1 files changed, 94 insertions, 52 deletions
diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix
index df33a2bbe7571..3616189374d30 100644
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@@ -1,8 +1,8 @@
 { stdenv, lib, fetchurl, fetchpatch
 , recompressTarball
 , buildPackages
+, buildPlatform
 , pkgsBuildBuild
-, pkgsBuildTarget
 # Channel data:
 , channel, upstream-info
 # Helper functions:
@@ -12,13 +12,13 @@
 , ninja, pkg-config
 , python3, perl
 , which
-, llvmPackages_attrName
 , libuuid
 , overrideCC
 # postPatch:
 , pkgsBuildHost
 # configurePhase:
 , gnChromium
+, symlinkJoin
 
 # Build inputs:
 , libpng
@@ -114,9 +114,6 @@ let
     # "opus"
   ];
 
-  opusWithCustomModes = libopus.override {
-    withCustomModes = true;
-  };
 
   # build paths and release info
   packageName = extraAttrs.packageName or extraAttrs.name;
@@ -133,7 +130,7 @@ let
   # https://github.com/NixOS/nixpkgs/issues/142901
   buildPlatformLlvmStdenv =
     let
-      llvmPackages = pkgsBuildBuild.${llvmPackages_attrName};
+      llvmPackages = pkgsBuildBuild.rustc.llvmPackages;
     in
       overrideCC llvmPackages.stdenv
         (llvmPackages.stdenv.cc.override {
@@ -166,7 +163,7 @@ let
       ninja pkg-config
       python3WithPackages perl
       which
-      buildPackages.${llvmPackages_attrName}.bintools
+      buildPackages.rustc.llvmPackages.bintools
       bison gperf
     ];
 
@@ -175,7 +172,6 @@ let
       buildPlatformLlvmStdenv.cc
       pkg-config
       libuuid
-      (libpng.override { apngSupport = false; }) # needed for "host/generate_colors_info"
     ]
     # When cross-compiling, chromium builds a huge proportion of its
     # components for both the `buildPlatform` (which it calls
@@ -183,12 +179,39 @@ let
     # half of the dependencies are needed here.  To avoid having to
     # maintain a separate list of buildPlatform-dependencies, we
     # simply throw in the kitchen sink.
-    ++ buildInputs
-    ;
+    # ** Because of overrides, we have to copy the list as it otherwise mess with splicing **
+    ++ [
+      (buildPackages.libpng.override { apngSupport = false; })  # https://bugs.chromium.org/p/chromium/issues/detail?id=752403
+      (buildPackages.libopus.override { withCustomModes = true; })
+      bzip2 flac speex
+      libevent expat libjpeg snappy
+      libcap
+      minizip libwebp
+      libusb1 re2
+      ffmpeg libxslt libxml2
+      nasm
+      nspr nss
+      util-linux alsa-lib
+      libkrb5
+      glib gtk3 dbus-glib
+      libXScrnSaver libXcursor libXtst libxshmfence libGLU libGL
+      mesa # required for libgbm
+      pciutils protobuf speechd libXdamage at-spi2-core
+      pipewire
+      libva
+      libdrm wayland mesa.drivers libxkbcommon
+      curl
+      libepoxy
+      libffi
+      libevdev
+    ] ++ lib.optional systemdSupport systemd
+      ++ lib.optionals cupsSupport [ libgcrypt cups ]
+      ++ lib.optional pulseSupport libpulseaudio;
 
     buildInputs = [
-      (libpng.override { apngSupport = false; }) # https://bugs.chromium.org/p/chromium/issues/detail?id=752403
-      bzip2 flac speex opusWithCustomModes
+      (libpng.override { apngSupport = false; })  # https://bugs.chromium.org/p/chromium/issues/detail?id=752403
+      (libopus.override { withCustomModes = true; })
+      bzip2 flac speex
       libevent expat libjpeg snappy
       libcap
       minizip libwebp
@@ -217,8 +240,34 @@ let
       ./patches/cross-compile.patch
       # Optional patch to use SOURCE_DATE_EPOCH in compute_build_timestamp.py (should be upstreamed):
       ./patches/no-build-timestamps.patch
-      # For bundling Widevine (DRM), might be replaceable via bundle_widevine_cdm=true in gnFlags:
-      ./patches/widevine-79.patch
+    ] ++ lib.optionals (packageName == "chromium") [
+      # This patch is limited to chromium and ungoogled-chromium because electron-source sets
+      # enable_widevine to false.
+      #
+      # The patch disables the automatic Widevine download (component) that happens at runtime
+      # completely (~/.config/chromium/WidevineCdm/). This would happen if chromium encounters DRM
+      # protected content or when manually opening chrome://components.
+      #
+      # It also prevents previously downloaded Widevine blobs in that location from being loaded and
+      # used at all, while still allowing the use of our -wv wrapper. This is because those old
+      # versions are out of out our control and may be vulnerable, given we literally disable their
+      # auto updater.
+      #
+      # bundle_widevine_cdm is available as gn flag, but we cannot use it, as it expects a bunch of
+      # files Widevine files at configure/compile phase that we don't have. Changing the value of the
+      # BUNDLE_WIDEVINE_CDM build flag does work in the way we want though.
+      # We also need enable_widevine_cdm_component to be false. Unfortunately it isn't exposed as gn
+      # flag (declare_args) so we simply hardcode it to false.
+      ./patches/widevine-disable-auto-download-allow-bundle.patch
+    ] ++ lib.optionals (versionRange "125" "126") [
+      # Fix building M125 with ninja 1.12. Not needed for M126+.
+      # https://issues.chromium.org/issues/336911498
+      # https://chromium-review.googlesource.com/c/chromium/src/+/5487538
+      (githubPatch {
+        commit = "a976cb05b4024b7a6452d1541378d718cdfe33e6";
+        hash = "sha256-K2PSeJAvhGH2/Yp63/4mJ85NyqXqDDkMWY+ptrpgmOI=";
+      })
+    ] ++ [
       # Required to fix the build with a more recent wayland-protocols version
       # (we currently package 1.26 in Nixpkgs while Chromium bundles 1.21):
       # Source: https://bugs.chromium.org/p/angleproject/issues/detail?id=7582#c1
@@ -226,37 +275,23 @@ let
       # Chromium reads initial_preferences from its own executable directory
       # This patch modifies it to read /etc/chromium/initial_preferences
       ./patches/chromium-initial-prefs.patch
-    ] ++ lib.optionals (chromiumVersionAtLeast "120") [
-      # We need to revert this patch to build M120+ with LLVM 17:
+    ] ++ lib.optionals (versionRange "120" "126") [
+      # Partial revert to build M120+ with LLVM 17:
+      # https://github.com/chromium/chromium/commit/02b6456643700771597c00741937e22068b0f956
+      # https://github.com/chromium/chromium/commit/69736ffe943ff996d4a88d15eb30103a8c854e29
       ./patches/chromium-120-llvm-17.patch
-    ] ++ lib.optionals (!chromiumVersionAtLeast "119.0.6024.0") [
-      # Fix build with at-spi2-core ≥ 2.49
-      # This version is still needed for electron.
-      (githubPatch {
-        commit = "fc09363b2278893790d131c72a4ed96ec9837624";
-        hash = "sha256-l60Npgs/+0ozzuKWjwiHUUV6z59ObUjAPTfXN7eXpzw=";
-      })
-    ] ++ lib.optionals (!chromiumVersionAtLeast "121.0.6104.0") [
-      # Fix build with at-spi2-core ≥ 2.49
-      # https://chromium-review.googlesource.com/c/chromium/src/+/5001687
-      (githubPatch {
-        commit = "b9bef8e9555645fc91fab705bec697214a39dbc1";
-        hash = "sha256-CJ1v/qc8+nwaHQR9xsx08EEcuVRbyBfCZCm/G7hRY+4=";
-      })
-    ] ++ lib.optionals (chromiumVersionAtLeast "121") [
+    ] ++ lib.optionals (chromiumVersionAtLeast "126") [
+      # Rebased variant of patch right above to build M126+ with LLVM 17.
+      # staging-next will bump LLVM to 18, so we will be able to drop this soon.
+      ./patches/chromium-126-llvm-17.patch
+    ] ++ lib.optionals (versionRange "121" "126") [
       # M121 is the first version to require the new rust toolchain.
       # Partial revert of https://github.com/chromium/chromium/commit/3687976b0c6d36cf4157419a24a39f6770098d61
       # allowing us to use our rustc and our clang.
       ./patches/chromium-121-rust.patch
-    ] ++ lib.optionals (chromiumVersionAtLeast "124" && !chromiumVersionAtLeast "125") [
-      # M124 shipped with broken --ozone-platform-hint flag handling, which we rely on
-      # for our NIXOS_OZONE_WL (wayland) environment variable.
-      # See <https://issues.chromium.org/issues/329678163>.
-      # This is the commit for the fix that landed in M125, which applies clean on M124.
-      (githubPatch {
-        commit = "c7f4c58f896a651eba80ad805ebdb49d19ebdbd4";
-        hash = "sha256-6nYWT2zN+j73xAIXLdGYT2eC71vGnGfiLCB0OwT0CAI=";
-      })
+    ] ++ lib.optionals (chromiumVersionAtLeast "126") [
+      # Rebased variant of patch right above to build M126+ with our rust and our clang.
+      ./patches/chromium-126-rust.patch
     ];
 
     postPatch = ''
@@ -345,6 +380,14 @@ let
       ${ungoogler}/utils/domain_substitution.py apply -r ${ungoogler}/domain_regex.list -f ${ungoogler}/domain_substitution.list -c ./ungoogled-domsubcache.tar.gz .
     '';
 
+    llvmCcAndBintools = symlinkJoin {
+      name = "llvmCcAndBintools";
+      paths = [
+        buildPackages.rustc.llvmPackages.llvm
+        buildPackages.rustc.llvmPackages.stdenv.cc
+      ];
+    };
+
     gnFlags = mkGnFlags ({
       # Main build and toolchain settings:
       # Create an official and optimized release build (only official builds
@@ -403,25 +446,22 @@ let
       # Feature overrides:
       # Native Client support was deprecated in 2020 and support will end in June 2021:
       enable_nacl = false;
-      # Enabling the Widevine component here doesn't affect whether we can
-      # redistribute the chromium package; the Widevine component is either
-      # added later in the wrapped -wv build or downloaded from Google:
+    } // lib.optionalAttrs (packageName == "chromium") {
+      # Enabling the Widevine here doesn't affect whether we can redistribute the chromium package.
+      # Widevine in this drv is a bit more complex than just that. See Widevine patch somewhere above.
       enable_widevine = true;
+    } // {
       # Provides the enable-webrtc-pipewire-capturer flag to support Wayland screen capture:
       rtc_use_pipewire = true;
       # Disable PGO because the profile data requires a newer compiler version (LLVM 14 isn't sufficient):
       chrome_pgo_phase = 0;
-      clang_base_path = "${pkgsBuildTarget.${llvmPackages_attrName}.stdenv.cc}";
+      clang_base_path = "${llvmCcAndBintools}";
       use_qt = false;
       # To fix the build as we don't provide libffi_pic.a
       # (ld.lld: error: unable to find library -l:libffi_pic.a):
       use_system_libffi = true;
       # Use nixpkgs Rust compiler instead of the one shipped by Chromium.
       rust_sysroot_absolute = "${buildPackages.rustc}";
-      # Rust is enabled for M121+, see next section:
-      enable_rust = false;
-    } // lib.optionalAttrs (chromiumVersionAtLeast "121") {
-      # M121 the first version to actually require a functioning rust toolchain
       enable_rust = true;
       # While we technically don't need the cache-invalidation rustc_version provides, rustc_version
       # is still used in some scripts (e.g. build/rust/std/find_std_rlibs.py).
@@ -440,10 +480,12 @@ let
     } // lib.optionalAttrs ungoogled (lib.importTOML ./ungoogled-flags.toml)
     // (extraAttrs.gnFlags or {}));
 
-    # We cannot use chromiumVersionAtLeast in mkDerivation's env attrset due
-    # to infinite recursion when chromium.override is used (e.g. electron).
-    # To work aroud this, we use export in the preConfigure phase.
-    preConfigure = lib.optionalString (chromiumVersionAtLeast "121") ''
+    # TODO: Migrate this to env.RUSTC_BOOTSTRAP next mass-rebuild.
+    # Chromium expects nightly/bleeding edge rustc features to be available.
+    # Our rustc in nixpkgs follows stable, but since bootstrapping rustc requires
+    # nightly features too, we can (ab-)use RUSTC_BOOTSTRAP here as well to
+    # enable those features in our stable builds.
+    preConfigure = ''
       export RUSTC_BOOTSTRAP=1
     '';