chore(3p/sources): Bump channels & overlays (OpenSSL edition)

* //ops/machines/whitby: Disable grafana, since the grafana module was changed upstream in a way that our configuration no longer works. Since the OpenSSL security update is relatively pressing, adapting the grafana configuration beforehand is not a hard requirement. See https://github.com/NixOS/nixpkgs/pull/191768. * //tools/depotfmt: keep Go at version 1.18 to forgo a reformat of the tree. * //nix/buildGo: keep Go at version 1.18, as 1.19 changed the CLI interface (?) in a way that breaks buildGo. * //3p/overlays/tvl: drop upstreamed tdlib upgrade. * //3p/overlays/tvl: patch buf to work around breakage due to git 2.38.1 TODO items for Go are tracked in b/215. Change-Id: Ie08fef49cf3db12e6b5225a8b992a990ddc5b642 Reviewed-on: https://cl.tvl.fyi/c/depot/+/7141 Tested-by: BuildkiteCI Autosubmit: sterni <sternenseemann@systemli.org> Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: tazjin <tazjin@tvl.su>
2022-10-30 22:28:02 +01:00 · 2022-10-30 22:28:02 +01:00 · 57cf952ea9
commit 57cf952ea9
parent 64afe59bbe
6 changed files with 145 additions and 82 deletions
--- a/third_party/overlays/patches/buf-tests-dont-use-file-transport.patch
+++ b/third_party/overlays/patches/buf-tests-dont-use-file-transport.patch
@ -0,0 +1,64 @@
+commit e9219b88de5ed37af337ee2d2e71e7ec7c0aad1b
+Author: Robbert van Ginkel <rvanginkel@buf.build>
+Date:   Thu Oct 20 16:43:28 2022 -0400
+
+    Fix git unit test by using fake git server rather than file:// (#1518)
+    
+    More recent versions of git fix a CVE by disabling some usage of the
+    `file://` transport, see
+    https://github.blog/2022-10-18-git-security-vulnerabilities-announced/#cve-2022-39253.
+    We were using this transport in tests.
+    
+    Instead, use https://git-scm.com/docs/git-http-backend to serve up this
+    repository locally so we don't have to use the file protocol. This
+    should be a more accurate tests, since we mostly expect submodules to
+    come from servers.
+
+diff --git a/.golangci.yml b/.golangci.yml
+index 318d1171..865e03e7 100644
+--- a/.golangci.yml
+++ b/.golangci.yml
+@@ -136,3 +136,8 @@ issues:
+     - linters:
+         - containedctx
+       path: private/bufpkg/bufmodule/bufmoduleprotocompile
+      # We should be able to use net/http/cgi in a unit test, in addition the CVE mentions only versions of go < 1.6.3 are affected.
+    - linters:
+        - gosec
+      path: private/pkg/git/git_test.go
+      text: "G504:"
+diff --git a/private/pkg/git/git_test.go b/private/pkg/git/git_test.go
+index 7b77b6cd..7132054e 100644
+--- a/private/pkg/git/git_test.go
+++ b/private/pkg/git/git_test.go
+@@ -17,6 +17,8 @@ package git
+ import (
+ 	"context"
+ 	"errors"
+	"net/http/cgi"
+	"net/http/httptest"
+ 	"os"
+ 	"os/exec"
+ 	"path/filepath"
+@@ -213,6 +215,21 @@ func createGitDirs(
+ 	runCommand(ctx, t, container, runner, "git", "-C", submodulePath, "add", "test.proto")
+ 	runCommand(ctx, t, container, runner, "git", "-C", submodulePath, "commit", "-m", "commit 0")
+ 
+	gitExecPath, err := command.RunStdout(ctx, container, runner, "git", "--exec-path")
+	require.NoError(t, err)
+	t.Log(filepath.Join(string(gitExecPath), "git-http-backend"))
+	// https://git-scm.com/docs/git-http-backend#_description
+	f, err := os.Create(filepath.Join(submodulePath, ".git", "git-daemon-export-ok"))
+	require.NoError(t, err)
+	require.NoError(t, f.Close())
+	server := httptest.NewServer(&cgi.Handler{
+		Path: filepath.Join(strings.TrimSpace(string(gitExecPath)), "git-http-backend"),
+		Dir:  submodulePath,
+		Env:  []string{"GIT_PROJECT_ROOT=" + submodulePath},
+	})
+	t.Cleanup(server.Close)
+	submodulePath = server.URL
+
+ 	originPath := filepath.Join(tmpDir, "origin")
+ 	require.NoError(t, os.MkdirAll(originPath, 0777))
+ 	runCommand(ctx, t, container, runner, "git", "-C", originPath, "init")
--- a/third_party/overlays/tvl.nix
+++ b/third_party/overlays/tvl.nix
@ -20,6 +20,13 @@ let
      } // { revCount = 0; shortRev = builtins.substring 0 7 rev; };
 in
 {
+  buf = super.buf.overrideAttrs (old: {
+    patches = [
+      # Rebased on 1.9.0: https://github.com/bufbuild/buf/commit/bcaa77f8bbb8f6c198154c7c8d53596da4506dab
+      ./patches/buf-tests-dont-use-file-transport.patch
+    ] ++ old.patches or [ ];
+  });
+
  nix = (import "${nixSrc}/release.nix" {
    nix = nixSrc;
    nixpkgs = super.path;
@ -68,19 +75,6 @@ in
    })
  );

-  # Upgrade to match telega in emacs-overlay
-  # TODO(tazjin): ugrade tdlib (+ telega?!) in nixpkgs
-  tdlib = assert super.tdlib.version == "1.8.3";
-    super.tdlib.overrideAttrs (old: {
-      version = "1.8.7";
-      src = self.fetchFromGitHub {
-        owner = "tdlib";
-        repo = "td";
-        rev = "a7a17b34b3c8fd3f7f6295f152746beb68f34d83";
-        sha256 = "sha256:0a5609knn7rmiiblz315yrvc9f2r207l2nl6brjy5bnhjdspmzs6";
-      };
-    });
-
  # dottime support for notmuch
  notmuch = super.notmuch.overrideAttrs (old: {
    passthru = old.passthru // {
--- a/third_party/sources/sources.json
+++ b/third_party/sources/sources.json
@ -17,10 +17,10 @@
        "homepage": "",
        "owner": "nix-community",
        "repo": "emacs-overlay",
-        "rev": "ef5d67c561a8b6ce001dbc555814fdb21c7bd5dd",
-        "sha256": "0rq7xddksl2a6qv8gmhkyzhmc636az950b4z3icfxfdw3q6bn6hj",
+        "rev": "d53959356bf17656f82d90ab5d7346fb3107896f",
+        "sha256": "0723d445w6lmr20fs8ify8c4vkjxh8x3ax7zcl4yymg5p5ckxj8r",
        "type": "tarball",
-        "url": "https://github.com/nix-community/emacs-overlay/archive/ef5d67c561a8b6ce001dbc555814fdb21c7bd5dd.tar.gz",
+        "url": "https://github.com/nix-community/emacs-overlay/archive/d53959356bf17656f82d90ab5d7346fb3107896f.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "home-manager": {
@ -29,10 +29,10 @@
        "homepage": "https://nix-community.github.io/home-manager/",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "7dc4e4ebd71280842b4d30975439980baaac9db8",
-        "sha256": "1qlpcwdb1ar5a4f8cfa0apn185g6qzpm8bafaajmca5l20png0wh",
+        "rev": "423211401c245934db5052e3867cac704f658544",
+        "sha256": "0vc8a94lvcn5f4kqngf8qvh4il44hid5g2irsvaq7s5pqmgi7wr4",
        "type": "tarball",
-        "url": "https://github.com/nix-community/home-manager/archive/7dc4e4ebd71280842b4d30975439980baaac9db8.tar.gz",
+        "url": "https://github.com/nix-community/home-manager/archive/423211401c245934db5052e3867cac704f658544.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "impermanence": {
@ -60,15 +60,15 @@
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "nixpkgs": {
-        "branch": "nixos-unstable",
+        "branch": "staging-next",
        "description": "Nix Packages collection",
        "homepage": "",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "301aada7a64812853f2e2634a530ef5d34505048",
-        "sha256": "07y10kplajgysb6491hmksq4gqsiyibia83m3blcxicwyld455km",
+        "rev": "eeca5969b3f42ac943639aaec503816f053e5e53",
+        "sha256": "0gb1pp4psaz9y7v5fyqjr61ivwalfmgai6r2c3lva5zyl7glxjzl",
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/301aada7a64812853f2e2634a530ef5d34505048.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/eeca5969b3f42ac943639aaec503816f053e5e53.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "nixpkgs-stable": {
@ -89,10 +89,10 @@
        "homepage": "",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "8ffc63427df1dc7e53fb96cb13b130028c258202",
-        "sha256": "0clzfjmlg7w1rsgbp84z9840xm69q7vq4haz587bmkqywlvn2gbq",
+        "rev": "de5c4d5d40ae0a0dab67c5f7ae8d26c5445cf00d",
+        "sha256": "1ldly6j435gk86f6lya1j44813mgk1jvyx66mf6mkwxyli8j0dnd",
        "type": "tarball",
-        "url": "https://github.com/oxalica/rust-overlay/archive/8ffc63427df1dc7e53fb96cb13b130028c258202.tar.gz",
+        "url": "https://github.com/oxalica/rust-overlay/archive/de5c4d5d40ae0a0dab67c5f7ae8d26c5445cf00d.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "rustsec-advisory-db": {
@ -101,10 +101,10 @@
        "homepage": "https://rustsec.org",
        "owner": "RustSec",
        "repo": "advisory-db",
-        "rev": "1736a7bd7cf0d00161721ca6abb2799b05c96fc6",
-        "sha256": "0pdrj7yi8a6ixy7798cwmgvlydasxfq4jk88h32g1qd5dmwzknll",
+        "rev": "9e50517457e5e6266881f63d04f1f0faaa9b3f1e",
+        "sha256": "0fhhcfigp4g4xl0w6jp99r9j31dq8i5qhvds4rbny5zwvsi28qwq",
        "type": "tarball",
-        "url": "https://github.com/RustSec/advisory-db/archive/1736a7bd7cf0d00161721ca6abb2799b05c96fc6.tar.gz",
+        "url": "https://github.com/RustSec/advisory-db/archive/9e50517457e5e6266881f63d04f1f0faaa9b3f1e.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    }
 }