[Backport release-24.05] chromium: fetch src, {ungoogled-,}chromium,chromedriver: 130.0.6723.116 -> 131.0.6778.85, chromedriver: build from source #357925

Merged

@emilylange emilylange commented Nov 21, 2024

Partial backports of a few PRs that are needed for #357371 and #357691:

We need the new fetch from source to get chromium M131; chromedriver and chromium major versions must stay in sync.
Chromium releases roughly once a week, so if we don't do it this way, chromedriver will be rendered incompatible, or we have to flag everything as insecure, or the next few weeks until 24.05 is EOL will be a pain to backport.

This shouldn't cause any breakage.

nixpkgs-review will be posted below as usual.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@emilylange emilylange added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Nov 21, 2024
@emilylange emilylange force-pushed the backport-357371-to-release-24.05 branch from 59721b7 to 71c3d9a Compare November 21, 2024 19:35
@emilylange emilylange marked this pull request as draft November 21, 2024 19:43
@emilylange emilylange force-pushed the backport-357371-to-release-24.05 branch from 71c3d9a to 40a4201 Compare November 21, 2024 20:12
@ofborg ofborg bot added ofborg-internal-error Ofborg encountered an error 8.has: clean-up 8.has: package (new) This PR adds a new package labels Nov 22, 2024
@ofborg ofborg bot requested a review from networkException November 22, 2024 11:26
@ofborg ofborg bot added 11.by: package-maintainer This PR was created by the maintainer of the package it changes 10.rebuild-darwin: 1-10 10.rebuild-linux: 11-100 labels Nov 22, 2024
alyssais and others added 6 commits November 23, 2024 19:17
I'm pretty sure this was a mistake — in Nixpkgs the target platform is
the platform that the program being built should output executables
for — i.e., it's only relevant for a compiler, which Chromium is not.

Tested that cross-compilation of Electron still works.

(cherry picked from commit a269b98)

Just like with Firefox, we need to make sure there's only a single
version of LLVM involved in building Chromium, or we get errors like
this:

	ld.lld: error: Invalid record (Producer: 'LLVM18.1.7' Reader: 'LLVM 17.0.6')

Fixes: 23d4f83 ("cargo,clippy,rustc,rustfmt: 1.77.2 -> 1.78.0")
(cherry picked from commit a717626)
(cherry picked from commit 9a95b60)

Darwin seems to need `unzip` and chokes on `autoPatchelfHook`. Because
linux now builds from source, the package has been updated to remove
references to Linux-specific settings and build options, remove the
conditionals checking for darwin, and adjust the platforms to reflect
that the binary chromedriver is darwin-only.

Fixes NixOS#329202

(cherry picked from commit dc96961)
@emilylange emilylange force-pushed the backport-357371-to-release-24.05 branch from 40a4201 to 4b07d0b Compare November 23, 2024 18:34
@emilylange emilylange marked this pull request as ready for review November 23, 2024 19:31
emilylange and others added 9 commits November 23, 2024 21:19
chromium expects nightly/bleeding edge rustc features which we enable in
our stable rustc release by setting RUSTC_BOOTSTRAP=1.

The default rustc in 24.05 however is too old even with that workaround,
but thankfully we also have 1.80 as opt-in. So we use that.

This is slightly closer to the rustc version we have in unstable (1.82)
and unbreaks building the upcoming M131.

Previously: bad7d0f
(cherry picked from commit d3a139b)

This is no longer used as we only differentiate between stable and
ungoogled-chromium, which we already track in the "ungoogled" boolean.

Beta and dev channels are gone for good.
It's been a year since their removal in 59719f7.

There is, however, an additional channel mapping in nixos/tests/chromium
but that one is independent from this one here.

(cherry picked from commit ebb40bd)

This builds upon Yureka's work to build electron from source.
A lot of the newly introduced changes to the chromium derivation and
update script are 1-to-1 copies or slight derivatives of that work.

Especially the newly added depot_tools.py to resolve the DEPS files does
most of the heavy lifting and is an ever so slightly modified version of
that section Yureka implemented in electron's update.py.

Some coordination between the chromium and electron maintainers should
allow us to deduplicate a lot of the duplicated code fairly easily in
the future.

That just wasn't a goal with this commit, due to time constraints and
the urgency to switch away from the release tarballs.

Instead of taking just a few hours for a tarball to be available for
download after a release, it now takes multiple days at least.

At the time of writing, roughly a week after M131 was released, the
tarball is still not available. It's unclear if it will ever be.

The reason for this is CI issues on Google's side.

Note that virtually every release contains some security critical fixes.

Also note that this commit is written with a lot of conditionals so the
electron derivation doesn't change (just yet).

The new update.mjs update script is still very much work-in-progress but
gets the job done.

Co-Authored-By: Yureka <yuka@yuka.dev>
(cherry picked from commit 8dd2f1a)

This patch extends the caching mechanism of the chromium
update scripts to use cached dependencies of all attributes
in the lockfile.

When updating ungoogled-chromium for example, the update script
will now use cached dependencies from vanilla chromium, usually
meaning that no additional fetching has to be done.

(cherry picked from commit 68d5161)
@emilylange emilylange force-pushed the backport-357371-to-release-24.05 branch from 4b07d0b to 2a396b1 Compare November 23, 2024 20:20
@emilylange

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 357925


x86_64-linux

⏩ 1 package marked as broken and skipped:
  • itch
❌ 1 package failed to build:
  • single-file-cli
✅ 87 packages built:
  • affine
  • antares
  • aws-azure-login
  • bilibili
  • bitwarden-desktop
  • bitwarden-directory-connector
  • blockbench
  • breitbandmessung
  • bruno
  • camunda-modeler
  • chatd
  • chromedriver
  • chromium
  • chromium.sandbox
  • drawio
  • drawio-headless
  • electron
  • electron_32
  • electron_33
  • element-desktop
  • element-desktop-wayland
  • fast-cli
  • fcast-receiver
  • feishin
  • freetube
  • geogebra6
  • grafana-kiosk
  • headset
  • heroic
  • heroic-unwrapped
  • jitsi-meet-electron
  • koodo-reader
  • mattermost-desktop
  • mermaid-cli
  • mermaid-filter
  • morgen
  • nix-tour
  • obsidian
  • open-stage-control
  • pandoc-drawio-filter
  • pandoc-drawio-filter.dist
  • percollate
  • playwright-test
  • podman-desktop
  • pritunl-client
  • protonmail-desktop
  • puppeteer-cli
  • python311Packages.mkdocs-drawio-exporter
  • python311Packages.mkdocs-drawio-exporter.dist
  • python311Packages.pytest-playwright
  • python311Packages.pytest-playwright.dist
  • python312Packages.mkdocs-drawio-exporter
  • python312Packages.mkdocs-drawio-exporter.dist
  • python312Packages.pytest-playwright
  • python312Packages.pytest-playwright.dist
  • r2modman
  • redisinsight
  • revolt-desktop
  • ride
  • selendroid
  • selenium-server-standalone
  • sharedown
  • sitespeed-io
  • siyuan
  • standardnotes
  • stretchly
  • super-productivity
  • teams-for-linux
  • terra-station
  • tetrio-desktop
  • thedesk
  • threema-desktop
  • uhk-agent
  • uhk-udev-rules
  • uivonim
  • ungoogled-chromium
  • ungoogled-chromium.sandbox
  • vesktop
  • vhs
  • vieb
  • wayback
  • webcord
  • webcord-vencord
  • webtorrent_desktop
  • youtube-music
  • ytdownloader
  • ytmdesktop

single-file-cli is failing because our version strings don't quite match upstream. This is something I was aware of; I just didn't expect something to rely on it that badly.

Relevant build/test error logs:

~~~
single-file-core/vendor/zip/zip.min.js → lib/single-file-zip.min.js...
created lib/single-file-zip.min.js in 5.8s
patching script interpreter paths in ./single-file
./single-file: interpreter directive changed from "#!/usr/bin/env node" to "/nix/store/if6aqyl3sl0hz14a12mndj35swb1mcwi-nodejs-20.17.0/bin/node"
Finished npmBuildHook
buildPhase completed in 54 seconds
Running phase: checkPhase
Serving HTTP on 127.0.0.1 port 8000 (http://127.0.0.1:8000/) ...
session not created
from unknown error: unrecognized Blink revision: 131.0.6778.85 URL: http://127.0.0.1:8000
Stack: SessionNotCreatedError: session not created
from unknown error: unrecognized Blink revision: 131.0.6778.85
    at Object.throwDecodedError (/build/source/node_modules/selenium-webdriver/lib/error.js:524:15)
    at parseHttpResponse (/build/source/node_modules/selenium-webdriver/lib/http.js:601:13)
    at Executor.execute (/build/source/node_modules/selenium-webdriver/lib/http.js:529:28)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)

node:internal/process/promises:391
    triggerUncaughtException(err, true /* fromPromise */);
    ^

SessionNotCreatedError: session not created
from unknown error: unrecognized Blink revision: 131.0.6778.85
    at Object.throwDecodedError (/build/source/node_modules/selenium-webdriver/lib/error.js:524:15)
    at parseHttpResponse (/build/source/node_modules/selenium-webdriver/lib/http.js:601:13)
    at Executor.execute (/build/source/node_modules/selenium-webdriver/lib/http.js:529:28)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
  remoteStacktrace: '#0 0x5555560e262e base::debug::StackTrace::StackTrace()\n' +
    '#1 0x555555be9cf1 Status::Status()\n' +
    '#2 0x555555bbe4f7 BrowserInfo::ParseBlinkVersionString()\n' +
    '#3 0x555555bbe234 BrowserInfo::ParseBrowserInfo()\n' +
    '#4 0x555555bbdd77 BrowserInfo::ParseBrowserInfo()\n' +
    '#5 0x555555bd7842 DevToolsHttpClient::Init()\n' +
    '#6 0x555555c231d7 (anonymous namespace)::WaitForDevToolsAndCheckVersion()\n' +
    '#7 0x555555c1f1c2 (anonymous namespace)::LaunchDesktopChrome()\n' +
    '#8 0x555555c19bc3 LaunchChrome()\n' +
    '#9 0x555555c64b0c (anonymous namespace)::InitSessionHelper()\n' +
    '#10 0x555555c64136 ExecuteInitSession()\n' +
    '#11 0x555555c57b13 base::internal::Invoker<>::Run()\n' +
    '#12 0x555555c2741d _ZN12_GLOBAL__N_136ExecuteSessionCommandOnSessionThreadEPKcRKNSt4__Cr12basic_stringIcNS2_11char_traitsIcEENS2_9allocatorIcEEEERKN4base17RepeatingCallbackIF6StatusP7SessionRKNSB_5Value4DictE
PNS2_10unique_ptrISG_NS2_14default_deleteISG_EEEEEEEbbSJ_13scoped_refptrINSB_22SingleThreadTaskRunnerEERKNSC_IFvRKSD_SN_SA_bEEERKNSC_IFvvEEE.00738819ce408aa52811629e05e5035a\n' +
    '#13 0x555555c2813e base::internal::Invoker<>::RunOnce()\n' +
    '#14 0x5555560b6e31 base::TaskAnnotator::RunTaskImpl()\n' +
    '#15 0x5555560ba217 base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl()\n' +
    '#16 0x5555560b9c58 base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork()\n' +
    '#17 0x5555560ba6d5 base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork()\n' +
    '#18 0x5555560a878b base::MessagePumpDefault::Run()\n' +
    '#19 0x5555560baa8e base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run()\n' +
    '#20 0x555556093475 base::RunLoop::Run()\n' +
    '#21 0x5555560d2e88 base::Thread::Run()\n' +
    '#22 0x5555560d30a6 base::Thread::ThreadMain()\n' +
    '#23 0x5555560e13ec _ZN4base12_GLOBAL__N_110ThreadFuncEPv.a67435033112019129ad5c28ddc47327\n' +
    '#24 0x7ffff7a2b272 start_thread\n'
}

Node.js v20.17.0
~~~

~~~bash
# previously, using the version embedded in the release tarball
# chromedriver --version
ChromeDriver 130.0.6723.91 (53ac076783696778ecc8f360ea31765c29c240ad-refs/branch-heads/6723@{#1517})

# now, fetching source from git
# chromedriver --version
ChromeDriver 131.0.6778.85 (131.0.6778.85-refs/heads/master@{#0})
~~~

~~~bash
echo 'LASTCHANGE=${upstream-info.DEPS."src".rev}-refs/heads/master@{#0}' > build/util/LASTCHANGE
~~~

https://chromium.googlesource.com/chromium/src/+/131.0.6778.85/chrome/test/chromedriver/chrome/browser_info.cc#189

We did not encounter that issue in nixos-unstable nor release-24.11 because of 0a5e4d1.

We could cherry-pick that, but given the reason the commit was made no longer applies anyway, we should probably just fix the version embedding, e.g. by writing the true sha rev instead of a tag ref.

This allows us to match the version the binaries use more closely.

For example, chromedriver darwin (binary) reports the following:

~~~bash
chromedriver --version
ChromeDriver 131.0.6778.85 (3d81e41b6f3ac8bcae63b32e8145c9eb0cd60a2d-refs/branch-heads/6778@{NixOS#2285})
~~~

while on Linux, where we build chromedriver based on the chromium
derivation from source and control the string ourselves:

~~~bash
chromedriver --version
ChromeDriver 131.0.6778.85 (131.0.6778.85-refs/heads/master@{#0})
~~~

With this commit, the version string now reports:

~~~bash
chromedriver --version
ChromeDriver 131.0.6778.85 (3d81e41b6f3ac8bcae63b32e8145c9eb0cd60a2d-refs/tags/131.0.6778.85@{#0})
~~~

This may seem like a small and unimportant detail, but it turns out an
internal function within chromedriver depends on the git hash.

See https://chromium.googlesource.com/chromium/src/+/131.0.6778.85/chrome/test/chromedriver/chrome/browser_info.cc#172

This caused the tests of one package (single-file-cli) that use
selenium with chromium and chromedriver to fail in 24.05.

Only in 24.05, because 24.11 and unstable removed their test dependency
on chromedriver because it wasn't available for aarch64-linux at that
time.

~~~
Running phase: checkPhase
Serving HTTP on 127.0.0.1 port 8000 (http://127.0.0.1:8000/) ...
session not created
from unknown error: unrecognized Blink revision: 131.0.6778.85 URL: http://127.0.0.1:8000
Stack: SessionNotCreatedError: session not created
from unknown error: unrecognized Blink revision: 131.0.6778.85
    at Object.throwDecodedError (/build/source/node_modules/selenium-webdriver/lib/error.js:524:15)
    at parseHttpResponse (/build/source/node_modules/selenium-webdriver/lib/http.js:601:13)
    at Executor.execute (/build/source/node_modules/selenium-webdriver/lib/http.js:529:28)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
~~~

(cherry picked from commit 2a765df)
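
A packaging check for the failure discussed above, as an added example that is not part of this pull request or of nixpkgs: it reads a `chromedriver --version` line, extracts the revision embedded from `LASTCHANGE`, and rejects it when it is not a commit hash or when chromedriver's major version differs from chromium's. The function names are hypothetical, and the 40-hex-character rule is this example's own assumption, not a statement of what chromedriver accepts.

```shell
#!/bin/sh
# Added example: validate the revision embedded in `chromedriver --version`.
# The three sample lines are the version strings quoted in this thread.
OLD_TARBALL='ChromeDriver 130.0.6723.91 (53ac076783696778ecc8f360ea31765c29c240ad-refs/branch-heads/6723@{#1517})'
BEFORE_FIX='ChromeDriver 131.0.6778.85 (131.0.6778.85-refs/heads/master@{#0})'
AFTER_FIX='ChromeDriver 131.0.6778.85 (3d81e41b6f3ac8bcae63b32e8145c9eb0cd60a2d-refs/tags/131.0.6778.85@{#0})'

# Text between "(" and "-refs/": the revision written to LASTCHANGE.
embedded_rev() {
    printf '%s\n' "$1" | sed -n 's/^ChromeDriver [0-9.]* (\([^)]*\)-refs\/.*)$/\1/p'
}

# Dotted release version that follows "ChromeDriver ".
release_version() {
    printf '%s\n' "$1" | sed -n 's/^ChromeDriver \([0-9][0-9.]*\) (.*$/\1/p'
}

# Rule assumed by this example (possibly stricter than chromedriver's own):
# the revision must be a full 40-character hexadecimal commit hash.
is_commit_hash() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# check_version_string LINE CHROMIUM_VERSION
# Prints a verdict and returns 0 only when the revision is a commit hash
# and chromedriver's major version equals chromium's.
check_version_string() {
    rev=$(embedded_rev "$1")
    ver=$(release_version "$1")
    if [ -z "$rev" ] || [ -z "$ver" ]; then
        echo "unparseable"; return 2
    fi
    if ! is_commit_hash "$rev"; then
        echo "bad-revision:$rev"; return 1
    fi
    if [ "${ver%%.*}" != "${2%%.*}" ]; then
        echo "major-mismatch:${ver%%.*}!=${2%%.*}"; return 1
    fi
    echo "ok:$rev"
}

# Demo: compare each sample against the chromium version from this PR.
for line in "$OLD_TARBALL" "$BEFORE_FIX" "$AFTER_FIX"; do
    check_version_string "$line" 131.0.6778.85 || true
done
```

Run against a freshly built package by passing the output of `chromedriver --version` as the first argument and the chromium version as the second.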
@emilylange

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 357925


x86_64-linux

⏩ 1 package marked as broken and skipped:
  • itch
✅ 88 packages built:
  • affine
  • antares
  • aws-azure-login
  • bilibili
  • bitwarden-desktop
  • bitwarden-directory-connector
  • blockbench
  • breitbandmessung
  • bruno
  • camunda-modeler
  • chatd
  • chromedriver
  • chromium
  • chromium.sandbox
  • drawio
  • drawio-headless
  • electron
  • electron_32
  • electron_33
  • element-desktop
  • element-desktop-wayland
  • fast-cli
  • fcast-receiver
  • feishin
  • freetube
  • geogebra6
  • grafana-kiosk
  • headset
  • heroic
  • heroic-unwrapped
  • jitsi-meet-electron
  • koodo-reader
  • mattermost-desktop
  • mermaid-cli
  • mermaid-filter
  • morgen
  • nix-tour
  • obsidian
  • open-stage-control
  • pandoc-drawio-filter
  • pandoc-drawio-filter.dist
  • percollate
  • playwright-test
  • podman-desktop
  • pritunl-client
  • protonmail-desktop
  • puppeteer-cli
  • python311Packages.mkdocs-drawio-exporter
  • python311Packages.mkdocs-drawio-exporter.dist
  • python311Packages.pytest-playwright
  • python311Packages.pytest-playwright.dist
  • python312Packages.mkdocs-drawio-exporter
  • python312Packages.mkdocs-drawio-exporter.dist
  • python312Packages.pytest-playwright
  • python312Packages.pytest-playwright.dist
  • r2modman
  • redisinsight
  • revolt-desktop
  • ride
  • selendroid
  • selenium-server-standalone
  • sharedown
  • single-file-cli
  • sitespeed-io
  • siyuan
  • standardnotes
  • stretchly
  • super-productivity
  • teams-for-linux
  • terra-station
  • tetrio-desktop
  • thedesk
  • threema-desktop
  • uhk-agent
  • uhk-udev-rules
  • uivonim
  • ungoogled-chromium
  • ungoogled-chromium.sandbox
  • vesktop
  • vhs
  • vieb
  • wayback
  • webcord
  • webcord-vencord
  • webtorrent_desktop
  • youtube-music
  • ytdownloader
  • ytmdesktop

@emilylange emilylange merged commit 6f6076c into NixOS:release-24.05 Nov 26, 2024
8 of 10 checks passed
@emilylange emilylange deleted the backport-357371-to-release-24.05 branch November 26, 2024 14:50
@cole-h cole-h removed the ofborg-internal-error Ofborg encountered an error label Jan 9, 2025