Nixpkgs: Merge ungoogled-chromium back into the chromium expressions?

Created on 5 Nov 2020 · 4 Comments · Source: NixOS/nixpkgs

Note: This issue is still WIP, please add feedback, your opinion, advantages/disadvantages, etc. Thanks!

Issue description

In short: To ensure timely security updates (for a web browser, which is a very security critical component) and to avoid an unnecessary duplication of the Nix expressions for building ungoogled-chromium we should integrate it into chromium by using conditionals for the ungoogled-chromium specific parts. IIRC this was also the initial approach in #76082.

Advantages:

  • More timely security updates (since we update Chromium much more timely)
  • Less work for the ungoogled-chromium maintainer? (I assume since this requires regularly copying the Chromium expressions)
  • Security updates will be backported to the stable NixOS release (though we'll probably do so without any additional testing for ungoogled-chromium; normally it should be fine if chromium is fine and if not users could also use it from the unstable channel).
  • Reviewing ungoogled-chromium PRs would become easier (currently the diff will also contain changes from Chromium).

Drawbacks:

  • Requires twice the amount of build time to test changes. Maybe @danielfullmer could help testing Chromium PRs (apart from the regular updates, which @squalus can likely test, there should be few PRs that change/improve our build expressions) for ungoogled-chromium by building it and running a test (we could reuse nixosTests.chromium)?
  • Could delay Chromium updates in case the ungoogled-chromium build fails. I propose adding a new entry for ungoogled-chromium to upstream-info.json so that we can update them separately if required (e.g. if the ungoogled-chromium build fails after major updates or if the ungoogled patches aren't available yet).
  • The Nix expressions will become more complex. I don't think that it'll make a huge difference and at least we avoid the code duplication.

cc:

  • ungoogled-chromium maintainer @squalus
  • Chromium maintainer @primeos @thefloweringash @bendlas
Labels: question, community feedback
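The proposal above (conditionals for the ungoogled-chromium specific parts plus a separate upstream-info.json entry so the two can be bumped independently) sketched as one Nix expression. This is an added illustration, not code from nixpkgs or from the #76082 PR; the upstream-info.json keys, the `ungoogled` argument name, the gn flags and the ungoogled-chromium utility invocations are all assumptions for the sake of the example and would need to be checked against the pinned patchset revision.

```nix
# Added sketch, not nixpkgs code: one chromium expression with an `ungoogled`
# switch and a separate upstream-info.json entry per variant.
{ lib, stdenv, fetchurl, fetchFromGitHub, python3, ungoogled ? false }:

let
  # Assumed file layout (hypothetical keys), one entry per variant so the two
  # can be updated independently when the ungoogled patchset lags behind:
  # {
  #   "stable": { "version": "...", "sha256": "..." },
  #   "ungoogled-chromium": {
  #     "version": "...", "sha256": "...",
  #     "patchsetRev": "<version>-<n>", "patchsetSha256": "..."
  #   }
  # }
  upstreamInfo = builtins.fromJSON (builtins.readFile ./upstream-info.json);
  info = if ungoogled then upstreamInfo."ungoogled-chromium" else upstreamInfo.stable;

  # ungoogled-chromium tags its patchsets "<chromium version>-<revision>" (assumed
  # here); refuse to build if the selected patchset was not made for this version.
  patchsetMatches = lib.hasPrefix "${info.version}-" info.patchsetRev;

  ungoogledSrc = fetchFromGitHub {
    owner = "Eloston";
    repo = "ungoogled-chromium";
    rev = info.patchsetRev;
    sha256 = info.patchsetSha256;
  };
in

# Evaluation fails early for a mismatched patchset; the plain chromium
# variant never evaluates the ungoogled fields at all.
assert ungoogled -> patchsetMatches;

stdenv.mkDerivation rec {
  pname = if ungoogled then "ungoogled-chromium" else "chromium";
  version = info.version;

  src = fetchurl {
    url = "https://commondatastorage.googleapis.com/chromium-browser-official/chromium-${version}.tar.xz";
    sha256 = info.sha256;
  };

  nativeBuildInputs = [ python3 ];

  # Everything ungoogled-specific sits behind the switch, so a plain chromium
  # update exercises no extra code path. Utility names and argument order are
  # assumed from the ungoogled-chromium repository and must be verified against
  # the pinned revision.
  postPatch = lib.optionalString ungoogled ''
    python3 ${ungoogledSrc}/utils/prune_binaries.py . ${ungoogledSrc}/pruning.list
    python3 ${ungoogledSrc}/utils/patches.py apply . ${ungoogledSrc}/patches
    python3 ${ungoogledSrc}/utils/domain_substitution.py apply \
      -r ${ungoogledSrc}/domain_regex.list \
      -f ${ungoogledSrc}/domain_substitution.list .
  '';

  # gn flags shared by both variants, plus flags that only make sense once the
  # Google services are stripped (illustrative values, not a complete list).
  gnFlags = [
    "is_official_build=true"
  ] ++ lib.optionals ungoogled [
    "enable_hangout_services_extension=false"
    "enable_mdns=false"
  ];

  # The remaining build and install phases are identical for both variants
  # and omitted from this sketch.
}
```

With this shape the update script only has to bump the `stable` entry for a routine Chromium security release; `ungoogled-chromium` keeps building from its previous pinned version until the matching patchset exists, and the `assert` makes a half-done bump (new Chromium version, old patchset revision) a visible evaluation error rather than a silently broken build.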

All 4 comments

What if chromium build succeeds but ungoogled-chromium does not. Is chromium going to be blocked then? chromium maintainers should not be required to fix other packages unless they're fine with it, of course.

IIRC this was also the initial approach in #76082.

When was this undone, and why?

What if chromium build succeeds but ungoogled-chromium does not. Is chromium going to be blocked then?

No, I definitely don't want to delay security updates for Chromium. See my 2nd drawback above for a proposed solution.

chromium maintainers should not be required to fix other packages unless they're fine with it, of course.

Yeah, I'm the Chromium maintainer and I really don't want more work. Right now my only/main concern is the build time required to test ungoogled-chromium. My main hope is that they're similar enough so that we don't really need to test ungoogled-chromium for minor changes. And testing bigger changes might be possible with the help of @danielfullmer or Hydra.

When was this undone, and why?

See https://github.com/NixOS/nixpkgs/pull/76082#pullrequestreview-335436810 (former Chromium maintainer), https://github.com/NixOS/nixpkgs/pull/76082#issuecomment-582523994, and https://github.com/NixOS/nixpkgs/pull/76082#issuecomment-618954927 (click on "my delayed opinion").

Also one more important thing regarding this issue/discussion: @squalus would you perform timely security updates (i.e. <1-2 days after a new ungoogled-chromium patchset is available) if we'd merge ungoogled-chromium back into the chromium expressions (since it should then take way less time / only require running an update script and testing it)? Or does the patchset even change for minor/patch releases of Chromium (if not I could update both at once until the next major release)?

Also regarding the backports to the stable NixOS release: I think we should either mark ungoogled-chromium as insecure or @squalus would have to backport his own PRs for security updates.

I've been building and testing both the chromium and ungoogled-chromium recent PRs, and I expect to be able to continue doing so for the foreseeable future. Review is much easier if the derivations use (mostly) shared nix expressions. I'm very much in favor of this proposal, so long as the patchset for ungoogled-chromium doesn't fall so far behind regular chromium that it requires a bunch of special cases in the nix expressions for us to continue to build it.

I'm generally in favor of consolidating the expressions. The main issue is that there's a bit of lag between chromium releases and ungoogled-chromium patchset releases. So, updating the chromium expressions involves keeping them backwards compatible to whatever version ungoogled-chromium supports. I haven't been keeping up with the release timing, but my impression is that the lag is a few days to a week.

The patchset typically does change for every major/minor release.

I will try to do a better job with timely updates, but I can't promise it; I'm sometimes unavailable to do the maintenance work for a little while.
