GNU bug report logs - #47154
ungoogled-chromium@88.0.4324.182 package vulnerable to various severe CVEs


Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Mon, 15 Mar 2021 08:45:02 UTC

Severity: normal

Done: Léo Le Bouter <lle-bout <at> zaclys.net>



Report forwarded to bug-guix <at> gnu.org:
bug#47154; Package guix. (Mon, 15 Mar 2021 08:45:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Léo Le Bouter <lle-bout <at> zaclys.net>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Mon, 15 Mar 2021 08:45:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: bug-guix <at> gnu.org
Cc: marius <at> gnu.org
Subject: ungoogled-chromium <at> 88.0.4324.182 package vulnerable to various
 severe CVEs
Date: Mon, 15 Mar 2021 09:44:22 +0100
[Message part 1 (text/plain, inline)]
Hello!

Latest version is 89.0.4389.90

ungoogled-chromium upstream has it: 
https://github.com/Eloston/ungoogled-chromium/commit/64cbcbcfee33fd56760173b3a17d2de52cd77258

Debian also upgraded: 
https://salsa.debian.org/chromium-team/chromium/-/commit/8a1f530bdc3fc90993cdc1499e77f9e91468a686

I am not sure how to undertake this upgrade, I tried a little bit but
it failed when trying to delete some bundled third_party directories.

Would love to know in more detail what is the process for upgrading
ungoogled-chromium, license checking and patch rebasing if necessary.

Thank you!
[signature.asc (application/pgp-signature, inline)]

Reply sent to Léo Le Bouter <lle-bout <at> zaclys.net>:
You have taken responsibility. (Fri, 19 Mar 2021 08:50:02 GMT) Full text and rfc822 format available.

Notification sent to Léo Le Bouter <lle-bout <at> zaclys.net>:
bug acknowledged by developer. (Fri, 19 Mar 2021 08:50:02 GMT) Full text and rfc822 format available.

Message #10 received at 47154-done <at> debbugs.gnu.org (full text, mbox):

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: 47154-done <at> debbugs.gnu.org
Subject: ungoogled-chromium <at> 88.0.4324.182 package vulnerable to various
 severe CVEs
Date: Fri, 19 Mar 2021 09:48:59 +0100
[Message part 1 (text/plain, inline)]
Fixed by 1155a88308df7649fe74bd5bb8279a4d103ce386
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#47154; Package guix. (Sat, 20 Mar 2021 13:42:02 GMT) Full text and rfc822 format available.

Message #13 received at 47154 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <marius <at> gnu.org>
To: Léo Le Bouter <lle-bout <at> zaclys.net>, 47154 <at> debbugs.gnu.org
Subject: Re: ungoogled-chromium <at> 88.0.4324.182 package vulnerable to various
 severe CVEs
Date: Sat, 20 Mar 2021 14:41:04 +0100
[Message part 1 (text/plain, inline)]
Hello!

Sorry for not seeing this earlier.

Léo Le Bouter <lle-bout <at> zaclys.net> writes:

> I am not sure how to undertake this upgrade, I tried a little bit but
> it failed at failing to delete some bundled third_party directories.
>
> Would love to know in more detail what is the process for upgrading
> ungoogled-chromium, license checking and patch rebasing if necessary.

For major upgrades such as 88->89, I usually comment out the pruning
script from the snippet, and add a phase such as...

  (add-after 'unpack 'prune
    (lambda _
      (apply invoke "python"
             "build/linux/unbundle/remove_bundled_libraries.py"
             "--do-remove" (list ,@%preserved-third-party-files))))

...to avoid having to repack for every change to
%preserved-third-party-files.

Then just run './pre-inst-env guix build ...' as usual, see what the
configure phase reports, and adjust %preserved-third-party-files
accordingly.

Each "third_party" directory contains a README.chromium with license
information.  That file is not always correct (i.e. listing a single
license when multiple are involved), so I typically check the source
files too.

For patch rebasing, sometimes I make the necessary adjustments manually
and use plain old "diff"; other times I'll create a git repository from
the vanilla Chromium source, apply patches, branch out and try to
cherry-pick the patches to the new version in order to benefit from
git's conflict markers.

I also keep an eye on the Arch and Gentoo Chromium packages for
"inspiration" (that's how I found the recent Opus patch).

Hope this helps, and thanks for the interest in helping out with
maintaining this package.  :-)
[signature.asc (application/pgp-signature, inline)]
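The license check described in the message above (README.chromium is "not always correct", so the source files should be inspected too) can be automated. The following is an added example, not code from Guix or Chromium: it walks a third_party tree, reads the `License:` field of every README.chromium (the field name is assumed from Chromium's README.chromium layout), scans the header of each source file for well-known license phrases, and flags directories whose sources carry a license the README does not declare. The license phrase table, the file-suffix list and the sample tree are constructed for this example.

```python
"""Compare the License: field of each README.chromium against the license
notices actually present in the source files below it.
Added example; not Guix or Chromium code."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Header phrases that identify a license in a source file (constructed list).
# None of the phrases is a substring of another, so "GNU General Public
# License" does not fire on the LGPL's "GNU Lesser General Public License".
LICENSE_PHRASES = {
    "BSD": "Redistribution and use in source and binary forms",
    "MIT": "Permission is hereby granted, free of charge",
    "Apache": "Licensed under the Apache License",
    "LGPL": "GNU Lesser General Public License",
    "GPL": "GNU General Public License",
}
SOURCE_SUFFIXES = {".c", ".cc", ".cpp", ".h", ".hpp", ".py", ".js"}
HEADER_BYTES = 4096  # only the top of each file is inspected


def canonical(name: str) -> str:
    """Map a free-form README license string ("BSD 3-Clause", "LGPL 2.1")
    to a key of LICENSE_PHRASES; longest key wins so "LGPL" beats "GPL"."""
    upper = name.upper()
    for key in sorted(LICENSE_PHRASES, key=len, reverse=True):
        if key.upper() in upper:
            return key
    return name  # unknown license string is kept verbatim


def declared_licenses(readme: Path) -> set[str]:
    """Licenses named on 'License:' lines (field name assumed from Chromium)."""
    found: set[str] = set()
    for line in readme.read_text(errors="replace").splitlines():
        if line.lower().startswith("license:"):
            value = line.split(":", 1)[1]
            for part in re.split(r"[,/;]|\band\b", value):
                if part.strip():
                    found.add(canonical(part.strip()))
    return found


def source_licenses(directory: Path) -> dict[str, set[str]]:
    """Map each source file (path relative to directory) to the license
    phrases found in its header."""
    result: dict[str, set[str]] = {}
    for path in directory.rglob("*"):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES:
            continue
        with path.open("rb") as fh:
            head = fh.read(HEADER_BYTES).decode("utf-8", errors="replace")
        hits = {name for name, phrase in LICENSE_PHRASES.items() if phrase in head}
        if hits:
            result[str(path.relative_to(directory))] = hits
    return result


def audit_third_party(root: Path) -> dict[str, dict]:
    """For every directory under root holding a README.chromium, report the
    declared licenses, the observed ones, and any observed but undeclared."""
    report: dict[str, dict] = {}
    for readme in sorted(root.rglob("README.chromium")):
        pkg_dir = readme.parent
        declared = declared_licenses(readme)
        per_file = source_licenses(pkg_dir)
        observed = set().union(*per_file.values()) if per_file else set()
        report[str(pkg_dir.relative_to(root))] = {
            "declared": declared,
            "observed": observed,
            "undeclared": observed - declared,
            "files": per_file,
            "missing_license_field": not declared,
        }
    return report


def build_sample_tree(base: Path) -> Path:
    """Write a small constructed third_party tree (not real Chromium sources)."""
    root = base / "third_party"
    files = {
        "libfoo/README.chromium": "Name: libfoo\nLicense: BSD 3-Clause\n",
        "libfoo/foo.c": "/* Redistribution and use in source and binary forms ... */\n",
        "libbar/README.chromium": "Name: libbar\nLicense: MIT\n",
        "libbar/bar.c": "// Permission is hereby granted, free of charge, ...\n",
        # README says MIT only, but a helper is LGPL: the case the message warns about.
        "libbar/compat/helper.c": "/* under the terms of the GNU Lesser General Public License */\n",
        "libbaz/README.chromium": "Name: libbaz\nURL: https://example.invalid/libbaz\n",
        "libbaz/baz.h": "// Licensed under the Apache License, Version 2.0\n",
    }
    for rel, text in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return root


def run_demo() -> dict[str, dict]:
    """Build the sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_third_party(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for name, info in run_demo().items():
        flag = "MISSING License:" if info["missing_license_field"] else ""
        print(f"{name}: declared={sorted(info['declared'])} "
              f"observed={sorted(info['observed'])} "
              f"undeclared={sorted(info['undeclared'])} {flag}")
```

Run it against a real tree with `audit_third_party(Path("third_party"))` after the prune phase has removed everything not in %preserved-third-party-files; each entry with a non-empty `undeclared` set, or with `missing_license_field` set, is a directory whose README should not be trusted on its own.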

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 18 Apr 2021 11:24:04 GMT) Full text and rfc822 format available.
