf, speechd, libXdamage
+
+# optional dependencies
+, libgcrypt ? null # gnomeSupport || cupsSupport
+
+# package customization
+, enableSELinux ? false, libselinux ? null
+, enableNaCl ? false
+, useOpenSSL ? false, nss ? null, openssl ? null
+, gnomeSupport ? false, gnome ? null
+, gnomeKeyringSupport ? false, libgnome_keyring3 ? null
+, proprietaryCodecs ? true
+, cupsSupport ? false
+, pulseSupport ? false, pulseaudio ? null
+
+, source
+, plugins
+}:
+
+buildFun:
+
+with stdenv.lib;
+
+let
+ # The additional attributes for creating derivations based on the chromium
+ # source tree.
+ extraAttrs = buildFun base;
+
+ mkGypFlags =
+ let
+ sanitize = value:
+ if value == true then "1"
+ else if value == false then "0"
+ else "${value}";
+ toFlag = key: value: "-D${key}=${sanitize value}";
+ in attrs: concatStringsSep " " (attrValues (mapAttrs toFlag attrs));
+
+ gypFlagsUseSystemLibs = {
+ use_system_bzip2 = true;
+ use_system_flac = true;
+ use_system_libevent = true;
+ use_system_libexpat = true;
+ use_system_libexif = true;
+ use_system_libjpeg = true;
+ use_system_libpng = true;
+ use_system_libwebp = true;
+ use_system_libxml = true;
+ use_system_opus = true;
+ use_system_snappy = true;
+ use_system_speex = true;
+ use_system_ssl = useOpenSSL;
+ use_system_stlport = true;
+ use_system_xdg_utils = true;
+ use_system_yasm = true;
+ use_system_zlib = false;
+ use_system_protobuf = true;
+
+ use_system_harfbuzz = false;
+ use_system_icu = false; # Doesn't support ICU 52 yet.
+ use_system_libusb = false; # http://crbug.com/266149 + use_system_skia = false; + use_system_sqlite = false; # http://crbug.com/22208 + use_system_v8 = false; + }; + + opusWithCustomModes = libopus.override { + withCustomModes = !versionOlder source.version "35.0.0.0"; + }; + + defaultDependencies = [ + bzip2 flac speex icu opusWithCustomModes + libevent expat libjpeg snappy + libpng libxml2 libxslt + xdg_utils yasm minizip libwebp + libusb1 libexif + ]; + + # build paths and release info + packageName = extraAttrs.packageName or extraAttrs.name; + buildType = "Release"; + buildPath = "out/${buildType}"; + libExecPath = "$out/libexec/${packageName}"; + + base = rec { + name = "${packageName}-${version}"; + inherit (source) version; + inherit packageName buildType buildPath; + src = source; + + buildInputs = defaultDependencies ++ [ + which + python perl pkgconfig + nspr udev + (if useOpenSSL then openssl else nss) + utillinux alsaLib + gcc bison gperf krb5 + glib gtk dbus_glib + libXScrnSaver libXcursor libXtst mesa + pciutils protobuf speechd libXdamage + pythonPackages.gyp pythonPackages.ply pythonPackages.jinja2 + ] ++ optional gnomeKeyringSupport libgnome_keyring3 + ++ optionals gnomeSupport [ gnome.GConf libgcrypt ] + ++ optional enableSELinux libselinux + ++ optional cupsSupport libgcrypt + ++ optional pulseSupport pulseaudio; + + # XXX: Wait for https://crbug.com/239107 and https://crbug.com/239181 to + # be fixed, then try again to unbundle everything into separate + # derivations. + prePatch = '' + cp -dsr --no-preserve=mode "${source.main}"/* . 
+ cp -dsr --no-preserve=mode "${source.sandbox}" sandbox + cp -dr "${source.bundled}" third_party + chmod -R u+w third_party + + # Hardcode source tree root in all gyp files + find -iname '*.gyp*' \( -type f -o -type l \) \ + -exec sed -i -e 's|<(DEPTH)|'"$(pwd)"'|g' {} + \ + -exec chmod u+w {} + + ''; + + postPatch = '' + sed -i -e '/base::FilePath exe_dir/,/^ *} *$/c \ + sandbox_binary = base::FilePath(getenv("CHROMIUM_SANDBOX_BINARY_PATH")); + ' content/browser/browser_main_loop.cc + ''; + + gypFlags = mkGypFlags (gypFlagsUseSystemLibs // { + linux_use_gold_binary = false; + linux_use_gold_flags = false; + proprietary_codecs = false; + use_gnome_keyring = gnomeKeyringSupport; + use_gconf = gnomeSupport; + use_gio = gnomeSupport; + use_pulseaudio = pulseSupport; + disable_nacl = !enableNaCl; + use_openssl = useOpenSSL; + selinux = enableSELinux; + use_cups = cupsSupport; + linux_sandbox_chrome_path="${libExecPath}/${packageName}"; + werror = ""; + + # Google API keys, see: + # http://www.chromium.org/developers/how-tos/api-keys + # Note: These are for NixOS/nixpkgs use ONLY. For your own distribution, + # please get your own set of keys. + google_api_key = "AIzaSyDGi15Zwl11UNe6Y-5XW_upsfyw31qwZPI"; + google_default_client_id = "404761575300.apps.googleusercontent.com"; + google_default_client_secret = "9rIFQjfnkykEmqb6FfjJQD1D"; + + } // optionalAttrs proprietaryCodecs { + # enable support for the H.264 codec + proprietary_codecs = true; + ffmpeg_branding = "Chrome"; + } // optionalAttrs (stdenv.system == "x86_64-linux") { + target_arch = "x64"; + python_arch = "x86-64"; + } // optionalAttrs (stdenv.system == "i686-linux") { + target_arch = "ia32"; + python_arch = "ia32"; + } // (extraAttrs.gypFlags or {})); + + configurePhase = '' + # This is to ensure expansion of $out. 
+ libExecPath="${libExecPath}" + python build/linux/unbundle/replace_gyp_files.py ${gypFlags} + python build/gyp_chromium -f ninja --depth "$(pwd)" ${gypFlags} + ''; + + buildPhase = let + CC = "${gcc}/bin/gcc"; + CXX = "${gcc}/bin/g++"; + in '' + CC="${CC}" CC_host="${CC}" \ + CXX="${CXX}" CXX_host="${CXX}" \ + LINK_host="${CXX}" \ + "${ninja}/bin/ninja" -C "${buildPath}" \ + -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES \ + ${concatStringsSep " " (extraAttrs.buildTargets or [])} + ''; + }; + +# Remove some extraAttrs we supplied to the base attributes already. +in stdenv.mkDerivation (base // removeAttrs extraAttrs [ + "name" "gypFlags" "buildTargets" +]) diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix index 213e75ee6ef..9e906191afe 100644 --- a/pkgs/applications/networking/browsers/chromium/default.nix +++ b/pkgs/applications/networking/browsers/chromium/default.nix 
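Review bot: The line injected by `postPatch`, `sandbox_binary = base::FilePath(getenv("CHROMIUM_SANDBOX_BINARY_PATH"));`, passes the result of `getenv` straight into `base::FilePath` with no null check, so starting the browser without the wrapper (for example the `libexec` binary of this derivation on its own) presumably constructs a string from a null pointer. The injected text should handle the unset case explicitly, e.g. `const char* sb = getenv("CHROMIUM_SANDBOX_BINARY_PATH");` followed by `sandbox_binary = base::FilePath(sb ? sb : "");`, or abort with a clear message if running without a helper is not acceptable. Since the helper path used to be compiled in as a store path and is now whatever the process environment says, a comment above the `sed` should state that the environment decides which sandbox binary is used, or whether one is used at all. The C++ block that the `sed` range replaces in `content/browser/browser_main_loop.cc` is not visible in this hunk, so the surrounding declarations need to be checked against the real file.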
@@ -1,287 +1,85 @@ -{ stdenv, fetchurl, makeWrapper, ninja, which - -# default dependencies -, bzip2, flac, speex -, libevent, expat, libjpeg -, libpng, libxml2, libxslt -, xdg_utils, yasm, zlib -, libusb1, libexif, pciutils - -, python, pythonPackages, perl, pkgconfig -, nspr, udev, krb5 -, utillinux, alsaLib -, gcc, bison, gperf -, glib, gtk, dbus_glib -, libXScrnSaver, libXcursor, libXtst, mesa -, protobuf, speechd, libXdamage - -# optional dependencies -, libgcrypt ? null # gnomeSupport || cupsSupport +{ newScope, stdenv, makeWrapper, makeDesktopItem # package customization , channel ? "stable" -, enableSELinux ? false, libselinux ? null +, enableSELinux ? false , enableNaCl ? false -, useOpenSSL ? false, nss ? null, openssl ? null -, gnomeSupport ? false, gconf ? null -, gnomeKeyringSupport ? false, libgnome_keyring ? null +, useOpenSSL ? false +, gnomeSupport ? false +, gnomeKeyringSupport ? false , proprietaryCodecs ? true +, enablePepperFlash ? false +, enablePepperPDF ? false , cupsSupport ? false -, pulseSupport ? false, pulseaudio ? null +, pulseSupport ? 
false }: -with stdenv.lib; - let - src = with getAttr channel (import ./sources.nix); stdenv.mkDerivation { - name = "chromium-source-${version}"; + callPackage = newScope chromium; - src = fetchurl { - inherit url sha256; + chromium = { + source = callPackage ./source { + inherit channel; + # XXX: common config + inherit useOpenSSL; }; - buildInputs = [ python ]; # cannot patch shebangs otherwise + mkChromiumDerivation = callPackage ./common.nix { + inherit enableSELinux enableNaCl useOpenSSL gnomeSupport + gnomeKeyringSupport proprietaryCodecs cupsSupport + pulseSupport; + }; - phases = [ "unpackPhase" "patchPhase" "installPhase" ]; + browser = callPackage ./browser.nix { }; + sandbox = callPackage ./sandbox.nix { }; - opensslPatches = optional useOpenSSL openssl.patches; - - prePatch = "patchShebangs ."; - - patches = singleton ./sandbox_userns_31.patch; - - postPatch = '' - sed -i -r \ - -e 's/-f(stack-protector)(-all)?/-fno-\1/' \ - -e 's|/bin/echo|echo|' \ - -e "/python_arch/s/: *'[^']*'/: '""'/" \ - build/common.gypi chrome/chrome_tests.gypi - sed -i '/not RunGN/,+1d' build/gyp_chromium - sed -i -e 's|/usr/bin/gcc|gcc|' \ - third_party/WebKit/Source/build/scripts/scripts.gypi \ - third_party/WebKit/Source/build/scripts/preprocessor.pm - '' + optionalString useOpenSSL '' - cat $opensslPatches | patch -p1 -d third_party/openssl/openssl - '' + optionalString (!versionOlder version "34.0.0.0") '' - sed -i '/import.*depot/d' build/gyp_chromium - ''; - - outputs = [ "out" "sandbox" "bundled" "main" ]; - installPhase = '' - ensureDir "$out" "$sandbox" "$bundled" "$main" - - header "copying browser main sources to $main" - find . -mindepth 1 -maxdepth 1 \ - \! -path ./sandbox \ - \! -path ./third_party \ - \! -path ./build \ - \! -path ./tools \ - \! 
-name '.*' \ - -print | xargs cp -rt "$main" - stopNest - - header "copying sandbox components to $sandbox" - cp -rt "$sandbox" sandbox/* - stopNest - - header "copying third party sources to $bundled" - cp -rt "$bundled" third_party/* - stopNest - - header "copying build requisites to $out" - cp -rt "$out" build tools - stopNest - - rm -rf "$out/tools/gyp" # XXX: Don't even copy it in the first place. - ''; - - passthru = { - inherit version; + plugins = callPackage ./plugins.nix { + inherit enablePepperFlash enablePepperPDF; }; }; - mkGypFlags = - let - sanitize = value: - if value == true then "1" - else if value == false then "0" - else "${value}"; - toFlag = key: value: "-D${key}=${sanitize value}"; - in attrs: concatStringsSep " " (attrValues (mapAttrs toFlag attrs)); - - gypFlagsUseSystemLibs = { - use_system_bzip2 = true; - use_system_flac = true; - use_system_libevent = true; - use_system_libexpat = true; - use_system_libexif = true; - use_system_libjpeg = true; - use_system_libpng = false; # PNG dlopen() version conflict - use_system_libusb = true; - use_system_libxml = true; - use_system_speex = true; - use_system_ssl = useOpenSSL; - use_system_stlport = true; - use_system_xdg_utils = true; - use_system_yasm = true; - use_system_zlib = false; # http://crbug.com/143623 - use_system_protobuf = true; - - use_system_harfbuzz = false; - use_system_icu = false; - use_system_libwebp = false; # http://crbug.com/133161 - use_system_skia = false; - use_system_sqlite = false; # http://crbug.com/22208 - use_system_v8 = false; + desktopItem = makeDesktopItem { + name = "Chromium"; + exec = "chromium"; + icon = "chromium"; + comment = "An open source web browser from Google"; + desktopName = "Chromium"; + genericName = "Web browser"; + mimeType = stdenv.lib.concatStringsSep ";" [ + "text/html" + "text/xml" + "application/xhtml+xml" + "x-scheme-handler/http" + "x-scheme-handler/https" + "x-scheme-handler/ftp" + "x-scheme-handler/mailto" + "x-scheme-handler/webcal" + ]; 
+ categories = "Network;WebBrowser"; }; - defaultDependencies = [ - bzip2 flac speex - libevent expat libjpeg - libpng libxml2 libxslt - xdg_utils yasm zlib - libusb1 libexif - ]; +in stdenv.mkDerivation { + name = "chromium-${channel}-${chromium.browser.version}"; - sandbox = import ./sandbox.nix { - inherit stdenv; - src = src.sandbox; - binary = "${packageName}_sandbox"; - }; + buildInputs = [ makeWrapper ]; - # build paths and release info - packageName = "chromium"; - buildType = "Release"; - buildPath = "out/${buildType}"; - libExecPath = "$out/libexec/${packageName}"; - sandboxPath = "${sandbox}/bin/${packageName}_sandbox"; - -in stdenv.mkDerivation rec { - name = "${packageName}-${src.version}"; - inherit packageName src; - - buildInputs = defaultDependencies ++ [ - which makeWrapper - python perl pkgconfig - nspr udev - (if useOpenSSL then openssl else nss) - utillinux alsaLib - gcc bison gperf krb5 - glib gtk dbus_glib - libXScrnSaver libXcursor libXtst mesa - pciutils protobuf speechd libXdamage - pythonPackages.gyp - ] ++ optional gnomeKeyringSupport libgnome_keyring - ++ optionals gnomeSupport [ gconf libgcrypt ] - ++ optional enableSELinux libselinux - ++ optional cupsSupport libgcrypt - ++ optional pulseSupport pulseaudio; - - prePatch = '' - # XXX: Figure out a way how to split these properly. - #cpflags="-dsr --no-preserve=mode" - cpflags="-dr" - cp $cpflags "${src.main}"/* . - cp $cpflags "${src.bundled}" third_party - cp $cpflags "${src.sandbox}" sandbox - chmod -R u+w . # XXX! 
- ''; - - postPatch = '' - sed -i -e '/base::FilePath exe_dir/,/^ *} *$/c \ - sandbox_binary = \ - base::FilePath("'"${sandboxPath}"'"); - ' content/browser/browser_main_loop.cc - ''; - - gypFlags = mkGypFlags (gypFlagsUseSystemLibs // { - linux_use_gold_binary = false; - linux_use_gold_flags = false; - proprietary_codecs = false; - use_gnome_keyring = gnomeKeyringSupport; - use_gconf = gnomeSupport; - use_gio = gnomeSupport; - use_pulseaudio = pulseSupport; - disable_nacl = !enableNaCl; - use_openssl = useOpenSSL; - selinux = enableSELinux; - use_cups = cupsSupport; - linux_sandbox_path="${sandboxPath}"; - linux_sandbox_chrome_path="${libExecPath}/${packageName}"; - werror = ""; - - # Google API keys, see http://www.chromium.org/developers/how-tos/api-keys. - # Note: These are for NixOS/nixpkgs use ONLY. For your own distribution, - # please get your own set of keys. - google_api_key = "AIzaSyDGi15Zwl11UNe6Y-5XW_upsfyw31qwZPI"; - google_default_client_id = "404761575300.apps.googleusercontent.com"; - google_default_client_secret = "9rIFQjfnkykEmqb6FfjJQD1D"; - - } // optionalAttrs proprietaryCodecs { - # enable support for the H.264 codec - proprietary_codecs = true; - ffmpeg_branding = "Chrome"; - } // optionalAttrs (stdenv.system == "x86_64-linux") { - target_arch = "x64"; - python_arch = "x86-64"; - } // optionalAttrs (stdenv.system == "i686-linux") { - target_arch = "ia32"; - python_arch = "ia32"; - }); - - configurePhase = '' - python build/gyp_chromium -f ninja --depth "$(pwd)" ${gypFlags} - ''; - - buildPhase = let - CC = "${gcc}/bin/gcc"; - CXX = "${gcc}/bin/g++"; + buildCommand = let + browserBinary = "${chromium.browser}/libexec/chromium/chromium"; + sandboxBinary = "${chromium.sandbox}/bin/chromium-sandbox"; in '' - CC="${CC}" CC_host="${CC}" \ - CXX="${CXX}" CXX_host="${CXX}" \ - LINK_host="${CXX}" \ - "${ninja}/bin/ninja" -C "${buildPath}" \ - -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES \ - chrome ${optionalString (!enableSELinux) "chrome_sandbox"} + 
ensureDir "$out/bin" "$out/share/applications" + + ln -s "${chromium.browser}/share" "$out/share" + makeWrapper "${browserBinary}" "$out/bin/chromium" \ + --set CHROMIUM_SANDBOX_BINARY_PATH "${sandboxBinary}" \ + --add-flags "${chromium.plugins.flagsEnabled}" + + cp -v "${desktopItem}/share/applications/"* "$out/share/applications" ''; - installPhase = '' - ensureDir "${libExecPath}" - cp -v "${buildPath}/"*.pak "${libExecPath}/" - ${optionalString (!versionOlder src.version "34.0.0.0") '' - cp -v "${buildPath}/icudtl.dat" "${libExecPath}/" - ''} - cp -vR "${buildPath}/locales" "${buildPath}/resources" "${libExecPath}/" - cp -v ${buildPath}/libffmpegsumo.so "${libExecPath}/" - - cp -v "${buildPath}/chrome" "${libExecPath}/${packageName}" - - mkdir -vp "$out/bin" - makeWrapper "${libExecPath}/${packageName}" "$out/bin/${packageName}" - - mkdir -vp "$out/share/man/man1" - cp -v "${buildPath}/chrome.1" "$out/share/man/man1/${packageName}.1" - - for icon_file in chrome/app/theme/chromium/product_logo_*[0-9].png; do - num_and_suffix="''${icon_file##*logo_}" - icon_size="''${num_and_suffix%.*}" - expr "$icon_size" : "^[0-9][0-9]*$" || continue - logo_output_prefix="$out/share/icons/hicolor" - logo_output_path="$logo_output_prefix/''${icon_size}x''${icon_size}/apps" - mkdir -vp "$logo_output_path" - cp -v "$icon_file" "$logo_output_path/${packageName}.png" - done - ''; + inherit (chromium.browser) meta packageName; passthru = { - inherit sandbox; - }; - - meta = { - description = "An open source web browser from Google"; - homepage = http://www.chromium.org/; - maintainers = with maintainers; [ goibhniu chaoflow aszlig wizeman ]; - license = licenses.bsd3; - platforms = platforms.linux; + mkDerivation = chromium.mkChromiumDerivation; }; } diff --git a/pkgs/applications/networking/browsers/chromium/plugins.nix b/pkgs/applications/networking/browsers/chromium/plugins.nix new file mode 100644 index 00000000000..f760b06fe24 --- /dev/null 
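Review bot: `sandboxBinary` is an ordinary store path, and files in the Nix store cannot carry the setuid bit, so with the wrapper's `--set CHROMIUM_SANDBOX_BINARY_PATH` the ownership and `S_ISUID` test in `sandbox_userns_36.patch` (shown further down this page) should always select the user-namespace branch; when that launch fails the patch logs an error and starts the zygote with no sandbox wrapper at all. That is a quiet loss of the sandbox on kernels without unprivileged user namespaces, and it should at least be recorded where the wrapper is built, for instance `# chromium-sandbox in the store is not setuid: sandboxing depends on user namespaces, and the patched zygote runs unsandboxed when they are unavailable`. Separately, `ensureDir` has already created `$out/share` by the time `ln -s "${chromium.browser}/share" "$out/share"` runs, so the link ends up at `$out/share/share` and the icons and man page are not reachable under `$out/share`; linking the entries of the browser's `share` directory one by one would avoid that.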
+++ b/pkgs/applications/networking/browsers/chromium/plugins.nix 
@@ -0,0 +1,78 @@ +{ stdenv +, enablePepperFlash ? false +, enablePepperPDF ? false + +, source +}: + +with stdenv.lib; + +let + plugins = stdenv.mkDerivation { + name = "chromium-binary-plugins"; + + # XXX: Only temporary and has to be version-specific + src = source.plugins; + + phases = [ "unpackPhase" "patchPhase" "checkPhase" "installPhase" ]; + outputs = [ "pdf" "flash" ]; + + unpackCmd = let + chan = if source.channel == "dev" then "chrome-unstable" + else if source.channel == "stable" then "chrome" + else "chrome-${source.channel}"; + in '' + ensureDir plugins + ar p "$src" data.tar.lzma | tar xJ -C plugins --strip-components=4 \ + ./opt/google/${chan}/PepperFlash \ + ./opt/google/${chan}/libpdf.so + ''; + + doCheck = true; + checkPhase = '' + ! find -iname '*.so' -exec ldd {} + | grep 'not found' + ''; + + patchPhase = let + rpaths = [ stdenv.gcc.gcc ]; + mkrpath = p: "${makeSearchPath "lib64" p}:${makeSearchPath "lib" p}"; + in '' + for sofile in PepperFlash/libpepflashplayer.so libpdf.so; do + chmod +x "$sofile" + patchelf --set-rpath "${mkrpath rpaths}" "$sofile" + done + ''; + + installPhase = let + pdfName = "Chrome PDF Viewer"; + pdfDescription = "Portable Document Format"; + pdfMimeTypes = concatStringsSep ";" [ + "application/pdf" + "application/x-google-chrome-print-preview-pdf" + ]; + pdfInfo = "#${pdfName}#${pdfDescription};${pdfMimeTypes}"; + in '' + install -vD libpdf.so "$pdf/lib/libpdf.so" + ensureDir "$pdf/nix-support" + echo "--register-pepper-plugins='$pdf/lib/libpdf.so${pdfInfo}'" \ + > "$pdf/nix-support/chromium-flags" + + flashVersion="$( + sed -n -r 's/.*"version": "([^"]+)",.*/\1/p' PepperFlash/manifest.json + )" + + install -vD PepperFlash/libpepflashplayer.so \ + "$flash/lib/libpepflashplayer.so" + ensureDir "$flash/nix-support" + echo "--ppapi-flash-path='$flash/lib/libpepflashplayer.so'" \ + "--ppapi-flash-version=$flashVersion" \ + > "$flash/nix-support/chromium-flags" + ''; + + passthru.flagsEnabled = let + enabledPlugins = 
optional enablePepperFlash plugins.flash + ++ optional enablePepperPDF plugins.pdf; + getFlags = plugin: "$(< ${plugin}/nix-support/chromium-flags)"; + in concatStringsSep " " (map getFlags enabledPlugins); + }; +in plugins diff --git a/pkgs/applications/networking/browsers/chromium/sandbox.nix b/pkgs/applications/networking/browsers/chromium/sandbox.nix index b43385e8633..b470ed63325 100644 --- a/pkgs/applications/networking/browsers/chromium/sandbox.nix +++ b/pkgs/applications/networking/browsers/chromium/sandbox.nix @@ -1,12 +1,13 @@ -{ stdenv, src, binary }: +{ stdenv, source }: stdenv.mkDerivation { - name = "chromium-sandbox-${src.version}"; - inherit src; + name = "chromium-sandbox-${source.version}"; + src = source.sandbox; patchPhase = '' sed -i -e '/#include.*base_export/c \ #define BASE_EXPORT __attribute__((visibility("default"))) + /#include/s|sandbox/linux|'"$(pwd)"'/linux| ' linux/suid/*.[hc] ''; @@ -15,6 +16,6 @@ stdenv.mkDerivation { ''; installPhase = '' - install -svD sandbox "$out/bin/${binary}" + install -svD sandbox "$out/bin/chromium-sandbox" ''; } diff --git a/pkgs/applications/networking/browsers/chromium/source/default.nix b/pkgs/applications/networking/browsers/chromium/source/default.nix new file mode 100644 index 00000000000..2c7e7277b81 --- /dev/null +++ b/pkgs/applications/networking/browsers/chromium/source/default.nix 
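Review bot: The `checkPhase` in plugins.nix runs `ldd` over shared objects unpacked from the downloaded Chrome package, and `ldd` is documented as unsafe on untrusted files because it may run the loader on the file it inspects; the check also passes whenever the text `not found` is absent, which includes the case where `find` or `ldd` fails outright. If the check stays, a comment such as `# ldd is only acceptable here because the input is hash-pinned and this runs inside the build sandbox` should say so, and the phase should fail when `ldd` itself errors rather than only when it prints `not found`. These closed-source objects are then loaded into the browser through `--register-pepper-plugins` and `--ppapi-flash-path`, so a note at `src = source.plugins;` that their integrity rests on the hash of the `binary` download (presumably pinned in `update.nix`, which is not visible here) would help the next reader.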
@@ -0,0 +1,79 @@ +{ stdenv, fetchurl, python +, channel ? "stable" +, useOpenSSL # XXX +}: + +with stdenv.lib; + +with (import ./update.nix { + inherit (stdenv) system; +}).getChannel channel; + +stdenv.mkDerivation { + name = "chromium-source-${version}"; + + src = fetchurl main; + + buildInputs = [ python ]; # cannot patch shebangs otherwise + + phases = [ "unpackPhase" "patchPhase" "installPhase" ]; + + opensslPatches = optional useOpenSSL openssl.patches; + + prePatch = "patchShebangs ."; + + patches = if (versionOlder version "36.0.0.0") + then singleton ./sandbox_userns_31.patch + else singleton ./sandbox_userns_36.patch; + + postPatch = '' + sed -i -r \ + -e 's/-f(stack-protector)(-all)?/-fno-\1/' \ + -e 's|/bin/echo|echo|' \ + -e "/python_arch/s/: *'[^']*'/: '""'/" \ + build/common.gypi chrome/chrome_tests.gypi + sed -i -e '/not RunGN/,+1d' -e '/import.*depot/d' build/gyp_chromium + sed -i -e 's|/usr/bin/gcc|gcc|' \ + third_party/WebKit/Source/build/scripts/scripts.gypi \ + third_party/WebKit/Source/build/scripts/preprocessor.pm + '' + optionalString useOpenSSL '' + cat $opensslPatches | patch -p1 -d third_party/openssl/openssl + '' + optionalString (!versionOlder version "34.0.0.0") '' + ''; + + outputs = [ "out" "sandbox" "bundled" "main" ]; + installPhase = '' + ensureDir "$out" "$sandbox" "$bundled" "$main" + + header "copying browser main sources to $main" + find . -mindepth 1 -maxdepth 1 \ + \! -path ./sandbox \ + \! -path ./third_party \ + \! -path ./build \ + \! -path ./tools \ + \! -name '.*' \ + -print | xargs cp -rt "$main" + stopNest + + header "copying sandbox components to $sandbox" + cp -rt "$sandbox" sandbox/* + stopNest + + header "copying third party sources to $bundled" + cp -rt "$bundled" third_party/* + stopNest + + header "copying build requisites to $out" + cp -rt "$out" build tools + stopNest + + rm -rf "$out/tools/gyp" # XXX: Don't even copy it in the first place. 
+ ''; + + preferLocalBuild = true; + + passthru = { + inherit version channel; + plugins = fetchurl binary; + }; +} diff --git a/pkgs/applications/networking/browsers/chromium/sandbox_userns_31.patch b/pkgs/applications/networking/browsers/chromium/source/sandbox_userns_31.patch similarity index 100% rename from pkgs/applications/networking/browsers/chromium/sandbox_userns_31.patch rename to pkgs/applications/networking/browsers/chromium/source/sandbox_userns_31.patch diff --git a/pkgs/applications/networking/browsers/chromium/source/sandbox_userns_36.patch b/pkgs/applications/networking/browsers/chromium/source/sandbox_userns_36.patch new file mode 100644 index 00000000000..a8f3ed0befd --- /dev/null +++ b/pkgs/applications/networking/browsers/chromium/source/sandbox_userns_36.patch @@ -0,0 +1,293 @@ +commit 3c80951744293441c2e66345ef7d82c199f4600e +Author: aszlig +Date: Thu May 16 14:17:56 2013 +0200 + + zygote: Add support for user namespaces on Linux. + + The implementation is done by patching the Zygote host to execute the sandbox + binary with CLONE_NEWUSER and setting the uid and gid mapping so that the child + process is using uid 0 and gid 0 which map to the current user of the parent. + Afterwards, the sandbox will continue as if it was called as a setuid binary. + + In addition, this adds new_user_namespace as an option in process_util in order + to set the UID and GID mapping correctly. The reason for this is that just + passing CLONE_NEWUSER to clone_flags doesn't help in LaunchProcess(), because + without setting the mappings exec*() will clear the process's capability sets. + + If the kernel doesn't support unprivileged user namespaces and the sandbox + binary doesn't have the setuid flag, the Zygote main process will run without a + sandbox. This is to mimic the behaviour if no SUID sandbox binary path is set. + + 
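Review bot: The first `sed` in `postPatch` of source/default.nix rewrites `-fstack-protector` and `-fstack-protector-all` to `-fno-stack-protector` in `build/common.gypi`, which switches off stack-smashing protection for the whole browser build without giving a reason. If this works around a toolchain problem, a comment such as `# stack protector disabled because REASON; re-enable once that is fixed` belongs directly above the expression so that the lost hardening is tracked instead of forgotten. In the same hunk, `opensslPatches = optional useOpenSSL openssl.patches;` refers to `openssl`, which is not among this file's arguments, so unless one of the two `with` scopes happens to supply it, evaluation fails as soon as `useOpenSSL` is true; adding `openssl ? null` to the argument list, as common.nix does, would fix that.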
Signed-off-by: aszlig + +diff --git a/base/process/launch.cc b/base/process/launch.cc +index 81748f5..930f20f 100644 +--- a/base/process/launch.cc ++++ b/base/process/launch.cc +@@ -26,6 +26,7 @@ LaunchOptions::LaunchOptions() + #if defined(OS_LINUX) + , clone_flags(0) + , allow_new_privs(false) ++ , new_user_namespace(false) + #endif // OS_LINUX + #if defined(OS_CHROMEOS) + , ctrl_terminal_fd(-1) +diff --git a/base/process/launch.h b/base/process/launch.h +index 9e39fba..00e4c79 100644 +--- a/base/process/launch.h ++++ b/base/process/launch.h +@@ -115,6 +115,9 @@ struct BASE_EXPORT LaunchOptions { + // By default, child processes will have the PR_SET_NO_NEW_PRIVS bit set. If + // true, then this bit will not be set in the new child process. + bool allow_new_privs; ++ ++ // If true, start the process in a new user namespace. ++ bool new_user_namespace; + #endif // defined(OS_LINUX) + + #if defined(OS_CHROMEOS) +diff --git a/base/process/launch_posix.cc b/base/process/launch_posix.cc +index fe4da1a..7f118b8 100644 +--- a/base/process/launch_posix.cc ++++ b/base/process/launch_posix.cc +@@ -40,6 +40,10 @@ + + #if defined(OS_LINUX) + #include ++#include ++#if !defined(CLONE_NEWUSER) ++#define CLONE_NEWUSER 0x10000000 ++#endif + #endif + + #if defined(OS_CHROMEOS) +@@ -301,13 +305,23 @@ bool LaunchProcess(const std::vector& argv, + + pid_t pid; + #if defined(OS_LINUX) +- if (options.clone_flags) { ++ int map_pipe_fd[2]; ++ int flags = options.clone_flags; ++ ++ if (options.new_user_namespace) { ++ flags |= CLONE_NEWUSER; ++ if (pipe(map_pipe_fd) < 0) { ++ DPLOG(ERROR) << "user namespace pipe"; ++ return false; ++ } ++ } ++ ++ if (options.clone_flags || options.new_user_namespace) { + // Signal handling in this function assumes the creation of a new + // process, so we check that a thread is not being created by mistake + // and that signal handling follows the process-creation rules. 
+- RAW_CHECK( +- !(options.clone_flags & (CLONE_SIGHAND | CLONE_THREAD | CLONE_VM))); +- pid = syscall(__NR_clone, options.clone_flags, 0, 0, 0); ++ RAW_CHECK(!(flags & (CLONE_SIGHAND | CLONE_THREAD | CLONE_VM))); ++ pid = syscall(__NR_clone, flags, 0, 0, 0); + } else + #endif + { +@@ -328,6 +342,21 @@ bool LaunchProcess(const std::vector& argv, + // DANGER: no calls to malloc or locks are allowed from now on: + // http://crbug.com/36678 + ++#if defined(OS_LINUX) ++ if (options.new_user_namespace) { ++ // Close the write end of the pipe so we get an EOF when the parent closes ++ // the FD. This is to avoid race conditions when the UID/GID mappings are ++ // written _after_ execvp(). ++ close(map_pipe_fd[1]); ++ ++ char dummy; ++ if (HANDLE_EINTR(read(map_pipe_fd[0], &dummy, 1)) != 0) { ++ RAW_LOG(ERROR, "Unexpected input in uid/gid mapping pipe."); ++ _exit(127); ++ } ++ } ++#endif ++ + // DANGER: fork() rule: in the child, if you don't end up doing exec*(), + // you call _exit() instead of exit(). This is because _exit() does not + // call any previously-registered (in the parent) exit handlers, which +@@ -451,6 +480,40 @@ bool LaunchProcess(const std::vector& argv, + _exit(127); + } else { + // Parent process ++#if defined(OS_LINUX) ++ if (options.new_user_namespace) { ++ // We need to write UID/GID mapping here to map the current user outside ++ // the namespace to the root user inside the namespace in order to ++ // correctly "fool" the child process. 
++ char buf[256]; ++ int map_fd, map_len; ++ ++ snprintf(buf, sizeof(buf), "/proc/%d/uid_map", pid); ++ map_fd = open(buf, O_RDWR); ++ DPCHECK(map_fd >= 0); ++ snprintf(buf, sizeof(buf), "0 %d 1", geteuid()); ++ map_len = strlen(buf); ++ if (write(map_fd, buf, map_len) != map_len) { ++ RAW_LOG(WARNING, "Can't write to uid_map."); ++ } ++ close(map_fd); ++ ++ snprintf(buf, sizeof(buf), "/proc/%d/gid_map", pid); ++ map_fd = open(buf, O_RDWR); ++ DPCHECK(map_fd >= 0); ++ snprintf(buf, sizeof(buf), "0 %d 1", getegid()); ++ map_len = strlen(buf); ++ if (write(map_fd, buf, map_len) != map_len) { ++ RAW_LOG(WARNING, "Can't write to gid_map."); ++ } ++ close(map_fd); ++ ++ // Close the pipe on the parent, so the child can continue doing the ++ // execvp() call. ++ close(map_pipe_fd[1]); ++ } ++#endif ++ + if (options.wait) { + // While this isn't strictly disk IO, waiting for another process to + // finish is the sort of thing ThreadRestrictions is trying to prevent. +diff --git a/content/browser/zygote_host/zygote_host_impl_linux.cc b/content/browser/zygote_host/zygote_host_impl_linux.cc +index 0106a7a..a0465af 100644 +--- a/content/browser/zygote_host/zygote_host_impl_linux.cc ++++ b/content/browser/zygote_host/zygote_host_impl_linux.cc +@@ -124,25 +124,31 @@ void ZygoteHostImpl::Init(const std::string& sandbox_cmd) { + + sandbox_binary_ = sandbox_cmd.c_str(); + +- // A non empty sandbox_cmd means we want a SUID sandbox. 
+- using_suid_sandbox_ = !sandbox_cmd.empty(); ++ bool userns_sandbox = false; ++ const std::vector cmd_line_unwrapped(cmd_line.argv()); + +- if (using_suid_sandbox_) { ++ if (!sandbox_cmd.empty()) { + struct stat st; + if (stat(sandbox_binary_.c_str(), &st) != 0) { + LOG(FATAL) << "The SUID sandbox helper binary is missing: " + << sandbox_binary_ << " Aborting now."; + } + +- if (access(sandbox_binary_.c_str(), X_OK) == 0 && +- (st.st_uid == 0) && +- (st.st_mode & S_ISUID) && +- (st.st_mode & S_IXOTH)) { ++ if (access(sandbox_binary_.c_str(), X_OK) == 0) { ++ using_suid_sandbox_ = true; ++ + cmd_line.PrependWrapper(sandbox_binary_); + + scoped_ptr + sandbox_client(sandbox::SetuidSandboxClient::Create()); + sandbox_client->SetupLaunchEnvironment(); ++ ++ if (!((st.st_uid == 0) && ++ (st.st_mode & S_ISUID) && ++ (st.st_mode & S_IXOTH))) { ++ userns_sandbox = true; ++ sandbox_client->SetNoSuid(); ++ } + } else { + LOG(FATAL) << "The SUID sandbox helper binary was found, but is not " + "configured correctly. Rather than run without sandboxing " +@@ -167,7 +173,19 @@ void ZygoteHostImpl::Init(const std::string& sandbox_cmd) { + base::LaunchOptions options; + options.fds_to_remap = &fds_to_map; + options.allow_new_privs = using_suid_sandbox_; // Don't PR_SET_NO_NEW_PRIVS. ++ if (userns_sandbox) ++ options.new_user_namespace = true; + base::LaunchProcess(cmd_line.argv(), options, &process); ++ ++ if (process == -1 && userns_sandbox) { ++ LOG(ERROR) << "User namespace sandbox failed to start, running without " ++ << "sandbox! 
You need at least kernel 3.8.0 with CONFIG_USER_NS " ++ << "enabled in order to use the sandbox without setuid bit."; ++ using_suid_sandbox_ = false; ++ options.new_user_namespace = false; ++ base::LaunchProcess(cmd_line_unwrapped, options, &process); ++ } ++ + CHECK(process != -1) << "Failed to launch zygote process"; + + if (using_suid_sandbox_) { +diff --git a/content/zygote/zygote_main_linux.cc b/content/zygote/zygote_main_linux.cc +index 5dc09fa..4e09bc4 100644 +--- a/content/zygote/zygote_main_linux.cc ++++ b/content/zygote/zygote_main_linux.cc +@@ -397,6 +397,13 @@ static bool EnterSuidSandbox(sandbox::SetuidSandboxClient* setuid_sandbox) { + CHECK(CreateInitProcessReaper()); + } + ++ // Don't set non-dumpable, as it causes trouble when the host tries to find ++ // the zygote process (XXX: Not quite sure why this happens with user ++ // namespaces). Fortunately, we also have the seccomp filter sandbox which ++ // should disallow the use of ptrace. ++ if (setuid_sandbox->IsNoSuid()) ++ return true; ++ + #if !defined(OS_OPENBSD) + // Previously, we required that the binary be non-readable. This causes the + // kernel to mark the process as non-dumpable at startup. 
The thinking was +diff --git a/sandbox/linux/suid/client/setuid_sandbox_client.cc b/sandbox/linux/suid/client/setuid_sandbox_client.cc +index 8ed1a97..cbdfadc 100644 +--- a/sandbox/linux/suid/client/setuid_sandbox_client.cc ++++ b/sandbox/linux/suid/client/setuid_sandbox_client.cc +@@ -173,6 +173,10 @@ bool SetuidSandboxClient::IsInNewNETNamespace() const { + return env_->HasVar(kSandboxNETNSEnvironmentVarName); + } + ++bool SetuidSandboxClient::IsNoSuid() const { ++ return env_->HasVar(kSandboxNoSuidVarName); ++} ++ + bool SetuidSandboxClient::IsSandboxed() const { + return sandboxed_; + } +@@ -182,4 +186,8 @@ void SetuidSandboxClient::SetupLaunchEnvironment() { + SetSandboxAPIEnvironmentVariable(env_); + } + ++void SetuidSandboxClient::SetNoSuid() { ++ env_->SetVar(kSandboxNoSuidVarName, "1"); ++} ++ + } // namespace sandbox +diff --git a/sandbox/linux/suid/client/setuid_sandbox_client.h b/sandbox/linux/suid/client/setuid_sandbox_client.h +index 0f6db7a..c629391 100644 +--- a/sandbox/linux/suid/client/setuid_sandbox_client.h ++++ b/sandbox/linux/suid/client/setuid_sandbox_client.h +@@ -46,6 +46,8 @@ class SANDBOX_EXPORT SetuidSandboxClient { + bool IsInNewPIDNamespace() const; + // Did the setuid helper create a new network namespace ? + bool IsInNewNETNamespace() const; ++ // Is sandboxed without SUID binary ? ++ bool IsNoSuid() const; + // Are we done and fully sandboxed ? + bool IsSandboxed() const; + +@@ -53,6 +55,8 @@ class SANDBOX_EXPORT SetuidSandboxClient { + // helper. + void SetupLaunchEnvironment(); + ++ void SetNoSuid(); ++ + private: + // Holds the environment. Will never be NULL. 
+ base::Environment* env_; +diff --git a/sandbox/linux/suid/common/sandbox.h b/sandbox/linux/suid/common/sandbox.h +index 9345287..2db659e 100644 +--- a/sandbox/linux/suid/common/sandbox.h ++++ b/sandbox/linux/suid/common/sandbox.h +@@ -15,6 +15,7 @@ static const char kAdjustOOMScoreSwitch[] = "--adjust-oom-score"; + + static const char kSandboxDescriptorEnvironmentVarName[] = "SBX_D"; + static const char kSandboxHelperPidEnvironmentVarName[] = "SBX_HELPER_PID"; ++static const char kSandboxNoSuidVarName[] = "SBX_NO_SUID"; + + static const long kSUIDSandboxApiNumber = 1; + static const char kSandboxEnvironmentApiRequest[] = "SBX_CHROME_API_RQ"; diff --git a/pkgs/applications/networking/browsers/chromium/source/sources.nix b/pkgs/applications/networking/browsers/chromium/source/sources.nix new file mode 100644 index 00000000000..6881b8d44e8 --- /dev/null +++ b/pkgs/applications/networking/browsers/chromium/source/sources.nix @@ -0,0 +1,21 @@ +# This file is autogenerated from update.sh in the parent directory. +{ + dev = { + version = "36.0.1941.0"; + sha256 = "12rhyq8hliwc8b3371h2axzlzabg99c06d02kl9ldag2kxfpsfps"; + sha256bin32 = "1rbl5x0pjid5lypdplbqvcx4lgvr2rlbiv83ivvqb5dbg6p7886g"; + sha256bin64 = "18440spj541w4bqjblb2wpf94slg4if176gprccbxw9sy6b7z38w"; + }; + beta = { + version = "35.0.1916.47"; + sha256 = "0pq87aybfna4pgsf02v97lprj5kbsrzim7c44nqarmcvlj4l65ch"; + sha256bin32 = "057l59any3hiqdg1gh4nxry542083lxdaychhljbrfkipq1gy4yv"; + sha256bin64 = "07n8sqv234dg959id023w3mz5n9ascwrcmxq3px96bqgqim2vf8s"; + }; + stable = { + version = "34.0.1847.116"; + sha256 = "04cpfav5rqa117igvzmrw0045r2ljxg5fqb46qgqvkgff30pjrfx"; + sha256bin32 = "1k24j80xgc91p8ssynql9ifjdhpz6w7vl3pk9lvkr0sdhg16hlrf"; + sha256bin64 = "16gidav4ilc95fr1d6832xzpyynfwnglbz7b33gq62vp8bj77da4"; + }; +} diff --git a/pkgs/applications/networking/browsers/chromium/source/update.nix b/pkgs/applications/networking/browsers/chromium/source/update.nix new file mode 100644 index 00000000000..09f834a90c6 
--- /dev/null +++ b/pkgs/applications/networking/browsers/chromium/source/update.nix 
@@ -0,0 +1,118 @@ +{ system ? builtins.currentSystem }: + +let + inherit (import {}) lib writeText stdenv; + + sources = if builtins.pathExists ./sources.nix + then import ./sources.nix + else null; + + bucketURL = "http://commondatastorage.googleapis.com/" + + "chromium-browser-official"; + + debURL = "https://dl.google.com/linux/chrome/deb/pool/main/g"; + + # Untrusted mirrors, don't try to update from them! + debMirrors = [ + "http://95.31.35.30/chrome/pool/main/g" + "http://mirror.pcbeta.com/google/chrome/deb/pool/main/g" + ]; + + tryChannel = channel: let + chan = builtins.getAttr channel sources; + in if sources != null then '' + oldver="${chan.version}"; + echo -n "Checking if $oldver ($channel) is up to date..." >&2; + if [ "x$(get_newest_ver "$version" "$oldver")" != "x$oldver" ]; + then + echo " no, getting sha256 for new version $version:" >&2; + sha256="$(prefetch_sha "$channel" "$version")" || return 1; + else + echo " yes, keeping old sha256." >&2; + sha256="${chan.sha256}"; + ${if (chan ? sha256bin32 && chan ? sha256bin64) then '' + sha256="$sha256.${chan.sha256bin32}.${chan.sha256bin64}"; + '' else '' + sha256="$sha256.$(prefetch_deb_sha "$channel" "$version")"; + ''} + fi; + '' else '' + sha256="$(prefetch_sha "$channel" "$version")" || return 1; + ''; + + caseChannel = channel: '' + ${channel}) ${tryChannel channel};; + ''; + +in rec { + getChannel = channel: let + chanAttrs = builtins.getAttr channel sources; + in { + inherit (chanAttrs) version; + + main = { + url = "${bucketURL}/chromium-${chanAttrs.version}.tar.xz"; + inherit (chanAttrs) sha256; + }; + + binary = let + pname = if channel == "dev" + then "google-chrome-unstable" + else "google-chrome-${channel}"; + arch = if stdenv.is64bit then "amd64" else "i386"; + relpath = "${pname}/${pname}_${chanAttrs.version}-1_${arch}.deb"; + in lib.optionalAttrs (chanAttrs ? 
sha256bin64) { + urls = map (url: "${url}/${relpath}") ([ debURL ] ++ debMirrors); + sha256 = if stdenv.is64bit + then chanAttrs.sha256bin64 + else chanAttrs.sha256bin32; + }; + }; + + updateHelpers = writeText "update-helpers.sh" '' + + prefetch_main_sha() + { + nix-prefetch-url "${bucketURL}/chromium-$2.tar.xz"; + } + + prefetch_deb_sha() + { + channel="$1"; + version="$2"; + + case "$1" in + dev) pname="google-chrome-unstable";; + *) pname="google-chrome-$channel";; + esac; + + deb_pre="${debURL}/$pname/$pname"; + + deb32=$(nix-prefetch-url "''${deb_pre}_$version-1_i386.deb"); + deb64=$(nix-prefetch-url "''${deb_pre}_$version-1_amd64.deb"); + + echo "$deb32.$deb64"; + return 0; + } + + prefetch_sha() + { + echo "$(prefetch_main_sha "$@").$(prefetch_deb_sha "$@")"; + return 0; + } + + get_sha256() + { + channel="$1"; + version="$2"; + + case "$channel" in + ${lib.concatMapStrings caseChannel [ "stable" "dev" "beta" ]} + esac; + + sha_insert "$version" "$sha256"; + echo "$sha256"; + return 0; + } + ''; +} diff --git a/pkgs/applications/networking/browsers/chromium/sources.nix b/pkgs/applications/networking/browsers/chromium/sources.nix deleted file mode 100644 index 49b5e2b4221..00000000000 --- a/pkgs/applications/networking/browsers/chromium/sources.nix +++ /dev/null 
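Review bot: `bucketURL` is plain `http://`, and `prefetch_main_sha` in `updateHelpers` runs `nix-prefetch-url` against it to produce the hash that is then pinned in sources.nix. The pin therefore only records whatever was served at update time, so a tampered download during an update would have its hash written in as the trusted value. Suggest `bucketURL = "https://commondatastorage.googleapis.com/" + "chromium-browser-official";`, matching `debURL`, which already uses https. The `debMirrors` comment could also say why listing them is acceptable, e.g. `# Only used as build-time fallbacks, where the sha256 prefetched from debURL is verified; never prefetch hashes from these.`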
@@ -1,18 +0,0 @@ -# This file is autogenerated from update.sh in the same directory. -{ - dev = { - version = "35.0.1883.0"; - url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-35.0.1883.0.tar.xz"; - sha256 = "0qbv6prxl18y5824pfd13ng9798g561gzb6nypwp502hqr45jvb6"; - }; - beta = { - version = "34.0.1847.60"; - url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-34.0.1847.60.tar.xz"; - sha256 = "1na5d6z4a0wkabn7cj62vyiv3mmvcb6qdvrkyy6fj79h7gk2hb7k"; - }; - stable = { - version = "34.0.1847.116"; - url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-34.0.1847.116.tar.xz"; - sha256 = "04cpfav5rqa117igvzmrw0045r2ljxg5fqb46qgqvkgff30pjrfx"; - }; -} diff --git a/pkgs/applications/networking/browsers/chromium/update.sh b/pkgs/applications/networking/browsers/chromium/update.sh index 0c4881bb396..e82d22f34fd 100755 --- a/pkgs/applications/networking/browsers/chromium/update.sh +++ b/pkgs/applications/networking/browsers/chromium/update.sh @@ -3,16 +3,9 @@ channels_url="http://omahaproxy.appspot.com/all?csv=1"; history_url="http://omahaproxy.appspot.com/history"; bucket_url="http://commondatastorage.googleapis.com/chromium-browser-official/"; -output_file="$(cd "$(dirname "$0")" && pwd)/sources.nix"; +base_path="$(cd "$(dirname "$0")" && pwd)/source"; -nix_getattr() -{ - input_file="$1"; - attr="$2"; - - var="$(nix-instantiate --eval-only -A "$attr" "$output_file")"; - echo "$var" | tr -d '\\"'; -} +source "$(nix-build --no-out-link "$base_path/update.nix" -A updateHelpers)"; ### poor mans key/value-store :-) ### 
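Review bot: The added `source "$(nix-build --no-out-link "$base_path/update.nix" -A updateHelpers)";` line sources the build result without checking that `nix-build` succeeded. If update.nix fails to evaluate or build, the substitution is empty, `source` fails, and the script carries on with `get_sha256` and the prefetch helpers undefined, unless it runs under `set -e`, which is not visible here. Suggest `helpers="$(nix-build --no-out-link "$base_path/update.nix" -A updateHelpers)" || exit 1;` followed by `source "$helpers";`. `bucket_url` also appears to be unused once the later hunks drop the `url=` lines, so it could be removed here.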
@@ -53,39 +46,6 @@ get_newest_ver() fi; } -if [ -e "$output_file" ]; -then - get_sha256() - { - channel="$1"; - version="$2"; - url="$3"; - - oldver="$(nix_getattr "$output_file" "$channel.version")"; - - echo -n "Checking if $oldver ($channel) is up to date..." >&2; - - if [ "x$(get_newest_ver "$version" "$oldver")" != "x$oldver" ]; - then - echo " no, getting sha256 for new version $version:" >&2; - sha256="$(nix-prefetch-url "$url")" || return 1; - else - echo " yes, keeping old sha256." >&2; - sha256="$(nix_getattr "$output_file" "$channel.sha256")" \ - || return 1; - fi; - - sha_insert "$version" "$sha256"; - echo "$sha256"; - return 0; - } -else - get_sha256() - { - nix-prefetch-url "$3"; - } -fi; - fetch_filtered_history() { curl -s "$history_url" | sed -nr 's/^'"linux,$1"',([^,]+).*$/\1/p'; @@ -99,9 +59,8 @@ get_prev_sha256() for version in $(fetch_filtered_history "$channel"); do [ "x$version" = "x$current_version" ] && continue; - url="${bucket_url%/}/chromium-$version.tar.xz"; - sha256="$(get_sha256 "$channel" "$version" "$url")" || continue; - echo "$sha256:$version:$url"; + sha256="$(get_sha256 "$channel" "$version")" || continue; + echo "$sha256:$version"; return 0; done; } 
@@ -113,34 +72,39 @@ get_channel_exprs() channel="${chline%%,*}"; version="${chline##*,}"; - url="${bucket_url%/}/chromium-$version.tar.xz"; - echo -n "Checking if sha256 of version $version is cached..." >&2; if sha256="$(sha_lookup "$version")"; then echo " yes: $sha256" >&2; else echo " no." >&2; - sha256="$(get_sha256 "$channel" "$version" "$url")"; + sha256="$(get_sha256 "$channel" "$version")"; if [ $? -ne 0 ]; then echo "Whoops, failed to fetch $version, trying previous" \ "versions:" >&2; - sha_ver_url="$(get_prev_sha256 "$channel" "$version")"; - sha256="${sha_ver_url%%:*}"; - ver_url="${sha_ver_url#*:}"; - version="${ver_url%%:*}"; - url="${ver_url#*:}"; + sha_ver="$(get_prev_sha256 "$channel" "$version")"; + sha256="${sha_ver%:*}"; + version="${sha_ver#*:}"; fi; fi; sha_insert "$version" "$sha256"; + main="${sha256%%.*}"; + deb="${sha256#*.}"; + deb32="${deb%.*}"; + deb64="${deb#*.}"; + echo " $channel = {"; echo " version = \"$version\";"; - echo " url = \"$url\";"; - echo " sha256 = \"$sha256\";"; + echo " sha256 = \"$main\";"; + if [ "x${deb#*[a-z0-9].[a-z0-9]}" != "x$deb" ]; + then + echo " sha256bin32 = \"$deb32\";"; + echo " sha256bin64 = \"$deb64\";"; + fi; echo " };"; done; } @@ -151,8 +115,8 @@ omaha="$(curl -s "$channels_url")"; versions="$(echo "$omaha" | sed -nr -e 's/^linux,([^,]+,[^,]+).*$/\1/p')"; channel_exprs="$(get_channel_exprs "$versions")"; -cat > "$output_file" <<-EOF -# This file is autogenerated from update.sh in the same directory. +cat > "$base_path/sources.nix" <<-EOF +# This file is autogenerated from update.sh in the parent directory. { $channel_exprs } diff --git a/pkgs/development/libraries/libopus/default.nix b/pkgs/development/libraries/libopus/default.nix index b1bf65d0fe6..78b264506f0 100644 --- a/pkgs/development/libraries/libopus/default.nix +++ b/pkgs/development/libraries/libopus/default.nix 
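Review bot: After the fallback to `get_prev_sha256`, nothing checks that a hash was actually obtained before the channel entry is printed. If every previous version fails as well, `sha_ver` is empty, so `version` and `sha256` are empty and the block still emits `version = "";` and `sha256 = "";` for that channel. A guard such as `[ -n "$main" ] || return 1;` before `echo " $channel = {";` would stop that. The caller would then need to test the status of `get_channel_exprs` before overwriting sources.nix. A comment on the packed value would also help, e.g. `# sha256 is "<main>.<deb32>.<deb64>"; the two deb parts may be absent`. The loop these lines sit in starts outside the hunk.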
@@ -1,4 +1,4 @@ -{ stdenv, fetchurl, fixedPoint ? false }: +{ stdenv, fetchurl, fixedPoint ? false, withCustomModes ? false }: let version = "1.1"; @@ -11,7 +11,8 @@ stdenv.mkDerivation rec { sha256 = "158xprn2086arvdib3vbbygz7z6jqkw2nci7nlywzzwallap0wmr"; }; - configureFlags = stdenv.lib.optionalString fixedPoint "--enable-fixed-point"; + configureFlags = stdenv.lib.optional fixedPoint "--enable-fixed-point" + ++ stdenv.lib.optional withCustomModes "--enable-custom-modes"; doCheck = true; diff --git a/pkgs/development/libraries/libwebp/default.nix b/pkgs/development/libraries/libwebp/default.nix index 854af5942f9..6800541d923 100644 --- a/pkgs/development/libraries/libwebp/default.nix +++ b/pkgs/development/libraries/libwebp/default.nix @@ -1,14 +1,20 @@ -{stdenv, fetchurl, libpng, libjpeg}: +{ stdenv, fetchurl, libpng, libjpeg, giflib, libtiff }: stdenv.mkDerivation rec { - name = "libwebp-0.1.3"; - + name = "libwebp-0.4.0"; + src = fetchurl { url = "http://webp.googlecode.com/files/${name}.tar.gz"; - sha256 = "1fkssvg99s9ypswh4ywkirgcy1wmy3b6388f3cqj4a4vwdb89ca0"; + sha256 = "0sadjkx8m6sf064r5gngjvz4b5246q3j27dlaml5b1k3x5vkb49i"; }; - buildInputs = [ libpng libjpeg ]; + buildInputs = [ libpng libjpeg giflib libtiff ]; + + configureFlags = [ + "--enable-libwebpmux" + "--enable-libwebpdemux" + "--enable-libwebpdecoder" + ]; meta = { homepage = http://code.google.com/p/webp/; diff --git a/pkgs/development/libraries/minizip/default.nix b/pkgs/development/libraries/minizip/default.nix new file mode 100644 index 00000000000..b71920446e4 --- /dev/null +++ b/pkgs/development/libraries/minizip/default.nix @@ -0,0 +1,14 @@ +{ stdenv, zlib, autoconf, automake, libtool }: + +stdenv.mkDerivation { + name = "minizip-${zlib.version}"; + inherit (zlib) src; + + nativeBuildInputs = [ autoconf automake libtool ]; + buildInputs = [ zlib ]; + + preConfigure = '' + cd contrib/minizip + autoreconf -vfi + ''; +} 
diff --git a/pkgs/development/libraries/v8/3.14.nix b/pkgs/development/libraries/v8/3.14.nix new file mode 100644 index 00000000000..0564e688795 --- /dev/null +++ b/pkgs/development/libraries/v8/3.14.nix 
@@ -0,0 +1,65 @@ +{ stdenv, fetchsvn, gyp, readline, python, which }: + +assert readline != null; + +let + system = stdenv.system; + arch = if system == "i686-linux" then "ia32" else if system == "x86_64-linux" || system == "x86_64-darwin" then "x64" else ""; + version = "3.14.5.9"; +in + +assert arch != ""; + +stdenv.mkDerivation { + name = "v8-${version}"; + + src = fetchsvn { + url = "http://v8.googlecode.com/svn/tags/${version}"; + sha256 = "18qp5qp5xrb6f00w01cklz358yrl54pks963f5rwvwz82d8sfyqr"; + name = "v8-${version}-src"; + }; + + patches = [ ./fix-GetLocalizedMessage-usage.patch ]; + + configurePhase = '' + mkdir build/gyp + ln -sv ${gyp}/bin/gyp build/gyp/gyp + ''; + + nativeBuildInputs = [ which ]; + buildInputs = [ readline python ]; + + buildFlags = [ + "library=shared" + "console=readline" + "${arch}.release" + ]; + + # http://code.google.com/p/v8/issues/detail?id=2149 + NIX_CFLAGS_COMPILE = "-Wno-unused-local-typedefs -Wno-aggressive-loop-optimizations"; + + enableParallelBuilding = true; + + installPhase = '' + mkdir -p $out/bin + mkdir -p $out/lib + mv -v out/${arch}.release/d8 $out/bin + + ${if stdenv.system == "x86_64-darwin" then + "mv -v out/${arch}.release/libv8.dylib $out/lib" + else + "mv -v out/${arch}.release/lib.target/libv8.so $out/lib"} + mv -v include $out/ + ''; + + postFixup = if stdenv.isDarwin then '' + install_name_tool -change /usr/local/lib/libv8.dylib $out/lib/libv8.dylib -change /usr/lib/libgcc_s.1.dylib ${stdenv.gcc.gcc}/lib/libgcc_s.1.dylib $out/bin/d8 + install_name_tool -id $out/lib/libv8.dylib -change /usr/lib/libgcc_s.1.dylib ${stdenv.gcc.gcc}/lib/libgcc_s.1.dylib $out/lib/libv8.dylib + '' else null; + + meta = with stdenv.lib; { + description = "V8 is Google's open source JavaScript engine"; + platforms = platforms.linux ++ platforms.darwin; + license = licenses.bsd3; + }; +} diff --git a/pkgs/development/libraries/v8/default.nix b/pkgs/development/libraries/v8/default.nix index 0564e688795..db8e491caae 100644 
--- a/pkgs/development/libraries/v8/default.nix +++ b/pkgs/development/libraries/v8/default.nix 
@@ -1,65 +1,66 @@ -{ stdenv, fetchsvn, gyp, readline, python, which }: +{ stdenv, fetchurl, gyp, readline, python, which, icu }: assert readline != null; let - system = stdenv.system; - arch = if system == "i686-linux" then "ia32" else if system == "x86_64-linux" || system == "x86_64-darwin" then "x64" else ""; - version = "3.14.5.9"; + arch = if stdenv.is64bit then "x64" else "ia32"; in -assert arch != ""; +stdenv.mkDerivation rec { + name = "v8-${version}"; + version = "3.25.9"; -stdenv.mkDerivation { - name = "v8-${version}"; + src = fetchurl { + url = "https://commondatastorage.googleapis.com/chromium-browser-official/" + + "${name}.tar.bz2"; + sha256 = "0x6czv99dr701vljyb4ghyhhc5rmv7vfkpvigcnrqz2an9q1pc28"; + }; - src = fetchsvn { - url = "http://v8.googlecode.com/svn/tags/${version}"; - sha256 = "18qp5qp5xrb6f00w01cklz358yrl54pks963f5rwvwz82d8sfyqr"; - name = "v8-${version}-src"; - }; + configurePhase = '' + PYTHONPATH="tools/generate_shim_headers:$PYTHONPATH" \ + ${gyp}/bin/gyp \ + -f make \ + --generator-output="out" \ + -Dflock_index=0 \ + -Dv8_enable_i18n_support=1 \ + -Duse_system_icu=1 \ + -Dconsole=readline \ + -Dcomponent=shared_library \ + -Dv8_target_arch=${arch} \ + --depth=. 
-Ibuild/standalone.gypi \ + build/all.gyp + ''; - patches = [ ./fix-GetLocalizedMessage-usage.patch ]; + nativeBuildInputs = [ which ]; + buildInputs = [ readline python icu ]; - configurePhase = '' - mkdir build/gyp - ln -sv ${gyp}/bin/gyp build/gyp/gyp - ''; + buildFlags = [ + "LINK=g++" + "-C out" + "builddir=$(CURDIR)/Release" + "BUILDTYPE=Release" + ]; - nativeBuildInputs = [ which ]; - buildInputs = [ readline python ]; + enableParallelBuilding = true; - buildFlags = [ - "library=shared" - "console=readline" - "${arch}.release" - ]; + installPhase = '' + install -vD out/Release/d8 "$out/bin/d8" + ${if stdenv.system == "x86_64-darwin" then '' + install -vD out/Release/lib.target/libv8.dylib "$out/lib/libv8.dylib" + '' else '' + install -vD out/Release/lib.target/libv8.so "$out/lib/libv8.so" + ''} + cp -vr include "$out/" + ''; - # http://code.google.com/p/v8/issues/detail?id=2149 - NIX_CFLAGS_COMPILE = "-Wno-unused-local-typedefs -Wno-aggressive-loop-optimizations"; + postFixup = if stdenv.isDarwin then '' + install_name_tool -change /usr/local/lib/libv8.dylib $out/lib/libv8.dylib -change /usr/lib/libgcc_s.1.dylib ${stdenv.gcc.gcc}/lib/libgcc_s.1.dylib $out/bin/d8 + install_name_tool -id $out/lib/libv8.dylib -change /usr/lib/libgcc_s.1.dylib ${stdenv.gcc.gcc}/lib/libgcc_s.1.dylib $out/lib/libv8.dylib + '' else null; - enableParallelBuilding = true; - - installPhase = '' - mkdir -p $out/bin - mkdir -p $out/lib - mv -v out/${arch}.release/d8 $out/bin - - ${if stdenv.system == "x86_64-darwin" then - "mv -v out/${arch}.release/libv8.dylib $out/lib" - else - "mv -v out/${arch}.release/lib.target/libv8.so $out/lib"} - mv -v include $out/ - ''; - - postFixup = if stdenv.isDarwin then '' - install_name_tool -change /usr/local/lib/libv8.dylib $out/lib/libv8.dylib -change /usr/lib/libgcc_s.1.dylib ${stdenv.gcc.gcc}/lib/libgcc_s.1.dylib $out/bin/d8 - install_name_tool -id $out/lib/libv8.dylib -change /usr/lib/libgcc_s.1.dylib ${stdenv.gcc.gcc}/lib/libgcc_s.1.dylib 
$out/lib/libv8.dylib - '' else null; - - meta = with stdenv.lib; { - description = "V8 is Google's open source JavaScript engine"; - platforms = platforms.linux ++ platforms.darwin; - license = licenses.bsd3; - }; + meta = with stdenv.lib; { + description = "V8 is Google's open source JavaScript engine"; + platforms = platforms.linux ++ platforms.darwin; + license = licenses.bsd3; + }; } diff --git a/pkgs/development/libraries/zlib/default.nix b/pkgs/development/libraries/zlib/default.nix index 0d4abaf25e0..f1eea80ab7a 100644 --- a/pkgs/development/libraries/zlib/default.nix +++ b/pkgs/development/libraries/zlib/default.nix @@ -40,4 +40,6 @@ stdenv.mkDerivation rec { # zlib doesn't like the automatic --disable-shared from the Cygwin stdenv. cygwinConfigureEnableShared = true; + + passthru.version = version; } diff --git a/pkgs/development/web/nodejs/default.nix b/pkgs/development/web/nodejs/default.nix index 062d7f4ec06..3b1b6467972 100644 --- a/pkgs/development/web/nodejs/default.nix +++ b/pkgs/development/web/nodejs/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, openssl, python, zlib, v8, utillinux, http-parser, c-ares, pkgconfig, runCommand }: +{ stdenv, fetchurl, openssl, python, zlib, v8_3_14, utillinux, http-parser, c-ares, pkgconfig, runCommand }: let dtrace = runCommand "dtrace-native" {} '' @@ -10,7 +10,7 @@ let # !!! Should we also do shared libuv? deps = { - inherit v8 openssl zlib http-parser; + inherit v8_3_14 openssl zlib http-parser; cares = c-ares; }; diff --git a/pkgs/servers/nosql/mongodb/default.nix b/pkgs/servers/nosql/mongodb/default.nix index 6956271e992..a5a021b9354 100644 --- a/pkgs/servers/nosql/mongodb/default.nix +++ b/pkgs/servers/nosql/mongodb/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, scons, boost, v8, gperftools, pcre, snappy }: +{ stdenv, fetchurl, scons, boost, v8_3_14, gperftools, pcre, snappy }: let version = "2.4.8"; in stdenv.mkDerivation rec { name = "mongodb-${version}"; 
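Review bot: The new `arch = if stdenv.is64bit then "x64" else "ia32";` maps every platform onto an x86 target, and the `assert arch != "";` that rejected unsupported systems is removed. On a non-x86 system the derivation would pass the wrong `-Dv8_target_arch` value to gyp instead of failing at evaluation. Suggest keeping the explicit `stdenv.system` mapping from the previous version (`"i686-linux"` to `ia32`, `"x86_64-linux"` or `"x86_64-darwin"` to `x64`, otherwise `""`) together with `assert arch != "";`. Separately, the Darwin branch of `installPhase` now reads `out/Release/lib.target/libv8.dylib` where the old one read the dylib directly under the output directory, which is worth confirming on a Darwin build.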
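Review bot: In nodejs/default.nix, the changed `inherit v8_3_14 openssl zlib http-parser;` line renames the attribute inside `deps` from `v8` to `v8_3_14`, not just the function argument. The code that consumes `deps` is outside this hunk. If it derives anything from the attribute names, such as per-dependency configure flags, the name `v8_3_14` will end up there. Keeping the key stable avoids that: `inherit openssl zlib http-parser;` plus `v8 = v8_3_14;`.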
@@ -8,7 +8,7 @@ let version = "2.4.8"; in stdenv.mkDerivation rec { sha256 = "1p6gnharypglfp39halp72fig96fqjhakyy7m76a1prxwpjkqw7x"; }; - nativeBuildInputs = [ scons boost v8 gperftools pcre snappy ]; + nativeBuildInputs = [ scons boost v8_3_14 gperftools pcre snappy ]; postPatch = '' substituteInPlace SConstruct \ diff --git a/pkgs/servers/nosql/rethinkdb/default.nix b/pkgs/servers/nosql/rethinkdb/default.nix index e81ccb39632..ec1dbd76364 100644 --- a/pkgs/servers/nosql/rethinkdb/default.nix +++ b/pkgs/servers/nosql/rethinkdb/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, which, protobuf, v8, ncurses, gperftools, boost, m4 }: +{ stdenv, fetchurl, which, protobuf, v8_3_14, ncurses, gperftools, boost, m4 }: stdenv.mkDerivation rec { name = "rethinkdb-1.11.2"; @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { configureFlags = "--lib-path ${gperftools}/lib"; - buildInputs = [ protobuf v8 ncurses boost ]; + buildInputs = [ protobuf v8_3_14 ncurses boost ]; nativeBuildInputs = [ which m4 ]; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 1475b3f4ed7..9f9b15920b6 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -5409,6 +5409,8 @@ let ming = callPackage ../development/libraries/ming { }; + minizip = callPackage ../development/libraries/minizip { }; + minmay = callPackage ../development/libraries/minmay { }; miro = callPackage ../applications/video/miro { @@ -6156,7 +6158,13 @@ let inherit (gnome) libsoup; }; - v8 = callPackage ../development/libraries/v8 { inherit (pythonPackages) gyp; }; + v8 = callPackage ../development/libraries/v8 { + inherit (pythonPackages) gyp; + }; + + v8_3_14 = callPackage ../development/libraries/v8/3.14.nix { + inherit (pythonPackages) gyp; + }; xmlsec = callPackage ../development/libraries/xmlsec { }; 
@@ -7750,7 +7758,6 @@ let chromium = lowPrio (callPackage ../applications/networking/browsers/chromium { channel = "stable"; - gconf = gnome.GConf; pulseSupport = config.pulseaudio or true; });