author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2024-05-11 12:01:38 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-05-11 12:01:38 +0000 |
commit | 06a521308bdbbbf667c7ec410cb2d9b2d5a1826f (patch) | |
tree | 51bc4cb3b49d3b619a434760271b2c6f15bcfc64 /pkgs/applications/networking/browsers/chromium | |
parent | 712ddf7d0d4d252d76e51daf950583b1a14b4d86 (diff) | |
parent | 12da532fe3d9434f6e2370e8c2be437a2683fd56 (diff) |
Merge staging-next into staging
Diffstat (limited to 'pkgs/applications/networking/browsers/chromium')
4 files changed, 63 insertions, 30 deletions
diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix
index 5770456f177fa..e7597249acdb5 100644
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@@ -242,8 +242,26 @@ let
 ./patches/cross-compile.patch
 # Optional patch to use SOURCE_DATE_EPOCH in compute_build_timestamp.py (should be upstreamed):
 ./patches/no-build-timestamps.patch
- # For bundling Widevine (DRM), might be replaceable via bundle_widevine_cdm=true in gnFlags:
- ./patches/widevine-79.patch
+ ] ++ lib.optionals (packageName == "chromium") [
+ # This patch is limited to chromium and ungoogled-chromium because electron-source sets
+ # enable_widevine to false.
+ #
+ # The patch disables the automatic Widevine download (component) that happens at runtime
+ # completely (~/.config/chromium/WidevineCdm/). This would happen if chromium encounters DRM
+ # protected content or when manually opening chrome://components.
+ #
+ # It also prevents previously downloaded Widevine blobs in that location from being loaded and
+ # used at all, while still allowing the use of our -wv wrapper. This is because those old
+ # versions are out of out our control and may be vulnerable, given we literally disable their
+ # auto updater.
+ #
+ # bundle_widevine_cdm is available as gn flag, but we cannot use it, as it expects a bunch of
+ # files Widevine files at configure/compile phase that we don't have. Changing the value of the
+ # BUNDLE_WIDEVINE_CDM build flag does work in the way we want though.
+ # We also need enable_widevine_cdm_component to be false. Unfortunately it isn't exposed as gn
+ # flag (declare_args) so we simply hardcode it to false.
+ ./patches/widevine-disable-auto-download-allow-bundle.patch
+ ] ++ [
 # Required to fix the build with a more recent wayland-protocols version
 # (we currently package 1.26 in Nixpkgs while Chromium bundles 1.21):
 # Source: https://bugs.chromium.org/p/angleproject/issues/detail?id=7582#c1
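Review bot: The `packageName == "chromium"` guard is spelled out twice, around this patch entry and again around `enable_widevine = true` in the gnFlags hunk, and the two have to stay in step. If the flag were ever enabled without the patch, the upstream expression for `enable_widevine_cdm_component` would apply again and the runtime component download this change is meant to remove would presumably return. Binding the condition once in the enclosing `let`, for example `withWidevinePatch = packageName == "chromium";`, and using it at both sites removes that risk. The comment names ungoogled-chromium although the guard tests only `"chromium"`, so it should say that ungoogled builds share that packageName, if they do; it also has two slips, `out of out our control` and `a bunch of files Widevine files`. The patches list and the `let` begin and end outside the hunk.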
@@ -427,10 +445,11 @@ let
 # Feature overrides:
 # Native Client support was deprecated in 2020 and support will end in June 2021:
 enable_nacl = false;
- # Enabling the Widevine component here doesn't affect whether we can
- # redistribute the chromium package; the Widevine component is either
- # added later in the wrapped -wv build or downloaded from Google:
+ } // lib.optionalAttrs (packageName == "chromium") {
+ # Enabling the Widevine here doesn't affect whether we can redistribute the chromium package.
+ # Widevine in this drv is a bit more complex than just that. See Widevine patch somewhere above.
 enable_widevine = true;
+ } // {
 # Provides the enable-webrtc-pipewire-capturer flag to support Wayland screen capture:
 rtc_use_pipewire = true;
 # Disable PGO because the profile data requires a newer compiler version (LLVM 14 isn't sufficient):
diff --git a/pkgs/applications/networking/browsers/chromium/patches/widevine-79.patch b/pkgs/applications/networking/browsers/chromium/patches/widevine-79.patch
deleted file mode 100644
index 32f0ae2fb5e66..0000000000000
--- a/pkgs/applications/networking/browsers/chromium/patches/widevine-79.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/third_party/widevine/cdm/BUILD.gn b/third_party/widevine/cdm/BUILD.gn
-index ed0e2f5208b..5b431a030d5 100644
---- a/third_party/widevine/cdm/BUILD.gn
-+++ b/third_party/widevine/cdm/BUILD.gn
-@@ -14,7 +14,7 @@ buildflag_header("buildflags") {
-
- flags = [
- "ENABLE_WIDEVINE=$enable_widevine",
-- "BUNDLE_WIDEVINE_CDM=$bundle_widevine_cdm",
-+ "BUNDLE_WIDEVINE_CDM=true",
- "ENABLE_WIDEVINE_CDM_COMPONENT=$enable_widevine_cdm_component",
- ]
- }
diff --git a/pkgs/applications/networking/browsers/chromium/patches/widevine-disable-auto-download-allow-bundle.patch b/pkgs/applications/networking/browsers/chromium/patches/widevine-disable-auto-download-allow-bundle.patch
new file mode 100644
index 0000000000000..d4f16d26b769e
--- /dev/null
+++ b/pkgs/applications/networking/browsers/chromium/patches/widevine-disable-auto-download-allow-bundle.patch
@@ -0,0 +1,27 @@
+diff --git a/third_party/widevine/cdm/BUILD.gn b/third_party/widevine/cdm/BUILD.gn
+index 525693b6c10ab..245491e137d39 100644
+--- a/third_party/widevine/cdm/BUILD.gn
++++ b/third_party/widevine/cdm/BUILD.gn
+@@ -22,7 +22,7 @@ buildflag_header("buildflags") {
+
+ flags = [
+ "ENABLE_WIDEVINE=$enable_widevine",
+- "BUNDLE_WIDEVINE_CDM=$bundle_widevine_cdm",
++ "BUNDLE_WIDEVINE_CDM=true",
+ "ENABLE_WIDEVINE_CDM_COMPONENT=$enable_widevine_cdm_component",
+ "ENABLE_MEDIA_FOUNDATION_WIDEVINE_CDM=$enable_media_foundation_widevine_cdm",
+ ]
+diff --git a/third_party/widevine/cdm/widevine.gni b/third_party/widevine/cdm/widevine.gni
+index 58f073ca562ca..4b242c2618dfb 100644
+--- a/third_party/widevine/cdm/widevine.gni
++++ b/third_party/widevine/cdm/widevine.gni
+@@ -41,8 +41,7 @@ enable_library_widevine_cdm =
+ # Widevine CDM can be deployed as a component. Currently only supported on
+ # desktop platforms. The CDM can be bundled regardless whether
+ # it's a component. See below.
+-enable_widevine_cdm_component =
+- enable_library_widevine_cdm && (is_win || is_mac || is_linux || is_chromeos)
++enable_widevine_cdm_component = false
+
+ # Enable (Windows) Media Foundation Widevine CDM component.
+ declare_args() {
diff --git a/pkgs/applications/networking/browsers/chromium/upstream-info.nix b/pkgs/applications/networking/browsers/chromium/upstream-info.nix
index 245cdd073fc0e..9e91cd5725df0 100644
--- a/pkgs/applications/networking/browsers/chromium/upstream-info.nix
+++ b/pkgs/applications/networking/browsers/chromium/upstream-info.nix
@@ -1,11 +1,11 @@
 {
 stable = {
 chromedriver = {
- hash_darwin = "sha256-4MZwD2jgjOrBTtkjxW0XH+lZfP8wj7Z6eg7LwFziCPU=";
+ hash_darwin = "sha256-jnWmH6MzqZzzIAblvJFv5jKFJ2LILyGy+eOqb6sWmWc=";
 hash_darwin_aarch64 =
- "sha256-P9qi8rR8DW+WOT+ev2EgA93StnGrBiIHu2UbkEhS+0M=";
- hash_linux = "sha256-eudgRu3OMuTBTeX8zrm6ShgmjcsNhzaBYEAP/4n1SJk=";
- version = "124.0.6367.155";
+ "sha256-FO0kncAPj/cBwlGN2RdFGR7Bn5pKzTRlf2IQ422mm5c=";
+ hash_linux = "sha256-3khPV+WPcYHrlGNFXhmRrja2+wWsr77BVgHLbSe0IF8=";
+ version = "124.0.6367.201";
 };
 deps = {
 gn = {
@@ -15,9 +15,9 @@
 version = "2024-03-14";
 };
 };
- hash = "sha256-Qv1xYofY4Tgj+WT1a8ehOo7R52CwZz2vCK9MDSnjmsg=";
- hash_deb_amd64 = "sha256-lFG5l3K2Yo1BYbXS9bK+9gWx6JxFrPxpT+zI7dBXQ6E=";
- version = "124.0.6367.155";
+ hash = "sha256-nSI+tkJxOedMtYgtiqW37v0ZjgxxU5o/0sH9bPAchBg=";
+ hash_deb_amd64 = "sha256-RvQdpDmWRcsASh1b8M0Zg+AvZprE5qhi14shfo0WlfE=";
+ version = "124.0.6367.201";
 };
 ungoogled-chromium = {
 deps = {
@@ -28,12 +28,12 @@
 version = "2024-03-14";
 };
 ungoogled-patches = {
- hash = "sha256-RS6flauUQjd+NPqUIppwlgtjOKxJa5+OTnL4aI3gRcs=";
- rev = "124.0.6367.155-1";
+ hash = "sha256-fy4SydGRRyDhJZ7IADG54+rGWh2i+2SrSkuCglphhm8=";
+ rev = "124.0.6367.201-1";
 };
 };
- hash = "sha256-Qv1xYofY4Tgj+WT1a8ehOo7R52CwZz2vCK9MDSnjmsg=";
- hash_deb_amd64 = "sha256-lFG5l3K2Yo1BYbXS9bK+9gWx6JxFrPxpT+zI7dBXQ6E=";
- version = "124.0.6367.155";
+ hash = "sha256-nSI+tkJxOedMtYgtiqW37v0ZjgxxU5o/0sH9bPAchBg=";
+ hash_deb_amd64 = "sha256-RvQdpDmWRcsASh1b8M0Zg+AvZprE5qhi14shfo0WlfE=";
+ version = "124.0.6367.201";
 };
 } |