authorMichael Weiss <dev.primeos@gmail.com>2020-10-20 12:59:55 +0200
committerMichael Weiss <dev.primeos@gmail.com>2020-10-23 11:39:05 +0200
commitb36db49ae73db879fe00f73f2777077f33a68745 (patch)
tree347861fa01e282acaa0244d3b0873c21b5bd907c /pkgs/applications/networking/browsers
parent4b8f3aee6f7d278eee3d0c293a92b45e6c592003 (diff)
chromium: Add some brief documentation
Wanted to do this for a long time to collect important knowledge and
make it easier to pass maintainership.
Only time will tell if this'll be useful or become outdated instead.
Diffstat (limited to 'pkgs/applications/networking/browsers')
-rw-r--r--pkgs/applications/networking/browsers/chromium/README.md56
-rw-r--r--pkgs/applications/networking/browsers/chromium/browser.nix12
-rw-r--r--pkgs/applications/networking/browsers/chromium/common.nix12
3 files changed, 60 insertions, 20 deletions
diff --git a/pkgs/applications/networking/browsers/chromium/README.md b/pkgs/applications/networking/browsers/chromium/README.md
new file mode 100644
index 00000000000..e7b7df7cd08
--- /dev/null
+++ b/pkgs/applications/networking/browsers/chromium/README.md
@@ -0,0 +1,56 @@
+# Maintainers
+
+- TODO: We need more maintainers:
+  - https://github.com/NixOS/nixpkgs/issues/78450
+  - If you just want to help out without becoming a maintainer:
+    - Look for open Nixpkgs issues or PRs related to Chromium
+    - Make your own PRs (but please try to make reviews as easy as possible)
+- Primary maintainer (responsible for updating Chromium): @primeos
+- Testers (test all stable channel updates)
+  - `nixos-unstable`:
+    - `x86_64`: @danielfullmer
+    - `aarch64`: @thefloweringash
+  - Stable channel:
+    - `x86_64`: @Frostman
+- Other relevant packages:
+  - `chromiumBeta` and `chromiumDev`: For testing purposes (not build on Hydra)
+  - `google-chrome`, `google-chrome-beta`, `google-chrome-dev`: Updated via
+    Chromium's `upstream-info.json`
+  - `ungoogled-chromium`: Based on `chromium` (the expressions are regularly
+    copied over and patched accordingly)
+
+# Updating Chromium
+
+Simply run `./pkgs/applications/networking/browsers/chromium/update.py` to
+update `upstream-info.json`. After updates it is important to test at least
+`nixosTests.chromium` (or basic manual testing) and `google-chrome` (which
+reuses `upstream-info.json`).
+
+## Backports
+
+All updates are considered security critical and should be ported to the stable
+channel ASAP. When there is a new stable release the old one should receive
+security updates for roughly one month. After that it is important to mark
+Chromium as insecure (see 69e4ae56c4b for an example; it is important that the
+tested job still succeeds and that all browsers that use `upstream-info.json`
+are marked as insecure).
+
+## Major version updates
+
+Unfortunately, Chromium regularly breaks on major updates and might need
+various patches. Either due to issues with the Nix build sandbox (e.g. we cannot
+fetch dependencies via the network and do not use standard FHS paths) or due to
+missing upstream fixes that need to be backported.
+
+Good sources for such patches and other hints:
+- https://github.com/archlinux/svntogit-packages/tree/packages/chromium/trunk
+- https://gitweb.gentoo.org/repo/gentoo.git/tree/www-client/chromium
+- https://src.fedoraproject.org/rpms/chromium/tree/master
+
+If the build fails immediately due to unknown compiler flags this usually means
+that a new major release of LLVM is required.
+
+## Beta and Dev channels
+
+Those channels are only used to test and fix builds in advance. They may be
+broken at times and must not delay stable channel updates.
diff --git a/pkgs/applications/networking/browsers/chromium/browser.nix b/pkgs/applications/networking/browsers/chromium/browser.nix
index 3d87325984b..d3953da71d2 100644
--- a/pkgs/applications/networking/browsers/chromium/browser.nix
+++ b/pkgs/applications/networking/browsers/chromium/browser.nix
@@ -77,18 +77,10 @@ mkChromiumDerivation (base: rec {
       of source code for Google Chrome (which has some additional features).
     '';
     homepage = "https://www.chromium.org/";
-    maintainers = with maintainers; [ bendlas thefloweringash primeos ];
-    # Overview of the maintainer roles:
-    # nixos-unstable:
-    # - TODO: Need a new maintainer for x86_64 [0]
-    # - @thefloweringash: aarch64
-    # - @primeos: Provisional maintainer (x86_64)
-    # Stable channel:
-    # - TODO (need someone to test backports [0])
-    # [0]: https://github.com/NixOS/nixpkgs/issues/78450
+    maintainers = with maintainers; [ primeos thefloweringash bendlas ]; # See README.md
     license = if enableWideVine then licenses.unfree else licenses.bsd3;
     platforms = platforms.linux;
     hydraPlatforms = if channel == "stable" then ["aarch64-linux" "x86_64-linux"] else [];
-    timeout = 172800; # 48 hours
+    timeout = 172800; # 48 hours (increased from the Hydra default of 10h)
   };
 })
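Review bot: The new `# See README.md` comment on the `maintainers` line points at a README that does not match this list: the README names @danielfullmer and @Frostman as testers, neither of whom is in `maintainers`, and it never mentions `bendlas`. If review requests and issue pings are driven by `meta.maintainers` (presumably they are; confirm), the people asked to test security-critical stable updates would not be notified for this package. Either bring the list in line with the README or say so in the comment, e.g. `# Roles and testers: see README.md (not every tester is listed here)`. The `meta` attribute set starts outside this hunk.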
diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix
index 4341a419142..a058ed6f18a 100644
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@@ -154,16 +154,8 @@ let
       ++ optionals useOzone [ libdrm wayland mesa_drivers libxkbcommon ];
 
     patches = [
-      ./patches/no-build-timestamps.patch
-      ./patches/widevine-79.patch
-      # Unfortunately, chromium regularly breaks on major updates and
-      # then needs various patches backported in order to be compiled with GCC.
-      # Good sources for such patches and other hints:
-      # - https://gitweb.gentoo.org/repo/gentoo.git/plain/www-client/chromium/
-      # - https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/chromium
-      # - https://github.com/chromium/chromium/search?q=GCC&s=committer-date&type=Commits
-      #
-      # ++ optionals (channel == "dev") [ ( githubPatch "<patch>" "0000000000000000000000000000000000000000000000000000000000000000" ) ]
+      ./patches/no-build-timestamps.patch # Optional patch to use SOURCE_DATE_EPOCH in compute_build_timestamp.py (should be upstreamed)
+      ./patches/widevine-79.patch # For bundling Widevine (DRM), might be replaceable via bundle_widevine_cdm=true in gnFlags
       # ++ optional (versionRange "68" "72") ( githubPatch "<patch>" "0000000000000000000000000000000000000000000000000000000000000000" )
     ] ++ optionals (useVaapi) [
       # Check for enable-accelerated-video-decode on Linux:
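Review bot: The `patches` list loses its links to patch sources without gaining a pointer to their new home in README.md, unlike the `maintainers` line in browser.nix, which gets `# See README.md`. Someone fixing a broken major update will start in this list, so a one-line pointer above the remaining `githubPatch` placeholder would help, e.g. `# See README.md ("Major version updates") for sources of backport patches`. The two new trailing comments also record open questions ("should be upstreamed", "might be replaceable via bundle_widevine_cdm=true") with no issue reference, so they are likely to go stale; linking a tracking issue would fix that if one exists. The list continues past the end of this hunk.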