This executable is required to fix a startup error.
TODO: Refactor the Nix expressions to allow chromiumVersionAtLeast, etc.
"everywhere" and investigate the VM test failure.
(cherry picked from commit ef7f020ec88c6aa92f3c35a4a83cd3517533d690)
Would need to temporarily remove "ffmpeg" from gnSystemLibraries and
disable use_thin_lto to fix the build (theoretically).
(cherry picked from commit 5cae43456679428a675fb7074b48ceb5aa3f73e4)
The final linking still fails though, even with llvm-git.
We might have to disable use_thin_lto for now:
ld.lld: error: undefined symbol: snappy::Compress(char const*, unsigned long, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >*)
>>> referenced by compression_module.cc
>>> thinlto-cache/Thin-ed5ed5.tmp.o:(reporting::CompressionModule::CompressRecord(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, base::OnceCallback<void (std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, absl::optional<reporting::CompressionInformation>)>) const)
clang-13: error: linker command failed with exit code 1 (use -v to see invocation)
(cherry picked from commit fcdcb819362836505e059ef1c5cb33c737883400)
See https://bugs.chromium.org/p/chromium/issues/detail?id=1215229.
Before this the build failed with this error:
[101/47617] ACTION //build/util:chromium_git_revision(//build/toolchain/linux/unbundle:default)oaded_data.pbchain/linux/unbundle:default)
FAILED: gen/build/util/chromium_git_revision.h
python3 ../../build/util/lastchange.py --header gen/build/util/chromium_git_revision.h --revision-id-only --revision-id-prefix @ -m\ CHROMIUM_GIT_REVISION
ERROR:root:Failed to get git top directory from '/build/chromium-93.0.4542.2/build/util': Git command 'git git rev-parse --show-toplevel' in /build/chromium-93.0.4542.2/build/util failed: [Errno 2] No such file or directory: 'git'
(cherry picked from commit 8af443906d795aa562839f4968566dd58b76c0fd)
If our Chrome derivation is Vulkan enabled, the Chrome GPU process
reliably crashes for me under M92 using the proprietary Nvidia drivers.
This is because the PCI-based GPU detection path fails, and we attempt
to use the Vulkan fallback instead, which then crashes(!!)
Including libpci allows us to use Angle's
src/gpu_info_util/SystemInfo_libpci.cpp path instead, which doesn't
crash, unlike src/gpu_info_util/SystemInfo_vulkan.cpp.
(cherry picked from commit 51d83077ffbca115265b04853e244179713c6518)
It's worth thinking about setting -DDESKTOP_APP_USE_PACKAGED_FONTS=OFF
since it's impossible to install fonts as dependencies of packages with
Nix and tdesktop's widgets are developed only with Open Sans in mind (it
has a lot of hardcoded values and wide fonts like DejaVu may
even go out of widgets' bounds)
https://github.com/NixOS/nixpkgs/pull/130827#issuecomment-885212649
(cherry picked from commit 27585b98971f8180e12592e694d38a19c072d1bf)
https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html
This update includes 8 security fixes. Google is aware of reports that
an exploit for CVE-2021-30563 exists in the wild.
CVEs:
CVE-2021-30559 CVE-2021-30541 CVE-2021-30560 CVE-2021-30561
CVE-2021-30562 CVE-2021-30563 CVE-2021-30564
(cherry picked from commit 27523cad1edbfc0afd1a562e3408b2fa913f9483)
make gtk3Support non-optional, because it hasn't been for a long time
also make gtk2 conditional on firefox older than 90, because we can get
rid of it with firefox 90, but it's still needed by the current ESR
release
(cherry picked from commit b332794adf841262958424c623c442cc8fab92e8)
Voice messages don’t work without gstreamer “base” and “good” plugins.
This change adds an override for GST_PLUGIN_SYSTEM_PATH_1_0
environment variable providing necessary dependencies.
(cherry picked from commit 20d4e8bd392ac12a9942fe6a21d2d73ed39231ea)
IPFS evolves quite fast. The network protocol is compatible, but we
don't want to force migrations on stable, so we add a new version
instead.
See #100676 for last time we did this.
(Adapted from commit d96ccfaf16c5454aaa920ff39b38c81bcf104a3a)
Add patch which fixes builds with (at least) ocaml 4.12.0, and
remove build constraint for 4.09. Necessary because unison built
with 4.09 is not compatible with unison built with 4.12, e.g. on
recent Homebrew.
(cherry picked from commit 7282b4fc0389217c60fe788cb80d10f3e80e447d)
Apologies for the pushes straight to release without PR, I will follow
the new workflow moving forward. Unfortunately my last push broke the
package in a way that was invisible locally due to the source already
being downloaded... A perfect example of why we should let ofborg
build!
server.py tries to launch a matrix_sso_helper binary when connecting to
a homeserver that uses some SSO mechanism instead of plain login and
password, but doesn't have $out/bin in $PATH.
Using substituteInPlace to patch server.py so that the helper process is
started by using its actual filesystem location instead of relying on
$PATH.
Fixes: https://github.com/NixOS/nixpkgs/issues/124186
(cherry picked from commit f7ccc5f35d0e1fe11a7e01e3dddd1ff28566ba1d)
Firefox 81 introduced a new print dialog. Under NixOS, this dialog
offers only "Save as PDF" as the destination. To print to a real
printer, one has to click "Print using the system dialog" and print
from there. This is not only one unnecessary extra click, but the
system dialog also does not offer preview.
With this commit, Firefox starts offering real printers in its
printing dialog, removing the above mentioned deficiencies.
CUPS is needed because Firefox uses dlopen() to load libcups.so.2 at
runtime. See
https://searchfox.org/mozilla-central/rev/b52cf6bbe214bd9d93ed9333d0403f7d556ad7c8/widget/nsCUPSShim.cpp#28
(cherry picked from commit 5102a1247103e7f23fdad9710f1887807b31e37f)
This executable is required to fix a startup error:
[990:990:0609/092114.482805:FATAL:double_fork_and_exec.cc(131)] execv /nix/store/k02xhxzn6sn2cihaal68wwsyk8cg9pkg-chromium-unwrapped-93.0.4535.3/libexec/chromium/crashpad_handler: No such file or directory (2)
Unfortunately Chromium M93 still segfaults in the VM test:
machine # [0610/100626.225850:ERROR:process_memory_range.cc(75)] read out of range
machine # [0610/100626.227312:ERROR:file_io_posix.cc(144)] open /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq: No such file or directory (2)
machine # [0610/100626.240410:ERROR:file_io_posix.cc(144)] open /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq: No such file or directory (2)
machine # [ 19.810981] systemd-coredump[1015]: Process 987 (chromium) of user 1000 dumped core.
(cherry picked from commit 1d6a0d3cf24f2edcf6755fd4db1901f9e1db1ac6)
https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html
This update includes 14 security fixes. Google is aware that an exploit
for CVE-2021-30551 exists in the wild.
CVEs:
CVE-2021-30544 CVE-2021-30545 CVE-2021-30546 CVE-2021-30547
CVE-2021-30548 CVE-2021-30549 CVE-2021-30550 CVE-2021-30551
CVE-2021-30552 CVE-2021-30553
(cherry picked from commit 053f1dc49028f8f438506b187739d80d83984c16)
The build was failing with:
clang++: error: unknown argument: '-fsanitize-ignorelist=../../tools/cfi/ignores.txt'
(cherry picked from commit 950b321244d541e3c4d05bb163912d53c6c063df)
Quickfix to allow firefox to recognize certificates as trusted by
Mozilla.
Related: #126065
(cherry picked from commit 42e25d855fa959b7832fbdbc0a384294460d9258)
Fixes https://nvd.nist.gov/vuln/detail/CVE-2021-33896.
The current 9acb54df9254609f2fe4de83c9047d408412de28 patch landed in
dino as 4592b72dfa324d8a4b9f8c25b359110889b2206c. Removing it from the
patch list.
(cherry picked from commit 70173c1519118a5ec79b8e7969b2f91c78e8c297)
In order to make the man pages accessible, the previous code used
nix-support/propagated-user-env-packages. However this file is also used to set
the PATH when the application is executed with `nix run`, thus including the
wrapped and the wrappee in the environment.
Having the wrappee enumerated first in the environment caused `firefox` to
default to the wrappee, and as such not being able to find a proper GTK. This
was a source of failures while opening a file-picker.
This change removes the code to propagate the wrappee in the environment, as the
man pages are already linked in the wrapper output.
(cherry picked from commit efef092ba59259fb2654038bbd952baca5c8bab7)
ChangeLog: 1886c8abed/CHANGELOG.md (560-beta6-2021-05-31)
Even though this isn't explicitly noted in the Changelog, this seems to
have fixed the Element integration for me.
Additionally, I added a (hacky) `xdg-open` wrapper which removes the
`GDK_BACKEND` variable to fix the XWayland integration[1]. The problem
is that if a Firefox is running with Wayland (`ferdi` is running under
X11) and `GDK_BACKEND=x11` is passed to the `xdg-open` (and thus
`firefox`) process, Firefox refuses to start since another instance of
it is running under Wayland (but attempts to start in X11 mode because of
`GDK_BACKEND=x11`).
[1] https://github.com/electron/electron/issues/28436
(cherry picked from commit cd4ad7d2fee90fc3afb9f3f3957a7289f02f89dc)
Rambox hasn't had a stable release in a while and an increasing number
of issues which is why I don't intend to use this anymore.
While taking a closer look at the source I also realized that it uses
Electron 7.2.4[1]. This is not only EOLed[2], it also contains a few
security vulnerabilities which is why I decided to mark it as insecure.
A few (most likely not all) vulnerabilities can be found by looking at
the Electron 7 changelog[3]: after 7.2.4 there were a few more releases
with security backports - mostly from Chromium. Security issues that
were found later on (and are probably exploitable on the dependency
chain of rambox) aren't listed here. I only added two issues that seemed
applicable to `rambox`, but I haven't researched enough to check the
other ones.
[1] https://github.com/ramboxapp/community-edition/blob/0.7.7/package.json#L70
[2] https://www.electronjs.org/docs/tutorial/support#currently-supported-versions
[3] https://www.electronjs.org/releases/stable?version=7
(cherry picked from commit e2a15cd395f1e137c680d22f83cd195caf3d6c14)
The patch proved to be an incomplete solution while developing
nixosTests.podman-dnsname
(cherry picked from commit 651777934941480a36f7df9c434e6044957d045d)