authorEmily <git@emilylange.de>2023-10-20 22:54:26 +0200
committerGitHub <noreply@github.com>2023-10-20 22:54:26 +0200
commit155977c87c1bd279418a2ed4a5ab324ec95bda4b (patch)
tree5b7c29037d28da10926feae58b8589f5cfa6b279
parentMerge pull request #262342 from vcunat/p/python3-saml-23.05 (diff)
parentungoogled-chromium: 118.0.5993.70-1 -> 118.0.5993.88-1 (diff)
Merge pull request #262316 from emilylange/backport-262147-to-release-23.05
[Backport release-23.05] {ungoogled-,}chromium: 118.0.5993.70 -> 118.0.5993.88, fix update.py
-rw-r--r--pkgs/applications/networking/browsers/chromium/common.nix54
-rwxr-xr-xpkgs/applications/networking/browsers/chromium/update.py25
-rw-r--r--pkgs/applications/networking/browsers/chromium/upstream-info.nix16
3 files changed, 59 insertions, 36 deletions
diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix
index 4b8a79111a43..e17a43966cca 100644
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@@ -117,36 +117,39 @@ let
inherit (upstream-info.deps.ungoogled-patches) rev sha256;
};
- base = rec {
- pname = "${packageName}-unwrapped";
- inherit (upstream-info) version;
- inherit packageName buildType buildPath;
+ recompressTarball = { version, sha256 ? "" }: fetchzip {
+ name = "chromium-${version}.tar.zstd";
+ url = "https://commondatastorage.googleapis.com/chromium-browser-official/chromium-${version}.tar.xz";
+ inherit sha256;
- src = fetchzip {
- name = "chromium-${version}.tar.zstd";
- url = "https://commondatastorage.googleapis.com/chromium-browser-official/chromium-${version}.tar.xz";
- inherit (upstream-info) sha256;
+ nativeBuildInputs = [ zstd ];
- nativeBuildInputs = [ zstd ];
+ postFetch = ''
+ echo removing unused code from tarball to stay under hydra limit
+ rm -r $out/third_party/{rust-src,llvm}
- postFetch = ''
- echo removing unused code from tarball to stay under hydra limit
- rm -r $out/third_party/{rust-src,llvm}
+ echo moving remains out of \$out
+ mv $out source
- echo moving remains out of \$out
- mv $out source
+ echo recompressing final contents into new tarball
+ # try to make a deterministic tarball
+ tar \
+ --use-compress-program "zstd -T$NIX_BUILD_CORES" \
+ --sort name \
+ --mtime 1970-01-01 \
+ --owner=root --group=root \
+ --numeric-owner --mode=go=rX,u+rw,a-s \
+ -cf $out source
+ '';
+ };
- echo recompressing final contents into new tarball
- # try to make a deterministic tarball
- tar \
- --use-compress-program "zstd -T$NIX_BUILD_CORES" \
- --sort name \
- --mtime 1970-01-01 \
- --owner=root --group=root \
- --numeric-owner --mode=go=rX,u+rw,a-s \
- -cf $out source
- '';
- };
+
+ base = rec {
+ pname = "${packageName}-unwrapped";
+ inherit (upstream-info) version;
+ inherit packageName buildType buildPath;
+
+ src = recompressTarball { inherit version; inherit (upstream-info) sha256; };
nativeBuildInputs = [
ninja pkg-config
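Review bot: The `sha256 ? ""` default on `recompressTarball` is undocumented, and nothing in this hunk tells a reader that an empty hash is intentional. It appears to exist so that update.py can call the function with only a `version` and read the real hash from the resulting mismatch; a comment above the definition such as `# sha256 defaults to "" only so update.py can prefetch; package callers must always pass the pinned hash` would make that explicit. The `postFetch` script also leaves `$out` unquoted in `rm -r` and `mv`, which is harmless for store paths, but `"$out"` is the safer habit. The `base` attribute set continues past the end of the hunk.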
@@ -402,6 +405,7 @@ let
chromiumDeps = {
gn = gnChromium;
};
+ inherit recompressTarball;
};
}
# overwrite `version` with the exact same `version` from the same source,
diff --git a/pkgs/applications/networking/browsers/chromium/update.py b/pkgs/applications/networking/browsers/chromium/update.py
index b8af11ee61d0..4f7b060062bc 100755
--- a/pkgs/applications/networking/browsers/chromium/update.py
+++ b/pkgs/applications/networking/browsers/chromium/update.py
@@ -21,12 +21,11 @@ from urllib.request import urlopen
RELEASES_URL = 'https://versionhistory.googleapis.com/v1/chrome/platforms/linux/channels/all/versions/all/releases'
DEB_URL = 'https://dl.google.com/linux/chrome/deb/pool/main/g'
-BUCKET_URL = 'https://commondatastorage.googleapis.com/chromium-browser-official'
PIN_PATH = dirname(abspath(__file__)) + '/upstream-info.nix'
UNGOOGLED_FLAGS_PATH = dirname(abspath(__file__)) + '/ungoogled-flags.toml'
COMMIT_MESSAGE_SCRIPT = dirname(abspath(__file__)) + '/get-commit-message.py'
-
+NIXPKGS_PATH = subprocess.check_output(["git", "rev-parse", "--show-toplevel"], cwd=dirname(PIN_PATH)).strip()
def load_as_json(path):
"""Loads the given nix file as JSON."""
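Review bot: `NIXPKGS_PATH` is computed by running `git rev-parse --show-toplevel` at import time, so starting the script from a tree that is not a git checkout fails with an uncaught `CalledProcessError` instead of a readable message. `check_output` also returns bytes here; that works as a `cwd` argument, but `.decode().strip()` would keep it consistent with the `str` path constants above it. A short comment such as `# root of the nixpkgs checkout; nix-build expressions are evaluated relative to it` would explain why git is consulted at all.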
@@ -41,6 +40,23 @@ def save_dict_as_nix(path, input):
with open(path, 'w') as out:
out.write(formatted.decode())
+def prefetch_src_sri_hash(attr_path, version):
+ """Prefetches the fixed-output-derivation source tarball and returns its SRI-Hash."""
+ print(f'nix-build (FOD prefetch) {attr_path} {version}')
+ out = subprocess.run(
+ ["nix-build", "--expr", f'(import ./. {{}}).{attr_path}.browser.passthru.recompressTarball {{ version = "{version}"; }}'],
+ cwd=NIXPKGS_PATH,
+ stderr=subprocess.PIPE
+ ).stderr.decode()
+
+ for line in iter(out.split("\n")):
+ match = re.match(r"\s+got:\s+(.+)$", line)
+ if match:
+ print(f'Hash: {match.group(1)}')
+ return match.group(1)
+ print(f'{out}\n\nError: Expected hash in nix-build stderr output.', file=sys.stderr)
+ sys.exit(1)
+
def nix_prefetch_url(url, algo='sha256'):
"""Prefetches the content of the given URL."""
print(f'nix-prefetch-url {url}')
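Review bot: `version` is interpolated straight into the Nix expression passed to `nix-build --expr` in `prefetch_src_sri_hash`. At the call site it comes from the JSON fetched from `RELEASES_URL`, so a value containing `"` would change the expression that gets evaluated. Check its shape before building the expression, e.g. `if not re.fullmatch(r'[0-9]+(\.[0-9]+){3}', version): sys.exit(f'unexpected version: {version!r}')`. The function also returns the first `got:` line found on stderr without checking the exit status, so the pinned hash is simply whatever this one download produced; confirming it against a second fetch before committing would be prudent. `iter(out.split("\n"))` can be written as `out.splitlines()`.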
@@ -201,7 +217,10 @@ with urlopen(RELEASES_URL) as resp:
google_chrome_suffix = channel_name
try:
- channel['sha256'] = nix_prefetch_url(f'{BUCKET_URL}/chromium-{release["version"]}.tar.xz')
+ channel['sha256'] = prefetch_src_sri_hash(
+ channel_name_to_attr_name(channel_name),
+ release["version"]
+ )
channel['sha256bin64'] = nix_prefetch_url(
f'{DEB_URL}/google-chrome-{google_chrome_suffix}/' +
f'google-chrome-{google_chrome_suffix}_{release["version"]}-1_amd64.deb')
diff --git a/pkgs/applications/networking/browsers/chromium/upstream-info.nix b/pkgs/applications/networking/browsers/chromium/upstream-info.nix
index 3086f82c9c48..b8004a7d4b39 100644
--- a/pkgs/applications/networking/browsers/chromium/upstream-info.nix
+++ b/pkgs/applications/networking/browsers/chromium/upstream-info.nix
@@ -41,9 +41,9 @@
version = "2023-08-10";
};
};
- sha256 = "1g8rllmnmhmmpjzrmi3cww0nszxicq0kim2wd0l0ip2mzk2p8qlp";
- sha256bin64 = "1bq170l0g9yq17x6xlg6fjar6gv3hdi0zijwmx4s02pmw6727484";
- version = "118.0.5993.70";
+ sha256 = "sha256-CTkw92TiRD2tkYu5a5dy8fjpR2MMOMCvcbxXhJ36Bp8=";
+ sha256bin64 = "06rbsjh4khhl408181ns5nsdwasklb277fdjfajdv5h1j9a190k3";
+ version = "118.0.5993.88";
};
ungoogled-chromium = {
deps = {
@@ -54,12 +54,12 @@
version = "2023-08-10";
};
ungoogled-patches = {
- rev = "118.0.5993.70-1";
- sha256 = "0k6684cy1ks6yba2bdz17g244f05qy9769cvis4h2jzhgbf5rysh";
+ rev = "118.0.5993.88-1";
+ sha256 = "17j47d64l97ascp85h8cnfnr5wr4va3bdk95wmagqss7ym5c7zsf";
};
};
- sha256 = "1g8rllmnmhmmpjzrmi3cww0nszxicq0kim2wd0l0ip2mzk2p8qlp";
- sha256bin64 = "1bq170l0g9yq17x6xlg6fjar6gv3hdi0zijwmx4s02pmw6727484";
- version = "118.0.5993.70";
+ sha256 = "sha256-CTkw92TiRD2tkYu5a5dy8fjpR2MMOMCvcbxXhJ36Bp8=";
+ sha256bin64 = "06rbsjh4khhl408181ns5nsdwasklb277fdjfajdv5h1j9a190k3";
+ version = "118.0.5993.88";
};
}