chore(3p/sources): Bump channels & overlays (OpenSSL edition)

* //ops/machines/whitby: Disable grafana, since the grafana module was
  changed upstream in a way that our configuration no longer works.
  Since the OpenSSL security update is relatively pressing, adapting the
  grafana configuration beforehand is not a hard requirement. See
  https://github.com/NixOS/nixpkgs/pull/191768.

* //tools/depotfmt: keep Go at version 1.18 to forgo a reformat of the
  tree.

* //nix/buildGo: keep Go at version 1.18, as 1.19 changed the CLI
  interface (?) in a way that breaks buildGo.

* //3p/overlays/tvl: drop upstreamed tdlib upgrade.

* //3p/overlays/tvl: patch buf to work around breakage due to git 2.38.1

TODO items for Go are tracked in b/215.

Change-Id: Ie08fef49cf3db12e6b5225a8b992a990ddc5b642
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7141
Tested-by: BuildkiteCI
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: tazjin <tazjin@tvl.su>

nix/buildGo/default.nix

@@ -22,7 +22,10 @@ let
     replaceStrings
     toString;
 
-  inherit (pkgs) lib go runCommand fetchFromGitHub protobuf symlinkJoin;
+  inherit (pkgs) lib runCommand fetchFromGitHub protobuf symlinkJoin;
+
+  # TODO: Adapt to Go 1.19 changes
+  go = pkgs.go_1_18;
 
   # Helpers for low-level Go compiler invocations
   spaceOut = lib.concatStringsSep " ";

ops/machines/whitby/default.nix

@@ -41,7 +41,7 @@ in
     (mod "www/nixery.dev.nix")
     (mod "www/self-redirect.nix")
     (mod "www/static.tvl.fyi.nix")
-    (mod "www/status.tvl.su.nix")
+    # (mod "www/status.tvl.su.nix")
     (mod "www/tazj.in.nix")
     (mod "www/todo.tvl.fyi.nix")
     (mod "www/tvixbolt.tvl.su.nix")
@@ -546,68 +546,69 @@ in
       }];
   };
 
+  # XXX: Adapt to https://github.com/NixOS/nixpkgs/pull/191768
   services.grafana = {
-    enable = true;
+    enable = false;
     port = 4723; # "graf" on phone keyboard
     domain = "status.tvl.su";
     rootUrl = "https://status.tvl.su";
     analytics.reporting.enable = false;
-    extraOptions =
+    # extraOptions =
-      let
+    #   let
-        options = {
+    #     options = {
-          auth = {
+    #       auth = {
-            generic_oauth = {
+    #         generic_oauth = {
-              enabled = true;
+    #           enabled = true;
-              client_id = "grafana";
+    #           client_id = "grafana";
-              scopes = "openid profile email";
+    #           scopes = "openid profile email";
-              name = "TVL";
+    #           name = "TVL";
-              email_attribute_path = "mail";
+    #           email_attribute_path = "mail";
-              login_attribute_path = "sub";
+    #           login_attribute_path = "sub";
-              name_attribute_path = "displayName";
+    #           name_attribute_path = "displayName";
-              auth_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/auth";
+    #           auth_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/auth";
-              token_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/token";
+    #           token_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/token";
-              api_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/userinfo";
+    #           api_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/userinfo";
 
-              # Give lukegb, grfn, tazjin "Admin" rights.
+    #           # Give lukegb, grfn, tazjin "Admin" rights.
-              role_attribute_path = "((sub == 'lukegb' || sub == 'grfn' || sub == 'tazjin') && 'Admin') || 'Editor'";
+    #           role_attribute_path = "((sub == 'lukegb' || sub == 'grfn' || sub == 'tazjin') && 'Admin') || 'Editor'";
 
-              # Allow creating new Grafana accounts from OAuth accounts.
+    #           # Allow creating new Grafana accounts from OAuth accounts.
-              allow_sign_up = true;
+    #           allow_sign_up = true;
-            };
+    #         };
 
-            anonymous = {
+    #         anonymous = {
-              enabled = true;
+    #           enabled = true;
-              org_name = "The Virus Lounge";
+    #           org_name = "The Virus Lounge";
-              org_role = "Viewer";
+    #           org_role = "Viewer";
-            };
+    #         };
 
-            basic.enabled = false;
+    #         basic.enabled = false;
-            oauth_auto_login = true;
+    #         oauth_auto_login = true;
-            disable_login_form = true;
+    #         disable_login_form = true;
-          };
+    #       };
-        };
+    #     };
-        inherit (builtins) typeOf replaceStrings listToAttrs concatLists;
+    #     inherit (builtins) typeOf replaceStrings listToAttrs concatLists;
-        inherit (lib) toUpper mapAttrsToList nameValuePair concatStringsSep;
+    #     inherit (lib) toUpper mapAttrsToList nameValuePair concatStringsSep;
 
-        # Take ["auth" "generic_oauth" "enabled"] and turn it into OPTIONS_GENERIC_OAUTH_ENABLED.
+    #     # Take ["auth" "generic_oauth" "enabled"] and turn it into OPTIONS_GENERIC_OAUTH_ENABLED.
-        encodeName = raw: replaceStrings [ "." ] [ "_" ] (toUpper (concatStringsSep "_" raw));
+    #     encodeName = raw: replaceStrings [ "." ] [ "_" ] (toUpper (concatStringsSep "_" raw));
 
-        # Turn an option value into a string, but we want bools to be sensible strings and not "1" or "".
+    #     # Turn an option value into a string, but we want bools to be sensible strings and not "1" or "".
-        optionToString = value:
+    #     optionToString = value:
-          if (typeOf value) == "bool" then
+    #       if (typeOf value) == "bool" then
-            if value then "true" else "false"
+    #         if value then "true" else "false"
-          else builtins.toString value;
+    #       else builtins.toString value;
 
-        # Turn an nested options attrset into a flat listToAttrs-compatible list.
+    #     # Turn an nested options attrset into a flat listToAttrs-compatible list.
-        encodeOptions = prefix: inp: concatLists (mapAttrsToList
+    #     encodeOptions = prefix: inp: concatLists (mapAttrsToList
-          (name: value:
+    #       (name: value:
-            if (typeOf value) == "set"
+    #         if (typeOf value) == "set"
-            then encodeOptions (prefix ++ [ name ]) value
+    #         then encodeOptions (prefix ++ [ name ]) value
-            else [ (nameValuePair (encodeName (prefix ++ [ name ])) (optionToString value)) ]
+    #         else [ (nameValuePair (encodeName (prefix ++ [ name ])) (optionToString value)) ]
-          )
+    #       )
-          inp);
+    #       inp);
-      in
+    #   in
-      listToAttrs (encodeOptions [ ] options);
+    #   listToAttrs (encodeOptions [ ] options);
 
     provision = {
       enable = true;

third_party/overlays/patches/buf-tests-dont-use-file-transport.patch

@@ -0,0 +1,64 @@
+commit e9219b88de5ed37af337ee2d2e71e7ec7c0aad1b
+Author: Robbert van Ginkel <rvanginkel@buf.build>
+Date:   Thu Oct 20 16:43:28 2022 -0400
+
+    Fix git unit test by using fake git server rather than file:// (#1518)
+    
+    More recent versions of git fix a CVE by disabling some usage of the
+    `file://` transport, see
+    https://github.blog/2022-10-18-git-security-vulnerabilities-announced/#cve-2022-39253.
+    We were using this transport in tests.
+    
+    Instead, use https://git-scm.com/docs/git-http-backend to serve up this
+    repository locally so we don't have to use the file protocol. This
+    should be a more accurate tests, since we mostly expect submodules to
+    come from servers.
+
+diff --git a/.golangci.yml b/.golangci.yml
+index 318d1171..865e03e7 100644
+--- a/.golangci.yml
++++ b/.golangci.yml
+@@ -136,3 +136,8 @@ issues:
+     - linters:
+         - containedctx
+       path: private/bufpkg/bufmodule/bufmoduleprotocompile
++      # We should be able to use net/http/cgi in a unit test, in addition the CVE mentions only versions of go < 1.6.3 are affected.
++    - linters:
++        - gosec
++      path: private/pkg/git/git_test.go
++      text: "G504:"
+diff --git a/private/pkg/git/git_test.go b/private/pkg/git/git_test.go
+index 7b77b6cd..7132054e 100644
+--- a/private/pkg/git/git_test.go
++++ b/private/pkg/git/git_test.go
+@@ -17,6 +17,8 @@ package git
+ import (
+ 	"context"
+ 	"errors"
++	"net/http/cgi"
++	"net/http/httptest"
+ 	"os"
+ 	"os/exec"
+ 	"path/filepath"
+@@ -213,6 +215,21 @@ func createGitDirs(
+ 	runCommand(ctx, t, container, runner, "git", "-C", submodulePath, "add", "test.proto")
+ 	runCommand(ctx, t, container, runner, "git", "-C", submodulePath, "commit", "-m", "commit 0")
+ 
++	gitExecPath, err := command.RunStdout(ctx, container, runner, "git", "--exec-path")
++	require.NoError(t, err)
++	t.Log(filepath.Join(string(gitExecPath), "git-http-backend"))
++	// https://git-scm.com/docs/git-http-backend#_description
++	f, err := os.Create(filepath.Join(submodulePath, ".git", "git-daemon-export-ok"))
++	require.NoError(t, err)
++	require.NoError(t, f.Close())
++	server := httptest.NewServer(&cgi.Handler{
++		Path: filepath.Join(strings.TrimSpace(string(gitExecPath)), "git-http-backend"),
++		Dir:  submodulePath,
++		Env:  []string{"GIT_PROJECT_ROOT=" + submodulePath},
++	})
++	t.Cleanup(server.Close)
++	submodulePath = server.URL
++
+ 	originPath := filepath.Join(tmpDir, "origin")
+ 	require.NoError(t, os.MkdirAll(originPath, 0777))
+ 	runCommand(ctx, t, container, runner, "git", "-C", originPath, "init")

third_party/overlays/tvl.nix

@@ -20,6 +20,13 @@ let
       } // { revCount = 0; shortRev = builtins.substring 0 7 rev; };
 in
 {
+  buf = super.buf.overrideAttrs (old: {
+    patches = [
+      # Rebased on 1.9.0: https://github.com/bufbuild/buf/commit/bcaa77f8bbb8f6c198154c7c8d53596da4506dab
+      ./patches/buf-tests-dont-use-file-transport.patch
+    ] ++ old.patches or [ ];
+  });
+
   nix = (import "${nixSrc}/release.nix" {
     nix = nixSrc;
     nixpkgs = super.path;
@@ -68,19 +75,6 @@ in
     })
   );
 
-  # Upgrade to match telega in emacs-overlay
-  # TODO(tazjin): ugrade tdlib (+ telega?!) in nixpkgs
-  tdlib = assert super.tdlib.version == "1.8.3";
-    super.tdlib.overrideAttrs (old: {
-      version = "1.8.7";
-      src = self.fetchFromGitHub {
-        owner = "tdlib";
-        repo = "td";
-        rev = "a7a17b34b3c8fd3f7f6295f152746beb68f34d83";
-        sha256 = "sha256:0a5609knn7rmiiblz315yrvc9f2r207l2nl6brjy5bnhjdspmzs6";
-      };
-    });
-
   # dottime support for notmuch
   notmuch = super.notmuch.overrideAttrs (old: {
     passthru = old.passthru // {

third_party/sources/sources.json

@@ -17,10 +17,10 @@
         "homepage": "",
         "owner": "nix-community",
         "repo": "emacs-overlay",
-        "rev": "ef5d67c561a8b6ce001dbc555814fdb21c7bd5dd",
+        "rev": "d53959356bf17656f82d90ab5d7346fb3107896f",
-        "sha256": "0rq7xddksl2a6qv8gmhkyzhmc636az950b4z3icfxfdw3q6bn6hj",
+        "sha256": "0723d445w6lmr20fs8ify8c4vkjxh8x3ax7zcl4yymg5p5ckxj8r",
         "type": "tarball",
-        "url": "https://github.com/nix-community/emacs-overlay/archive/ef5d67c561a8b6ce001dbc555814fdb21c7bd5dd.tar.gz",
+        "url": "https://github.com/nix-community/emacs-overlay/archive/d53959356bf17656f82d90ab5d7346fb3107896f.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "home-manager": {
@@ -29,10 +29,10 @@
         "homepage": "https://nix-community.github.io/home-manager/",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "7dc4e4ebd71280842b4d30975439980baaac9db8",
+        "rev": "423211401c245934db5052e3867cac704f658544",
-        "sha256": "1qlpcwdb1ar5a4f8cfa0apn185g6qzpm8bafaajmca5l20png0wh",
+        "sha256": "0vc8a94lvcn5f4kqngf8qvh4il44hid5g2irsvaq7s5pqmgi7wr4",
         "type": "tarball",
-        "url": "https://github.com/nix-community/home-manager/archive/7dc4e4ebd71280842b4d30975439980baaac9db8.tar.gz",
+        "url": "https://github.com/nix-community/home-manager/archive/423211401c245934db5052e3867cac704f658544.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "impermanence": {
@@ -60,15 +60,15 @@
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "nixpkgs": {
-        "branch": "nixos-unstable",
+        "branch": "staging-next",
         "description": "Nix Packages collection",
         "homepage": "",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "301aada7a64812853f2e2634a530ef5d34505048",
+        "rev": "eeca5969b3f42ac943639aaec503816f053e5e53",
-        "sha256": "07y10kplajgysb6491hmksq4gqsiyibia83m3blcxicwyld455km",
+        "sha256": "0gb1pp4psaz9y7v5fyqjr61ivwalfmgai6r2c3lva5zyl7glxjzl",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/301aada7a64812853f2e2634a530ef5d34505048.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/eeca5969b3f42ac943639aaec503816f053e5e53.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "nixpkgs-stable": {
@@ -89,10 +89,10 @@
         "homepage": "",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "8ffc63427df1dc7e53fb96cb13b130028c258202",
+        "rev": "de5c4d5d40ae0a0dab67c5f7ae8d26c5445cf00d",
-        "sha256": "0clzfjmlg7w1rsgbp84z9840xm69q7vq4haz587bmkqywlvn2gbq",
+        "sha256": "1ldly6j435gk86f6lya1j44813mgk1jvyx66mf6mkwxyli8j0dnd",
         "type": "tarball",
-        "url": "https://github.com/oxalica/rust-overlay/archive/8ffc63427df1dc7e53fb96cb13b130028c258202.tar.gz",
+        "url": "https://github.com/oxalica/rust-overlay/archive/de5c4d5d40ae0a0dab67c5f7ae8d26c5445cf00d.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "rustsec-advisory-db": {
@@ -101,10 +101,10 @@
         "homepage": "https://rustsec.org",
         "owner": "RustSec",
         "repo": "advisory-db",
-        "rev": "1736a7bd7cf0d00161721ca6abb2799b05c96fc6",
+        "rev": "9e50517457e5e6266881f63d04f1f0faaa9b3f1e",
-        "sha256": "0pdrj7yi8a6ixy7798cwmgvlydasxfq4jk88h32g1qd5dmwzknll",
+        "sha256": "0fhhcfigp4g4xl0w6jp99r9j31dq8i5qhvds4rbny5zwvsi28qwq",
         "type": "tarball",
-        "url": "https://github.com/RustSec/advisory-db/archive/1736a7bd7cf0d00161721ca6abb2799b05c96fc6.tar.gz",
+        "url": "https://github.com/RustSec/advisory-db/archive/9e50517457e5e6266881f63d04f1f0faaa9b3f1e.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     }
 }

tools/depotfmt.nix

@@ -9,9 +9,10 @@ let
     echo "$@" | xargs -n1 ${pkgs.terraform}/bin/terraform fmt
   '';
 
+  # TODO: Upgrade to Go 1.19 and reformat tree
   config = pkgs.writeText "depot-treefmt-config" ''
     [formatter.go]
-    command = "${pkgs.go}/bin/gofmt"
+    command = "${pkgs.go_1_18}/bin/gofmt"
     options = [ "-w" ]
     includes = ["*.go"]