Merge branch 'chrome_update_script' into 'master'

Add chrome_update.py.

See merge request nonguix/nonguix!482
This commit is contained in:
Giacomo Leidi 2025-02-09 00:48:46 +00:00
commit 085066d64a

106
bin/chrome_update.py Executable file
View File

@ -0,0 +1,106 @@
#! /usr/bin/env -S guix shell python python-wrapper python-requests python-feedparser -- python
# Usage: ./chrome_update.py
# Most of this script is based on the update.py script from Nixpkgs:
# https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/networking/browsers/chromium/update.py
import json
import re
import subprocess
import textwrap
from collections import OrderedDict
from urllib.request import urlopen
import feedparser
import requests
RELEASES_URL = 'https://versionhistory.googleapis.com/v1/chrome/platforms/linux/channels/all/versions/all/releases'
DEB_URL = 'https://dl.google.com/linux/chrome/deb/pool/main/g'
HTML_TAGS = re.compile(r'<[^>]+>')
def guix_download(url):
"""Prefetches the content of the given URL and returns its hash."""
out = subprocess.check_output(['guix', 'download', url], stderr=subprocess.DEVNULL).decode().splitlines()[-1]
return out
def get_package_version(package):
out = subprocess.check_output(['bash', '-c', f"guix show {package} | guix shell recutils -- recsel -p version"], stderr=subprocess.DEVNULL).decode().splitlines()[-1]
return out.replace("version: ", "")
def print_cves(target_version):
feed = feedparser.parse('https://chromereleases.googleblog.com/feeds/posts/default')
for entry in feed.entries:
url = requests.get(entry.link).url.split('?')[0]
if re.search(r'Stable Channel Update for Desktop', entry.title):
if target_version and entry.title == '':
# Workaround for a special case (Chrome Releases bug?):
if 'the-stable-channel-has-been-updated-to' not in url:
continue
else:
continue
content = entry.content[0].value
content = HTML_TAGS.sub('', content) # Remove any HTML tags
if re.search(r'Linux', content) is None:
continue
# print(url) # For debugging purposes
version = re.search(r'\d+(\.\d+){3}', content).group(0)
if target_version:
if version != target_version:
continue
if fixes := re.search(r'This update includes .+ security fix(es)?\.', content):
fixes = fixes.group(0)
if zero_days := re.search(r'Google is aware( of reports)? th(e|at) .+ in the wild\.', content):
fixes += " " + zero_days.group(0)
print('\n' + '\n'.join(textwrap.wrap(fixes, width=72)))
if cve_list := re.findall(r'CVE-[^: ]+', content):
cve_list = list(OrderedDict.fromkeys(cve_list)) # Remove duplicates but preserve the order
cve_string = ', '.join(cve_list)
print("\nFixes " + '\n'.join(textwrap.wrap(cve_string, width=72)) + ".")
break
with urlopen(RELEASES_URL) as resp:
releases = json.load(resp)['releases']
for release in releases:
if "endTime" in release["serving"]:
continue
channel_name = re.findall("chrome\/platforms\/linux\/channels\/(.*)\/versions\/", release['name'])[0]
channel = {'version': release['version']}
cves = ""
if channel_name == 'dev':
google_chrome_suffix = 'unstable'
elif channel_name == 'ungoogled-chromium':
google_chrome_suffix = 'stable'
else:
google_chrome_suffix = channel_name
channel['name'] = f"google-chrome-{google_chrome_suffix}"
try:
channel['hash'] = guix_download(
f'{DEB_URL}/{channel["name"]}/' +
f'{channel["name"]}_{release["version"]}-1_amd64.deb')
except subprocess.CalledProcessError:
# This release isn't actually available yet. Continue to
# the next one.
continue
print(f"====================================== {channel['name']} ===================================")
print(f"Current version: {get_package_version(channel['name'])}")
print(f"Pulled version: {channel['version']}")
print(f"Hash: {channel['hash']}")
print("Commit message:\n\n")
print(f"nongnu: {channel['name']}: Update to {channel['version']}. ")
if channel_name == "stable":
print_cves(channel['version'])
print("")
print(f"* nongnu/packages/chrome.scm ({channel['name']}): Update to {channel['version']}.")
print("")