chromium: 77.0.3865.90 -> 77.0.3865.120

CVE-2019-13693 CVE-2019-13694 CVE-2019-13695 CVE-2019-13696
CVE-2019-13697

Disable jumbo mode because upstream dropped support for it.
(See chromium-dev "We're removing support for the jumbo build")

This makes builds take about 3x as long, but we have no alternative.

pkgs/applications/networking/browsers/chromium/common.nix

@@ -96,18 +96,9 @@ let
   buildPath = "out/${buildType}";
   libExecPath = "$out/libexec/${packageName}";
 
-  versionRange = min-version: upto-version:
-    let inherit (upstream-info) version;
-        result = versionAtLeast version min-version && versionOlder version upto-version;
-        stable-version = (import ./upstream-info.nix).stable.version;
-    in if versionAtLeast stable-version upto-version
-       then warn "chromium: stable version ${stable-version} is newer than a patchset bounded at ${upto-version}. You can safely delete it."
-            result
-       else result;
-
   base = rec {
     name = "${packageName}-unwrapped-${version}";
-    inherit (upstream-info) version;
+    inherit (upstream-info) channel version;
     inherit packageName buildType buildPath;
 
     src = upstream-info.main;
@@ -125,19 +116,22 @@ let
       glib gtk3 dbus-glib
       libXScrnSaver libXcursor libXtst libGLU_combined
       pciutils protobuf speechd libXdamage at-spi2-core
+      jdk.jre
     ] ++ optional gnomeKeyringSupport libgnome-keyring3
       ++ optionals gnomeSupport [ gnome.GConf libgcrypt ]
       ++ optionals cupsSupport [ libgcrypt cups ]
       ++ optional useVaapi libva
-      ++ optional pulseSupport libpulseaudio
-      ++ optional (versionAtLeast version "72") jdk.jre;
+      ++ optional pulseSupport libpulseaudio;
 
     patches = [
       ./patches/nix_plugin_paths_68.patch
       ./patches/remove-webp-include-69.patch
-      ./patches/jumbo-sorted.patch
       ./patches/no-build-timestamps.patch
+    ] ++ optionals (channel == "stable" || channel == "beta") [
       ./patches/widevine.patch
+    ] ++ optionals (channel == "dev") [
+      ./patches/widevine-79.patch
+    ] ++ optionals (channel == "stable") [
       # Revert "Implement GetFallbackFont on Linux" to fix a performance regression
       # Remove after https://bugs.chromium.org/p/chromium/issues/detail?id=1003997 is fixed
       (fetchpatch {
@@ -153,7 +147,7 @@ let
       # - https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/chromium
       # - https://github.com/chromium/chromium/search?q=GCC&s=committer-date&type=Commits
       #
-      # ++ optional (versionRange "68" "72") ( githubPatch "<patch>" "0000000000000000000000000000000000000000000000000000000000000000" )
+      # ++ optionals (channel == "dev") [ ( githubPatch "<patch>" "0000000000000000000000000000000000000000000000000000000000000000" ) ]
     ] ++ optionals (useVaapi) [
       # source: https://aur.archlinux.org/cgit/aur.git/plain/chromium-vaapi.patch?h=chromium-vaapi
       ./patches/chromium-vaapi.patch
@@ -234,9 +228,6 @@ let
       use_gold = true;
       gold_path = "${stdenv.cc}/bin";
       is_debug = false;
-      # Use jumbo for a 2x (at least) compilation speedup, except where it is currently broken:
-      # https://gist.github.com/ivan/6fe7014c1b1cc35dec133fa6de0549d9
-      use_jumbo_build = (version != "78.0.3904.17");
 
       proprietary_codecs = false;
       use_sysroot = false;

pkgs/applications/networking/browsers/chromium/default.nix

@@ -62,7 +62,7 @@ in let
         if upstream-info.channel == "stable" then
           "./opt/google/chrome/libwidevinecdm.so"
         else if upstream-info.channel == "beta" then
-          "./opt/google/chrome-beta/libwidevinecdm.so"
+          "./opt/google/chrome-beta/WidevineCdm/_platform_specific/linux_x64/libwidevinecdm.so"
         else if upstream-info.channel == "dev" then
           "./opt/google/chrome-unstable/WidevineCdm/_platform_specific/linux_x64/libwidevinecdm.so"
         else

pkgs/applications/networking/browsers/chromium/patches/jumbo-sorted.patch

@@ -1,11 +0,0 @@
---- chromium-70.0.3538.67/build/config/merge_for_jumbo.py.old	2018-10-25 19:15:54.578222230 +0300
-+++ chromium-70.0.3538.67/build/config/merge_for_jumbo.py	2018-10-25 19:20:44.397613032 +0300
-@@ -132,6 +132,8 @@
-       assert not inputs
-       continue
- 
-+    inputs.sort()
-+    outputs.sort()
-     write_jumbo_files(inputs, outputs, written_input_set, written_output_set)
- 
-   assert set(args.outputs) == written_output_set, "Did not fill all outputs"

pkgs/applications/networking/browsers/chromium/patches/widevine-79.patch

@@ -0,0 +1,11 @@
+diff --git a/third_party/widevine/cdm/widevine_cdm_version.h b/third_party/widevine/cdm/widevine_cdm_version.h
+index dd6efed02646..4d8b2b7d85f7 100644
+--- a/third_party/widevine/cdm/widevine_cdm_version.h
++++ b/third_party/widevine/cdm/widevine_cdm_version.h
+@@ -11,5 +11,6 @@
+ // If the Widevine CDM is available define the following:
+ //  - WIDEVINE_CDM_VERSION_STRING (with the version of the CDM that's available
+ //    as a string, e.g., "1.0.123.456").
++#define WIDEVINE_CDM_VERSION_STRING "undefined"
+ 
+ #endif  // WIDEVINE_CDM_VERSION_H_

pkgs/applications/networking/browsers/chromium/upstream-info.nix

@@ -1,18 +1,18 @@
 # This file is autogenerated from update.sh in the same directory.
 {
   beta = {
-    sha256 = "1hzgzmrn0d6cqvqnqayl048zwlcx0f7azg2rhvm7p13lvyqzsk00";
-    sha256bin64 = "0p3275ii8800swlfmljbdrvyqjd5nlw0vgv2my4r8ccszgbhidbd";
-    version = "77.0.3865.90";
+    sha256 = "0al26nfcxa00gvgn02iasjm53wq089r3c6b3rqqanljffng565y7";
+    sha256bin64 = "0qfj08adqn19sxsgd98fy5l23cikvfkpzkz9mqq90mlabmhhrp0z";
+    version = "78.0.3904.50";
   };
   dev = {
-    sha256 = "0zka01ml3hbximswzkkqbqq8wpiz8f4fq4wx5fys002hi69l296l";
-    sha256bin64 = "0nrip45s0ylri34vlpf16xlwv3ybmy2jg7dz8l9rvgbdwwdzdb75";
-    version = "78.0.3904.17";
+    sha256 = "0ck52j5acdns7vqqvb665xpc68yl6qz0ca8lwjfhriw5hn8g1pjy";
+    sha256bin64 = "073gxyfayrb1dqsq8ngmnrs8ajwwrr2qbs311ns64davn1z3sscf";
+    version = "79.0.3928.4";
   };
   stable = {
-    sha256 = "1hzgzmrn0d6cqvqnqayl048zwlcx0f7azg2rhvm7p13lvyqzsk00";
-    sha256bin64 = "1npx867j39mdyivf8nlkcfwgq7j34hl7s948vf6h2kqni0y50hzl";
-    version = "77.0.3865.90";
+    sha256 = "1y3ay0ppwakbw2hqrmxbv4ykil8dahf62ypld17ddkqxkfqgk4np";
+    sha256bin64 = "0j1sk36nfmhx6nk8lmsdi93vcrmn58pidhb5hzkapx8mgk6xraq7";
+    version = "77.0.3865.120";
   };
 }