chore(3p/sources): Bump channels & overlays (OpenSSL edition)

* //ops/machines/whitby: Disable grafana, since the grafana module was changed upstream in a way that our configuration no longer works. Since the OpenSSL security update is relatively pressing, adapting the grafana configuration beforehand is not a hard requirement. See https://github.com/NixOS/nixpkgs/pull/191768. * //tools/depotfmt: keep Go at version 1.18 to forgo a reformat of the tree. * //nix/buildGo: keep Go at version 1.18, as 1.19 changed the CLI interface (?) in a way that breaks buildGo. * //3p/overlays/tvl: drop upstreamed tdlib upgrade. * //3p/overlays/tvl: patch buf to work around breakage due to git 2.38.1 TODO items for Go are tracked in b/215. Change-Id: Ie08fef49cf3db12e6b5225a8b992a990ddc5b642 Reviewed-on: https://cl.tvl.fyi/c/depot/+/7141 Tested-by: BuildkiteCI Autosubmit: sterni <sternenseemann@systemli.org> Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: tazjin <tazjin@tvl.su>
2022-10-30 22:28:02 +01:00 · 2022-10-30 22:28:02 +01:00 · 57cf952ea9
commit 57cf952ea9
parent 64afe59bbe
6 changed files with 145 additions and 82 deletions
--- a/third_party/overlays/patches/buf-tests-dont-use-file-transport.patch
+++ b/third_party/overlays/patches/buf-tests-dont-use-file-transport.patch
@ -0,0 +1,64 @@
+commit e9219b88de5ed37af337ee2d2e71e7ec7c0aad1b
+Author: Robbert van Ginkel <rvanginkel@buf.build>
+Date:   Thu Oct 20 16:43:28 2022 -0400
+
+    Fix git unit test by using fake git server rather than file:// (#1518)
+    
+    More recent versions of git fix a CVE by disabling some usage of the
+    `file://` transport, see
+    https://github.blog/2022-10-18-git-security-vulnerabilities-announced/#cve-2022-39253.
+    We were using this transport in tests.
+    
+    Instead, use https://git-scm.com/docs/git-http-backend to serve up this
+    repository locally so we don't have to use the file protocol. This
+    should be a more accurate tests, since we mostly expect submodules to
+    come from servers.
+
+diff --git a/.golangci.yml b/.golangci.yml
+index 318d1171..865e03e7 100644
+--- a/.golangci.yml
+++ b/.golangci.yml
+@@ -136,3 +136,8 @@ issues:
+     - linters:
+         - containedctx
+       path: private/bufpkg/bufmodule/bufmoduleprotocompile
+      # We should be able to use net/http/cgi in a unit test, in addition the CVE mentions only versions of go < 1.6.3 are affected.
+    - linters:
+        - gosec
+      path: private/pkg/git/git_test.go
+      text: "G504:"
+diff --git a/private/pkg/git/git_test.go b/private/pkg/git/git_test.go
+index 7b77b6cd..7132054e 100644
+--- a/private/pkg/git/git_test.go
+++ b/private/pkg/git/git_test.go
+@@ -17,6 +17,8 @@ package git
+ import (
+ 	"context"
+ 	"errors"
+	"net/http/cgi"
+	"net/http/httptest"
+ 	"os"
+ 	"os/exec"
+ 	"path/filepath"
+@@ -213,6 +215,21 @@ func createGitDirs(
+ 	runCommand(ctx, t, container, runner, "git", "-C", submodulePath, "add", "test.proto")
+ 	runCommand(ctx, t, container, runner, "git", "-C", submodulePath, "commit", "-m", "commit 0")
+ 
+	gitExecPath, err := command.RunStdout(ctx, container, runner, "git", "--exec-path")
+	require.NoError(t, err)
+	t.Log(filepath.Join(string(gitExecPath), "git-http-backend"))
+	// https://git-scm.com/docs/git-http-backend#_description
+	f, err := os.Create(filepath.Join(submodulePath, ".git", "git-daemon-export-ok"))
+	require.NoError(t, err)
+	require.NoError(t, f.Close())
+	server := httptest.NewServer(&cgi.Handler{
+		Path: filepath.Join(strings.TrimSpace(string(gitExecPath)), "git-http-backend"),
+		Dir:  submodulePath,
+		Env:  []string{"GIT_PROJECT_ROOT=" + submodulePath},
+	})
+	t.Cleanup(server.Close)
+	submodulePath = server.URL
+
+ 	originPath := filepath.Join(tmpDir, "origin")
+ 	require.NoError(t, os.MkdirAll(originPath, 0777))
+ 	runCommand(ctx, t, container, runner, "git", "-C", originPath, "init")
--- a/third_party/overlays/tvl.nix
+++ b/third_party/overlays/tvl.nix
@ -20,6 +20,13 @@ let
      } // { revCount = 0; shortRev = builtins.substring 0 7 rev; };
 in
 {
+  buf = super.buf.overrideAttrs (old: {
+    patches = [
+      # Rebased on 1.9.0: https://github.com/bufbuild/buf/commit/bcaa77f8bbb8f6c198154c7c8d53596da4506dab
+      ./patches/buf-tests-dont-use-file-transport.patch
+    ] ++ old.patches or [ ];
+  });
+
  nix = (import "${nixSrc}/release.nix" {
    nix = nixSrc;
    nixpkgs = super.path;
@ -68,19 +75,6 @@ in
    })
  );

-  # Upgrade to match telega in emacs-overlay
-  # TODO(tazjin): ugrade tdlib (+ telega?!) in nixpkgs
-  tdlib = assert super.tdlib.version == "1.8.3";
-    super.tdlib.overrideAttrs (old: {
-      version = "1.8.7";
-      src = self.fetchFromGitHub {
-        owner = "tdlib";
-        repo = "td";
-        rev = "a7a17b34b3c8fd3f7f6295f152746beb68f34d83";
-        sha256 = "sha256:0a5609knn7rmiiblz315yrvc9f2r207l2nl6brjy5bnhjdspmzs6";
-      };
-    });
-
  # dottime support for notmuch
  notmuch = super.notmuch.overrideAttrs (old: {
    passthru = old.passthru // {