Switch to non-koji chromium

README.md

@@ -35,7 +35,7 @@ Hardening applied:
 - Replacing bubblewrap with bubblewrap-suid so flatpak can be used without unprivileged user namespaces
 - Sets numerous hardening kernel parameters (Inspired by [Madaidan's Hardening Guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html))
 - Installs and enables [hardened_malloc](https://github.com/GrapheneOS/hardened_malloc) globally
-- Installing Chromium from the koji updates-testing repo to always have the latest version of chromium, the stable chromium package lags behind on security patches ([Why chromium?](https://grapheneos.org/usage#web-browsing))
+- Installing Chromium into the base image ([Why chromium?](https://grapheneos.org/usage#web-browsing))
 
 ## Why
 

config/common-packages.yml

@@ -20,6 +20,7 @@ install:
   - koji
   - bubblewrap-suid
   - bubblejail
+  - chromium
   
 remove:
   - firefox

config/common-scripts.yml

@@ -3,4 +3,3 @@ scripts:
   # this sets up the proper policy & signing files for signed images to work
   - signing.sh
   - cron.sh
-  - chromium.sh

config/scripts/chromium.sh

@@ -1,12 +0,0 @@
-#!/usr/bin/env bash
-
-# Tell this script to exit if there are any errors.
-# You should have this in every custom script, to ensure that your completed
-# builds actually ran successfully without any errors!
-set -oue pipefail
-
-echo "Installing chromium from koji updates"
-koji download-build --arch=x86_64 $(koji latest-build f39-updates chromium | awk 'NR==3 {print $1}')
-rm chromedriver-*.rpm
-rm chromium-headless-*.rpm
-rpm-ostree install *.rpm