Message ID | dde8a839eb121b3ca7e17db5e00ea8c1d0544c40.1744895822.git.dannym@friendly-machines.com |
---|---|
State | New |
Series | [bug#78052] gnu: ungoogled-chromium: Fix WebRTC. |
Commit Message
Danny Milosavljevic
April 24, 2025, 11:04 p.m. UTC
* gnu/packages/patches/ungoogled-chromium-fcntl-fix.patch: New file.
* gnu/packages/chromium.scm (%guix-patches): Add reference to it.
* gnu/local.mk (dist_patch_DATA): Add reference to it.

Change-Id: I91b7c3243345f6f1eda71aa4ec68faf3ef4a98f4
---
 gnu/local.mk | 1 +
 gnu/packages/chromium.scm | 3 ++
 .../ungoogled-chromium-fcntl-fix.patch | 28 +++++++++++++++++++
 3 files changed, 32 insertions(+)
 create mode 100644 gnu/packages/patches/ungoogled-chromium-fcntl-fix.patch

base-commit: a36ff7d51110403295a359e7f40c3eb42ccfd509
Comments
Hi Danny,
Danny Milosavljevic <dannym@friendly-machines.com> writes:
> * gnu/packages/patches/ungoogled-chromium-fcntl-fix.patch: New file.
Is this an upstream patch now included in recent releases? Our
ungoogled-chromium package is probably ridden with many CVEs at this
point (it's poorly maintained). If you use it, perhaps you could try
updating it?
Hello,

Danny Milosavljevic <dannym@friendly-machines.com> writes:

> * gnu/packages/patches/ungoogled-chromium-fcntl-fix.patch: New file.
> * gnu/packages/chromium.scm (%guix-patches): Add reference to it.
> * gnu/local.mk (dist_patch_DATA): Add reference to it.

Ouch, the last time ungoogled-chromium was updated was in 2023. That's
terrible for something as sensitive as a web browser that runs arbitrary
JavaScript by default.

If nobody champions an update, I'd suggest we remove the package.

What do people think? (+CC guix-devel).
Hello,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Danny Milosavljevic <dannym@friendly-machines.com> writes:
>
>> * gnu/packages/patches/ungoogled-chromium-fcntl-fix.patch: New file.
>> * gnu/packages/chromium.scm (%guix-patches): Add reference to it.
>> * gnu/local.mk (dist_patch_DATA): Add reference to it.
>
> Ouch, the last time ungoogled-chromium was updated was in 2023. That's
> terrible for something as sensitive as a web browser that runs arbitrary
> JavaScript by default.
>
> If nobody champions an update, I'd suggest we remove the package.
>
> What do people think? (+CC guix-devel).

It still builds, so I disagree that it should be removed. It can still
be useful locally, assuming casting is fixed (see
<https://issues.guix.gnu.org/58581>).

Of course, it would be nice to update it.

Regards,
Hi Nicolas,

Nicolas Goaziou <mail@nicolasgoaziou.fr> writes:

> Hello,
>
> Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:
>
>> Danny Milosavljevic <dannym@friendly-machines.com> writes:
>>
>>> * gnu/packages/patches/ungoogled-chromium-fcntl-fix.patch: New file.
>>> * gnu/packages/chromium.scm (%guix-patches): Add reference to it.
>>> * gnu/local.mk (dist_patch_DATA): Add reference to it.
>>
>> Ouch, the last time ungoogled-chromium was updated was in 2023. That's
>> terrible for something as sensitive as a web browser that runs arbitrary
>> JavaScript by default.
>>
>> If nobody champions an update, I'd suggest we remove the package.
>>
>> What do people think? (+CC guix-devel).
>
> It still builds, so I disagree that it should be removed. It can still
> be useful locally, assuming casting is fixed (see
> <https://issues.guix.gnu.org/58581>).
>
> Of course, it would be nice to update it.

I agree that it has value; wouldn't it only be for testing website
problems (it's still a thing in 2025 to find a website feature that only
works with Chromium, in a nudge to the good old Internet Explorer
days).

But I'm not sure that this value is worth the exposure of unsuspecting
users to tens of CVEs:

--8<---------------cut here---------------start------------->8---
$ guix lint -c cve ungoogled-chromium
fetching CVE database for 2025...
gnu/packages/chromium.scm:484:2: ungoogled-chromium@112.0.5615.165-1 : probablement vulnérable à CVE-2025-0291, CVE-2025-0434, CVE-2025-0436, CVE-2025-0437, CVE-2025-0438, CVE-2025-0439, CVE-2025-0441, CVE-2025-0442, CVE-2025-0443, CVE-2025-0444, CVE-2025-0445, CVE-2025-0446, CVE-2025-0447, CVE-2025-0448, CVE-2025-0451, CVE-2025-0611, CVE-2025-0612, CVE-2025-0762, CVE-2025-0995, CVE-2025-0996, CVE-2025-0997, CVE-2025-0999, CVE-2025-1006, CVE-2025-1426, CVE-2025-1914, CVE-2025-1916, CVE-2025-1918, CVE-2025-1919, CVE-2025-1920, CVE-2025-1921, CVE-2025-1923, CVE-2025-2135, CVE-2025-2136, CVE-2025-2137, CVE-2025-2476, CVE-2025-3066, CVE-2025-3067, CVE-2025-3068, CVE-2025-3069, CVE-2025-3070, CVE-2025-3071, CVE-2025-3072, CVE-2025-3073, CVE-2025-3074, CVE-2025-3619, CVE-2025-3620, CVE-2024-0222, CVE-2024-0223, CVE-2024-0224, CVE-2024-0225, CVE-2024-0333, CVE-2024-0517, CVE-2024-0518, CVE-2024-0519, CVE-2024-0804, CVE-2024-0805, CVE-2024-0806, CVE-2024-0807, CVE-2024-0808, CVE-2024-0809, CVE-2024-0810, CVE-2024-0811, CVE-2024-0812, CVE-2024-0813, CVE-2024-0814, CVE-2024-10229, CVE-2024-10230, CVE-2024-10231, CVE-2024-10487, CVE-2024-10488, CVE-2024-1059, CVE-2024-1060, CVE-2024-1077, CVE-2024-10827, CVE-2024-11110, CVE-2024-11111, CVE-2024-11113, CVE-2024-11116, CVE-2024-11117, CVE-2024-12053, CVE-2024-12381, CVE-2024-12382, CVE-2024-12692, CVE-2024-12693, CVE-2024-12694, CVE-2024-12695, CVE-2024-1283, CVE-2024-1284, CVE-2024-1669, CVE-2024-1670, CVE-2024-1671, CVE-2024-1672, CVE-2024-1673, CVE-2024-1674, CVE-2024-1675, CVE-2024-1676, CVE-2024-1938, CVE-2024-1939, CVE-2024-2173, CVE-2024-2174, CVE-2024-2176, CVE-2024-2400, CVE-2024-2625, CVE-2024-2626, CVE-2024-2627, CVE-2024-2628, CVE-2024-2629, CVE-2024-2630, CVE-2024-2631, CVE-2024-2883, CVE-2024-2884, CVE-2024-2885, CVE-2024-2886, CVE-2024-2887, CVE-2024-3156, CVE-2024-3157, CVE-2024-3158, CVE-2024-3159, CVE-2024-3168, CVE-2024-3169, CVE-2024-3170, CVE-2024-3171, CVE-2024-3172, CVE-2024-3173, CVE-2024-3174, 
CVE-2024-3175, CVE-2024-3176, CVE-2024-3515, CVE-2024-3516, CVE-2024-3832, CVE-2024-3833, CVE-2024-3834, CVE-2024-3837, CVE-2024-3838, CVE-2024-3839, CVE-2024-3840, CVE-2024-3843, CVE-2024-3844, CVE-2024-3845, CVE-2024-3846, CVE-2024-3847, CVE-2024-3914, CVE-2024-4058, CVE-2024-4059, CVE-2024-4060, CVE-2024-4331, CVE-2024-4368, CVE-2024-4558, CVE-2024-4559, CVE-2024-4671, CVE-2024-4761, CVE-2024-4947, CVE-2024-4948, CVE-2024-4949, CVE-2024-4950, CVE-2024-5157, CVE-2024-5158, CVE-2024-5159, CVE-2024-5274, CVE-2024-5496, CVE-2024-5497, CVE-2024-5498, CVE-2024-5499, CVE-2024-5500, CVE-2024-5830, CVE-2024-5831, CVE-2024-5832, CVE-2024-5833, CVE-2024-5834, CVE-2024-5835, CVE-2024-5836, CVE-2024-5837, CVE-2024-5838, CVE-2024-5839, CVE-2024-5840, CVE-2024-5841, CVE-2024-5842, CVE-2024-5843, CVE-2024-5844, CVE-2024-5845, CVE-2024-5846, CVE-2024-5847, CVE-2024-6100, CVE-2024-6101, CVE-2024-6102, CVE-2024-6103, CVE-2024-6290, CVE-2024-6291, CVE-2024-6772, CVE-2024-6774, CVE-2024-6775, CVE-2024-6776, CVE-2024-6777, CVE-2024-6778, CVE-2024-6779, CVE-2024-6989, CVE-2024-6990, CVE-2024-6991, CVE-2024-6994, CVE-2024-6996, CVE-2024-6997, CVE-2024-6998, CVE-2024-6999, CVE-2024-7000, CVE-2024-7001, CVE-2024-7003, CVE-2024-7004, CVE-2024-7005, CVE-2024-7018, CVE-2024-7019, CVE-2024-7020, CVE-2024-7022, CVE-2024-7024, CVE-2024-7025, CVE-2024-7255, CVE-2024-7532, CVE-2024-7534, CVE-2024-7535, CVE-2024-7536, CVE-2024-7550, CVE-2024-7965, CVE-2024-7966, CVE-2024-7967, CVE-2024-7968, CVE-2024-7969, CVE-2024-7970, CVE-2024-7971, CVE-2024-7972, CVE-2024-7973, CVE-2024-7974, CVE-2024-7975, CVE-2024-7976, CVE-2024-7978, CVE-2024-7981, CVE-2024-8193, CVE-2024-8194, CVE-2024-8198, CVE-2024-8362, CVE-2024-8636, CVE-2024-8638, CVE-2024-8904, CVE-2024-8905, CVE-2024-8906, CVE-2024-8907, CVE-2024-8908, CVE-2024-9121, CVE-2024-9122, CVE-2024-9123, CVE-2024-9369, CVE-2024-9602, CVE-2024-9603, CVE-2024-9859, CVE-2024-9954, CVE-2024-9955, CVE-2024-9958, CVE-2024-9959, CVE-2024-9960, CVE-2024-9962, 
CVE-2024-9963, CVE-2024-9964, CVE-2024-9966, CVE-2023-2459, CVE-2023-2460, CVE-2023-2462, CVE-2023-2464, CVE-2023-2465, CVE-2023-2466, CVE-2023-2468, CVE-2023-2721, CVE-2023-2723, CVE-2023-2724, CVE-2023-2725, CVE-2023-2726, CVE-2023-2929, CVE-2023-2930, CVE-2023-2931, CVE-2023-2932, CVE-2023-2933, CVE-2023-2934, CVE-2023-2935, CVE-2023-2936, CVE-2023-2937, CVE-2023-2938, CVE-2023-2940, CVE-2023-2941, CVE-2023-3214, CVE-2023-3215, CVE-2023-3216, CVE-2023-3217, CVE-2023-3420, CVE-2023-3421, CVE-2023-3422, CVE-2023-3598, CVE-2023-3727, CVE-2023-3728, CVE-2023-3730, CVE-2023-3732, CVE-2023-3733, CVE-2023-3734, CVE-2023-3735, CVE-2023-3737, CVE-2023-3738, CVE-2023-3740, CVE-2023-4068, CVE-2023-4069, CVE-2023-4070, CVE-2023-4071, CVE-2023-4072, CVE-2023-4074, CVE-2023-4075, CVE-2023-4076, CVE-2023-4077, CVE-2023-4078, CVE-2023-4349, CVE-2023-4351, CVE-2023-4352, CVE-2023-4353, CVE-2023-4354, CVE-2023-4355, CVE-2023-4356, CVE-2023-4357, CVE-2023-4358, CVE-2023-4360, CVE-2023-4362, CVE-2023-4364, CVE-2023-4365, CVE-2023-4366, CVE-2023-4367, CVE-2023-4368, CVE-2023-4427, CVE-2023-4428, CVE-2023-4429, CVE-2023-4430, CVE-2023-4431, CVE-2023-4572, CVE-2023-4761, CVE-2023-4762, CVE-2023-4763, CVE-2023-4764, CVE-2023-4860, CVE-2023-4863, CVE-2023-4901, CVE-2023-4902, CVE-2023-4904, CVE-2023-4905, CVE-2023-4906, CVE-2023-4908, CVE-2023-4909, CVE-2023-5186, CVE-2023-5187, CVE-2023-5217, CVE-2023-5218, CVE-2023-5346, CVE-2023-5472, CVE-2023-5473, CVE-2023-5474, CVE-2023-5475, CVE-2023-5476, CVE-2023-5477, CVE-2023-5478, CVE-2023-5479, CVE-2023-5480, CVE-2023-5481, CVE-2023-5482, CVE-2023-5483, CVE-2023-5484, CVE-2023-5485, CVE-2023-5486, CVE-2023-5487, CVE-2023-5849, CVE-2023-5850, CVE-2023-5851, CVE-2023-5852, CVE-2023-5853, CVE-2023-5854, CVE-2023-5855, CVE-2023-5856, CVE-2023-5857, CVE-2023-5858, CVE-2023-5859, CVE-2023-5996, CVE-2023-5997, CVE-2023-6112, CVE-2023-6345, CVE-2023-6346, CVE-2023-6347, CVE-2023-6348, CVE-2023-6350, CVE-2023-6351, CVE-2023-6508, CVE-2023-6509, 
CVE-2023-6510, CVE-2023-6511, CVE-2023-6512, CVE-2023-6702, CVE-2023-6703, CVE-2023-6704, CVE-2023-6705, CVE-2023-6706, CVE-2023-6707, CVE-2023-7010, CVE-2023-7011, CVE-2023-7012, CVE-2023-7013, CVE-2023-7024, CVE-2023-7281, CVE-2023-7282
--8<---------------cut here---------------end--------------->8---

I'd think that most users expect that security matters for web browsers
and that they are kept up to date/secure.
Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Hello,
>
> Danny Milosavljevic <dannym@friendly-machines.com> writes:
>
>> * gnu/packages/patches/ungoogled-chromium-fcntl-fix.patch: New file.
>> * gnu/packages/chromium.scm (%guix-patches): Add reference to it.
>> * gnu/local.mk (dist_patch_DATA): Add reference to it.
>
> Ouch, the last time ungoogled-chromium was updated was in 2023. That's
> terrible for something as sensitive as a web browser that runs arbitrary
> JavaScript by default.
>
> If nobody champions an update, I'd suggest we remove the package.
>
> What do people think? (+CC guix-devel).
>

IMO it's important that we have one of webkit, chromium and gecko in our
repos for when those pesky websites refuse to work with X browser.

I’m thinking of Microsoft Teams that somehow manages to crash on all
three. Might be the worst piece of software ever.

Have a nice day,
Noé
Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Nicolas Goaziou <mail@nicolasgoaziou.fr> writes:
>
> I agree that it has value; wouldn't it only be for testing website
> problems (it's still a thing in 2025 to find a website feature that only
> works with Chromium, in a nudge to the good old Internet Explorer
> days).

My hypothetical use-case is simply to display PDF on a Chromecast. It
only needs to connect to a LAN.

> But I'm not sure that this value is worth the exposure of unsuspecting
> users to tens of CVEs:

[...]

> I'd think that most users expect that security matters for web browsers
> and that they are kept up to date/secure.

Wouldn’t a big fat warning in the description of the package help?
Hello,

On Tue, Apr 29, 2025 at 10:45:44AM +0200, Noé Lopez wrote:
> IMO it's important that we have one of webkit, chromium and gecko in our
> repos for when those pesky websites refuse to work with X browser.

I concur. In particular, many ecommerce websites do not work with icecat,
even after disabling all extensions (of which "Searxes' Third-party
Request Blocker" is the most meaningful one).

So I end up using ungoogled-chromium routinely for "commercial" sites.

Of course, someone needs to update it, which is a daunting task...

Andreas
Andreas Enge <andreas@enge.fr> writes:

> Hello,
>
> On Tue, Apr 29, 2025 at 10:45:44AM +0200, Noé Lopez wrote:
>> IMO it's important that we have one of webkit, chromium and gecko in our
>> repos for when those pesky websites refuse to work with X browser.
>
> I concur. In particular, many ecommerce websites do not work with icecat,
> even after disabling all extensions (of which "Searxes' Third-party
> Request Blocker" is the most meaningful one).
>
> So I end up using ungoogled-chromium routinely for "commercial" sites.
>

Personally, I would just use the profile with extensions disabled all
the time so I switched to librewolf which offers better privacy and has
more active development. Unless there are special things that Icecat
does compared to librewolf, I think we could reproduce a newer icecat by
bundling librewolf with the default icecat extensions. To have the best
of both worlds.

> Of course, someone needs to update it, which is a daunting task...
>

For sure…

Good evening,
Noé
Hi Nicolas,

Nicolas Goaziou <mail@nicolasgoaziou.fr> writes:

> Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:
>
>> Nicolas Goaziou <mail@nicolasgoaziou.fr> writes:
>>
>> I agree that it has value; wouldn't it only be for testing website
>> problems (it's still a thing in 2025 to find a website feature that only
>> works with Chromium, in a nudge to the good old Internet Explorer
>> days).
>
> My hypothetical use-case is simply to display PDF on a Chromecast. It
> only needs to connect to a LAN.
>
>> But I'm not sure that this value is worth the exposure of unsuspecting
>> users to tens of CVEs:
>
> [...]
>
>> I'd think that most users expect that security matters for web browsers
>> and that they are kept up to date/secure.
>
> Wouldn’t a big fat warning in the description of the package help?

I'm not convinced that'd be enough; existing users would probably not
see it for example. I think going through the deprecation route would be
a more visible option. Our (info "(guix) Deprecation Policy") suggests a
one month period after the removal PATCH is submitted, plus a news to
etc/news.scm broadcasting the removal in this case, because
ungoogled-chromium is probably considered a 'popular' package.

This would give someone one month to update it, or move it to another
channel (perhaps guix-past could keep legacy browser versions around,
for testing for example).
Hi Andreas,

Andreas Enge <andreas@enge.fr> writes:

> Hello,
>
> On Tue, Apr 29, 2025 at 10:45:44AM +0200, Noé Lopez wrote:
>> IMO it's important that we have one of webkit, chromium and gecko in our
>> repos for when those pesky websites refuse to work with X browser.
>
> I concur. In particular, many ecommerce websites do not work with icecat,
> even after disabling all extensions (of which "Searxes' Third-party
> Request Blocker" is the most meaningful one).
>
> So I end up using ungoogled-chromium routinely for "commercial" sites.
>
> Of course, someone needs to update it, which is a daunting task...

Have you tried librewolf for this use case? It works for me (and unlike
ungoogled-chromium, it is maintained thus safer to use).
diff --git a/gnu/local.mk b/gnu/local.mk index 62cfe230bb..582296e3c9 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -2344,6 +2344,7 @@ dist_patch_DATA = \ %D%/packages/patches/uftrace-fix-tests.patch \ %D%/packages/patches/ultrastar-deluxe-no-freesans.patch \ %D%/packages/patches/ungoogled-chromium-extension-search-path.patch \ + %D%/packages/patches/ungoogled-chromium-fcntl-fix.patch \ %D%/packages/patches/ungoogled-chromium-ffmpeg-compat.patch \ %D%/packages/patches/ungoogled-chromium-RUNPATH.patch \ %D%/packages/patches/ungoogled-chromium-system-ffmpeg.patch \ diff --git a/gnu/packages/chromium.scm b/gnu/packages/chromium.scm index 5da5f10da6..45fd719822 100644 --- a/gnu/packages/chromium.scm +++ b/gnu/packages/chromium.scm @@ -385,6 +385,9 @@ (define %guix-patches (list (local-file (assume-valid-file-name (search-patch "ungoogled-chromium-extension-search-path.patch"))) + (local-file + (assume-valid-file-name + (search-patch "ungoogled-chromium-fcntl-fix.patch"))) (local-file (assume-valid-file-name (search-patch "ungoogled-chromium-RUNPATH.patch"))) diff --git a/gnu/packages/patches/ungoogled-chromium-fcntl-fix.patch b/gnu/packages/patches/ungoogled-chromium-fcntl-fix.patch new file mode 100644 index 0000000000..e9e8664b6f --- /dev/null +++ b/gnu/packages/patches/ungoogled-chromium-fcntl-fix.patch 
@@ -0,0 +1,28 @@ +From 7b0d7f48fbffb412f0c485f86ef33b0dea605d1d Mon Sep 17 00:00:00 2001 +From: Jan Grulich <grulja@gmail.com> +Date: Fri, 12 May 2023 20:59:06 +0200 +Subject: [PATCH] PipeWire capturer: fix fcntl call when duplicating a file descriptor + +The fcntl() call has variable arguments, therefore we need to pass 0 to +specify there are no other arguments for this call, otherwise we might +end up with an argument that is random garbage. + +Bug: webrtc:15174 +Change-Id: I34f16a942d80913b667d8ade7eed557b0233be01 +Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/305120 +Reviewed-by: Alexander Cooper <alcooper@chromium.org> +Commit-Queue: Jan Grulich <grulja@gmail.com> +Cr-Commit-Position: refs/heads/main@{#40060} +--- + +--- ./third_party/webrtc/modules/desktop_capture/linux/wayland/shared_screencast_stream.cc.orig 2024-11-18 21:48:23.280303055 +0100 ++++ ./third_party/webrtc/modules/desktop_capture/linux/wayland/shared_screencast_stream.cc 2024-11-18 21:48:24.860287444 +0100 +@@ -447,7 +447,7 @@ + + if (fd >= 0) { + pw_core_ = pw_context_connect_fd( +- pw_context_, fcntl(fd, F_DUPFD_CLOEXEC), nullptr, 0); ++ pw_context_, fcntl(fd, F_DUPFD_CLOEXEC, 0), nullptr, 0); + } else { + pw_core_ = pw_context_connect(pw_context_, nullptr, 0); + }
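Review bot: in the gnu/packages/chromium.scm hunk, the new `local-file` entry in `%guix-patches` has no comment saying why the patch is carried or when it can be dropped. The patch file itself identifies the upstream change (Bug: webrtc:15174, reviewed at https://webrtc-review.googlesource.com/c/src/+/305120, dated 12 May 2023), so a one-line Scheme comment above the entry naming that change and stating that the patch goes away once the package is updated past it would save the next maintainer the lookup, and would answer the question raised in the thread about whether this is already in newer releases.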
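Review bot: in the new file ungoogled-chromium-fcntl-fix.patch, nothing states that the diff was adapted rather than taken verbatim from upstream. The header is upstream WebRTC commit 7b0d7f48fbffb412f0c485f86ef33b0dea605d1d, but the diff body uses `./third_party/webrtc/...` paths with a `.orig` file and 2024-11-18 timestamps, so it was regenerated against the Chromium source tree. A short leading note in the patch file saying that the paths were rewritten for the bundled copy of WebRTC, with the upstream review URL, would make the provenance checkable. Separately, the changed line still hands the result of `fcntl(fd, F_DUPFD_CLOEXEC, 0)` directly to `pw_context_connect_fd` without testing for -1; that matches upstream and should stay as is in a backport, but it is worth a mention in the commit message so the limitation is on record.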