[20.09] chromium, llvm_11: Backport additional patches #102758
Merged
+196
−108
So that it can be accessed via llvmPackages_11.clang-unwrapped.clang-tools-extra_src (e.g. useful for nix-prefetch-url). (cherry picked from commit 72cc4d2)
NixOS#100190) A port of NixOS#85925 for LLVM 11 to enable CFI for Chromium. This is required for features such as `-fsanitize=cfi` that (by default) load the file `…/resource-root/share/cfi_blacklist.txt`. (cherry picked from commit 03dd1b3)
https://lists.llvm.org/pipermail/release-testers/2020-October/001377.html https://lists.llvm.org/pipermail/llvm-announce/2020-October/000089.html Fixes: - builds on Darwin - builds `libcxx` on Linux (cherry picked from commit cffb7cf)
(cherry picked from commit 7a30df9)
compiler-rt (and as a result clang) can't be built for i686 (as noticed here: NixOS#99984). The patch adds the required variables and should result in the same behavior as in the nixpkgs-llvm10. It essentially forces to use i386 builtins when using i486, i586 or i686, which are not supported. Fixes NixOS#100392 (cherry picked from commit 6948875)
(cherry picked from commit 5742fcd)
(cherry picked from commit 8e861c0)
ld.gold runs out of memory on i686. (cherry picked from commit c557c27)
Wanted to do this for a long time to collect important knowledge and make it easier to pass maintainership. Only time will tell if this'll be useful or become outdated instead. (cherry picked from commit b36db49)
The gn version depends on the channel and new gn versions aren't always backward compatible. Therefore we should also include it in upstream-info.json (I've scoped it under "deps" as we'll likely have to add more like this in the future). (cherry picked from commit d7f5386)
https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_9.html This update includes 1 security fix (no CVE). (cherry picked from commit 841664a) Backport of NixOS#103294.
https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_11.html This update includes 2 security fixes. Google is aware of reports that exploits for CVE-2020-16013 and CVE-2020-16017 exist in the wild. CVEs: CVE-2020-16013 CVE-2020-16017 (cherry picked from commit b91153f) Backport of NixOS#103595.
a9af722 to ded16fc
I'll merge this right away due to #103595. CI was fine anyway (up to the timeout at least).
@primeos I have some problems with my setup - wasn't able to get it to finish state, will try to debug this weekend and hopefully will work fine for the next time.
@Frostman ok, no problem, thanks for the update :)
Labels
1.severity: security
Issues which raise a security issue, or PRs that fix one
10.rebuild-darwin: 1-10
10.rebuild-linux: 11-100
Motivation for this change
I'm trying to keep the differences between 20.09 and nixos-unstable minimal. I didn't backport these patches right away as the last two Chromium updates needed to be merged more quickly for security reasons. A few (two?) Chromium patches are still missing for now.