GNU bug report logs - #47154
ungoogled-chromium@88.0.4324.182 package vulnerable to various severe CVEs


Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Mon, 15 Mar 2021 08:45:02 UTC

Severity: normal

Done: Léo Le Bouter <lle-bout <at> zaclys.net>



From: Marius Bakke <marius <at> gnu.org>
To: Léo Le Bouter <lle-bout <at> zaclys.net>, 47154 <at> debbugs.gnu.org
Subject: bug#47154: ungoogled-chromium@88.0.4324.182 package vulnerable to various severe CVEs
Date: Sat, 20 Mar 2021 14:41:04 +0100
Hello!

Sorry for not seeing this earlier.

Léo Le Bouter <lle-bout <at> zaclys.net> writes:

> I am not sure how to undertake this upgrade, I tried a little bit but
> it failed at failing to delete some bundled third_party directories.
>
> Would love to know in more detail what is the process for upgrading
> ungoogled-chromium, license checking and patch rebasing if necessary.

For major upgrades such as 88->89, I usually comment out the pruning
script from the snippet, and add a phase such as...

  (add-after 'unpack 'prune
    (lambda _
      (apply invoke "python"
             "build/linux/unbundle/remove_bundled_libraries.py"
             "--do-remove" (list ,@%preserved-third-party-files))))

...to avoid having to repack for every change to
%preserved-third-party-files.

Then just run './pre-inst-env guix build ...' as usual, see what the
configure phase reports, and adjust %preserved-third-party-files
accordingly.

Each "third_party" directory contains a README.chromium with license
information.  That file is not always correct (i.e. listing a single
license when multiple are involved), so I typically check the source
files too.

For patch rebasing, sometimes I make the necessary adjustments manually
and use plain old "diff"; other times I'll create a git repository from
the vanilla Chromium source, apply patches, branch out and try to
cherry-pick the patches to the new version in order to benefit from
git's conflict markers.

I also keep an eye on the Arch and Gentoo Chromium packages for
"inspiration" (that's how I found the recent Opus patch).

Hope this helps, and thanks for the interest in helping out with
maintaining this package.  :-)
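The license check described above (one README.chromium per preserved third_party directory, whose "License:" field may understate what is actually in the sources) is something a maintainer ends up doing by hand for every entry of %preserved-third-party-files. The following added example (not code from the bug report or from Guix) tabulates the declared licenses for a preserved list so the manual source check can be focused on the entries that need it; the directory names and README contents below are constructed samples, not real Chromium metadata.

```python
import os
import re
from typing import Dict, List

# Constructed sample README.chromium files keyed by third_party directory
# (hypothetical names; real Chromium READMEs use the same "Key: value" header).
SAMPLE_READMES = {
    "third_party/foo": "Name: foo\nURL: https://example.invalid/foo\nVersion: 1.2\n"
                       "License: BSD\nLicense File: LICENSE\n\nDescription:\nSample.\n",
    "third_party/bar": "Name: bar\nVersion: 3\nLicense: MIT and Apache 2.0\n\n"
                       "Description:\nTwo licenses declared.\n",
    "third_party/baz": "Name: baz\nVersion: 0.1\n\nDescription:\nNo License field.\n",
}

HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")

def parse_readme_chromium(text: str) -> Dict[str, str]:
    """Parse the 'Key: value' header block (everything before the first blank line)."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            break
        m = HEADER_RE.match(line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields

def declared_licenses(fields: Dict[str, str]) -> List[str]:
    """Split a 'License:' value such as 'MIT and Apache 2.0' or 'BSD, MIT' into parts."""
    raw = fields.get("license")
    if raw is None:
        return []
    return [p.strip() for p in re.split(r",|/|\band\b", raw) if p.strip()]

def audit_preserved(preserved: List[str], readmes: Dict[str, str]) -> Dict[str, Dict]:
    """Report declared licenses per preserved directory plus what still needs a manual look."""
    report = {}
    for d in preserved:
        if d not in readmes:
            report[d] = {"licenses": [], "note": "no README.chromium found"}
            continue
        lics = declared_licenses(parse_readme_chromium(readmes[d]))
        if not lics:
            note = "no License field; check source files"
        elif len(lics) > 1:
            note = "multiple licenses declared; verify each in the source tree"
        else:
            note = "single license declared; spot-check source headers"
        report[d] = {"licenses": lics, "note": note}
    return report

def load_readmes(source_root: str, preserved: List[str]) -> Dict[str, str]:
    """Read README.chromium for each preserved directory from an unpacked Chromium tree."""
    out = {}
    for d in preserved:
        p = os.path.join(source_root, d, "README.chromium")
        if os.path.isfile(p):
            with open(p, encoding="utf-8", errors="replace") as f:
                out[d] = f.read()
    return out
```

On a real tree, pass `load_readmes("/path/to/chromium-src", preserved)` to `audit_preserved`; a single declared license is only a hint, so the source files still need to be checked as the message says.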
