54673b1f3b
https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html This update includes 33 security fixes. CVEs: CVE-2020-16018 CVE-2020-16019 CVE-2020-16020 CVE-2020-16021 CVE-2020-16022 CVE-2020-16015 CVE-2020-16014 CVE-2020-16023 CVE-2020-16024 CVE-2020-16025 CVE-2020-16026 CVE-2020-16027 CVE-2020-16028 CVE-2020-16029 CVE-2020-16030 CVE-2019-8075 CVE-2020-16031 CVE-2020-16032 CVE-2020-16033 CVE-2020-16034 CVE-2020-16035 CVE-2020-16012 CVE-2020-16036 Note: We'll finally build with use_ozone=true on Hydra now :) \o/ |
||
---|---|---|
.. | ||
patches | ||
browser.nix | ||
common.nix | ||
default.nix | ||
plugins.nix | ||
README.md | ||
update.py | ||
upstream-info.json |
Maintainers
- TODO: We need more maintainers:
- https://github.com/NixOS/nixpkgs/issues/78450
- If you just want to help out without becoming a maintainer:
- Look for open Nixpkgs issues or PRs related to Chromium
- Make your own PRs (but please try to make reviews as easy as possible)
- Primary maintainer (responsible for updating Chromium): @primeos
- Testers (test all stable channel updates)
nixos-unstable
:x86_64
: @danielfullmeraarch64
: @thefloweringash
- Stable channel:
x86_64
: @Frostman
- Other relevant packages:
chromiumBeta
andchromiumDev
: For testing purposes (not build on Hydra)google-chrome
,google-chrome-beta
,google-chrome-dev
: Updated via Chromium'supstream-info.json
ungoogled-chromium
: Based onchromium
(the expressions are regularly copied over and patched accordingly)
Upstream links
- Source code: https://source.chromium.org/chromium/chromium/src
- Bugs: https://bugs.chromium.org/p/chromium/issues/list
- Release updates: https://chromereleases.googleblog.com/
- Available as Atom or RSS feed (filter for "Stable Channel Update for Desktop")
- Channel overview: https://omahaproxy.appspot.com/
- Release schedule: https://chromiumdash.appspot.com/schedule
Updating Chromium
Simply run ./pkgs/applications/networking/browsers/chromium/update.py
to
update upstream-info.json
. After updates it is important to test at least
nixosTests.chromium
(or basic manual testing) and google-chrome
(which
reuses upstream-info.json
).
Backports
All updates are considered security critical and should be ported to the stable
channel ASAP. When there is a new stable release the old one should receive
security updates for roughly one month. After that it is important to mark
Chromium as insecure (see 69e4ae56c4b for an example; it is important that the
tested job still succeeds and that all browsers that use upstream-info.json
are marked as insecure).
Major version updates
Unfortunately, Chromium regularly breaks on major updates and might need various patches. Either due to issues with the Nix build sandbox (e.g. we cannot fetch dependencies via the network and do not use standard FHS paths) or due to missing upstream fixes that need to be backported.
Good sources for such patches and other hints:
- https://github.com/archlinux/svntogit-packages/tree/packages/chromium/trunk
- https://gitweb.gentoo.org/repo/gentoo.git/tree/www-client/chromium
- https://src.fedoraproject.org/rpms/chromium/tree/master
If the build fails immediately due to unknown compiler flags this usually means that a new major release of LLVM is required.
Beta and Dev channels
Those channels are only used to test and fix builds in advance. They may be broken at times and must not delay stable channel updates.