The envoy build often takes 7-8 hours and is among the last builds
finishing an evaluation. That is because we're scheduling it with -j2 on
a normal machine, when it has over 7000 objects to build that
parallelize very well.
Contains security fixes for:
- [CVE-2024-34362: Crash (use-after-free) in EnvoyQuicServerStream](GHSA-hww5-43gv-35jv)
- [CVE-2024-34363: Crash due to uncaught nlohmann JSON exception](GHSA-g979-ph9j-5gg4)
- [CVE-2024-34364: Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response, and other components](GHSA-xcj3-h7vf-fw26)
- [CVE-2024-32974: Crash in EnvoyQuicServerStream::OnInitialHeadersComplete()](GHSA-mgxp-7hhp-8299)
- [CVE-2024-32975: Crash in QuicheDataReader::PeekVarInt62Length()](GHSA-g9mq-6v96-cpqc)
- [CVE-2024-32976: Endless loop while decompressing Brotli data with extra input](GHSA-7wp5-c2vq-4f8m)
- [CVE-2024-23326: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode](GHSA-vcf8-7238-v74c)
Envoy 1.27.4 [0] contains the fix, but upgrading it is
not straightforward, as the build of the current version
is already broken and only works thanks to the caching of the deps
(this seems to be the case since the removal of Go 1.20).
Fixing the build seems to require more Bazel knowledge than I have,
and the usual maintainer is currently not available.
[0] https://github.com/envoyproxy/envoy/releases/tag/v1.27.4
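As an added check, not part of the original page nor code from the Envoy or nixpkgs projects: the script below parses the version string an Envoy binary prints and decides whether it is at or above 1.27.4, the only fixed release named above. The `envoy --version` output layout (`envoy  version: <git sha>/<semver>/Clean/RELEASE/BoringSSL`), the sample strings, and the function names are assumptions; fixed versions for release branches other than 1.27 are not listed on the page, so the checker reports those branches as unknown rather than guessing.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# The one fixed release the page names: 1.27.4. Other branches also received
# fixes, but their versions are not on the page, so they are not hard-coded;
# callers can pass additional entries in fixed_by_branch.
FIXED_1_27: Version = (1, 27, 4)
DEFAULT_FIXED: Dict[Tuple[int, int], Version] = {(1, 27): FIXED_1_27}

# Assumed `envoy --version` layout (an assumption, not taken from the page):
#   envoy  version: <git sha>/<major>.<minor>.<patch>/Clean/RELEASE/BoringSSL
_VERSION_RE = re.compile(
    r"version:\s*(?P<sha>[0-9a-fA-F]+)/(?P<ver>\d+\.\d+\.\d+)(?:-[\w.]+)?/"
)


def parse_envoy_version(output: str) -> Optional[Version]:
    """Extract (major, minor, patch) from `envoy --version` output, or None."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group("ver").split("."))
    return (major, minor, patch)


def check_envoy(output: str,
                fixed_by_branch: Optional[Dict[Tuple[int, int], Version]] = None) -> str:
    """Classify a binary as 'fixed', 'vulnerable', 'unknown-branch' or 'unparseable'.

    'unknown-branch' means the release branch is not in fixed_by_branch; that is
    deliberately not treated as fixed, since a missing entry is not evidence.
    """
    fixed_by_branch = DEFAULT_FIXED if fixed_by_branch is None else fixed_by_branch
    version = parse_envoy_version(output)
    if version is None:
        return "unparseable"
    fixed = fixed_by_branch.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    return "fixed" if version >= fixed else "vulnerable"


# Constructed sample outputs (not captured from real binaries); the git sha
# values are placeholders.
SAMPLES = {
    "old":     "envoy  version: 0123abcd0123abcd0123abcd/1.27.3/Clean/RELEASE/BoringSSL",
    "patched": "envoy  version: 89ab89ab89ab89ab89ab89ab/1.27.4/Clean/RELEASE/BoringSSL",
    "later":   "envoy  version: 89ab89ab89ab89ab89ab89ab/1.27.5/Clean/RELEASE/BoringSSL",
    "other":   "envoy  version: cdefcdefcdefcdefcdefcdef/1.28.2/Clean/RELEASE/BoringSSL",
    "garbage": "envoy: command not found",
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(f"{name:8s} -> {check_envoy(out)}")
```

In a fleet inventory this is the kind of check run over the collected `--version` lines; anything that comes back `unknown-branch` needs the fixed version for that branch looked up in the linked advisories before it can be called safe.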
The nixpkgs-unstable channel's programs.sqlite was used to identify
packages producing exactly one binary, and these were automatically added
to their package definitions wherever possible.
To do this, this commit does several things:
* Move the set-interpreter patching to outside the fixed-output
derivation
* Patch base_pip3/BUILD.bazel, which ends up getting Python's full path
* Drop local_jdk, which contains symlinks to our jdk input
* Drop bazel_gazelle_go_repository_tools, which contains built artifacts
using our go
...and updates the FOD hash to match. Checked that this appears to
remove the currently obvious FOD problems by checking out an older
nixpkgs commit and applying this on top, and verifying that the FOD hash
doesn't change between that older glibc and the current tip-of-tree.
This also disables tcmalloc on ARM because I couldn't get this to build
properly otherwise.
* Bumps brotli version to incorporate a fix for some GCC warnings which
get promoted to errors.
* Switches from wee8 to WAMR because it's easier to make it build
sensibly on a range of GCC versions that aren't just "whatever ships
with Ubuntu LTS".
* Adds a patch for WAMR's build in Envoy because it won't build properly
under Linux aarch64, since WAMR doesn't detect aarch64 unless it's on
macOS.