# Chromium, built from the upstream source tarball selected by `channel` in
# ./sources.nix.  The first group are unconditional build dependencies; the
# remaining ones default to null and are only needed when the matching
# *Support / enable* switch below is turned on.
{ stdenv, fetchurl, makeWrapper, ninja, which

# default dependencies
, bzip2, flac, speex, icu, libopus
, libevent, expat, libjpeg, snappy
, libpng, libxml2, libxslt, v8
, xdg_utils, yasm, zlib
, libusb1, libexif, pciutils
, python, pythonPackages, perl, pkgconfig
, nspr, udev, krb5
, utillinux, alsaLib
, gcc, bison, gperf
, glib, gtk, dbus_glib
, libXScrnSaver, libXcursor, libXtst, mesa
, protobuf, speechd, libXdamage

# optional dependencies
, libgcrypt ? null # gnomeSupport || cupsSupport

# package customization
# Key looked up in ./sources.nix; that entry supplies version, url and sha256.
, channel ? "stable"
# When enabled, the `selinux` gyp variable is set and the chrome_sandbox
# ninja target is left out of the build (see buildPhase).
, enableSELinux ? false, libselinux ? null
# Native Client stays disabled unless requested (gyp: disable_nacl).
, enableNaCl ? false
# Select OpenSSL instead of NSS (gyp: use_openssl / use_system_ssl).  The
# nixpkgs openssl patches are then also applied to the copy bundled under
# third_party/ — see the source derivation's postPatch.
, useOpenSSL ? false, nss ? null, openssl ? null
, gnomeSupport ? false, gconf ? null
, gnomeKeyringSupport ? false, libgnome_keyring3 ? null
# H.264 support via the "Chrome" ffmpeg branding; enabled by default.
, proprietaryCodecs ? true
, cupsSupport ? false
, pulseSupport ? false, pulseaudio ? null
}:
with stdenv.lib;
let
# Pre-processed Chromium source tree, split into four outputs that the main
# derivation (and ./sandbox.nix) copy back together: `main` (browser
# sources), `sandbox`, `bundled` (third_party/) and `out` (build/, tools/).
# The tarball is pinned by the sha256 from ./sources.nix for the chosen
# channel; `version`, `url` and `sha256` come from that attribute set.
src = with getAttr channel (import ./sources.nix); stdenv.mkDerivation {
  name = "chromium-source-${version}";

  src = fetchurl {
    inherit url sha256;
  };

  buildInputs = [ python ]; # cannot patch shebangs otherwise

  # No configure/build: unpack, patch, then sort the tree into the outputs.
  phases = [ "unpackPhase" "patchPhase" "installPhase" ];

  # Patches carried by the nixpkgs openssl package; applied to the bundled
  # OpenSSL copy below when useOpenSSL is set (otherwise an empty list).
  opensslPatches = optional useOpenSSL openssl.patches;

  prePatch = "patchShebangs .";

  # User-namespace sandbox support for the zygote; see the patch file itself.
  patches = singleton ./sandbox_userns_31.patch;

  # Adjustments to the gyp files and helper scripts:
  #  - rewrite -fstack-protector(-all) to -fno-stack-protector, i.e. the
  #    stack-protector hardening Chromium's gyp files request is dropped for
  #    this build.  NOTE(review): the reason is not recorded here (presumably
  #    a toolchain/libc issue at the time) — worth re-checking whether the
  #    flag can be kept.
  #  - drop absolute /bin/echo and /usr/bin/gcc paths, which do not exist in
  #    the Nix build sandbox
  #  - blank the python_arch value so the one passed via gypFlags wins
  #  - remove the RunGN block and (34+) the depot_tools import from
  #    build/gyp_chromium, neither of which is available here
  postPatch = ''
    sed -i -r \
      -e 's/-f(stack-protector)(-all)?/-fno-\1/' \
      -e 's|/bin/echo|echo|' \
      -e "/python_arch/s/: *'[^']*'/: '""'/" \
      build/common.gypi chrome/chrome_tests.gypi
    sed -i '/not RunGN/,+1d' build/gyp_chromium
    sed -i -e 's|/usr/bin/gcc|gcc|' \
      third_party/WebKit/Source/build/scripts/scripts.gypi \
      third_party/WebKit/Source/build/scripts/preprocessor.pm
  ''
  # The bundled OpenSSL only receives fixes through these patches and through
  # Chromium version bumps, not through nixpkgs' openssl updates.
  + optionalString useOpenSSL ''
    cat $opensslPatches | patch -p1 -d third_party/openssl/openssl
  '' + optionalString (!versionOlder version "34.0.0.0") ''
    sed -i '/import.*depot/d' build/gyp_chromium
  '';

  outputs = [ "out" "sandbox" "bundled" "main" ];

  # Distribute the tree over the outputs.  `header`/`stopNest` are stdenv's
  # nested-log helpers.  Top-level dotfiles are skipped for `main`; the
  # sandbox/, third_party/, build/ and tools/ directories each go elsewhere.
  installPhase = ''
    ensureDir "$out" "$sandbox" "$bundled" "$main"

    header "copying browser main sources to $main"
    find . -mindepth 1 -maxdepth 1 \
      \! -path ./sandbox \
      \! -path ./third_party \
      \! -path ./build \
      \! -path ./tools \
      \! -name '.*' \
      -print | xargs cp -rt "$main"
    stopNest

    header "copying sandbox components to $sandbox"
    cp -rt "$sandbox" sandbox/*
    stopNest

    header "copying third party sources to $bundled"
    cp -rt "$bundled" third_party/*
    stopNest

    header "copying build requisites to $out"
    cp -rt "$out" build tools
    stopNest

    rm -rf "$out/tools/gyp" # XXX: Don't even copy it in the first place.
  '';

  # Expose the channel's version to the main derivation (`src.version`).
  passthru = {
    inherit version;
  };
};
|
2012-06-15 10:23:33 +02:00
|
|
|
|
2012-09-19 19:56:56 +02:00
|
|
|
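# Render an attribute set of gyp variables as "-Dkey=value" flags joined by
# single spaces, in attribute-name order (the order attrValues yields).
#
# Booleans become "1"/"0" (what gyp's feature switches expect), integers are
# rendered with toString, and any other value is interpolated as a string, so
# strings and paths behave as before.  Anything else is still a Nix
# evaluation error, which is preferable to silently passing a broken flag
# into the build.
mkGypFlags =
  let
    sanitize = value:
      if value == true then "1"
      else if value == false then "0"
      else if builtins.isInt value then toString value
      else "${value}";
    toFlag = key: value: "-D${key}=${sanitize value}";
  in attrs: concatStringsSep " " (attrValues (mapAttrs toFlag attrs));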
|
2011-09-11 22:48:02 +02:00
|
|
|
|
2012-06-19 06:56:50 +02:00
|
|
|
# gyp switches choosing between the libraries packaged in nixpkgs and the
# copies Chromium bundles under third_party/.  A bundled copy only changes
# when the Chromium source itself is bumped, so every `false` below names a
# library whose fixes do not arrive through the normal nixpkgs update path;
# the reason it is still bundled is given next to it.
gypFlagsUseSystemLibs = {
  # taken from nixpkgs (see defaultDependencies)
  use_system_bzip2 = true;
  use_system_flac = true;
  use_system_libevent = true;
  use_system_libexif = true;
  use_system_libexpat = true;
  use_system_libjpeg = true;
  use_system_libxml = true;
  use_system_opus = true;
  use_system_protobuf = true;
  use_system_snappy = true;
  use_system_speex = true;
  use_system_stlport = true;
  use_system_xdg_utils = true;
  use_system_yasm = true;

  # still bundled
  use_system_harfbuzz = false;
  use_system_icu = false;     # Doesn't support ICU 52 yet.
  use_system_libpng = false;  # PNG dlopen() version conflict
  use_system_libusb = false;  # http://crbug.com/266149
  use_system_libwebp = false; # http://crbug.com/133161
  use_system_skia = false;
  use_system_sqlite = false;  # http://crbug.com/22208
  use_system_zlib = false;    # http://crbug.com/143623

  # decided by build options / source version
  use_system_ssl = useOpenSSL;
  use_system_v8 = !versionOlder src.version "34.0.0.0";
};
# Libraries from nixpkgs that are put first into buildInputs.  Most of them
# replace Chromium's bundled copies; for icu, libpng, zlib and libusb1 the
# bundled copy is still compiled in (see gypFlagsUseSystemLibs), so listing
# them here only makes them available at build time.
defaultDependencies = [
  bzip2 flac speex icu libopus
  libevent expat libjpeg snappy
  libpng libxml2 libxslt v8
  xdg_utils yasm zlib
  libusb1 libexif
];
# The sandbox helper is built by ./sandbox.nix as a separate derivation from
# the `sandbox` output of `src`; the browser refers to the resulting binary
# by its absolute store path (see sandboxPath) rather than locating it next
# to its own executable.
sandbox = import ./sandbox.nix {
  inherit stdenv;
  src = src.sandbox;
  binary = "${packageName}_sandbox";
};
# build paths and release info
packageName = "chromium";
buildType = "Release";
# ninja output directory inside the unpacked source tree
buildPath = "out/${buildType}";
# Shell string: `$out` is expanded by the build phases, not by Nix.
libExecPath = "$out/libexec/${packageName}";
# Absolute store path of the sandbox helper; patched into the browser source
# (postPatch) and passed to gyp as linux_sandbox_path.
sandboxPath = "${sandbox}/bin/${packageName}_sandbox";
in stdenv.mkDerivation rec {
  name = "${packageName}-${src.version}";

  inherit packageName src;

  buildInputs = defaultDependencies ++ [
    which makeWrapper
    python perl pkgconfig
    nspr udev
    (if useOpenSSL then openssl else nss)
    utillinux alsaLib
    gcc bison gperf krb5
    glib gtk dbus_glib
    libXScrnSaver libXcursor libXtst mesa
    pciutils protobuf speechd libXdamage
    pythonPackages.gyp
  ] ++ optional gnomeKeyringSupport libgnome_keyring3
    ++ optionals gnomeSupport [ gconf libgcrypt ]
    ++ optional enableSELinux libselinux
    ++ optional cupsSupport libgcrypt
    ++ optional pulseSupport pulseaudio;

  # Reassemble the source tree from the outputs of `src`.  The copied files
  # keep the (read-only) modes of the store paths, hence the chmod at the end.
  prePatch = ''
    # XXX: Figure out a way how to split these properly.
    #cpflags="-dsr --no-preserve=mode"
    cpflags="-dr"
    cp $cpflags "${src.main}"/* .
    cp $cpflags "${src.bundled}" third_party
    cp $cpflags "${src.sandbox}" sandbox
    chmod -R u+w . # XXX!
  '';

  # Replace the block that derives the sandbox binary path from the browser's
  # own directory (starting at `base::FilePath exe_dir` and ending at the
  # next line that is only a closing brace) with the fixed store path of the
  # sandbox helper.  NOTE(review): the `^ *} *$` end anchor is a fragile match
  # against upstream source layout; a version bump can silently change how
  # much gets replaced.
  postPatch = ''
    sed -i -e '/base::FilePath exe_dir/,/^ *} *$/c \
      sandbox_binary = \
        base::FilePath("'"${sandboxPath}"'");
    ' content/browser/browser_main_loop.cc
  '';

  # All -D variables handed to gyp, rendered by mkGypFlags.  Later attribute
  # sets in the `//` chain override earlier ones.
  gypFlags = mkGypFlags (gypFlagsUseSystemLibs // {
    linux_use_gold_binary = false;
    linux_use_gold_flags = false;
    proprietary_codecs = false;
    use_gnome_keyring = gnomeKeyringSupport;
    use_gconf = gnomeSupport;
    use_gio = gnomeSupport;
    use_pulseaudio = pulseSupport;
    disable_nacl = !enableNaCl;
    use_openssl = useOpenSSL;
    selinux = enableSELinux;
    use_cups = cupsSupport;
    # Store paths of the sandbox helper and of the browser binary it launches.
    linux_sandbox_path="${sandboxPath}";
    linux_sandbox_chrome_path="${libExecPath}/${packageName}";
    # Empty string: compiler warnings are not turned into errors.
    werror = "";

    # Google API keys, see http://www.chromium.org/developers/how-tos/api-keys.
    # Note: These are for NixOS/nixpkgs use ONLY. For your own distribution,
    # please get your own set of keys.
    # NOTE(review): these values are public by virtue of living in this file
    # and are presumably compiled into the browser; treat them as
    # nixpkgs-specific identifiers, not as reusable credentials.
    google_api_key = "AIzaSyDGi15Zwl11UNe6Y-5XW_upsfyw31qwZPI";
    google_default_client_id = "404761575300.apps.googleusercontent.com";
    google_default_client_secret = "9rIFQjfnkykEmqb6FfjJQD1D";

  } // optionalAttrs proprietaryCodecs {
    # enable support for the H.264 codec
    proprietary_codecs = true;
    ffmpeg_branding = "Chrome";
  } // optionalAttrs (stdenv.system == "x86_64-linux") {
    target_arch = "x64";
    python_arch = "x86-64";
  } // optionalAttrs (stdenv.system == "i686-linux") {
    target_arch = "ia32";
    python_arch = "ia32";
  });

  # Point the gyp files at the system libraries selected above, then generate
  # the ninja build files.
  configurePhase = ''
    python build/linux/unbundle/replace_gyp_files.py ${gypFlags}
    python build/gyp_chromium -f ninja --depth "$(pwd)" ${gypFlags}
  '';

  # Build the browser and, unless SELinux support is enabled, the
  # chrome_sandbox target.  The chrome_sandbox binary built here is not
  # installed; the helper the browser actually uses comes from the separate
  # `sandbox` derivation (sandboxPath).
  buildPhase = let
    CC = "${gcc}/bin/gcc";
    CXX = "${gcc}/bin/g++";
  in ''
    CC="${CC}" CC_host="${CC}" \
    CXX="${CXX}" CXX_host="${CXX}" \
    LINK_host="${CXX}" \
      "${ninja}/bin/ninja" -C "${buildPath}" \
        -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES \
        chrome ${optionalString (!enableSELinux) "chrome_sandbox"}
  '';

  # Install the browser binary and its data files under libexec, a wrapper in
  # bin, the man page, and one hicolor icon per product_logo_<size>.png whose
  # size is purely numeric.  `''$` is Nix's escape for a literal `$` here.
  installPhase = ''
    ensureDir "${libExecPath}"
    cp -v "${buildPath}/"*.pak "${libExecPath}/"
    ${optionalString (!versionOlder src.version "34.0.0.0") ''
      cp -v "${buildPath}/icudtl.dat" "${libExecPath}/"
    ''}
    cp -vR "${buildPath}/locales" "${buildPath}/resources" "${libExecPath}/"
    cp -v ${buildPath}/libffmpegsumo.so "${libExecPath}/"

    cp -v "${buildPath}/chrome" "${libExecPath}/${packageName}"

    mkdir -vp "$out/bin"
    makeWrapper "${libExecPath}/${packageName}" "$out/bin/${packageName}"

    mkdir -vp "$out/share/man/man1"
    cp -v "${buildPath}/chrome.1" "$out/share/man/man1/${packageName}.1"

    for icon_file in chrome/app/theme/chromium/product_logo_*[0-9].png; do
      num_and_suffix="''${icon_file##*logo_}"
      icon_size="''${num_and_suffix%.*}"
      expr "$icon_size" : "^[0-9][0-9]*$" || continue
      logo_output_prefix="$out/share/icons/hicolor"
      logo_output_path="$logo_output_prefix/''${icon_size}x''${icon_size}/apps"
      mkdir -vp "$logo_output_path"
      cp -v "$icon_file" "$logo_output_path/${packageName}.png"
    done
  '';

  # Expose the sandbox helper derivation to consumers of this package.
  passthru = {
    inherit sandbox;
  };

  meta = {
    description = "An open source web browser from Google";
    homepage = http://www.chromium.org/;
    maintainers = with maintainers; [ goibhniu chaoflow aszlig wizeman ];
    license = licenses.bsd3;
    platforms = platforms.linux;
  };
}