From 57cf952ea98db70fcf50ec31e1c1057562b0a1df Mon Sep 17 00:00:00 2001
From: sterni
Date: Sun, 30 Oct 2022 22:28:02 +0100
Subject: chore(3p/sources): Bump channels & overlays (OpenSSL edition)
* //ops/machines/whitby: Disable grafana, since the grafana module was changed upstream in a way that our configuration no longer works. Since the OpenSSL security update is relatively pressing, adapting the grafana configuration beforehand is not a hard requirement. See https://github.com/NixOS/nixpkgs/pull/191768.
* //tools/depotfmt: keep Go at version 1.18 to forgo a reformat of the tree.
* //nix/buildGo: keep Go at version 1.18, as 1.19 changed the CLI interface (?) in a way that breaks buildGo.
* //3p/overlays/tvl: drop upstreamed tdlib upgrade.
* //3p/overlays/tvl: patch buf to work around breakage due to git 2.38.1
TODO items for Go are tracked in b/215.
Change-Id: Ie08fef49cf3db12e6b5225a8b992a990ddc5b642
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7141
Tested-by: BuildkiteCI
Autosubmit: sterni
Reviewed-by: grfn
Reviewed-by: tazjin
---
 nix/buildGo/default.nix | 5 +-
 ops/machines/whitby/default.nix | 117 +++++++++++----------
 .../buf-tests-dont-use-file-transport.patch | 64 +++++++++++
 third_party/overlays/tvl.nix | 20 ++--
 third_party/sources/sources.json | 32 +++---
 tools/depotfmt.nix | 3 +-
 6 files changed, 152 insertions(+), 89 deletions(-)
 create mode 100644 third_party/overlays/patches/buf-tests-dont-use-file-transport.patch
diff --git a/nix/buildGo/default.nix b/nix/buildGo/default.nix
index 92951b3cb213..97b8bd226492 100644
--- a/nix/buildGo/default.nix
+++ b/nix/buildGo/default.nix
@@ -22,7 +22,10 @@ let
 replaceStrings toString;
- inherit (pkgs) lib go runCommand fetchFromGitHub protobuf symlinkJoin;
+ inherit (pkgs) lib runCommand fetchFromGitHub protobuf symlinkJoin;
+
+ # TODO: Adapt to Go 1.19 changes
+ go = pkgs.go_1_18;
 # Helpers for low-level Go compiler invocations
 spaceOut = lib.concatStringsSep " ";
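Review bot: The new `go = pkgs.go_1_18;` line is introduced with a bare `# TODO: Adapt to Go 1.19 changes`, while the commit message says the Go follow-ups are tracked in b/215; the comment should carry that reference so the pin is found when the bug is worked, e.g. `# TODO(b/215): Adapt to Go 1.19 changes`. The same applies to `# TODO: Upgrade to Go 1.19 and reformat tree` in the tools/depotfmt.nix hunk. It is also worth stating in the comment that the pin holds buildGo on the 1.18 toolchain after nixpkgs moves on, so Go toolchain fixes stop arriving through the usual channel bump until b/215 is resolved. The enclosing `let` block continues outside the hunk.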
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 956618145992..2a4e4053da15 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -41,7 +41,7 @@ in
 (mod "www/nixery.dev.nix")
 (mod "www/self-redirect.nix")
 (mod "www/static.tvl.fyi.nix")
- (mod "www/status.tvl.su.nix")
+ # (mod "www/status.tvl.su.nix")
 (mod "www/tazj.in.nix")
 (mod "www/todo.tvl.fyi.nix")
 (mod "www/tvixbolt.tvl.su.nix")
@@ -546,68 +546,69 @@ in
 }];
 };
+ # XXX: Adapt to https://github.com/NixOS/nixpkgs/pull/191768
 services.grafana = {
- enable = true;
+ enable = false;
 port = 4723; # "graf" on phone keyboard
 domain = "status.tvl.su";
 rootUrl = "https://status.tvl.su";
 analytics.reporting.enable = false;
- extraOptions =
- let
- options = {
- auth = {
- generic_oauth = {
- enabled = true;
- client_id = "grafana";
- scopes = "openid profile email";
- name = "TVL";
- email_attribute_path = "mail";
- login_attribute_path = "sub";
- name_attribute_path = "displayName";
- auth_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/auth";
- token_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/token";
- api_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/userinfo";
-
- # Give lukegb, grfn, tazjin "Admin" rights.
- role_attribute_path = "((sub == 'lukegb' || sub == 'grfn' || sub == 'tazjin') && 'Admin') || 'Editor'";
-
- # Allow creating new Grafana accounts from OAuth accounts.
- allow_sign_up = true;
- };
-
- anonymous = {
- enabled = true;
- org_name = "The Virus Lounge";
- org_role = "Viewer";
- };
-
- basic.enabled = false;
- oauth_auto_login = true;
- disable_login_form = true;
- };
- };
- inherit (builtins) typeOf replaceStrings listToAttrs concatLists;
- inherit (lib) toUpper mapAttrsToList nameValuePair concatStringsSep;
-
- # Take ["auth" "generic_oauth" "enabled"] and turn it into OPTIONS_GENERIC_OAUTH_ENABLED.
- encodeName = raw: replaceStrings [ "." ] [ "_" ] (toUpper (concatStringsSep "_" raw));
-
- # Turn an option value into a string, but we want bools to be sensible strings and not "1" or "".
- optionToString = value:
- if (typeOf value) == "bool" then
- if value then "true" else "false"
- else builtins.toString value;
-
- # Turn an nested options attrset into a flat listToAttrs-compatible list.
- encodeOptions = prefix: inp: concatLists (mapAttrsToList
- (name: value:
- if (typeOf value) == "set"
- then encodeOptions (prefix ++ [ name ]) value
- else [ (nameValuePair (encodeName (prefix ++ [ name ])) (optionToString value)) ]
- )
- inp);
- in
- listToAttrs (encodeOptions [ ] options);
+ # extraOptions =
+ # let
+ # options = {
+ # auth = {
+ # generic_oauth = {
+ # enabled = true;
+ # client_id = "grafana";
+ # scopes = "openid profile email";
+ # name = "TVL";
+ # email_attribute_path = "mail";
+ # login_attribute_path = "sub";
+ # name_attribute_path = "displayName";
+ # auth_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/auth";
+ # token_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/token";
+ # api_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/userinfo";
+
+ # # Give lukegb, grfn, tazjin "Admin" rights.
+ # role_attribute_path = "((sub == 'lukegb' || sub == 'grfn' || sub == 'tazjin') && 'Admin') || 'Editor'";
+
+ # # Allow creating new Grafana accounts from OAuth accounts.
+ # allow_sign_up = true;
+ # };
+
+ # anonymous = {
+ # enabled = true;
+ # org_name = "The Virus Lounge";
+ # org_role = "Viewer";
+ # };
+
+ # basic.enabled = false;
+ # oauth_auto_login = true;
+ # disable_login_form = true;
+ # };
+ # };
+ # inherit (builtins) typeOf replaceStrings listToAttrs concatLists;
+ # inherit (lib) toUpper mapAttrsToList nameValuePair concatStringsSep;
+
+ # # Take ["auth" "generic_oauth" "enabled"] and turn it into OPTIONS_GENERIC_OAUTH_ENABLED.
+ # encodeName = raw: replaceStrings [ "." ] [ "_" ] (toUpper (concatStringsSep "_" raw));
+
+ # # Turn an option value into a string, but we want bools to be sensible strings and not "1" or "".
+ # optionToString = value:
+ # if (typeOf value) == "bool" then
+ # if value then "true" else "false"
+ # else builtins.toString value;
+
+ # # Turn an nested options attrset into a flat listToAttrs-compatible list.
+ # encodeOptions = prefix: inp: concatLists (mapAttrsToList
+ # (name: value:
+ # if (typeOf value) == "set"
+ # then encodeOptions (prefix ++ [ name ]) value
+ # else [ (nameValuePair (encodeName (prefix ++ [ name ])) (optionToString value)) ]
+ # )
+ # inp);
+ # in
+ # listToAttrs (encodeOptions [ ] options);
 provision = {
 enable = true;
diff --git a/third_party/overlays/patches/buf-tests-dont-use-file-transport.patch b/third_party/overlays/patches/buf-tests-dont-use-file-transport.patch
new file mode 100644
index 000000000000..34be80eb361d
--- /dev/null
+++ b/third_party/overlays/patches/buf-tests-dont-use-file-transport.patch
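Review bot: The `# XXX: Adapt to https://github.com/NixOS/nixpkgs/pull/191768` marker says the block must be ported but not which settings are load-bearing; the commented-out `extraOptions` hold the access-control configuration (`basic.enabled = false`, `disable_login_form = true`, `oauth_auto_login = true`, the `role_attribute_path` admin mapping and the anonymous `Viewer` role), and re-enabling Grafana without them would presumably fall back to the module's default login form and local accounts on `status.tvl.su`. Suggest extending the marker to `# XXX: Disabled until adapted to https://github.com/NixOS/nixpkgs/pull/191768; when re-enabling, port the auth.* settings below (no login form, no basic auth, OAuth role mapping) before setting enable = true.` The `# (mod "www/status.tvl.su.nix")` line in the first hunk of this file carries no pointer to this block either; a one-line reference would tie the two disabled pieces together. `provision.enable = true` stays set in the trailing context, and the `services.grafana` attrset continues outside the hunk.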
@@ -0,0 +1,64 @@
+commit e9219b88de5ed37af337ee2d2e71e7ec7c0aad1b
+Author: Robbert van Ginkel
+Date: Thu Oct 20 16:43:28 2022 -0400
+
+ Fix git unit test by using fake git server rather than file:// (#1518)
+
+ More recent versions of git fix a CVE by disabling some usage of the
+ `file://` transport, see
+ https://github.blog/2022-10-18-git-security-vulnerabilities-announced/#cve-2022-39253.
+ We were using this transport in tests.
+
+ Instead, use https://git-scm.com/docs/git-http-backend to serve up this
+ repository locally so we don't have to use the file protocol. This
+ should be a more accurate tests, since we mostly expect submodules to
+ come from servers.
+
+diff --git a/.golangci.yml b/.golangci.yml
+index 318d1171..865e03e7 100644
+--- a/.golangci.yml
++++ b/.golangci.yml
+@@ -136,3 +136,8 @@ issues:
+ - linters:
+ - containedctx
+ path: private/bufpkg/bufmodule/bufmoduleprotocompile
++ # We should be able to use net/http/cgi in a unit test, in addition the CVE mentions only versions of go < 1.6.3 are affected.
++ - linters:
++ - gosec
++ path: private/pkg/git/git_test.go
++ text: "G504:"
+diff --git a/private/pkg/git/git_test.go b/private/pkg/git/git_test.go
+index 7b77b6cd..7132054e 100644
+--- a/private/pkg/git/git_test.go
++++ b/private/pkg/git/git_test.go
+@@ -17,6 +17,8 @@ package git
+ import (
+ "context"
+ "errors"
++ "net/http/cgi"
++ "net/http/httptest"
+ "os"
+ "os/exec"
+ "path/filepath"
+@@ -213,6 +215,21 @@ func createGitDirs(
+ runCommand(ctx, t, container, runner, "git", "-C", submodulePath, "add", "test.proto")
+ runCommand(ctx, t, container, runner, "git", "-C", submodulePath, "commit", "-m", "commit 0")
+
++ gitExecPath, err := command.RunStdout(ctx, container, runner, "git", "--exec-path")
++ require.NoError(t, err)
++ t.Log(filepath.Join(string(gitExecPath), "git-http-backend"))
++ // https://git-scm.com/docs/git-http-backend#_description
++ f, err := os.Create(filepath.Join(submodulePath, ".git", "git-daemon-export-ok"))
++ require.NoError(t, err)
++ require.NoError(t, f.Close())
++ server := httptest.NewServer(&cgi.Handler{
++ Path: filepath.Join(strings.TrimSpace(string(gitExecPath)), "git-http-backend"),
++ Dir: submodulePath,
++ Env: []string{"GIT_PROJECT_ROOT=" + submodulePath},
++ })
++ t.Cleanup(server.Close)
++ submodulePath = server.URL
++
+ originPath := filepath.Join(tmpDir, "origin")
+ require.NoError(t, os.MkdirAll(originPath, 0777))
+ runCommand(ctx, t, container, runner, "git", "-C", originPath, "init")
diff --git a/third_party/overlays/tvl.nix b/third_party/overlays/tvl.nix
index db2b63cc7dd6..4683bce9db37 100644
--- a/third_party/overlays/tvl.nix
+++ b/third_party/overlays/tvl.nix
@@ -20,6 +20,13 @@ let
 } // { revCount = 0; shortRev = builtins.substring 0 7 rev; };
 in
 {
+ buf = super.buf.overrideAttrs (old: {
+ patches = [
+ # Rebased on 1.9.0: https://github.com/bufbuild/buf/commit/bcaa77f8bbb8f6c198154c7c8d53596da4506dab
+ ./patches/buf-tests-dont-use-file-transport.patch
+ ] ++ old.patches or [ ];
+ });
+
 nix = (import "${nixSrc}/release.nix" {
 nix = nixSrc;
 nixpkgs = super.path;
@@ -68,19 +75,6 @@ in
 })
 );
- # Upgrade to match telega in emacs-overlay
- # TODO(tazjin): ugrade tdlib (+ telega?!) in nixpkgs
- tdlib = assert super.tdlib.version == "1.8.3";
- super.tdlib.overrideAttrs (old: {
- version = "1.8.7";
- src = self.fetchFromGitHub {
- owner = "tdlib";
- repo = "td";
- rev = "a7a17b34b3c8fd3f7f6295f152746beb68f34d83";
- sha256 = "sha256:0a5609knn7rmiiblz315yrvc9f2r207l2nl6brjy5bnhjdspmzs6";
- };
- });
-
 # dottime support for notmuch
 notmuch = super.notmuch.overrideAttrs (old: {
 passthru = old.passthru // {
diff --git a/third_party/sources/sources.json b/third_party/sources/sources.json
index 7a614421f928..bc1dd7efbaea 100644
--- a/third_party/sources/sources.json
+++ b/third_party/sources/sources.json
@@ -17,10 +17,10 @@
 "homepage": "",
 "owner": "nix-community",
 "repo": "emacs-overlay",
- "rev": "ef5d67c561a8b6ce001dbc555814fdb21c7bd5dd",
- "sha256": "0rq7xddksl2a6qv8gmhkyzhmc636az950b4z3icfxfdw3q6bn6hj",
+ "rev": "d53959356bf17656f82d90ab5d7346fb3107896f",
+ "sha256": "0723d445w6lmr20fs8ify8c4vkjxh8x3ax7zcl4yymg5p5ckxj8r",
 "type": "tarball",
- "url": "https://github.com/nix-community/emacs-overlay/archive/ef5d67c561a8b6ce001dbc555814fdb21c7bd5dd.tar.gz",
+ "url": "https://github.com/nix-community/emacs-overlay/archive/d53959356bf17656f82d90ab5d7346fb3107896f.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "home-manager": {
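Review bot: The new `buf` override in the @@ -20 hunk pins a hand-rebased patch (`# Rebased on 1.9.0`) but, unlike the `tdlib` override removed in the next hunk, does not assert the version it was rebased against; `buf = assert super.buf.version == "1.9.0"; super.buf.overrideAttrs (old: {` would make a nixpkgs bump fail at evaluation with a clear message instead of at patch-apply time, and follows the pattern this file already used. The vendored patch's own header names upstream commit e9219b88… while the comment points at bcaa77f8…; the comment should say which of the two the file was taken from, so the override can be retired once a buf release containing the fix reaches nixpkgs. `] ++ old.patches or [ ]` is fine as written, since `or` binds tighter than `++`.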
@@ -29,10 +29,10 @@
 "homepage": "https://nix-community.github.io/home-manager/",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "7dc4e4ebd71280842b4d30975439980baaac9db8",
- "sha256": "1qlpcwdb1ar5a4f8cfa0apn185g6qzpm8bafaajmca5l20png0wh",
+ "rev": "423211401c245934db5052e3867cac704f658544",
+ "sha256": "0vc8a94lvcn5f4kqngf8qvh4il44hid5g2irsvaq7s5pqmgi7wr4",
 "type": "tarball",
- "url": "https://github.com/nix-community/home-manager/archive/7dc4e4ebd71280842b4d30975439980baaac9db8.tar.gz",
+ "url": "https://github.com/nix-community/home-manager/archive/423211401c245934db5052e3867cac704f658544.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "impermanence": {
@@ -60,15 +60,15 @@
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixpkgs": {
- "branch": "nixos-unstable",
+ "branch": "staging-next",
 "description": "Nix Packages collection",
 "homepage": "",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "301aada7a64812853f2e2634a530ef5d34505048",
- "sha256": "07y10kplajgysb6491hmksq4gqsiyibia83m3blcxicwyld455km",
+ "rev": "eeca5969b3f42ac943639aaec503816f053e5e53",
+ "sha256": "0gb1pp4psaz9y7v5fyqjr61ivwalfmgai6r2c3lva5zyl7glxjzl",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/301aada7a64812853f2e2634a530ef5d34505048.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/eeca5969b3f42ac943639aaec503816f053e5e53.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixpkgs-stable": {
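Review bot: `"branch": "staging-next"` in the @@ -60 hunk moves the nixpkgs pin off `nixos-unstable` onto a merge-staging branch that, unlike the channel branch, is not gated on the channel's test set, and nothing in the diff records that this is a temporary measure for the OpenSSL update. sources.json cannot carry a comment, so the intent to return to `nixos-unstable` once the fix reaches that channel should be captured in a tracking bug alongside the other follow-ups; otherwise the next routine bump is likely to keep following staging-next. The other hunks in this file are plain rev/sha256 bumps and need no further note.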
@@ -89,10 +89,10 @@
 "homepage": "",
 "owner": "oxalica",
 "repo": "rust-overlay",
- "rev": "8ffc63427df1dc7e53fb96cb13b130028c258202",
- "sha256": "0clzfjmlg7w1rsgbp84z9840xm69q7vq4haz587bmkqywlvn2gbq",
+ "rev": "de5c4d5d40ae0a0dab67c5f7ae8d26c5445cf00d",
+ "sha256": "1ldly6j435gk86f6lya1j44813mgk1jvyx66mf6mkwxyli8j0dnd",
 "type": "tarball",
- "url": "https://github.com/oxalica/rust-overlay/archive/8ffc63427df1dc7e53fb96cb13b130028c258202.tar.gz",
+ "url": "https://github.com/oxalica/rust-overlay/archive/de5c4d5d40ae0a0dab67c5f7ae8d26c5445cf00d.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "rustsec-advisory-db": {
@@ -101,10 +101,10 @@
 "homepage": "https://rustsec.org",
 "owner": "RustSec",
 "repo": "advisory-db",
- "rev": "1736a7bd7cf0d00161721ca6abb2799b05c96fc6",
- "sha256": "0pdrj7yi8a6ixy7798cwmgvlydasxfq4jk88h32g1qd5dmwzknll",
+ "rev": "9e50517457e5e6266881f63d04f1f0faaa9b3f1e",
+ "sha256": "0fhhcfigp4g4xl0w6jp99r9j31dq8i5qhvds4rbny5zwvsi28qwq",
 "type": "tarball",
- "url": "https://github.com/RustSec/advisory-db/archive/1736a7bd7cf0d00161721ca6abb2799b05c96fc6.tar.gz",
+ "url": "https://github.com/RustSec/advisory-db/archive/9e50517457e5e6266881f63d04f1f0faaa9b3f1e.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 }
 }
diff --git a/tools/depotfmt.nix b/tools/depotfmt.nix
index 400f4ed5fd99..4530469d1cfe 100644
--- a/tools/depotfmt.nix
+++ b/tools/depotfmt.nix
@@ -9,9 +9,10 @@ let
 echo "$@" | xargs -n1 ${pkgs.terraform}/bin/terraform fmt
 '';
+ # TODO: Upgrade to Go 1.19 and reformat tree
 config = pkgs.writeText "depot-treefmt-config" ''
 [formatter.go]
- command = "${pkgs.go}/bin/gofmt"
+ command = "${pkgs.go_1_18}/bin/gofmt"
 options = [ "-w" ]
 includes = ["*.go"]
--
cgit 1.4.1