bug#47154: ungoogled-chromium@88.0.4324.182 package vulnerable to various severe CVEs

bug#47154: ungoogled-chromium@88.0.4324.182 package vulnerable to various severe CVEs

[Léo Le Bouter via Bug reports for GNU Guix]

[-- Attachment #1: Type: text/plain, Size: 601 bytes --]

Hello!

Latest version is 89.0.4389.90

ungoogled-chromium upstream has it: 
https://github.com/Eloston/ungoogled-chromium/commit/64cbcbcfee33fd56760173b3a17d2de52cd77258

Debian also upgraded: 
https://salsa.debian.org/chromium-team/chromium/-/commit/8a1f530bdc3fc90993cdc1499e77f9e91468a686

I am not sure how to undertake this upgrade, I tried a little bit but
it failed at failing to delete some bundled third_party directories.

Would love to know in more detail what is the process for upgrading
ungoogled-chromium, license checking and patch rebasing if necessary.

Thank you!

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

bug#47154: ungoogled-chromium@88.0.4324.182 package vulnerable to various severe CVEs

[Léo Le Bouter via Bug reports for GNU Guix]

[-- Attachment #1: Type: text/plain, Size: 51 bytes --]

Fixed by 1155a88308df7649fe74bd5bb8279a4d103ce386

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

bug#47154: ungoogled-chromium@88.0.4324.182 package vulnerable to various severe CVEs

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 1718 bytes --]

Hello!

Sorry for not seeing this earlier.

Léo Le Bouter <lle-bout@zaclys.net> skriver:

> I am not sure how to undertake this upgrade, I tried a little bit but
> it failed at failing to delete some bundled third_party directories.
>
> Would love to know in more detail what is the process for upgrading
> ungoogled-chromium, license checking and patch rebasing if necessary.

For major upgrades such as 88->89, I usually comment out the pruning
script from the snippet, and add a phase such as...

  (add-after 'unpack 'prune
    (lambda _
      (apply invoke "python"
             "build/linux/unbundle/remove_bundled_libraries.py"
             "--do-remove" (list ,@%preserved-third-party-files))))

...to avoid having to repack for every change to
%preserved-third-party-files.

Then just run './pre-inst-env guix build ...' as usual, see what the
configure phase reports, and adjust %preserved-third-party-files
accordingly.

Each "third_party" directory contains a README.chromium with license
information.  That file is not always correct (i.e. listing a single
license when multiple are involved), so I typically check the source
files too.

For patch rebasing, sometimes I make the necessary adjustments manually
and use plain old "diff"; other times I'll create a git repository from
the vanilla Chromium source, apply patches, branch out and try to
cherry-pick the patches to the new version in order to benefit from
git's conflict markers.

I also keep an eye on the Arch and Gentoo Chromium packages for
"inspiration" (that's how I found the recent Opus patch).

Hope this helps, and thanks for the interest in helping out with
maintaining this package.  :-)

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 507 bytes --]