1{
2 qtModule,
3 qtdeclarative,
4 qtquickcontrols,
5 qtlocation,
6 qtwebchannel,
7 fetchpatch,
8 fetchpatch2,
9
10 bison,
11 flex,
12 gperf,
13 ninja,
14 pkg-config,
15 python,
16 which,
17 nodejs,
18 perl,
19 buildPackages,
20 pkgsBuildTarget,
21 pkgsBuildBuild,
22
23 xorg,
24 libXcursor,
25 libXScrnSaver,
26 libXrandr,
27 libXtst,
28 fontconfig,
29 freetype,
30 harfbuzz,
31 icu,
32 dbus,
33 libdrm,
34 zlib,
35 minizip,
36 libjpeg,
37 libpng,
38 libtiff,
39 libwebp,
40 libopus,
41 jsoncpp,
42 protobuf,
43 libvpx,
44 srtp,
45 snappy,
46 nss,
47 libevent,
48 alsa-lib,
49 pulseaudio,
50 libcap,
51 pciutils,
52 systemd,
53 enableProprietaryCodecs ? true,
54 gn,
55 cctools,
56 cups,
57 bootstrap_cmds,
58 xcbuild,
59 writeScriptBin,
60 ffmpeg ? null,
61 lib,
62 stdenv,
63 version ? null,
64 qtCompatVersion,
65 pipewireSupport ? stdenv.hostPlatform.isLinux,
66 pipewire,
67 postPatch ? "",
68 nspr,
69 lndir,
70}:
71
72let
# Qt's configure step looks for a program called exactly `pkg-config` on
# $PATH. It must run on the build platform but resolve the host platform's
# `.pc` files. Most build systems accept an arbitrary name via $PKG_CONFIG;
# Qt does not, and it rejects the target-prefixed name as well. This
# derivation therefore exposes the prefixed wrapper from `buildPackages`
# under the unprefixed name through a symlink.
pkg-config-wrapped-without-prefix =
  let
    prefixedPkgConfig = buildPackages.pkg-config;
  in
  stdenv.mkDerivation {
    name = "pkg-config-wrapper-without-target-prefix";
    # Nothing to unpack or compile: the only output is the symlink.
    dontBuild = true;
    dontUnpack = true;
    installPhase = ''
      mkdir -p $out/bin
      ln -s '${prefixedPkgConfig}/bin/${prefixedPkgConfig.targetPrefix}pkg-config' $out/bin/pkg-config
    '';
  };
88
89in
90
91qtModule (
92 {
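pname = "qtwebengine";

# Tools executed on the build platform while building.
nativeBuildInputs = [
  bison
  flex
  gperf
  ninja
  pkg-config
  (python.withPackages (ps: [ ps.html5lib ]))
  which
  gn
  nodejs
]
# Cross builds additionally need build-platform copies of the Qt development
# outputs and the unprefixed pkg-config shim defined in the `let` above.
++ lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
  perl
  lndir
  (lib.getDev pkgsBuildTarget.targetPackages.qt5.qtbase)
  pkgsBuildBuild.pkg-config
  (lib.getDev pkgsBuildTarget.targetPackages.qt5.qtquickcontrols)
  pkg-config-wrapped-without-prefix
]
# `lib.optionals` (plural) splices the Darwin tools into the list. The
# previous `lib.optional` wrapped the whole list as one nested element, which
# only worked if something downstream flattened the dependency list.
++ lib.optionals stdenv.hostPlatform.isDarwin [
  bootstrap_cmds
  xcbuild
];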
doCheck = true;

# Split the installation into three outputs.
outputs = [ "bin" "dev" "out" ];

enableParallelBuilding = true;

# Skip the gn setup hook's configure step; gn is only listed as a build tool.
dontUseGnConfigure = true;

# Some components are compiled by ninja with -Wno-format, and
# -Wformat-security cannot be combined with that flag. Disabling the
# "format" hardening flag removes nixpkgs' format-string hardening
# (-Wformat -Wformat-security -Werror=format-security) for the whole package,
# not only for the components that need it.
hardeningDisable = [ "format" ];
132
# Patches applied on top of the upstream sources.
#
# Every remote patch is addressed by a commit id in its URL and pinned by an
# SRI sha256 `hash`. If the fetched content no longer matches the recorded
# hash, the fetch fails instead of silently picking up different content.
# `stripLen` / `extraPrefix` rewrite the paths inside a patch; presumably
# this makes each one apply from the qtwebengine source root.
# The two `./…patch` entries are local files kept next to this expression.
patches = [
  # FFmpeg 5 compatibility (Arch Linux packaging)
  (fetchpatch2 {
    url = "https://gitlab.archlinux.org/archlinux/packaging/packages/qt5-webengine/-/raw/14074e4d789167bd776939037fe6df8d4d7dc0b3/qt5-webengine-ffmpeg5.patch";
    hash = "sha256-jTbJFXBPwRMzr8IeTxrv9dtS+/xDS/zR4dysV/bRg3I=";
    stripLen = 1;
    extraPrefix = "src/3rdparty/";
  })

  # FFmpeg 7 compatibility (Arch Linux packaging)
  (fetchpatch2 {
    url = "https://gitlab.archlinux.org/archlinux/packaging/packages/qt5-webengine/-/raw/e8fb4f86104243b90966b69cdfaa967273d834b6/qt5-webengine-ffmpeg7.patch";
    hash = "sha256-YNeHmOVp0M5HB+b91AOxxJxl+ktBtLYVdHlq13F7xtY=";
    stripLen = 1;
    extraPrefix = "src/3rdparty/chromium/";
  })

  # PipeWire ≥ 0.3 compatibility (Arch Linux packaging)
  (fetchpatch2 {
    url = "https://gitlab.archlinux.org/archlinux/packaging/packages/qt5-webengine/-/raw/c9db2cd9e144bd7a5e9246f5f7a01fe52fd089ba/qt5-webengine-pipewire-0.3.patch";
    hash = "sha256-mGexRfVDF3yjNzSi9BjavhzPtsXI0BooSr/rZ1z/BDo=";
    stripLen = 1;
    extraPrefix = "src/3rdparty/";
  })

  # Build race condition exposed by a missing dependency
  # https://bugs.gentoo.org/933368
  ./qtwebengine-fix_build_pdf_extension_util.patch

  # Newer Clang predefines different macros on Apple targets, which causes
  # errors about predefined macros in the bundled zlib.
  (fetchpatch2 {
    url = "https://github.com/chromium/chromium/commit/2f39ac8d0a414dd65c0e1d5aae38c8f97aa06ae9.patch";
    hash = "sha256-3kA2os0IntxIiJwzS5nPd7QWYlOWOpoLKYsOQFYv0Sk=";
    stripLen = 1;
    extraPrefix = "src/3rdparty/chromium/";
  })

  # Same Clang predefined-macro change, this time for the bundled libpng.
  (fetchpatch2 {
    url = "https://github.com/chromium/chromium/commit/66defc14abe47c0494da9faebebfa0a5b6efcf38.patch";
    hash = "sha256-ErS5Eycls5+xQLGYKz1r/tQC6IcRJWb/WoGsUyzO9WY=";
    stripLen = 1;
    extraPrefix = "src/3rdparty/chromium/";
  })

  # https://trac.macports.org/ticket/71563
  # src/3rdparty/chromium/third_party/freetype/src/src/gzip/ftzconf.h:228:12: error: unknown type name 'Byte'
  (fetchpatch2 {
    url = "https://github.com/macports/macports-ports/raw/f9a4136c48020b01ecc6dffa99b88333c360f056/aqua/qt5/files/patch-qtwebengine-chromium-freetype-gzip.diff";
    hash = "sha256-NeLmMfYMo80u3h+5GTenMANWfWLPeS35cKg+h3vzW4g=";
    extraPrefix = "";
  })

  # src/3rdparty/chromium/base/process/process_metrics_mac.cc:303:17: error: static assertion expression is not an integral constant expression
  (fetchpatch2 {
    url = "https://github.com/macports/macports-ports/raw/f9a4136c48020b01ecc6dffa99b88333c360f056/aqua/qt5/files/patch-qtwebengine_chromium_static_page_size.diff";
    hash = "sha256-8TFN5XU0SUvPJCFU6wvcKP5a8HCd0ygUnLT8BF4MZ/E=";
    extraPrefix = "";
  })

  # Adds "-target-feature +aes" to the ARM crc32c build flags
  (fetchpatch2 {
    url = "https://github.com/chromium/chromium/commit/9f43d823b6b4cdea62f0cc7563ff01f9239b8970.patch";
    hash = "sha256-2WCx+ZOWA8ZyV2yiSQLx9uFZOoeWQHxLqwLEZsV41QU=";
    stripLen = 1;
    extraPrefix = "src/3rdparty/chromium/";
  })

  # Build fixes for clang with libc++ 19: three files from one FreeBSD ports commit
  # https://github.com/freebsd/freebsd-ports/commit/0ddd6468fb3cb9ba390973520517cb1ca2cd690d
  (fetchpatch2 {
    url = "https://github.com/freebsd/freebsd-ports/raw/0ddd6468fb3cb9ba390973520517cb1ca2cd690d/www/qt5-webengine/files/patch-libc++19";
    hash = "sha256-pSVPnuEpjFHW60dbId5sZ3zHP709EWG4LSWoS+TkgcQ=";
    extraPrefix = "";
  })
  (fetchpatch2 {
    url = "https://github.com/freebsd/freebsd-ports/raw/0ddd6468fb3cb9ba390973520517cb1ca2cd690d/www/qt5-webengine/files/patch-src_3rdparty_chromium_third__party_blink_renderer_platform_wtf_hash__table.h";
    hash = "sha256-+vyWC7Indd1oBhvL5fMTlIH4mM4INgISZFAbHsq32Lg=";
    extraPrefix = "";
  })
  (fetchpatch2 {
    url = "https://github.com/freebsd/freebsd-ports/raw/0ddd6468fb3cb9ba390973520517cb1ca2cd690d/www/qt5-webengine/files/patch-src_3rdparty_chromium_third__party_perfetto_include_perfetto_tracing_internal_track__event__data__source.h";
    hash = "sha256-DcAYOV9b30ogPCiedvQimEmiZpUJquk5j6WLjJxR54U=";
    extraPrefix = "";
  })

  # Build fix for gperf ≥ 3.2 together with Clang 19.
  ./qtwebengine-gperf-3.2.patch
];
224
# Source fix-ups that run after `patches` have been applied. The script is
# assembled from platform-conditional fragments and ends with the caller's
# own `postPatch` argument.
#
# NOTE(review): the harfbuzz shebang substitution ends in `|| true`, so a
# missing file or a failed substitution is ignored and the build continues
# without the fix.
# NOTE(review): `patchShebangs .` rewrites every script under the Chromium
# tree; the TODO inside the script already asks for a narrower scope.
postPatch = ''
  # Patch Chromium build tools
  (
    cd src/3rdparty/chromium;

    patch -p1 < ${
      # Python 3.12 build support. The patch is pinned by commit id and hash
      # like the entries in `patches`, but is applied by hand from inside
      # the Chromium directory.
      fetchpatch {
        name = "python312-six.patch";
        url = "https://gitlab.archlinux.org/archlinux/packaging/packages/qt5-webengine/-/raw/6b0c0e76e0934db2f84be40cb5978cee47266e78/python3.12-six.patch";
        hash = "sha256-YgP9Sq5+zTC+U7+0hQjZokwb+fytk0UEIJztUXFhTkI=";
      }
    }

    # Manually fix unsupported shebangs
    substituteInPlace third_party/harfbuzz-ng/src/src/update-unicode-tables.make \
      --replace "/usr/bin/env -S make -f" "/usr/bin/make -f" || true

    # TODO: be more precise
    patchShebangs .
  )
''
# Darwin: stop the Chromium build script from rewriting the `clang` path
# relative to the build directory. `clang_base_path` holds the value of
# `QMAKE_CLANG_DIR` from `src/core/config/mac_osx.pri`.
+ lib.optionalString stdenv.hostPlatform.isDarwin ''
  substituteInPlace ./src/3rdparty/chromium/build/toolchain/mac/BUILD.gn \
    --replace 'prefix = rebase_path("$clang_base_path/bin/", root_build_dir)' 'prefix = "$clang_base_path/bin/"'
''
# Hard-code this package's own output paths into the Qt sources in place of
# the QLibraryInfo lookups.
+ ''
  sed -i \
    -e "s,QLibraryInfo::location(QLibraryInfo::DataPath),QLatin1String(\"$out\"),g" \
    -e "s,QLibraryInfo::location(QLibraryInfo::TranslationsPath),QLatin1String(\"$out/translations\"),g" \
    -e "s,QLibraryInfo::location(QLibraryInfo::LibraryExecutablesPath),QLatin1String(\"$out/libexec\"),g" \
    src/core/web_engine_library_info.cpp
''
# Non-Darwin: rewrite the bare `libudev.so` / `libpci.so` names passed to
# Chromium's loaders into absolute store paths, so that loading these
# libraries does not depend on the process's library search path.
+ lib.optionalString (!stdenv.hostPlatform.isDarwin) ''
  sed -i -e '/lib_loader.*Load/s!"\(libudev\.so\)!"${lib.getLib systemd}/lib/\1!' \
    src/3rdparty/chromium/device/udev_linux/udev?_loader.cc

  sed -i -e '/libpci_loader.*Load/s!"\(libpci\.so\)!"${pciutils}/lib/\1!' \
    src/3rdparty/chromium/gpu/config/gpu_info_collector_linux.cc
''
# Darwin: point qmake at the Nix compiler wrapper and link against the
# system ffmpeg.
+ lib.optionalString stdenv.hostPlatform.isDarwin ''
  substituteInPlace src/buildtools/config/mac_osx.pri \
    --replace 'QMAKE_CLANG_DIR = "/usr"' 'QMAKE_CLANG_DIR = "${stdenv.cc}"'

  # Use system ffmpeg
  echo "gn_args += use_system_ffmpeg=true" >> src/core/config/mac_osx.pri
  echo "LIBS += -lavformat -lavcodec -lavutil" >> src/core/core_common.pri
''
+ postPatch;
279
# Extra compiler and linker flags, chosen per platform and compiler.
env =
  let
    isCross = stdenv.buildPlatform != stdenv.hostPlatform;
    quietSearchMismatch = "-Wl,--no-warn-search-mismatch";
  in
  {
    NIX_CFLAGS_COMPILE = lib.concatStringsSep " " (
      # `-w` turns off all compiler warnings, and only for cross builds.
      lib.optionals isCross [
        "-w "
      ]
      ++ lib.optionals stdenv.cc.isGNU [
        # Since gcc8, -Wclass-memaccess is part of -Wall, and the resulting
        # output exceeds the logging limit.
        "-Wno-class-memaccess"
      ]
      ++ lib.optionals ((stdenv.hostPlatform.gcc.arch or "") == "sandybridge") [
        # The build fails with -march=sandybridge, see
        # https://github.com/NixOS/nixpkgs/pull/59148#discussion_r276696940
        # TODO: investigate and fix properly
        "-march=westmere"
      ]
      ++ lib.optionals stdenv.cc.isClang [
        "-Wno-elaborated-enum-base"
        # 5.15.17: these two warnings have to be silenced
        # https://trac.macports.org/ticket/70850
        "-Wno-enum-constexpr-conversion"
        "-Wno-unused-but-set-variable"
        # Clang 19
        "-Wno-error=missing-template-arg-list-after-template-kw"
      ]
    );
  }
  # Cross builds: silence the linker's search-mismatch warning, both for the
  # default variable and for the one salted for the build-platform compiler.
  // lib.optionalAttrs isCross {
    NIX_CFLAGS_LINK = quietSearchMismatch;
    "NIX_CFLAGS_LINK_${buildPackages.stdenv.cc.suffixSalt}" = quietSearchMismatch;
  };
309
# Shell run before configure: caps ninja at the cores Nix grants the build
# and, when the source tree ships `tools/qmake`, puts it first in QMAKEPATH.
preConfigure = ''
  export NINJAFLAGS=-j$NIX_BUILD_CORES

  if [ -d "$PWD/tools/qmake" ]; then
    QMAKEPATH="$PWD/tools/qmake''${QMAKEPATH:+:}$QMAKEPATH"
  fi
''
# Cross builds: hand qmake the toolchain from the environment.
+ lib.optionalString (stdenv.buildPlatform != stdenv.hostPlatform) ''
  export QMAKE_CC=$CC
  export QMAKE_CXX=$CXX
  export QMAKE_LINK=$CXX
  export QMAKE_AR=$AR
'';
323
# Arguments for qmake. Presumably everything after "--" is passed on to
# QtWebEngine's own configure step; confirm against qmake's handling.
qmakeFlags = [
  "--"
  "-system-ffmpeg"
]
# PipeWire-backed WebRTC is only enabled for native builds.
++ lib.optionals (pipewireSupport && stdenv.buildPlatform == stdenv.hostPlatform) [
  "-webengine-webrtc-pipewire"
]
# Enabled by default through the `enableProprietaryCodecs ? true` argument.
++ lib.optionals enableProprietaryCodecs [
  "-proprietary-codecs"
];
332
# Libraries propagated to everything that depends on qtwebengine. Most of
# them are system copies of components Chromium would otherwise bundle, so
# their security updates arrive through the individual nixpkgs packages.
propagatedBuildInputs = [
  # Qt modules
  qtdeclarative
  qtquickcontrols
  qtlocation
  qtwebchannel

  # Image codecs
  libjpeg
  libpng
  libtiff
  libwebp

  # Video
  srtp
  libvpx

  # Audio
  libopus

  # Text shaping and Unicode
  harfbuzz
  icu

  libevent
  ffmpeg
]
# Everything below is skipped on Darwin.
++ lib.optionals (!stdenv.hostPlatform.isDarwin) [
  dbus
  zlib
  minizip
  snappy
  nss
  protobuf
  jsoncpp

  # Audio back ends
  alsa-lib
  pulseaudio

  # Font discovery and rasterisation
  fontconfig
  freetype

  libcap
  pciutils

  # X11
  xorg.xrandr
  libXScrnSaver
  libXcursor
  libXrandr
  xorg.libpciaccess
  libXtst
  xorg.libXcomposite
  xorg.libXdamage
  libdrm
  xorg.libxkbfile

]
++ lib.optionals pipewireSupport [
  # PipeWire
  pipewire
]

# FIXME: this dependency should not be necessary, but no way around it has
# been found. Chromium pulls it in while bootstrapping GN.
++ lib.optionals stdenv.hostPlatform.isDarwin [ cctools.libtool ];
400
# Darwin-only build inputs.
buildInputs =
  let
    # `src/3rdparty/chromium/build/config/mac/sdk_info.py` calls `sw_vers`
    # to learn about the host platform. This stub answers `-buildVersion`
    # with a fixed string instead of querying the machine, and stops at the
    # first argument it does not recognise.
    swVersStub = writeScriptBin "sw_vers" ''
      #!${stdenv.shell}

      while [ $# -gt 0 ]; do
        case "$1" in
          -buildVersion) echo "17E199";;
          *) break ;;

        esac
        shift
      done
    '';
  in
  lib.optionals stdenv.hostPlatform.isDarwin [
    cups
    swVersStub
  ];
419
# ninja is on the build path, but its setup hook must not replace the
# build and install phases.
dontUseNinjaBuild = true;
dontUseNinjaInstall = true;

postInstall =
  let
    # Version string up to the first "-".
    releaseVersion = lib.head (lib.splitString "-" version);
  in
  # Cross builds: make sure libexec exists before qt.conf is written into it.
  lib.optionalString (stdenv.buildPlatform != stdenv.hostPlatform) ''
    mkdir -p $out/libexec
  ''
  # Linux: drop a qt.conf next to the helper executables. All lines of this
  # string must keep the same indentation so that the heredoc terminator
  # ends up at the start of its line.
  + lib.optionalString stdenv.hostPlatform.isLinux ''
    cat > $out/libexec/qt.conf <<EOF
    [Paths]
    Prefix = ..
    EOF

  ''
  # Rewrite the version recorded in the installed CMake config files to the
  # Qt version this module is expected to be compatible with.
  + ''
    # Fix for out-of-sync QtWebEngine and Qt releases (since 5.15.3)
    sed 's/${releaseVersion} /${qtCompatVersion} /' -i "$out"/lib/cmake/*/*Config.cmake
  '';

# Only schedule this build on machines that advertise "big-parallel".
requiredSystemFeatures = [ "big-parallel" ];
440
meta = {
  description = "Web engine based on the Chromium web browser";
  mainProgram = "qwebengine_convert_dict";
  maintainers = [ lib.maintainers.matthewbauer ];

  # qtwebengine-5.15.8: "QtWebEngine can only be built for x86,
  # x86-64, ARM, Aarch64, and MIPSel architectures."
  # Each listed architecture pattern is combined with `isUnix`.
  platforms =
    with lib.systems.inspect.patterns;
    let
      inherit (lib.systems.inspect) patternLogicalAnd;
    in
    lib.concatMap (patternLogicalAnd isUnix) (
      lib.concatMap lib.toList [
        isx86_32
        isx86_64
        isAarch32
        isAarch64
        (patternLogicalAnd isMips isLittleEndian)
      ]
    );

  # The build is very slow, particularly on slow architectures, so allow
  # 24 * 3600 (presumably seconds, i.e. one day).
  timeout = 24 * 3600;

  # A non-empty `knownVulnerabilities` makes nixpkgs treat the package as
  # insecure: evaluation is refused unless the user opts in, e.g. through
  # `permittedInsecurePackages` or NIXPKGS_ALLOW_INSECURE=1. Anything that
  # renders untrusted web content through this engine inherits the issues
  # below. The CVE list is a snapshot and, as the text itself says,
  # incomplete.
  knownVulnerabilities = [
    ''
      qt5 qtwebengine is unmaintained upstream since april 2025.
      It is based on chromium 87.0.4280.144, and supposedly patched up to 135.0.7049.95 which is outdated.

      Security issues are frequently discovered in chromium.
      The following list of CVEs was fixed in the life cycle of chromium 138 and likely also affects qtwebengine:
      - CVE-2025-8879
      - CVE-2025-8880
      - CVE-2025-8901
      - CVE-2025-8881
      - CVE-2025-8882
      - CVE-2025-8576
      - CVE-2025-8577
      - CVE-2025-8578
      - CVE-2025-8579
      - CVE-2025-8580
      - CVE-2025-8581
      - CVE-2025-8582
      - CVE-2025-8583
      - CVE-2025-8292
      - CVE-2025-8010
      - CVE-2025-8011
      - CVE-2025-7656
      - CVE-2025-6558 (known to be exploited in the wild)
      - CVE-2025-7657
      - CVE-2025-6554
      - CVE-2025-6555
      - CVE-2025-6556
      - CVE-2025-6557

      The actual list of CVEs affecting qtwebengine is likely much longer,
      as this list is missing issues fixed in chromium 136/137 and even more
      issues are continuously discovered and lack upstream fixes in qtwebengine.
    ''
  ];
};
503
504 }
505 // lib.optionalAttrs (stdenv.buildPlatform != stdenv.hostPlatform) {
# These attributes are only set for cross builds.
# An empty list keeps stdenv from adding platform flags to configure.
configurePlatforms = [ ];

# Tools and libraries that must run on, and be built for, the build platform.
depsBuildBuild = [
  pkgsBuildBuild.stdenv
  zlib
  nss
  nspr
];

# A dumb terminal gives progress output in `nix-build` and `nix build -L`.
preBuild = ''
  export TERM=dumb
'';
517
518 }
519)