Package: guix-patches;
Reported by: Marius Bakke <mbakke <at> fastmail.com>
Date: Mon, 7 Aug 2017 20:00:01 UTC
Severity: normal
Done: Marius Bakke <mbakke <at> fastmail.com>
Bug is archived. No further changes may be made.
From: ng0 <ng0 <at> n0.is> To: Marius Bakke <mbakke <at> fastmail.com> Cc: 28004 <at> debbugs.gnu.org, Ludovic Courtès <ludo <at> gnu.org>, ng0 <ng0 <at> n0.is>, Leo Famulari <leo <at> famulari.name> Subject: [bug#28004] Chromium Date: Thu, 4 Jan 2018 19:16:48 +0000
Marius Bakke transcribed 37K bytes: > Ludovic Courtès <ludo <at> gnu.org> writes: > > > I think we should make sure that our package does not call home in any > > way. That’s what I expect from a security- and privacy-conscious > > distro. > > Currently, it calls home at first launch, prompting for a login. But > I've verified that it does not send any unsolicited requests for > subsequent startups, as long as the user does not change the > command-line flags. > > Anyway I'm attaching the current iteration of this patch. Chromium 62 > is out today, I'll try to update this weekend and will push it after > that in lieu of other feedback. > > I would be very happy if someone managed to complete the 62 upgrade > before me, however! ;-) > > From d6e3ef7f28a9bc4ace0c52e09b1e4bdde84e01e0 Mon Sep 17 00:00:00 2001 > From: Marius Bakke <mbakke <at> fastmail.com> > Date: Wed, 12 Oct 2016 17:25:05 +0100 > Subject: [PATCH] gnu: Add chromium. ... > +(define-public chromium > + (package > + (name "chromium") ... > + (substitute* "chrome/common/chrome_paths.cc" > + (("/usr/share/chromium/extensions") > + ;; TODO: Add ~/.guix-profile. > + "/run/current-system/profile/share/chromium/extensions")) What's the idea behind this? Did you test it? Do you have any guix build-system using Chromium extensions as an example? So far this completely disables the installation of any plugins and addons. > + > + (substitute* "breakpad/src/common/linux/libcurl_wrapper.h" > + (("include \"third_party/curl") "include \"curl")) > + (substitute* "media/base/decode_capabilities.cc" > + (("third_party/libvpx/source/libvpx/") "")) > + > + ;; We don't cross compile most packages, so get rid of the > + ;; unnecessary ARCH-linux-gnu* prefix. 
> + (substitute* "build/toolchain/linux/BUILD.gn" > + (("aarch64-linux-gnu-") "") > + (("arm-linux-gnueabihf-") "")) > + #t)) > + (replace 'configure > + (lambda* (#:key inputs outputs #:allow-other-keys) > + (let ((gn-flags > + (list > + ;; See tools/gn/docs/cookbook.md and > + ;; https://www.chromium.org/developers/gn-build-configuration > + ;; for usage. Run "./gn args . --list" in the Release > + ;; directory for an exhaustive list of supported flags. > + "is_debug=false" > + "is_official_build=false" > + "is_clang=false" > + "use_gold=false" > + "linux_use_bundled_binutils=false" > + "use_custom_libcxx=false" > + "use_sysroot=false" > + "remove_webcore_debug_symbols=true" > + "enable_iterator_debugging=false" > + "override_build_date=\"01 01 2000 05:00:00\"" > + ;; Don't fail when using deprecated ffmpeg features. > + "treat_warnings_as_errors=false" > + "enable_nacl=false" > + "enable_nacl_nonsfi=false" > + "use_allocator=\"none\"" ; Don't use tcmalloc. > + ;; Don't add any API keys. End users can set them in the > + ;; environment if necessary. > + ;; https://www.chromium.org/developers/how-tos/api-keys > + "use_official_google_api_keys=false" > + ;; Disable "field trials". > + "fieldtrial_testing_like_official_build=true" > + > + "use_system_libjpeg=true" > + ;; This is currently not supported on Linux: > + ;; https://bugs.chromium.org/p/chromium/issues/detail?id=22208 > + ;; "use_system_sqlite=true" > + "use_gtk3=true" > + "use_gconf=false" ; deprecated by gsettings > + "use_gnome_keyring=false" ; deprecated by libsecret > + "use_xkbcommon=true" > + "link_pulseaudio=true" > + "use_openh264=true" > + > + ;; Don't arbitrarily restrict formats supported by system ffmpeg. > + "proprietary_codecs=true" > + "ffmpeg_branding=\"Chrome\"" > + > + ;; WebRTC stuff. > + "rtc_use_h264=true" > + ;; Don't use bundled sources. 
> + "rtc_build_json=false" > + "rtc_build_libevent=false" > + "rtc_build_libjpeg=false" > + "rtc_build_libvpx=false" > + "rtc_build_opus=false" > + "rtc_build_ssl=false" > + ;; TODO: Package these. > + "rtc_build_libsrtp=true" ; 2.0 > + "rtc_build_libyuv=true" > + "rtc_build_openmax_dl=true" > + "rtc_build_usrsctp=true" > + (string-append "rtc_jsoncpp_root=\"" > + (assoc-ref inputs "jsoncpp") > + "/include/jsoncpp/json\"") > + (string-append "rtc_ssl_root=\"" > + (assoc-ref inputs "openssl") > + "/include/openssl\"")))) > + > + ;; XXX: How portable is this. > + (mkdir-p "third_party/node/linux/node-linux-x64") > + (symlink (string-append (assoc-ref inputs "node") "/bin") > + "third_party/node/linux/node-linux-x64/bin") > + > + (setenv "CC" "gcc") > + (setenv "CXX" "g++") > + ;; TODO: pre-compile instead. Avoids a race condition. > + (setenv "PYTHONDONTWRITEBYTECODE" "1") > + (and > + ;; Build the "gn" tool. > + (zero? (system* "python" > + "tools/gn/bootstrap/bootstrap.py" "-s" "-v")) > + ;; Generate ninja build files. > + (zero? (system* "./out/Release/gn" "gen" "out/Release" > + (string-append "--args=" > + (string-join gn-flags " ")))))))) > + (replace 'build > + (lambda* (#:key outputs #:allow-other-keys) > + (zero? 
(system* "ninja" "-C" "out/Release" > + "-j" (number->string (parallel-job-count)) > + "chrome")))) > + (replace 'install > + (lambda* (#:key inputs outputs #:allow-other-keys) > + (let* ((out (assoc-ref outputs "out")) > + (bin (string-append out "/bin")) > + (exe (string-append bin "/chromium")) > + (lib (string-append out "/lib")) > + (man (string-append out "/share/man/man1")) > + (applications (string-append out "/share/applications")) > + (install-regexp (make-regexp "\\.(so|bin|pak)$")) > + (locales (string-append lib "/locales")) > + (resources (string-append lib "/resources")) > + (gtk+ (assoc-ref inputs "gtk+")) > + (mesa (assoc-ref inputs "mesa")) > + (nss (assoc-ref inputs "nss")) > + (udev (assoc-ref inputs "udev")) > + (sh (which "sh"))) > + > + (mkdir-p applications) > + (call-with-output-file (string-append applications > + "/chromium.desktop") > + (lambda (port) > + (format port > + "[Desktop Entry]~@ > + Name=Chromium~@ > + Comment=~a~@ > + Exec=~a~@ > + Icon=chromium.png~@ > + Type=Application~%" ,synopsis exe))) > + > + (with-directory-excursion "out/Release" > + (for-each (lambda (file) > + (install-file file lib)) > + (scandir "." (cut regexp-exec install-regexp <>))) > + (copy-file "chrome" (string-append lib "/chromium")) > + > + ;; TODO: Install icons from "../../chrome/app/themes" into > + ;; "out/share/icons/hicolor/$size". > + (install-file > + "product_logo_48.png" > + (string-append out "/share/icons/48x48/chromium.png")) > + > + (copy-recursively "locales" locales) > + (copy-recursively "resources" resources) > + > + (mkdir-p man) > + (copy-file "chrome.1" (string-append man "/chromium.1")) > + > + (mkdir-p bin) > + ;; Add a thin wrapper to prevent the user from inadvertently > + ;; installing non-free software through the Web Store. > + ;; TODO: Discover extensions from the profile and pass > + ;; something like "--disable-extensions-except=...". Same question here. If you need help, there's at least 3 users of Chromium now. 
I'd like to read your ideas on how to solve the TODOs, as well as: Do you have any unpushed progress? Maybe we can collaborate as a team on this huge browser. > + (call-with-output-file exe > + (lambda (port) > + (format port > + "#!~a~@ > + CHROMIUM_FLAGS=\"--disable-background-networking\"~@ > + if [ -z \"$CHROMIUM_ENABLE_WEB_STORE\" ]~@ > + then~@ > + CHROMIUM_FLAGS=\"$CHROMIUM_FLAGS --disable-extensions\"~@ > + fi~@ > + exec ~a $CHROMIUM_FLAGS \"$@\"~%" > + sh (string-append lib "/chromium")))) > + (chmod exe #o755) > + > + (wrap-program exe > + ;; TODO: Get these in RUNPATH. > + `("LD_LIBRARY_PATH" ":" prefix > + (,(string-append lib ":" nss "/lib/nss:" gtk+ "/lib:" > + mesa "/lib:" udev "/lib"))) > + ;; Avoid file manager crash. See <https://bugs.gnu.org/26593>. > + `("XDG_DATA_DIRS" ":" prefix (,(string-append gtk+ "/share")))) > + #t))))))) -- GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588 GnuPG: https://c.n0.is/ng0_pubkeys/tree/keys WWW: https://n0.is/a/ :: https://ea.n0.is