chore(3p/sources): bump to OpenSSH vulnerability hotfix

See https://github.com/NixOS/nixpkgs/pull/323753 for details.

Changes:

* git: temporarily comment out dottime patch (it doesn't apply, but it's not critical)
* third-party/cgit: use an older git version where dottime patch still applies
* 3p/crate2nix: remove crate2nix patches included in latest release
* tvix: remove unneeded defaultCrateOverrides (upstreamed to nixpkgs)
* tvix: regenerate Cargo.nix
* tvix/nix-compat: remove unnused AtermWriteable::aterm_bytes pub(crate) function
* tvix/nix-compat: remove redundant trait bounds
* tvix/glue: use clone_into() to set drv.{builder,system}
* tools/crate2nix: apply workaround for https://github.com/numtide/treefmt/issues/327
* toold/depotfmt: expose treefmt config as passthru
* tools/crate2nix: undo some more hacks in the crate2nix-check drv

Change-Id: Ifbcedeb3e8f81b2f6ec1dbf10189bfa6dfd9c75c
Co-Authored-By: Florian Klink <flokli@flokli.de>
Reviewed-on: https://cl.tvl.fyi/c/depot/+/11907
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>

third_party/cgit/default.nix

@@ -27,12 +27,25 @@ stdenv.mkDerivation rec {
   #
   # TODO(tazjin): Add an assert for this somewhere so we notice it on
   # channel bumps.
-  preBuild = ''
-    rm -rf git # remove submodule dir ...
-    cp -r --no-preserve=ownership,mode ${pkgs.srcOnly depot.third_party.git} git
-    makeFlagsArray+=(prefix="$out" CGIT_SCRIPT_PATH="$out/cgit/")
-    cat tvl-extra.css >> cgit.css
-  '';
+  preBuild =
+    let
+      # we have to give cgit a git with dottime support to build
+      git' = pkgs.git.overrideAttrs (old: {
+        src = pkgs.fetchurl {
+          url = "https://github.com/git/git/archive/refs/tags/v2.44.2.tar.gz";
+          hash = "sha256-3h0LBfAD4MXfZc0tjWQDO81UdbRo3w5C0W7j7rr9m9I=";
+        };
+        patches = (old.patches or [ ]) ++ [
+          ../git/0001-feat-third_party-git-date-add-dottime-format.patch
+        ];
+      });
+    in
+    ''
+      rm -rf git # remove submodule dir ...
+      cp -r --no-preserve=ownership,mode ${pkgs.srcOnly git'} git
+      makeFlagsArray+=(prefix="$out" CGIT_SCRIPT_PATH="$out/cgit/")
+      cat tvl-extra.css >> cgit.css
+    '';
 
   stripDebugList = [ "cgit" ];
 

third_party/git/default.nix

@@ -4,6 +4,6 @@
 
 pkgs.git.overrideAttrs (old: {
   patches = (old.patches or [ ]) ++ [
-    ./0001-feat-third_party-git-date-add-dottime-format.patch
+    # ./0001-feat-third_party-git-date-add-dottime-format.patch
   ];
 })

third_party/overlays/patches/crate2nix-drop-darwin-explicit-dontstrip.patch

@@ -1,22 +0,0 @@
-From 0209f258cda8a9972a785e26d92fb477ce4d1b0e Mon Sep 17 00:00:00 2001
-From: Ilan Joselevich <personal@ilanjoselevich.com>
-Date: Tue, 11 Jun 2024 18:14:06 +0300
-Subject: [PATCH] Get rid of dontStrip for Darwin as it's no longer needed
-
-Fixed in https://github.com/NixOS/nixpkgs/pull/255900
----
- templates/nix/crate2nix/default.nix                  | 2 --
-
-diff --git a/templates/nix/crate2nix/default.nix b/templates/nix/crate2nix/default.nix
-index 95d3730f..c53925e7 100644
---- a/templates/nix/crate2nix/default.nix
-+++ b/templates/nix/crate2nix/default.nix
-@@ -349,8 +349,6 @@ rec {
-           buildRustCrateForPkgsFunc pkgs
-             (
-               crateConfig // {
--                # https://github.com/NixOS/nixpkgs/issues/218712
--                dontStrip = stdenv.hostPlatform.isDarwin;
-                 src = crateConfig.src or (
-                   pkgs.fetchurl rec {
-                     name = "${crateConfig.crateName}-${crateConfig.version}.tar.gz";

third_party/overlays/patches/crate2nix-run-tests-in-build-source.patch

@@ -1,69 +0,0 @@
-From 7cf084f73f7d15fe0538a625182fa7179c083b3d Mon Sep 17 00:00:00 2001
-From: Raito Bezarius <masterancpp@gmail.com>
-Date: Tue, 16 Jan 2024 02:10:48 +0100
-Subject: [PATCH] fix(template): run tests in `/build/source` instead `/build`
-
-Previously, the source tree was located inline in `/build` during tests, this was a mistake
-because the crates more than often are built in `/build/source` as per the `sourceRoot` system.
-
-This can cause issues with test binaries hardcoding `/build/source/...` as their choice for doing things,
-causing them to be confused in the test phase which is relocated without rewriting the paths inside test binaries.
-
-We fix that by relocating ourselves in the right hierarchy.
-
-This is a "simple" fix in the sense that more edge cases could exist but they are hard to reason about
-because they would be crates using custom `sourceRoot`, i.e. having `crate.sourceRoot` set and then it becomes
-a bit hard to reproduce the hierarchy, you need to analyze whether the path is absolute or relative,
-
-If it's relative, you can just reuse it and reproduce that specific hierarchy.
-If it's absolute, you need to cut the "absolute" meaningless part, e.g. `$NIX_BUILD_TOP/` and proceed like
-it's a relative path IMHO.
----
- crate2nix/Cargo.nix                                  | 10 ++++++++++
- crate2nix/templates/nix/crate2nix/default.nix        | 10 ++++++++++
-
-diff --git a/Cargo.nix b/Cargo.nix
-index 6ef7a49..172ff34 100644
---- a/Cargo.nix
-+++ b/Cargo.nix
-@@ -2889,6 +2889,16 @@ rec {
-           # recreate a file hierarchy as when running tests with cargo
- 
-           # the source for test data
-+          # It's necessary to locate the source in $NIX_BUILD_TOP/source/
-+          # instead of $NIX_BUILD_TOP/
-+          # because we compiled those test binaries in the former and not the latter.
-+          # So all paths will expect source tree to be there and not in the build top directly.
-+          # For example: $NIX_BUILD_TOP := /build in general, if you ask yourself.
-+          # TODO(raitobezarius): I believe there could be more edge cases if `crate.sourceRoot`
-+          # do exist but it's very hard to reason about them, so let's wait until the first bug report.
-+          mkdir -p source/
-+          cd source/
-+
-           ${pkgs.buildPackages.xorg.lndir}/bin/lndir ${crate.src}
- 
-           # build outputs
-diff --git a/crate2nix/templates/nix/crate2nix/default.nix b/crate2nix/templates/nix/crate2nix/default.nix
-index e4fc2e9..dfb14c4 100644
---- a/templates/nix/crate2nix/default.nix
-+++ b/templates/nix/crate2nix/default.nix
-@@ -135,6 +135,16 @@ rec {
-           # recreate a file hierarchy as when running tests with cargo
- 
-           # the source for test data
-+          # It's necessary to locate the source in $NIX_BUILD_TOP/source/
-+          # instead of $NIX_BUILD_TOP/
-+          # because we compiled those test binaries in the former and not the latter.
-+          # So all paths will expect source tree to be there and not in the build top directly.
-+          # For example: $NIX_BUILD_TOP := /build in general, if you ask yourself.
-+          # TODO(raitobezarius): I believe there could be more edge cases if `crate.sourceRoot`
-+          # do exist but it's very hard to reason about them, so let's wait until the first bug report.
-+          mkdir -p source/
-+          cd source/
-+
-           ${pkgs.buildPackages.xorg.lndir}/bin/lndir ${crate.src}
- 
-           # build outputs
--- 
-2.43.0
-

third_party/overlays/patches/treefmt-fix-no-cache.patch

@@ -0,0 +1,43 @@
+From 601af097720079ea40db100b1dd6aefba4685e7c Mon Sep 17 00:00:00 2001
+From: Florian Klink <flokli@flokli.de>
+Date: Mon, 1 Jul 2024 17:34:08 +0300
+Subject: [PATCH] fix: only try opening the cache if cache is enabled
+
+Otherwise `--no-cache` still fails to open the cache.
+---
+ cli/format.go | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/cli/format.go b/cli/format.go
+index 492a4f3..8ccf578 100644
+--- a/cli/format.go
++++ b/cli/format.go
+@@ -118,9 +118,11 @@ func (f *Format) Run() (err error) {
+ 		f.formatters[name] = formatter
+ 	}
+ 
+-	// open the cache
+-	if err = cache.Open(f.TreeRoot, f.ClearCache, f.formatters); err != nil {
+-		return err
++	// open the cache if configured
++	if !f.NoCache {
++		if cache.Open(f.TreeRoot, f.ClearCache, f.formatters); err != nil {
++			return err
++		}
+ 	}
+ 
+ 	// create an app context and listen for shutdown
+@@ -148,7 +150,9 @@ func (f *Format) Run() (err error) {
+ 	f.processedCh = make(chan *walk.File, cap(f.filesCh))
+ 
+ 	// start concurrent processing tasks in reverse order
+-	eg.Go(f.updateCache(ctx))
++	if !f.NoCache {
++		eg.Go(f.updateCache(ctx))
++	}
+ 	eg.Go(f.applyFormatters(ctx))
+ 	eg.Go(f.walkFilesystem(ctx))
+ 
+-- 
+2.44.1
+

third_party/overlays/tvl.nix

@@ -101,8 +101,6 @@ depot.nix.readTree.drvTargets {
     patches = old.patches or [ ] ++ [
       # https://github.com/nix-community/crate2nix/pull/301
       ./patches/crate2nix-tests-debug.patch
-      # TODO(Kranzes): drop on next release
-      ./patches/crate2nix-drop-darwin-explicit-dontstrip.patch
     ];
   });
 
@@ -135,4 +133,9 @@ depot.nix.readTree.drvTargets {
             hash = "sha256-ucTzO2qdN4QkowMVvC3+4pjEVjbwMsB0xFk+bvQxwtQ=";
           };
         }) else super.fuse;
+
+  treefmt = super.treefmt.overrideAttrs (old: {
+    # https://github.com/numtide/treefmt/pull/328
+    patches = old.patches or [ ] ++ [ ./patches/treefmt-fix-no-cache.patch ];
+  });
 }

third_party/sources/sources.json

@@ -65,10 +65,10 @@
         "homepage": "",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "051f920625ab5aabe37c920346e3e69d7d34400e",
-        "sha256": "08lin51g5x2vv89rs6vmqxnyy8pfysh0wdp6mdxw6l86dpm2rbg2",
+        "rev": "7f993cdf26ccef564eabf31fdb40d140821e12bc",
+        "sha256": "0dypbvibfdmv14rqlamf451625fw2fyk11prw9bbywi0q2i313d5",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/051f920625ab5aabe37c920346e3e69d7d34400e.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/7f993cdf26ccef564eabf31fdb40d140821e12bc.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "nixpkgs-stable": {