authoraszlig <aszlig@redmoonstudios.org>2012-11-20 05:01:11 +0100
committeraszlig <aszlig@redmoonstudios.org>2012-11-20 05:01:11 +0100
commitba238523938cb5c09df7d271ab5da8370e874f68 (patch)
treea1a7496d98f7f0066d500d383d15cddad2b78930 /pkgs
parent38153d91054c806d8312a39e6dce1a8b1a532837 (diff)
parenta76e28b54c6a9d7c6600e3e0259070257a018700 (diff)
Merge branch 'chromium-update'.
Was about to open a new pull request about how to proceed with the BPF seccomp
sandbox, but it turns out that the Chromium security team has not even finished
reviewing the legacy sandbox (http://crbug.com/26528, next time look at the date
of the issue, shall we?), so it shouldn't make a big difference whether we
enable the old seccomp sandbox or the new BPF one.

Which of course won't make either of these options more secure and leaves us at
the same state we had before, just with chrome://sandbox stating "NOT adequately
sandboxed" which resembles the truth more closely.
Diffstat (limited to 'pkgs')
-rw-r--r--pkgs/applications/networking/browsers/chromium/default.nix15
-rw-r--r--pkgs/applications/networking/browsers/chromium/enable_seccomp.patch20
-rw-r--r--pkgs/applications/networking/browsers/chromium/sources.nix18
-rwxr-xr-xpkgs/applications/networking/browsers/chromium/update.sh2
4 files changed, 16 insertions, 39 deletions
diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix
index c8a470ce9da2..7d41f72df207 100644
--- a/pkgs/applications/networking/browsers/chromium/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/default.nix
@@ -5,7 +5,7 @@
 , libevent, expat, libjpeg
 , libpng, libxml2, libxslt
 , xdg_utils, yasm, zlib
-, libusb1, libexif
+, libusb1, libexif, pciutils
 
 , python, perl, pkgconfig
 , nspr, udev, krb5
@@ -84,13 +84,10 @@ let
     libusb1 libexif
   ];
 
-  maybeSeccompPatch = let
-    pre23 = versionOlder sourceInfo.version "23.0.0.0";
-  in optional pre23 ./enable_seccomp.patch;
+  post23 = !versionOlder sourceInfo.version "24.0.0.0";
+  post24 = !versionOlder sourceInfo.version "25.0.0.0";
 
-  maybeFixPulseAudioBuild = let
-    post23 = !versionOlder sourceInfo.version "24.0.0.0";
-  in optional (post23 && cfg.pulseaudio) (fetchurl {
+  maybeFixPulseAudioBuild = optional (post23 && cfg.pulseaudio) (fetchurl {
     url = http://archrepo.jeago.com/sources/chromium-dev/pulse_audio_fix.patch;
     sha256 = "1w91mirrkqigdhsj892mqxlc0nlv1dsp5shc46w9xf8nl96jxgfb";
   });
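Review bot: The names `post23` and `post24` read one major version earlier than what they test: `post23` is true only from 24.0.0.0 and `post24` only from 25.0.0.0, so with the versions in sources.nix the `pciutils` input in the next hunk is presumably added for the dev channel alone. A comment above the two bindings, e.g. `# postN: newer than the N.x series, i.e. version >= (N+1).0.0.0`, would keep later patch gating from ending up off by one. Separately, with `maybeSeccompPatch` gone nothing in default.nix records that the seccomp-legacy sandbox is no longer forced on in release builds; that reasoning lives only in the commit message, and a short comment near `patches` pointing to chrome://sandbox would let packagers check the actual sandbox state. The `let` block starts and ends outside this hunk.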
@@ -120,7 +117,8 @@ in stdenv.mkDerivation rec {
     ++ optionals cfg.gnome [ gconf libgcrypt ]
     ++ optional cfg.selinux libselinux
     ++ optional cfg.cups libgcrypt
-    ++ optional cfg.pulseaudio pulseaudio;
+    ++ optional cfg.pulseaudio pulseaudio
+    ++ optional post24 pciutils;
 
   opensslPatches = optional cfg.openssl openssl.patches;
 
@@ -128,7 +126,6 @@ in stdenv.mkDerivation rec {
 
   patches = optional cfg.cups ./cups_allow_deprecated.patch
          ++ optional cfg.pulseaudio ./pulseaudio_array_bounds.patch
-         ++ maybeSeccompPatch
          ++ maybeFixPulseAudioBuild;
 
   postPatch = optionalString cfg.openssl ''
diff --git a/pkgs/applications/networking/browsers/chromium/enable_seccomp.patch b/pkgs/applications/networking/browsers/chromium/enable_seccomp.patch
deleted file mode 100644
index f947d796f186..000000000000
--- a/pkgs/applications/networking/browsers/chromium/enable_seccomp.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff --git a/content/common/sandbox_linux.cc b/content/common/sandbox_linux.cc
-index d4618e5..108f846 100644
---- a/content/common/sandbox_linux.cc
-+++ b/content/common/sandbox_linux.cc
-@@ -38,15 +38,9 @@ void LogSandboxStarted(const std::string& sandbox_name) {
- // Implement the command line enabling logic for seccomp-legacy.
- bool IsSeccompLegacyDesired() {
- #if defined(SECCOMP_SANDBOX)
--#if defined(NDEBUG)
--  // Off by default; allow turning on with a switch.
--  return CommandLine::ForCurrentProcess()->HasSwitch(
--      switches::kEnableSeccompSandbox);
--#else
-   // On by default; allow turning off with a switch.
-   return !CommandLine::ForCurrentProcess()->HasSwitch(
-       switches::kDisableSeccompSandbox);
--#endif  // NDEBUG
- #endif  // SECCOMP_SANDBOX
-   return false;
- }
diff --git a/pkgs/applications/networking/browsers/chromium/sources.nix b/pkgs/applications/networking/browsers/chromium/sources.nix
index e829f00471cf..9b6616ec63c3 100644
--- a/pkgs/applications/networking/browsers/chromium/sources.nix
+++ b/pkgs/applications/networking/browsers/chromium/sources.nix
@@ -1,18 +1,18 @@
 # This file is autogenerated from update.sh in the same directory.
 {
   dev = {
-    version = "24.0.1312.2";
-    url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-24.0.1312.2.tar.bz2";
-    sha256 = "155l6sm76cp2vzmm673dnb0vcz7akrz6xfp6jsmaa1175h0yal6h";
+    version = "25.0.1323.1";
+    url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-25.0.1323.1.tar.bz2";
+    sha256 = "1i7ga1qhnjvnw2gynmpmsvvl5pxcb5z9sgldp87d9yalim5sra6s";
   };
   beta = {
-    version = "23.0.1271.60";
-    url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-23.0.1271.60.tar.bz2";
-    sha256 = "1xsa27ay37jls9jiwqn7wfsc4ag02qd316gszb226hp2vhfv6pf2";
+    version = "24.0.1312.14";
+    url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-24.0.1312.14.tar.bz2";
+    sha256 = "03w8cg4kqmpj82976ax9x6y275y9gcri4vc11cvfjp6r1issxzk8";
   };
   stable = {
-    version = "22.0.1229.94";
-    url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-22.0.1229.94.tar.bz2";
-    sha256 = "1bqwlgmn0dm1xvd6v52zf9gjmykgq4fnw7rancbplfpl3rl7xbx0";
+    version = "23.0.1271.64";
+    url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-23.0.1271.64.tar.bz2";
+    sha256 = "1rzz08sgw07nkmvhhgyrkrcxj3z24lxbx0di6ky6jz3lshibp578";
   };
 }
diff --git a/pkgs/applications/networking/browsers/chromium/update.sh b/pkgs/applications/networking/browsers/chromium/update.sh
index c978ee4adf3a..2d95d466b2a8 100755
--- a/pkgs/applications/networking/browsers/chromium/update.sh
+++ b/pkgs/applications/networking/browsers/chromium/update.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-channels_url="http://omahaproxy.appspot.com/";
+channels_url="http://omahaproxy.appspot.com/all?csv=1";
 bucket_url="http://commondatastorage.googleapis.com/chromium-browser-official/";
 output_file="$(cd "$(dirname "$0")" && pwd)/sources.nix";
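Review bot: `channels_url` (and the unchanged `bucket_url`) use plain http, so the channel list that drives sources.nix is fetched without transport authentication. The rest of the script is outside this hunk, but if it derives the sha256 values from whatever it downloads, a tampered response at update time would be pinned into sources.nix as trusted. Prefer `channels_url="https://omahaproxy.appspot.com/all?csv=1";` and an https `bucket_url`, and check the generated hashes against an independently obtained copy before committing.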