3
0
Fork 0
forked from mirrors/nixpkgs
nixpkgs/pkgs/applications/networking/browsers/chromium
TredwellGit 2bb011032c
chromium: use official build settings (#101467)
LLD: https://lld.llvm.org/
When you link a large program on a multicore machine, you can expect that LLD runs more than twice as fast as the GNU gold linker. Your mileage may vary, though.
Link-time optimization (LTO) is supported by default.
Some default settings have been tuned for the 21st century. For example, the stack is marked as non-executable by default to tighten security.

LTO & ThinLTO: https://clang.llvm.org/docs/ThinLTO.html
LTO (Link Time Optimization) achieves better runtime performance through whole-program analysis and cross-module optimization. However, monolithic LTO implements this by merging all input into a single module, which is not scalable in time or memory, and also prevents fast incremental compiles. ThinLTO is a new approach that is designed to scale like a non-LTO build, while retaining most of the performance achievement of full LTO.

PGO: https://llvm.org/docs/HowToBuildWithPGO.html https://blog.chromium.org/2020/08/chrome-just-got-faster-with-profile.html
Allows your compiler to better optimize code for how it actually runs. Users report that applying this to Clang and LLVM can decrease overall compile time by 20%.
Because PGO uses real usage scenarios that match the workflows of Chrome users around the world, the most common tasks get prioritized and made faster. Delivers up to 10% faster page loads.

CFI: https://clang.llvm.org/docs/ControlFlowIntegrity.html https://www.chromium.org/developers/testing/control-flow-integrity
Aborts the program upon detecting certain forms of undefined behavior that can potentially allow attackers to subvert the program’s control flow. These schemes have been optimized for performance, allowing developers to enable them in release builds.
By default, a program compiled with CFI will crash with SIGILL if it detects a CFI violation.

Additionally:
Use minizip instead of zlib. Chromium says zlib but actually uses minizip.
Remove old unused workarounds.
Make shell scripts POSIX compliant.
Update documentation URLs.
Prepare for using system libraries.
2020-10-24 12:27:40 +02:00
..
patches chromium: Drop the libwebp include patch 2020-10-15 14:33:15 +02:00
browser.nix chromiumDev: Mark as broken for now 2020-10-23 19:47:43 +02:00
common.nix chromium: use official build settings (#101467) 2020-10-24 12:27:40 +02:00
default.nix chromiumDev: 88.0.4292.2 -> 88.0.4298.4 2020-10-23 17:49:46 +02:00
plugins.nix flashplayer: 32.0.0.433 -> 32.0.0.445 2020-10-13 21:13:22 +09:00
README.md chromiumDev: Mark as broken for now 2020-10-23 19:47:43 +02:00
update.py chromium: update.py: Keep the channel order consistent 2020-09-10 12:30:03 +02:00
upstream-info.json chromiumDev: 88.0.4292.2 -> 88.0.4298.4 2020-10-23 17:49:46 +02:00

Maintainers

  • TODO: We need more maintainers:
    • https://github.com/NixOS/nixpkgs/issues/78450
    • If you just want to help out without becoming a maintainer:
      • Look for open Nixpkgs issues or PRs related to Chromium
      • Make your own PRs (but please try to make reviews as easy as possible)
  • Primary maintainer (responsible for updating Chromium): @primeos
  • Testers (test all stable channel updates)
    • nixos-unstable:
      • x86_64: @danielfullmer
      • aarch64: @thefloweringash
    • Stable channel:
      • x86_64: @Frostman
  • Other relevant packages:
    • chromiumBeta and chromiumDev: For testing purposes (not build on Hydra)
    • google-chrome, google-chrome-beta, google-chrome-dev: Updated via Chromium's upstream-info.json
    • ungoogled-chromium: Based on chromium (the expressions are regularly copied over and patched accordingly)

Upstream links

Updating Chromium

Simply run ./pkgs/applications/networking/browsers/chromium/update.py to update upstream-info.json. After updates it is important to test at least nixosTests.chromium (or basic manual testing) and google-chrome (which reuses upstream-info.json).

Backports

All updates are considered security critical and should be ported to the stable channel ASAP. When there is a new stable release the old one should receive security updates for roughly one month. After that it is important to mark Chromium as insecure (see 69e4ae56c4 for an example; it is important that the tested job still succeeds and that all browsers that use upstream-info.json are marked as insecure).

Major version updates

Unfortunately, Chromium regularly breaks on major updates and might need various patches. Either due to issues with the Nix build sandbox (e.g. we cannot fetch dependencies via the network and do not use standard FHS paths) or due to missing upstream fixes that need to be backported.

Good sources for such patches and other hints:

If the build fails immediately due to unknown compiler flags this usually means that a new major release of LLVM is required.

Beta and Dev channels

Those channels are only used to test and fix builds in advance. They may be broken at times and must not delay stable channel updates.