Michael Weiss 9f38162b30
chromium: 88.0.4324.182 -> 89.0.4389.72
https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html

This update includes 47 security fixes. Google is aware of reports that
an exploit for CVE-2021-21166 exists in the wild.

CVEs:
2021-03-03 12:23:11 +01:00

Maintainers

  • Note: We could always use more contributors, testers, etc. E.g.:
    • A dedicated maintainer for the NixOS stable channel
    • PRs with cleanups, improvements, fixes, etc. (but please try to make reviews as easy as possible)
    • People who handle stale issues/PRs
  • Primary maintainer (responsible for all updates): @primeos
  • Testers (test all stable channel updates)
    • nixos-unstable:
      • x86_64: @danielfullmer
      • aarch64: @thefloweringash
    • Stable channel:
      • x86_64: @Frostman
  • Other relevant packages:
    • chromiumBeta and chromiumDev: For testing purposes only (not built on Hydra). We use these channels to test and fix build errors in advance so that chromium updates are trivial and can be merged fast.
    • google-chrome, google-chrome-beta, google-chrome-dev: Updated via Chromium's upstream-info.json
    • ungoogled-chromium: @squalus
    • chromedriver: Updated via Chromium's upstream-info.json and not built from source.

Upstream links

Updating Chromium

Simply run ./pkgs/applications/networking/browsers/chromium/update.py to update upstream-info.json. After updates it is important to test at least nixosTests.chromium (or basic manual testing) and google-chrome (which reuses upstream-info.json).

Note: The source tarball is often only available a few hours after the release was announced. The CI/CD status can be tracked here:

To run all automated NixOS VM tests for Chromium, ungoogled-chromium, and Google Chrome (not recommended, currently 6x tests!):

nix-build nixos/tests/chromium.nix

A single test can be selected, e.g. to test ungoogled-chromium (see channelMap in nixos/tests/chromium.nix for all available options):

nix-build nixos/tests/chromium.nix -A ungoogled

(Note: Testing Google Chrome requires export NIXPKGS_ALLOW_UNFREE=1.)

For custom builds it's possible to "override" channelMap.

Backports

All updates are considered security critical and should be ported to the stable channel ASAP. When there is a new stable release the old one should receive security updates for roughly one month. After that it is important to mark Chromium as insecure (see 69e4ae56c4b for an example; it is important that the tested job still succeeds and that all browsers that use upstream-info.json are marked as insecure).

Major version updates

Unfortunately, Chromium regularly breaks on major updates and might need various patches, either due to issues with the Nix build sandbox (e.g. we cannot fetch dependencies via the network and do not use standard FHS paths) or due to missing upstream fixes that need to be backported.

Good sources for such patches and other hints:

If the build fails immediately due to unknown compiler flags this usually means that a new major release of LLVM is required.
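As an added example (not code from nixpkgs or this README), a small Python check that encodes the two rules from the Backports and Major version updates sections: whether an update crosses a major version (so build patches or a newer LLVM are likely) and whether the previous stable release has passed its backport window, plus a scan for channels that lag behind stable. The shape of upstream-info.json (one object per channel with a "version" field), the sample values and the 30-day window are assumptions.

```python
import json
from datetime import date, timedelta

# Constructed sample (not the real file): upstream-info.json is assumed to hold
# one object per channel with a "version" field; hashes are placeholders.
SAMPLE_UPSTREAM_INFO = """
{
  "stable": {"version": "89.0.4389.72", "sha256": "<placeholder>"},
  "beta":   {"version": "90.0.4430.19", "sha256": "<placeholder>"},
  "dev":    {"version": "91.0.4449.6",  "sha256": "<placeholder>"},
  "ungoogled-chromium": {"version": "88.0.4324.182", "sha256": "<placeholder>"}
}
"""

# "Roughly one month" of backports after the next stable release (assumed 30 days).
BACKPORT_GRACE = timedelta(days=30)


def parse_version(v):
    """Split a Chromium MAJOR.MINOR.BUILD.PATCH string into a comparable tuple."""
    parts = tuple(int(p) for p in v.split("."))
    if len(parts) != 4:
        raise ValueError(f"not a four-component Chromium version: {v!r}")
    return parts


def is_major_update(old, new):
    """True when an update crosses a major version (patches or a newer LLVM are
    then likely to be needed); refuses downgrades and no-op updates."""
    o, n = parse_version(old), parse_version(new)
    if n <= o:
        raise ValueError(f"{new} is not newer than {old}")
    return n[0] != o[0]


def should_mark_insecure(next_stable_release, today):
    """Dates as ISO strings: the previous stable release only gets backports for
    BACKPORT_GRACE after the next one ships; past that it must be marked insecure."""
    released = date.fromisoformat(next_stable_release)
    return date.fromisoformat(today) >= released + BACKPORT_GRACE


def channels_behind_stable(upstream_json):
    """Names of channels whose version is older than the stable channel's.
    Beta/dev should run ahead of stable, so a lag there means the testing channels
    were not updated; ungoogled-chromium lagging is expected but worth listing."""
    info = json.loads(upstream_json)
    stable = parse_version(info["stable"]["version"])
    return [name for name, entry in info.items()
            if parse_version(entry["version"]) < stable]
```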

Beta and Dev channels

Those channels are only used to test and fix builds in advance. They may be broken at times and must not delay stable channel updates.

Testing

Useful tests: