This release in a RC for gnupg-2.2. The main difference as far as
nixpkgs is concerned is that the binary `gpg2` is now called `gpg` and
`gpgv2` is called `gpgv`.
This update fixed all explicit use of `gpg2` and `gpgv2` across nixpkgs,
but there might be some packaged software that internally use `gpg2`
not handeled by this commit.
See http://lists.gnu.org/archive/html/info-gnu/2017-08/msg00001.html
for full release information
* pkgs: refactor needless quoting of homepage meta attribute
A lot of packages are needlessly quoting the homepage meta attribute
(about 1400, 22%), this commit refactors all of those instances.
* pkgs: Fixing some links that were wrongfully unquoted in the previous
commit
* Fixed some instances
When trying to open or save a file using the file chooser GUI, Vivaldi
would crash with the message
GLib-GIO-ERROR **: Settings schema 'org.gtk.Settings.FileChooser' is
not installed
This commit adds the GTK directory to XDG_DATA_DIRS which fixes the
crash.
The `extraPrefs` parameter is injected verbatim into the mozilla.cfg
file.
Note that the syntax is a superset of the usual prefs.js syntax. The
following procedures are of particular interest:
pref() to set a preference as if it had been toggled in about:config
defaultPref() to set the *default* value of a preference
lockPref() to set a preference & prevent further modification
clearPref() to reset a preference to its default state
Example:
```nix
tor-browser-bundle-bin.override {
extraPrefs = ''
// Increase default security level
pref("extensions.torbutton.security_slider", 2);
'';
}
```
The following errors occur when you start Chromium prior to this commit:
[2534:2534:0625/202928.673160:ERROR:gl_implementation.cc(246)] Failed to
load .../libexec/chromium/swiftshader/libGLESv2.so:
../libexec/chromium/swiftshader/libGLESv2.so: cannot open shared object
file: No such file or directory
[2534:2534:0625/202928.674434:ERROR:gpu_child_thread.cc(174)] Exiting
GPU process due to errors during initialization
While in theory we do not strictly need libGLESv2.so, in practice this
means that the GPU process isn't starting up at all which in turn leads
to crawling rendering performance on some sites.
So let's install all shared libraries in swiftshader.
I've tested this with the chromium.stable NixOS VM test and also locally
on my machine and the errors as well as the performance issues are gone.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Due to licensing costs, Vivaldi bundles a version of ffmpeg compiled
without support for the common H.264 codec. However, it is possible to
supply a custom libffmpeg.so with additional codecs. This derivation
uses the Chromium source to compile a compatible libffmpeg.so.
This approach is recommended by a Vivaldi developer, see
https://gist.github.com/ruario/bec42d156d30affef655
- Update to version 1.10.867.38-1
- Drop i386 arch. Vivaldi has suspended support for Linux 32-bit for
Vivaldi 1.10. Unfortunately, this is due to Chromium suspending support
for it and maintaining it themselves would take too much resources.
See https://forum.vivaldi.net/post/142489.
- Update dependency on gtk2 to gtk3.
- Move dependency patchelf from buildInputs to nativeBuildInputs.
This should allow us to easily add system-wide Chromium extensions via a
NixOS configuration similar to this:
{ pkgs, ... }: {
environment.pathsToLink = [ "/share/chromium/extensions" ];
environment.systemPackages = [ pkgs.my-shiny-extension ];
}
For more details about what Chromium expects within that directory, see:
https://developer.chrome.com/extensions/external_extensions
I've introduced this because of a personal desire to gain more control
about which extensions are installed and what they are able to do. All
of the extensions I use are free software, but despite that it's useful
to either easily patch them and also prevent unwanted automatic updates.
Tested this using the NixOS "chromium.stable" test on x86_64-linux.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @offlinehacker because of #21050
Also updates beta, nightly, nightlyBin, and bootstrap compilers.
Also updates the registry.
Also consolidates logic between bootstrap and nightlyBin compilers.
Also contains some miscellaneous cleanups.
Also patches firefox to build with the newer cargo
* firefox-beta-bin: 51.0b8 -> 54.0b13
* firefox-devedition-bin: init at 54.0b14
Firefox DevEdition became a new product of Mozilla and is "repackaged"
Firefox Beta with its own release channel and six weeks release cycle as
other channels. It is no longer being built on nightly basis
* updated the update.nix script to facilitata firefox-devedition-bin
* disabling automatic updates by pointing to non existing channel
* f firefoxWrapper looks for gtk3 attribute to wrap the executable gtk3 to wrap the binary with needed ``XDG_DATA_DIRS``
* lynx: Fix SSL support by letting it use pkgconfig
lynx wants both the "include" and "lib/lib*.so" paths
to be children of the path given to "--with-ssl",
which is not provided by any of the current openssl outputs.
To fix lynx so it supports SSL (and https URLs),
let it use pkgconfig to figure out where openssl's bits are.
* lynx: Always enable widec support.
somehow, the build seems to have changed with chromium 58, to not auto
download the node binary. It is needed to generate webui files and we
can substitute our own.
CVE-2017-5055: Use after free in printing. Credit to Wadih Matar
CVE-2017-5054: Heap buffer overflow in V8. Credit to Nicolas Trippar of Zimperium zLabs
CVE-2017-5052: Bad cast in Blink. Credit to JeongHoon Shin
CVE-2017-5056: Use after free in Blink. Credit to anonymous
CVE-2017-5053: Out of bounds memory access in V8. Credit to Team Sniper (Keen Lab and PC Mgr) reported through ZDI (ZDI-CAN-4587)
This patch restructures the expression and wrapper to minimize Nix store
references captured by the user's state directory.
The previous version would write lots of references to the Nix store into
the user's state directory, resulting in synchronization issues between
the Store and the local state directory. At best, this would cause TBB to
stop working when the version used to instantiate the local state was
garbage collected; at worst, a user would continue to use the old version
even after an upgrade.
To solve the issue, hard-code as much as possible at the Store side and
minimize the amount of stuff being copied into the local state dir.
Currently, only a few files generated at firefox startup and fontconfig
cache files end up capturing store paths; these files are simply removed
upon every startup. Otherwise, no capture should occur and the user
should always be using the TBB associated with the tor-browser wrapper
script.
To check for stale Store paths, do
`grep -Ero '/nix/store/[^/]+' ~/.local/share/tor-browser`
This command should *never* return any other store path than the one
associated with the current tor-browser wrapper script, even after an
update (assuming you've run tor-browser at least once after updating).
Deviations from this general rule are considered bugs from now on.
Note that no attempt has been made to support pluggable transports; they
are still broken with this patch (to be fixed in a follow-up patch).
User visible changes:
- Wrapper retains only environment variables required for TBB to work
- pulseaudioSupport can be toggled independently of mediaSupport (the
latter weakly implies the former).
- Store local state under $TBB_HOME. Defaults to $XDG_DATA_HOME/tor-browser
- Stop obnoxious first-run stuff (NoScript redirect, in particular)
- Set desktop item GenericName to Web Browser
Some minor enhancements:
- Disable Hydra builds
- Specify system -> source mapping to make it easier to
extend supported platforms.
Set MOZ_APP_LAUNCHER for firefox as per [1] (see [2] for detailed discussion).
Firefox will recognise itself across verions, skipping the 'not-the-default-browser' prompt.
Firefox will also write sane paths to the generated desktop file, should someone ever set it as default through the 'not-the-default-browser' prompt.
Also removed the unnecessary libtrick cruft.
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=611953
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=593948
There was no release for luakit in the last 5 years, so I suggest to
remove it. Also because there are alternatives for vi-like browsers.
Signed-off-by: Matthias Beyer <mail@beyermatthias.de>
requiredSystemFeatures is not a meta attribute but a derivation
attribute. So "big-parallel" was being ignored on e.g. chromium,
causing it to be built (and timing out) on slow machines.
http://hydra.nixos.org/build/45819778#tabs-buildsteps
Firefox uses a google API to perform geolocation. This API requires a
key which must be given at build time. This commit adds the key from
Chromium's derivation to Firefox.
Versions before 56 already had experimental support for Gtk 3 and since
version 56, Gtk 3 _seemed_ to become the default. Although it's now
requiring *both* Gtk 2 and Gtk3, so let's supply the dependency for now
to get it to build.
In the future however we might want to add use_gtk3 to the GN flags and
get rid of Gtk 2 completely.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Before version 54, the WideVine CDM plugin was built unconditionally and
it seems since version 54 this now is dependent upon a GYP/GN flag on
whether to include the CDM shared library or not.
Also, we now use a patch from Gentoo which should hopefully get the CDM
plugin to work properly, at least according to their bugtracker:
https://bugs.gentoo.org/show_bug.cgi?id=547630
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Overview of updated versions:
stable: 54.0.2840.71 -> 54.0.2840.90
beta: 55.0.2883.21 -> 55.0.2883.35
dev: 56.0.2897.0 -> 56.0.2906.0
This is to get our Chromium versions in par with the latest upstream
ones before merging in the GN migration changes.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
So far we had the bundled Flash player plugin that came with Chrome, but
since version 54 the Chrome package doesn't include PPAPI Flash anymore.
Instead we're going to download the PPAPI Flash plugin directly from
Adobe and try to use them for all release channels of Chromium.
Of course it would be nice if we'd have an updater for it but for now
it's important that we don't break things for people who are currently
forced to use Flash.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Seems that these libraries aren't the ones Chromium is expecting to be,
so let's switch to use the bundled version of these libraries instead.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Previously I've added the extra file common-gn.nix in addition to
common.nix, so we can possibly have a smooth transition from current
stable to the new version 54.
Unfortunately, version 53 is already EOL and we have to move to version
54 as soon as possible so we can only use GN and thus it doesn't make
sense to provide expressions for GYP anymore.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This should now be the upstream default and there also is no more flag
for GN to set it, so we'll no longer need it on our side as well.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This only uses the most basic GN flags which should represent the GYP
flags we had before. In order to get rid most of the GYP cruft, we now
have common.nix and common-gn.nix which are mostly the same, just that
the latter is only for GN builds.
The GN implementation is far from complete and currently not even
builds, so we need more work to get the beta and dev channels building.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
It seems that upstream has re-uploaded the tarball again (see
0c2683cc11).
I've verified the new hash from two different hosts.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The hash provided in commit 072917ea5d is
faulty, either because the upstream tarball has changed or because it
was wrong in the first place, no matter what happened we can't really
verify if we don't have the tarball with the old hash.
To double-check I've verified the hash against the one from Gentoo[1],
which has the following SHA256:
b46c26a9e773b2c620acd2f96d69408f14a279aefaedfefed002ecf898a1ecf2
After being converted into base 32 the hash does match with ours.
Note that I haven't tested building all Chromium channels (yet), but we
can fix upcoming issues later because right now it doesn't build anyway
because of the failing hash check.
[1]: https://gitweb.gentoo.org/repo/gentoo.git/tree/www-client/chromium/Manifest?id=2de0f5e4ffeb46a478c589b21d5bbcfd5736e57b
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes the following security problems:
- CVE-2016-5147: Universal XSS in Blink
- CVE-2016-5148: Universal XSS in Blink
- CVE-2016-5149: Script injection in extensions
- CVE-2016-5150: Use after free in Blink
- CVE-2016-5151: Use after free in PDFium
- CVE-2016-5152: Heap overflow in PDFium
- CVE-2016-5153: Use after destruction in Blink
- CVE-2016-5154: Heap overflow in PDFium
- CVE-2016-5155: Address bar spoofing
- CVE-2016-5156: Use after free in event bindings
- CVE-2016-5157: Heap overflow in PDFium
- CVE-2016-5158: Heap overflow in PDFium
- CVE-2016-5159: Heap overflow in PDFium
- CVE-2016-5160: Extensions web accessible resources bypass
- CVE-2016-5161: Type confusion in Blink.
- CVE-2016-5162: Extensions web accessible resources bypass
- CVE-2016-5163: Address bar spoofing
- CVE-2016-5164: Universal XSS using DevTools
- CVE-2016-5165: Script injection in DevTools
- CVE-2016-5166: SMB Relay Attack via Save Page As
- CVE-2016-5167: Various fixes from internal audits, fuzzing and other initiatives
This moves libsystemd.so and libudev.so into systemd.lib, and gets rid
of libudev (which just contained a copy of libudev.so and the udev
headers). It thus reduces the closure size of all packages that
(indirectly) depend on libsystemd, of which there are quite a few (for
instance, PulseAudio and dbus). For example, it reduces the closure of
Blender from 430.8 to 400.8 MiB.
I really wanted it to substitute the html5 player, or at least the direct
player for mp4/webm files in firefox, but I couldn't make it work. The
formats recognized by the firefox internal player were used in all cases. The
plugin worked for formats unknown by firefox.
https://support.mozilla.org/ca/questions/1089501
Nevertheless, as I wrote the nix recipe, I commit it. It may be of interest to
someone else.
taku0
koenigmaximilian
Frederik Rietdijk
Lukas Werling
Robin Gloster
Lancelot SIX
Herwig Hochleitner
Jörg Thalheim
Tim Steinbach
Joachim Fasting
Jan Tojnar
mimadrid
Silvan Mosberger
Tim Steinbach
Franz Pletz
Nicolas B. Pierron
Graham Christensen
Joachim F
239
Victor Calvert
Vladimír Čunát
Linus Heckemann
David McFarland
Nicolas Truessel
aszlig
John Ericson
Rok Garbas
Thomas Tuegel
romildo
Domen Kožar
Charles Strahan
Volth
Daiderd Jordan
Anders Papitto
SLNOS
Will Dietz
spamntaters
Benjamin Staffin
Jan Malakhovski
Tuomas Tynkkynen
Nikolay Amiantov
Frederik Rietdijk
Michael Raskin
José Luis Lafuente
Eelco Dolstra
Lengyel Balázs
Benjamin Smith
Eelco Dolstra
rnhmjoj
Kamil Chmielewski
Nick Hu
taku0
Nick Novitski
Guillaume Maudoux
ndowens
Bjørn Forsman
Matthias Beyer
Thomas Tuegel
Demin Dmitriy
Peter Hoeg
Parnell Springmeyer
Matthew Maurer
Thomas Tuegel
Alexey Shmalko
Robert Helgesson
zimbatm
Gábor Lehel
Shea Levy
Guillaume Koenig
Ricardo M. Correia
Stefan Götz
Eric Sagnes
Jörg Thalheim
Hoang Xuan Phu
Kranium Gikos Mendoza
Aneesh Agrawal
Profpatsch
Mike Cooper
Lancelot SIX
Kirill Boltaev
obadz
Lluís Batlle i Rossell
Ram Kromberg