nixpkgs/pkgs/applications/networking/browsers/chromium
Michael Weiss 5b6d3c4b13
chromium: 87.0.4280.141 -> 88.0.4324.96
https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html

This update includes 36 security fixes.

CVEs:
CVE-2021-21117 CVE-2021-21118 CVE-2021-21119 CVE-2021-21120
CVE-2021-21121 CVE-2021-21122 CVE-2021-21123 CVE-2021-21124
CVE-2021-21125 CVE-2020-16044 CVE-2021-21126 CVE-2021-21127
CVE-2021-21128 CVE-2021-21129 CVE-2021-21130 CVE-2021-21131
CVE-2021-21132 CVE-2021-21133 CVE-2021-21134 CVE-2021-21135
CVE-2021-21136 CVE-2021-21137 CVE-2021-21138 CVE-2021-21139
CVE-2021-21140 CVE-2021-21141
2021-01-19 20:56:29 +01:00
patches chromium: Drop the libwebp include patch 2020-10-15 14:33:15 +02:00
browser.nix treewide: stdenv.lib -> lib 2021-01-16 17:58:11 +07:00
common.nix treewide: pkgs.pkgconfig -> pkgs.pkg-config, move pkgconfig to alias.nix 2021-01-19 01:16:25 -08:00
default.nix treewide: stdenv.lib -> lib 2021-01-16 17:58:11 +07:00
plugins.nix treewide: stdenv.lib -> lib 2021-01-16 17:58:11 +07:00
README.md Revert "chromium/doc: mention chromedriver when updating" 2021-01-02 16:15:00 +01:00
ungoogled.nix ungoogled-chromium: Merge back into chromium 2020-12-10 17:41:11 +01:00
update.py chromium: Extend update.py to print a summary of the updates 2021-01-14 21:02:16 +01:00
upstream-info.json chromium: 87.0.4280.141 -> 88.0.4324.96 2021-01-19 20:56:29 +01:00

Maintainers

  • TODO: We need more maintainers:
    • https://github.com/NixOS/nixpkgs/issues/78450
    • If you just want to help out without becoming a maintainer:
      • Look for open Nixpkgs issues or PRs related to Chromium
      • Make your own PRs (but please try to make reviews as easy as possible)
  • Primary maintainer (responsible for updating Chromium): @primeos
  • Testers (test all stable channel updates)
    • nixos-unstable:
      • x86_64: @danielfullmer
      • aarch64: @thefloweringash
    • Stable channel:
      • x86_64: @Frostman
  • Other relevant packages:
    • chromiumBeta and chromiumDev: For testing purposes (not built on Hydra)
    • google-chrome, google-chrome-beta, google-chrome-dev: Updated via Chromium's upstream-info.json
    • ungoogled-chromium: Based on chromium (the expressions are regularly copied over and patched accordingly)

Upstream links

Updating Chromium

Simply run ./pkgs/applications/networking/browsers/chromium/update.py to update upstream-info.json. After updates it is important to test at least nixosTests.chromium (or basic manual testing) and google-chrome (which reuses upstream-info.json).

Backports

All updates are considered security critical and should be ported to the stable channel ASAP. When there is a new stable release, the old one should receive security updates for roughly one month. After that, it is important to mark Chromium as insecure (see 69e4ae56c4 for an example; it is important that the tested job still succeeds and that all browsers that use upstream-info.json are marked as insecure).

Major version updates

Unfortunately, Chromium regularly breaks on major updates and might need various patches, either due to issues with the Nix build sandbox (e.g. we cannot fetch dependencies via the network and do not use standard FHS paths) or due to missing upstream fixes that need to be backported.

Good sources for such patches and other hints:

If the build fails immediately due to unknown compiler flags, this usually means that a new major release of LLVM is required.

Beta and Dev channels

Those channels are only used to test and fix builds in advance. They may be broken at times and must not delay stable channel updates.